▌ DEVELOPERS · API & WEBHOOKS

ENDPOINTS Y CLAVES

Tokens de servicio, scopes y webhooks firmados HMAC.

NOMBRE	PREFIX	SCOPE	ÚLTIMO USO
Producción — Backend	bar_live_8a2c…	vault, tokenization	hace 14 s	ROTAR
Producción — Fraude	bar_live_91ff…	fraud	hace 1 min	ROTAR
Sandbox — QA	bar_test_42aa…	*	hace 3 h	ROTAR

WEBHOOK · fraud.evaluated

POST https://tu-app.com/webhooks/barrier
X-Barrier-Signature: t=1719..,v1=..
{
  "type": "fraud.evaluated",
  "tx_id": "tx_0004",
  "score": 96,
  "decision": "block",
  "signals": ["highrisk_bin", "vpn_detected"]
}

VERIFICAR FIRMA HMAC

import crypto from "crypto";

const sig = req.headers["x-barrier-signature"];
const [ts, v1] = sig.split(",").map(p => p.split("=")[1]);
const payload = ts + "." + req.rawBody;
const expected = crypto
  .createHmac("sha256", process.env.BARRIER_SECRET)
  .update(payload).digest("hex");

if (!crypto.timingSafeEqual(
  Buffer.from(v1), Buffer.from(expected)
)) return res.sendStatus(401);