Security
To ensure the integrity and authenticity of the data, BMG Money signs every webhook request with HMAC-SHA256 over the timestamp and the raw request body. You must validate the X-Bmg-Signature header on every incoming request and reject any request whose signature does not verify.
Header Format: X-Bmg-Signature: t=1737662400,v1=9f86d... (t is the Unix timestamp in seconds, v1 is the lower-case hex-encoded HMAC-SHA256)
Validation Steps (C# Example)
using System;
using System.Security.Cryptography;
using System.Text;

// requestRawBody must be the body exactly as received, captured before any JSON model binding
// or re-serialization; any difference in whitespace or key order changes the HMAC.
string secret = "your_shared_secret";
string signatureHeader = Request.Headers["X-Bmg-Signature"];
// Header format: t=<unix timestamp>,v1=<lower-case hex HMAC>
string timestamp = signatureHeader.Split(',')[0].Split('=')[1];
string v1Hash = signatureHeader.Split(',')[1].Split('=')[1];
// 1. Concatenate timestamp + "." + raw body
string baseString = $"{timestamp}.{requestRawBody}";
// 2. Compute HMAC-SHA256 over the UTF-8 bytes of the base string
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(baseString));
string computedSignature = BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
// 3. Authenticate with a constant-time comparison (a plain != returns on the first differing
//    character and leaks timing information about the expected value)
bool valid = CryptographicOperations.FixedTimeEquals(
    Encoding.ASCII.GetBytes(computedSignature),
    Encoding.ASCII.GetBytes(v1Hash.ToLowerInvariant()));
if (!valid) throw new UnauthorizedAccessException();
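The snippet above shows the steps inline; the following is a complete, self-contained verifier added here as an example (it is not BMG Money's own code). It tolerates extra or reordered header fields, checks that the timestamp is fresh before spending CPU on the HMAC, and compares in constant time. The five-minute tolerance, the placeholder secret and the sample body are assumptions not stated on the page; BuildHeader is a helper included only to produce the same header format for the demonstration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class BmgWebhookSignature
{
    // Produces "t=<ts>,v1=<hex>" the way the documented header is laid out. Included only so the
    // demo below can fabricate signed fixtures; a receiver never needs this.
    public static string BuildHeader(string secret, string rawBody, long unixTimestamp)
    {
        string hex = ComputeHex(secret, unixTimestamp.ToString(CultureInfo.InvariantCulture), rawBody);
        return $"t={unixTimestamp},v1={hex}";
    }

    public static bool Verify(string signatureHeader, string rawBody, string secret,
                              DateTimeOffset now, TimeSpan tolerance)
    {
        if (string.IsNullOrEmpty(signatureHeader)) return false;

        // Parse comma-separated key=value pairs; unknown keys (e.g. a future v2=) are ignored.
        string? timestamp = null, v1 = null;
        foreach (string part in signatureHeader.Split(','))
        {
            string[] kv = part.Split('=', 2);
            if (kv.Length != 2) return false;
            switch (kv[0].Trim())
            {
                case "t": timestamp = kv[1].Trim(); break;
                case "v1": v1 = kv[1].Trim(); break;
            }
        }
        if (timestamp is null || v1 is null) return false;

        // Freshness window (assumed value; the page states no tolerance). Rejecting stale
        // timestamps bounds how long a captured, validly signed request can be replayed.
        if (!long.TryParse(timestamp, NumberStyles.None, CultureInfo.InvariantCulture, out long ts)) return false;
        DateTimeOffset sent = DateTimeOffset.FromUnixTimeSeconds(ts);
        if ((now - sent).Duration() > tolerance) return false;

        // Recompute HMAC-SHA256 over "<timestamp>.<raw body>" with the shared secret and
        // compare in constant time so mismatches do not leak position information.
        string expected = ComputeHex(secret, timestamp, rawBody);
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected),
            Encoding.ASCII.GetBytes(v1.ToLowerInvariant()));
    }

    private static string ComputeHex(string secret, string timestamp, string rawBody)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes($"{timestamp}.{rawBody}"));
        return Convert.ToHexString(mac).ToLowerInvariant();
    }

    public static void Main()
    {
        const string secret = "your_shared_secret";                       // placeholder secret
        const string body = "{\"event\":\"loan.funded\",\"id\":\"123\"}";   // constructed sample body
        DateTimeOffset now = DateTimeOffset.UtcNow;
        TimeSpan tolerance = TimeSpan.FromMinutes(5);                      // assumed window

        string header = BuildHeader(secret, body, now.ToUnixTimeSeconds());
        Console.WriteLine("genuine:      " + Verify(header, body, secret, now, tolerance));
        // Same header, body altered in transit
        Console.WriteLine("tampered body:" + Verify(header, body.Replace("123", "124"), secret, now, tolerance));
        // Validly signed an hour ago, replayed now
        string stale = BuildHeader(secret, body, now.AddHours(-1).ToUnixTimeSeconds());
        Console.WriteLine("stale replay: " + Verify(stale, body, secret, now, tolerance));
        // Header with the signature field missing
        Console.WriteLine("no v1 field:  " + Verify($"t={now.ToUnixTimeSeconds()}", body, secret, now, tolerance));
    }
}
```

Verify takes `now` as a parameter rather than reading the clock so the freshness check is deterministic under test. Convert.ToHexString and CryptographicOperations.FixedTimeEquals require .NET 5 / .NET Core 2.1 or later respectively; on older targets substitute BitConverter.ToString as in the snippet above.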