What is the Message Authentication Code in Webhook?

Instamojo takes all values from the key-value pairs that it sends in the POST request and sorts them alphabetically by their keys. It then concatenates these values into one string, separated by a pipe (|) character, and uses the HMAC-SHA1 algorithm to generate the signature over that string. The HMAC key for the signature generation is the secret salt from the user's profile. (You will find the salt at instamojo.com/developers if you are logged in.)

 

How is the Message Authentication Code useful and do I need to use it? 
The Message Authentication Code for the payload is what you can use to verify that the POST request is indeed sent by Instamojo, versus someone else trying to impersonate Instamojo and/or gain access to your data/systems. 

You don't strictly need to use it, since the data is sent in plain text and is therefore readable without verifying the MAC. Still, it is a good idea to verify the MAC to ensure the integrity and authenticity of the POST request. 
 
In short, using MAC is optional, but recommended as a security feature. 
 
Here is the procedure for verifying MAC. 

If d is a set of key-value pairs that corresponds to the POST request (Eg: d = {"foo": 1, "bar": 2, "baz": 3, "mac": 4})

  1. From d, remove the key-value pair that corresponds to the message authentication code (its key is "mac"). (Eg: new_d = {'foo': 1, 'bar': 2, 'baz': 3})
  2. Prepare a list of all values from new_d (the set with the "mac" pair removed), ordered alphabetically by their keys in lower case. Eg: [2, 3, 1] (since the alphabetical order of the keys is: "bar", "baz" and "foo").
  3. Concatenate all the items from this list into one string, with each item separated from the other with a pipe ('|'). (Eg: "2|3|1")
  4. Use the HMAC-SHA1 algorithm to generate a message authentication code using the above string as the message and the secret given to you by Instamojo as the key (salt). (Most programming languages have ready-made libraries that implement HMAC-SHA1.)
  5. Compare the message authentication code that you've derived using the above steps with the code you received from Instamojo (which was removed from d in step 1 above). If the strings are the same, consider the message verified.
Sample codes in Python and PHP can be found here: Webhook URL In PHP/Python
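The five steps above, carried through in Python as an added example (this is not the linked sample code and not Instamojo's own implementation). It assumes the MAC is transmitted as a lower-case hex digest, uses a made-up salt named DEMO_SALT, and compares digests with hmac.compare_digest rather than "==" so that a mismatch is not revealed by how quickly the comparison fails.

```python
import hashlib
import hmac

# Placeholder salt for demonstration only; the real value comes from the
# Instamojo developer profile and must stay on the server.
DEMO_SALT = "example-secret-salt"

MAC_KEY = "mac"


def build_message(d):
    """Steps 1-3: drop the 'mac' pair, order the remaining values by their
    lower-cased keys, and join them with '|'. Values are str()-converted,
    since webhook form fields arrive as strings anyway."""
    fields = {k: v for k, v in d.items() if k != MAC_KEY}
    ordered = sorted(fields.items(), key=lambda kv: kv[0].lower())
    return "|".join(str(v) for _, v in ordered)


def compute_mac(d, salt):
    """Step 4: HMAC-SHA1 over the message, keyed with the secret salt.
    Hex encoding of the digest is an assumption of this example."""
    return hmac.new(
        salt.encode("utf-8"), build_message(d).encode("utf-8"), hashlib.sha1
    ).hexdigest()


def verify_mac(d, salt):
    """Step 5: recompute the MAC and compare it with the one received.
    Returns False when no MAC was sent at all; the comparison is
    constant-time, so a wrong MAC fails just as slowly as a near-miss."""
    received = d.get(MAC_KEY)
    if not received:
        return False
    expected = compute_mac(d, salt)
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed payload mirroring the article's example; the sender's side
    # (filling in 'mac') is simulated here with the same salt.
    payload = {"foo": 1, "bar": 2, "baz": 3}
    payload[MAC_KEY] = compute_mac(payload, DEMO_SALT)
    print(build_message(payload))          # 2|3|1
    print(verify_mac(payload, DEMO_SALT))  # True
    payload["foo"] = 99                    # tampered field
    print(verify_mac(payload, DEMO_SALT))  # False
```

In a real handler, pass the parsed form fields of the incoming request as d and reject the request (for example with HTTP 400) when verify_mac returns False, before acting on any of the payment data.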
 
 