Disbursements Transfer

Information

Method	Path	Format	Authentication
POST	`/api/v2.0/disbursement/transfer`	json	OAuth 2.0 with Access Token

Request Details

Headers Structure

Field	Value	Type	Mandatory	Description	Example
X-PARTNER-ID	api_key	Alphanumeric	Mandatory	API key obtained from the merchant dashboard.	b3ed7d4b-a96c-6c08-b3c7-12c3124242d9
Accept	application/json	Alphabetic	Mandatory	Specifies JSON as the expected response format.	application/json
Authorization	Bearer {bearerToken}	Alphanumeric	Mandatory	Bearer token obtained from the get access token endpoint.	Bearer eyJ0eXAiOiJKV1…
X-Signature	HMAC-SHA512 Signature	Alphanumeric	Mandatory	HMAC-SHA512 signature for request authentication. See signature generation guide below.	a1b2c3d4e5f6…
X-Timestamp	Unix Timestamp (seconds)	Numeric	Mandatory	Request timestamp in Unix seconds format	1714618220

Body Structure

Field	Type	Mandatory	Length	Description	Example
account_id	String	Mandatory	Max: 50	Account ID	01K8N5ZNJH8MPGAK9QM080CXW8
reference_number	String	Mandatory	Max: 32	Unique identifier for the transaction. Must be unique per merchant.	“2736437254634364534342”
amount	Numeric	Mandatory	Min: 10000, Max: merchant limit	The transaction amount.	50000
bank_code	Alphanumeric	Mandatory	3-8	Bank Number Code (3 digit) or Bank Swift Code (8 Character Length)	BRINIDJA
bank_account_number	Numeric	Mandatory	6-20 digits	The beneficiary’s bank account number.	“521398319083210”
notes	String	Optional	Max: 50	Additional notes for the transaction.	“bayar cicilan”

Body Example

{
    "account_id": "01K8N5ZNJH8MPGAK9QM080CXW8",
    "reference_number" : "5176770190020260101114",
    "bank_account_number": "8330432404",
    "amount": 10000,
    "bank_code": "014",
    "notes": "payroll bulan ini"
}

Response Details

Response Structure

Field	Type	Mandatory	Description	Example
response_code	String	Mandatory	5	Response code. Please check appendix 01
response_message	String	Mandatory	50	Response message. Please check appendix 01
data	Object	Mandatory	Response payload object	-
> transaction_id	String	Mandatory	System-generated transaction ID	“1512220251105174015668”
> reference_number	String	Mandatory	Merchant’s unique reference number	“123456789123”
> transaction_status	Object	Mandatory		Transaction status. I.e: 00 (Success), 01 (Initiated) , etc, Please check appendix 02
>> code	Numeric	Mandatory	-	I.e: 01, 02, etc
>> desc	String	Mandatory	-	I.e: Success, Initiated, etc
> post_timestamp	String	Mandatory	Transaction creation time (Unix milliseconds)	“1762339215000”
> processed_timestamp	String	Conditional	Processing completion time (Unix ms, empty if failed)	“1762339215672”
> bank	Object	Mandatory	Beneficiary bank information	-
>> code	String	Mandatory	Bank Swift or Number code (e.g., 002, BRINIDJA)	BRINIDJA
>> name	String	Mandatory	Bank code (e.g., BRI, BNI, DANAMON)	“BRI”
>> account_name	String	Conditional	Beneficiary account holder name (null if inquiry failed)	“Yayasan Wahyudin Tbk”
>> account_number	String	Mandatory	Beneficiary bank account number	“521398319083210”
> gross_amount	Object	Mandatory	Total amount including fees	-
>> currency	String	Mandatory	Currency code (ISO 4217)	“IDR”
>> value	String	Mandatory	Gross amount value	“50000”
> fee	Object	Mandatory	Transfer fee details	-
>> name	String	Mandatory	Fee description	“Transfer Fee”
>> currency	String	Mandatory	Currency code (ISO 4217)	“IDR”
>> value	String	Mandatory	Fee amount	“3000”
> net_amount	Object	Mandatory	Amount received by beneficiary (gross - fee)	-
>> currency	String	Mandatory	Currency code (ISO 4217)	“IDR”
>> value	String	Mandatory	Net amount value	“47000”
> balance_after	Object	Mandatory	Account balance after transaction	-
>> currency	String	Conditional	Currency code (null if failed)	“IDR”
>> value	String	Conditional	Balance value (null if failed)	“777000”
> notes	String	Optional	Transaction notes from request	“bayar pajak”
> failed_code	Numeric	Conditional	Error code (only present when status is failed)	SP003
> failed_reason	String	Conditional	Error message (only present when status is failed)	INSUFFICIENT BALANCE

Response Example

Success: Here’s an example of a successful response.

{
    "response_code": "SP000",
    "response_message": "Successfully",
    "data": {
        "transaction_id": "101222025122910292195055674",
        "reference_number": "11111111118",
        "transaction_status": {
            "code": "00",
            "desc": "Success"
        },
        "post_timestamp": "1766978961000",
        "processed_timestamp": "1766978962000",
        "bank": {
            "code": "002",
            "name": "BRI",
            "account_name": "Dummy Test Account Internal",
            "account_number": "11111111118"
        },
        "gross_amount": {
            "currency": "IDR",
            "value": "12504.00"
        },
        "fee": {
            "currency": "IDR",
            "value": "2500"
        },
        "net_amount": {
            "currency": "IDR",
            "value": "10004.00"
        },
        "balance_after": {
            "currency": "IDR",
            "value": "829988"
        },
        "notes": "test transfer"
    }
}

Pending: example response.

{
    "response_code": "SP000",
    "response_message": "Successfully",
    "data": {
        "transaction_id": "101222025122910321260732119",
        "reference_number": "33311111111",
        "transaction_status": {
            "code": "03",
            "desc": "Pending"
        },
        "post_timestamp": "1766979132000",
        "processed_timestamp": "",
        "bank": {
            "code": "002",
            "name": "BRI",
            "account_name": "",
            "account_number": "33311111111"
        },
        "gross_amount": {
            "currency": "IDR",
            "value": "12506.00"
        },
        "fee": {
            "currency": "IDR",
            "value": "2500"
        },
        "net_amount": {
            "currency": "IDR",
            "value": "10006.00"
        },
        "balance_after": {
            "currency": "IDR",
            "value": "0"
        },
        "notes": "test transfer"
    }
}

Failed Transaction.

{
    "response_code": "SP001",
    "response_message": "Transaction Failure",
    "data": {
        "transaction_id": "121222025122617513896515436",
        "reference_number": "333",
        "transaction_status": {
            "code": "06",
            "desc": "Failed"
        },
        "post_timestamp": "1766746298000",
        "processed_timestamp": "",
        "bank": {
            "code": "002",
            "name": "BRI",
            "account_name": "",
            "account_number": "091701064838533"
        },
        "gross_amount": {
            "currency": "IDR",
            "value": "12501.00"
        },
        "fee": {
            "currency": "IDR",
            "value": "2500"
        },
        "net_amount": {
            "currency": "IDR",
            "value": "10001.00"
        },
        "balance_after": {
            "currency": "IDR",
            "value": "0"
        },
        "notes": "test transfer",
        "failed_reason": "Transaction Failure : Invalid beneficiary account: Account inactive",
        "failed_code": "SP001"
    }
}

Error: Duplicate reference_number

{
    "response_code": "SP004",
    "response_message": "Duplicate Reference Number",
    "data": {
        "account_id": "01K5G4FZZ18DMK0M5QTR8Y9QY9",
        "reference_number": "331",
        "amount": 61000,
        "notes": "test transfer",
        "bank_code": "BRINIDJA",
        "bank_account_number": "091701064838533",
        "message": "Transaction with this reference number already exists"
    }
}

Error: Validation

{
    "response_code": "SP018",
    "response_message": "Validation error",
    "data": {
        "account_id": "01K8J8GBTB88H9Z6DVMY1XMJP8",
        "reference_number": "331",
        "amount": 61000,
        "notes": "test transfer",
        "bank_code": null,
        "bank_account_number": "091701064838533",
        "message": "Validation error 'bank_code': 'The bank code field is required.'"
    }
}

Error: Insufficient Balance

{
    "response_code": "SP003",
    "response_message": "Insufficient Balance",
    "data": {
        "transaction_id": "291222025122617393593025327",
        "reference_number": "331",
        "transaction_status": {
            "code": "06",
            "desc": "Failed"
        },
        "post_timestamp": "1766745575000",
        "processed_timestamp": "",
        "bank": {
            "code": "002",
            "name": "BRI",
            "account_name": "",
            "account_number": "091701064838533"
        },
        "gross_amount": {
            "currency": "IDR",
            "value": "63500.00"
        },
        "fee": {
            "currency": "IDR",
            "value": "2500"
        },
        "net_amount": {
            "currency": "IDR",
            "value": "61000.00"
        },
        "balance_after": {
            "currency": "IDR",
            "value": "0"
        },
        "notes": "test transfer"
    }
}

Error: General Error

{
    "response_code": "SP019",
    "response_message": "General Error",
    "data": {
        "account_id": "01K5G4FZZ18DMK0M5QTR8Y9QY9",
        "reference_number": "331",
        "amount": 61000,
        "notes": "test transfer",
        "bank_code": "BRINIDJA",
        "bank_account_number": "091701064838533",
        "message": "internal server error"
    }
}

Error: Expired Access Token.

{
    "status": 401,
    "success": false,
    "error": {
        "code": 401,
        "message": "Unauthorized merchant, please sign in"
    }
}

Error: Invalid Signature.

{
    "status": 401,
    "success": false,
    "error": {
        "code": 4019900,
        "message": "Unauthorized. Invalid X-SIGNATURE"
    }
}

List of Bank Swift Codes Supported

Swift Code	Number Code	Full Name	Short Name
BRINIDJA	2	Bank Rakyat Indonesia	BRI
IBBKIDJA	16	Bank Maybank Indonesia	Maybank
BNINIDJA	9	Bank Negara Indonesia	BNI
BDINIDJA	11	Bank Danamon	Danamon
CENAIDJA	14	Bank Central Asia	BCA
BMRIIDJA	8	Bank Mandiri	Mandiri
BPIAIDJA	47	Bank Resona	Bank Resona
CTCBIDJA	949	Bank Chinatrust Indonesia	Bank Chinatrust
PINBIDJA	19	Bank Panin	Bank Panin
BUMIIDJA	485	Bank MNC Internasional	Bank MNC
DBSBIDJA	46	Bank DBS Indonesia	Bank DBS
PDKSIDJ1	122	BPD Kalimantan Selatan	Bank Kalsel
PDWRIDJ1	135	BPD Sulawesi Tenggara	Bank Sultra
SCBLIDJX	50	Standard Charted Bank	Standard Charted
ABALIDBS	129	BPD Bali	Bank Bali
PDJGIDJ1	113	BPD Jawa Tengah	Bank Jateng
SYJBIDJ1	425	Bank BJB Syariah	BJB Syariah
PDWGIDJ1	134	BPD Sulawesi Tengah	Bank Sulteng
MEDHIDS1	151	Bank Mestika Dharma	Bank Mestika
BKCHIDJA	69	Bank of China Hongkong	Bank Hongkong
PDJBIDJA	110	Bank Jawa Barat Dan Banten	Bank BJB
SBJKIDJA	153	Bank Sinarmas	Bank Sinarmas
ANZBIDJX	61	Bank ANZ Indonesia	Bank Anz
ARTGIDJA	37	Bank Artha Graha International	Artha Graha
BBUKIDJA	441	Bank Bukopin	Bank Bukopin
BBAIIDJA	76	Bank Bumi Arta	Bank Bumi Artha
BCIAIDJA	54	Bank Capital Indonesia	Bank Capital
SYCAIDJ1	536	Bank Central Asia Syariah	BCA Syariah
BICNIDJA	950	Bank Commonwealth	Bank Commonwealth
BDKIIDJ1	111	Bank DKI	Bank DKI
GNESIDJA	161	Bank Ganesha	Bank Ganesha
ICBKIDJA	164	Bank ICBC Indonesia	Bank ICBC
IAPTIDJA	513	Bank Ina Perdania	Bank Ina
BIDXIDJA	555	Bank Index Selindo	Bank Index
MASDIDJ1	157	Bank Maspion Indonesia	Bank Maspion
MAYAIDJA	97	Bank Mayapada International	Bank Mayapada
MAYOIDJA	553	Bank Mayora	Bank Mayora
MEGAIDJA	426	Bank Mega	Bank Mega
BMSEIDJA	548	Bank Multi Arta Sentosa	Multi Arta
LFIBIDJ1	503	Bank Nationalnobu	Bank Nobu
BOTKIDJX	42	Bank MUFG	Bank MUFG
BDIPIDJ1	523	Bank Sahabat Sampoerna	Bank Sampoerna
SDOBIDJ1	521	Bank Syariah Bukopin	Bukopin Syariah
BUTGIDJ1	506	Bank Syariah Mega	Mega Syariah
SUNIIDJA	213	Bank Tabungan Pensiunan Nasional (BTPN)	Bank BTPN
BBIJIDJA	23	Bank UOB Indonesia	Bank UOB
VICTIDJ1	566	Bank Victoria Internasional	Bank Victoria
PDBKIDJ1	133	BPD Bengkulu	Bank Bengkulu
PDYKIDJ1	112	BPD Daerah Istimewa Yogyakarta	Bank DIY
PDJMIDJ1	115	BPD Jambi	Bank Jambi
PDJTIDJ1	114	BPD Jawa Timur	Bank Jatim
PDKBIDJ1	123	BPD Kalimantan Barat	Bank Kalbar
PDKGIDJ1	125	BPD Kalimantan Tengah	Bank Kalteng
PDLPIDJ1	121	BPD Lampung	Bank Lampung
PDMLIDJ1	131	BPD Maluku Dan Malut	Bank Maluku Malut
PDNBIDJ1	128	BPD Nusa Tenggara Barat	Bank NTB
PDIJIDJ1	132	BPD Papua	Bank Papua
PDWUIDJ1	127	BPD Sulut	Bank Sulut
BSSPIDSP	120	BPD Sumsel Dan Babel	Bank Sulsel Babel
PDSUIDJ1	117	BPD Sumut	Bank Sumut
CITIIDJX	31	Citibank	Citibank
HSBCIDJA	87	HSBC Indonesia	HSBC
ALOBIDJA	567	Allo Bank Indonesia	Allo Bank
BSMDIDJA	451	Bank Syariah Indonesia	BSI
BNIAIDJA	22	CIMB Niaga	CIMB
BBBAIDJA	13	Bank Permata	PERMATA
MUABIDJA	147	Bank Muamalat Indonesia	MUAMALAT
NISPIDJA	28	OCBC Indonesia	OCBC
MEEKIDJ1	152	Bank Shinhan Indonesia	Bank Shinhan
SIHBIDJ1	564	Mandiri Taspen Pos	Bank Mandiri Taspen
AWANIDJA	167	Bank QNB Indonesia	Bank QNB
PDBBIDJ1	137	BPD Banten	Bank Banten
CICTIDJA	95	Bank JTrust Indonesia	Bank JTrust
PUBAIDJ1	547	BTPN Syariah	BTPN Syariah
BSDRIDJA	212	Bank Woori Saudara Indonesia 1906	Bank Woori Saudara
LMANIDJ1	526	Bank Oke Indonesia	Bank Oke
NETBIDJA	947	Bank Aladin Syariah	Bank Aladin Syariah
IBKOIDJA	945	Bank IBK Indonesia	Bank IBK
SSPIIDJA	535	Bank Seabank Indonesia	Bank Seabank
BBLUIDJA	501	Bank BCA DIGITAL	Blu (BCA Digital)
JAGBIDJA	542	Bank Jago	Bank Jago
BUSTIDJ1	459	Krom Bank Indonesia	Krom Bank
HNBNIDJA	484	Bank Hana (Line)	Bank Hana (Line)
PDRIIDJA	119	BPD RIAU	BPD Riau
PDKTIDJ1	124	BPD KALIMANTAN TIMUR DAN KALIMANTAN UTARA	BPD Kaltim dan Kaltara
PDNTIDJA	130	BPD NUSA TENGGARA TIMUR	BPD NTT
PDWSIDJA	126	BANK SULSELBAR	Bank Sulselbar
FAMAIDJ1	562	Superbank Indonesia	Superbank
BTANIDJA	200	Bank Tabungan Negara (BTN)	BTN
LOMAIDJ1	531	PT. BANK AMAR INDONESIA	Bank Amar
SYACIDJ1	116	PT. BANK ACEH SYARIAH	Bank Aceh Syariah
AGTBIDJA	494	BANK RAYA INDONESIA	Bank Raya
JSABIDJ1	472	Bank Jasa Jakarta	Jasa Jakarta
SYBTIDJ1	200	Bank Tabungan Negara UUS (BTN Syariah)	BTN Syariah
MCORIDJA	36	China Construction Bank	China Construction Bank
SYNAIDJ1	22	CIMB Niaga Syariah	CIMB Niaga Syariah
NUPAIDJ6	145	Bank Nusantara Parahyangan	Bank Nusantara Parahyangan
BKIDIDJA	146	Bank of India	Bank of India
ARFAIDJ1	517	Panin Dubai Syariah	Panin Dubai Syariah
SYBBIDJ1	13	Permata Syariah	Permata Syariah
RABOIDJA	89	Rabobank Indonesia	Rabobank Indonesia
INDOIDJA	498	Bank SBI Indonesia	Bank SBI Indonesia
SWAGIDJ1	405	Victoria Syariah	Victoria Syariah
SYSBIDJ1	118	Nagari Syariah	Nagari Syariah
	688	BPR Karyajatnika Sadaya	BPR Karyajatnika Sadaya
CNBAIDJ1	559	Centratama Nasional Bank	Centratama Nasional Bank
YUDBIDJ1	490	Bank Neo Commerce (BNC)	BNC

For detailed information about response codes and transaction statuses, refer to:

Response Code Reference - Complete list of API response codes
Transaction Status Reference - Complete list of transaction status codes

How to Generate Request Signature

Every transaction request must include an X-Signature header that will be validated by SingaPay. If the signature is invalid, the request will be rejected.

Signature Algorithm

The signature uses HMAC-SHA512 algorithm with the following steps:

Step 1: Normalize the Request Body

Sort all JSON object keys recursively in alphabetical order, then encode using:

JSON_UNESCAPED_UNICODE - Don’t escape unicode characters
JSON_UNESCAPED_SLASHES - Don’t escape forward slashes

Example:

// Original body (key order doesn't matter)
{
  "notes": "bayar cicilan",
  "amount": 50000,
  "bank_swift_code": "BRINIDJA",
  "reference_number": "123456789123",
  "bank_account_number": "521398319083210"
}

// Normalized (keys sorted alphabetically)
{"amount":50000,"bank_account_number":"521398319083210","bank_swift_code":"BRINIDJA","notes":"bayar cicilan","reference_number":"123456789123"}

Step 2: Hash the Normalized Body

Hash the normalized JSON string using SHA-256:

hashedBody = SHA256(normalizedBody)

Example:

hashedBody = "a1b2c3d4e5f6789..."

Step 3: Build the String to Sign

Combine the following components with colon (:) separator:

stringToSign = METHOD:ENDPOINT:ACCESS_TOKEN:HASHED_BODY:TIMESTAMP

Where:

METHOD = HTTP method (e.g., POST)
ENDPOINT = Request URI path (e.g., /api/v1.0/disbursements/{account_id}/transfer)
ACCESS_TOKEN = Bearer token from Authorization header (without “Bearer ” prefix)
HASHED_BODY = SHA-256 hash from Step 2
TIMESTAMP = Unix timestamp in seconds (from X-Timestamp header)

Example:

POST:/api/v1.0/disbursements/abc123/transfer:eyJ0eXAiOiJKV1QiLCJhbGc...:a1b2c3d4e5f6789...:1714618220

Step 4: Generate HMAC-SHA512 Signature

Generate the signature using HMAC-SHA512 with your client_secret as the key:

signature = HMAC_SHA512(stringToSign, client_secret)

The output is a hexadecimal string (not base64).

Code Examples

PHP Example

<?php
function generateSignature($method, $endpoint, $accessToken, $body, $timestamp, $clientSecret) {
    // Step 1: Normalize body
    $bodyArray = json_decode($body, true);
    ksort($bodyArray);
    array_walk_recursive($bodyArray, function(&$item) {
        if (is_array($item)) ksort($item);
    });
    $normalizedBody = json_encode($bodyArray, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);

    // Step 2: Hash normalized body
    $hashedBody = hash('sha256', $normalizedBody);

    // Step 3: Build string to sign
    $stringToSign = "{$method}:{$endpoint}:{$accessToken}:{$hashedBody}:{$timestamp}";

    // Step 4: Generate HMAC-SHA512 signature
    $signature = hash_hmac('sha512', $stringToSign, $clientSecret);

    return $signature;
}

// Usage
$signature = generateSignature(
    'POST',
    '/api/v1.0/disbursements/abc123/transfer',
    'eyJ0eXAiOiJKV1QiLCJhbGc...',
    '{"amount":50000,"bank_account_number":"521398319083210","bank_swift_code":"BRINIDJA","notes":"bayar cicilan","reference_number":"123456789123"}',
    '1714618220',
    'your_client_secret_here'
);
?>

JavaScript/Node.js Example

const crypto = require('crypto');

function sortObjectKeys(obj) {
    if (typeof obj !== 'object' || obj === null) return obj;
    if (Array.isArray(obj)) return obj.map(sortObjectKeys);

    return Object.keys(obj)
        .sort()
        .reduce((sorted, key) => {
            sorted[key] = sortObjectKeys(obj[key]);
            return sorted;
        }, {});
}

function generateSignature(method, endpoint, accessToken, body, timestamp, clientSecret) {
    // Step 1: Normalize body
    const bodyObject = JSON.parse(body);
    const sortedBody = sortObjectKeys(bodyObject);
    const normalizedBody = JSON.stringify(sortedBody);

    // Step 2: Hash normalized body
    const hashedBody = crypto
        .createHash('sha256')
        .update(normalizedBody)
        .digest('hex');

    // Step 3: Build string to sign
    const stringToSign = `${method}:${endpoint}:${accessToken}:${hashedBody}:${timestamp}`;

    // Step 4: Generate HMAC-SHA512 signature
    const signature = crypto
        .createHmac('sha512', clientSecret)
        .update(stringToSign)
        .digest('hex');

    return signature;
}

// Usage
const signature = generateSignature(
    'POST',
    '/api/v1.0/disbursements/abc123/transfer',
    'eyJ0eXAiOiJKV1QiLCJhbGc...',
    '{"amount":50000,"bank_account_number":"521398319083210","bank_swift_code":"BRINIDJA","notes":"bayar cicilan","reference_number":"123456789123"}',
    '1714618220',
    'your_client_secret_here'
);

Python Example

import hashlib
import hmac
import json

def sort_dict_recursive(obj):
    if isinstance(obj, dict):
        return {k: sort_dict_recursive(v) for k, v in sorted(obj.items())}
    elif isinstance(obj, list):
        return [sort_dict_recursive(item) for item in obj]
    return obj

def generate_signature(method, endpoint, access_token, body, timestamp, client_secret):
    # Step 1: Normalize body
    body_dict = json.loads(body)
    sorted_body = sort_dict_recursive(body_dict)
    normalized_body = json.dumps(sorted_body, ensure_ascii=False, separators=(',', ':'))

    # Step 2: Hash normalized body
    hashed_body = hashlib.sha256(normalized_body.encode()).hexdigest()

    # Step 3: Build string to sign
    string_to_sign = f"{method}:{endpoint}:{access_token}:{hashed_body}:{timestamp}"

    # Step 4: Generate HMAC-SHA512 signature
    signature = hmac.new(
        client_secret.encode(),
        string_to_sign.encode(),
        hashlib.sha512
    ).hexdigest()

    return signature

# Usage
signature = generate_signature(
    'POST',
    '/api/v1.0/disbursements/abc123/transfer',
    'eyJ0eXAiOiJKV1QiLCJhbGc...',
    '{"amount":50000,"bank_account_number":"521398319083210","bank_swift_code":"BRINIDJA","notes":"bayar cicilan","reference_number":"123456789123"}',
    '1714618220',
    'your_client_secret_here'
)

Important Notes

Timestamp Format: Must be Unix timestamp in seconds (not milliseconds, not ISO 8601)
Access Token: Extract from Authorization header without “Bearer ” prefix
Endpoint: Must include the full path starting with /api/v1.0/... and include the {account_id} parameter
JSON Normalization: Keys must be sorted recursively for nested objects
Hash Output: Use hexadecimal encoding (not base64)
Client Secret: Use your client_secret from merchant credentials, NOT your client_id or api_key

Security Validation

SingaPay will:

Verify the X-PARTNER-ID matches an existing API key
Retrieve the corresponding client_secret from the credentials table
Regenerate the signature using the same algorithm
Use constant-time comparison (hash_equals) to prevent timing attacks
Reject the request if signatures don’t match

On this page