
Signature verification

Verifying signed callbacks from miaPOS. RSA-SHA256, public key fetched once, cached, rotated on key change.

Audience: Developer
Difficulty: Intermediate
Updated: 2026-05-30

Algorithm

miaPOS signs every callback body with its private key using RSA-SHA256. The signature travels in the X-MiaPos-Signature header as base64.

The authoritative description — including the canonical "sort fields alphabetically, join with ;" construction of the signed string — lives in the public integration repo: Signature Verification Guide. The guide ships with full Java and Python reference implementations you can copy and adapt.

Fetch the public key

GET /ecomm/api/v1/public-key

Returns the current PEM-encoded RSA public key. Cache it; refresh on signature verification failure (the key may have rotated).

Verify (PHP)

// Raw body exactly as received; parsing and re-encoding it would change the signed bytes.
$body      = file_get_contents('php://input');
$header    = $_SERVER['HTTP_X_MIAPOS_SIGNATURE'] ?? '';
$signature = base64_decode($header, true);          // strict mode: malformed base64 returns false
$publicKey = openssl_pkey_get_public($cachedPem);   // $cachedPem: PEM cached from /ecomm/api/v1/public-key

// openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error); only 1 counts as verified.
$verified = $signature !== false && $publicKey !== false
    && openssl_verify($body, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
if (!$verified) { http_response_code(400); exit('Invalid signature'); }

Verify (Node.js)

import crypto from 'crypto';

// Inside the request handler. rawBody must be the unparsed body bytes (from a raw-body parser),
// signature the X-MiaPos-Signature header value, cachedPem the cached PEM public key.
const signature = req.get('X-MiaPos-Signature') || '';
const verifier = crypto.createVerify('RSA-SHA256');
verifier.update(rawBody);
const valid = signature !== '' && verifier.verify(cachedPem, signature, 'base64');
if (!valid) return res.status(400).end();

Key rotation

miaPOS rotates the signing key approximately yearly, or immediately on any suspected exposure. Cache the public key with a TTL of 24 hours; on signature verification failure, refetch and retry once before rejecting.