Postback Security

HMAC Hashing

To ensure that all postbacks are genuine and originate from TarGo, each callback request includes a security signature called a hash. This hash is automatically appended to the end of every postback URL we send.

How It Works

  1. You define your postback URL, for example:

     https://yourpostback.com/pb?uid={user_id}&reward={reward}

  2. TarGo replaces the placeholders ({user_id}, {reward}, etc.) with real values.

  3. TarGo then temporarily appends &hash= with an empty value to the end of the URL.

  4. TarGo computes the signature:

     hash = HMAC-SHA1( full_callback_url_with_hash_empty , app_secret_key )

  5. TarGo replaces the empty hash value with the computed hash and sends the final callback to your server.

Example Final Request:

https://yourpostback.com/pb?uid=abc123&reward=500&hash=dbcd6bb892842a52b4fca9bec36cd4b

⚠️ Important Notes

| Rule | Description | Why It Matters |
| --- | --- | --- |
| Do NOT modify the URL | Verify the hash using the exact URL string received | Any change results in a different hash and failed validation |
| Do NOT reorder query parameters | Keep parameter order exactly as TarGo sent it | Parameter order affects the hash value |
| Do NOT encode or decode the URL | Do not apply decode, encode, or format conversions | Encoding changes characters and invalidates the hash |
| Keep hash= placeholder but empty during verification | Replace hash=VALUE with hash= before hashing | The hash is computed on the URL with hash value removed |
| Use HMAC-SHA1 Algorithm | Hash is always HMAC-SHA1(URL, secret_key) | Other algorithms will not match the signature |
| Compare using a timing-safe compare | Use hash_equals() / timingSafeEqual() | Prevents timing-based forgery attacks |
| Use full URL including domain | Hash input must include scheme, host, path & query | Hash must match TarGo’s full signed string |

Hashing Code Examples
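
A Node.js verification routine that follows the steps and rules above. It is an added example, not TarGo's own sample code; the secret and the signed URL are constructed, and the lowercase hex digest format is an assumption based on the example request.

```javascript
const crypto = require('crypto');

// HMAC-SHA1 over the URL whose trailing hash value is empty.
// Assumption: the digest is lowercase hex, as the example request suggests.
function signUrl(urlWithEmptyHash, secret) {
  return crypto.createHmac('sha1', secret).update(urlWithEmptyHash, 'utf8').digest('hex');
}

// rawUrl must be the exact string TarGo requested: scheme, host, path and
// query, byte for byte. Do not parse, decode, re-encode or rebuild it.
function verifyPostback(rawUrl, secret) {
  const marker = '&hash=';
  const at = rawUrl.lastIndexOf(marker);
  if (at === -1) return false; // unsigned request
  const received = rawUrl.slice(at + marker.length);
  // The hash is appended at the end of the URL, so nothing may follow it.
  // This also rejects an empty value and any non-hex characters.
  if (!/^[0-9a-f]+$/.test(received)) return false;
  const expected = signUrl(rawUrl.slice(0, at + marker.length), secret);
  const a = Buffer.from(received, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample data (not a real TarGo secret or callback).
const SECRET = 'example-app-secret';
const BASE = 'https://yourpostback.com/pb?uid=abc123&reward=500&hash=';
const SIGNED = BASE + signUrl(BASE, SECRET);

function demo() {
  return {
    genuine: verifyPostback(SIGNED, SECRET),
    tamperedReward: verifyPostback(SIGNED.replace('reward=500', 'reward=5000'), SECRET),
    reordered: verifyPostback(
      SIGNED.replace('uid=abc123&reward=500', 'reward=500&uid=abc123'), SECRET),
    truncatedHash: verifyPostback(SIGNED.slice(0, -1), SECRET),
    missingHash: verifyPostback('https://yourpostback.com/pb?uid=abc123&reward=500', SECRET),
  };
}

console.log(demo());
```

On a real server, rawUrl has to be rebuilt from the scheme and host TarGo called plus the raw, undecoded request path and query; behind a proxy, make sure those match the URL you registered.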

IP Whitelisting

You can restrict callbacks so that they are accepted only from our server IP address(es). Please whitelist the following IP(s) and check back regularly for possible changes.
