Postback header security
Daphne Vijn avatar
Written by Daphne Vijn
Updated over a week ago


At Evidos we are constantly striving to improve the security of our platform.

The Signhost postback service is meant to provide realtime updates on your transactions to your server.

We have two methods to secure postbacks:

These two methods can be used at the same time.

We have two methods to specify the Postback Url

  • The variable method, by sending us a Postback Url for each transaction when creating the transaction in the API with a POST call. This method supports only digest security.

  • The static method, by specifying the Postback Url(s) in our Portal for your applicaton. This method supports both Digest security, and security headers.

Please note that we will move to a variable IP, we advise you to not rely on IPwhitelisting as this may prevent us from delivering postbacks to your system.

This article explaines the Security header method in more detail.

Postback security headers

This security measure can be used by specifying one or more static postback Urls in our web portal. To manage this we've added a new page.

In our web portal a portal administrator can access the Push notifications menu. Click the button to go there directly. We will link this page from the regular portal menu at a later date.

Postback page

On this page you can:

  • Add postback Urls

  • Delete postback Urls

See the postback Url status, such as:

  • If it uses a security header or not

  • If there are any postbacks queueing because of a server error in your application. The status then changes to failing.

Adding a Postback Url

When you add a new Postback Url, please remember to enter the whole link, with https://

Optionally, you can add an Authorization Header as well. This header will be used in every POST to your server endpoint, and can be used to validate if the Postback was sent by us before you have to apply further business logic.

You can enter any string, we advise you however to choose a secure and securely generated header.

Please note, you will first receive an empty postback after creating the postback URL.

Checks and statuses

On creating the Postback Url, we will check if your endpoint is http compliant. For this we will send a:

  • POST

  • PUT


  • GET

We will expect a valid response for these requests. The Post has to deliver back a status 2xx. The other requests can give back any valid http response.

Without a response the Postback Url cannot be created and a warning is shown.

By checking this Url we will make sure that your endpoint will handle all postbacks.

If we do not receive a valid response when your Url is operational, we will queue to prevent data loss. Read more about our queuing policy on the bottom of this page.

What will you receive

With each postback, we send an Authorization header. In this example, 123456789 is specified in the portal.

What happens to the current postback Url mechanism?

Please note that when you use this new header security method, the method of specifying the Postback Url remains the same.

  • When a Postback Url is entered by you in the Evidos web portal, we will always use this Url.

  • When you specify a Postback Url in your API POST Request, we will use that Url additionaly.

Both methods function independently of eachother. As a reminder, only by specifying a Postback Url in the portal, you are able to use the Header security.

Did this answer your question?