Reading Time: 5 minutes

Category: Security, Tutorial

Tags: 2fa, security, google-authenticator, mutasibank, authentication

Pengantar

Keamanan akun adalah prioritas utama saat mengelola data finansial. Two-Factor Authentication (2FA) menambahkan lapisan keamanan ekstra pada akun Mutasibank Anda dengan mengharuskan kode verifikasi 6 digit selain password saat login.

Dengan mengaktifkan 2FA, bahkan jika seseorang mengetahui password Anda, mereka tidak bisa login tanpa akses ke perangkat authenticator Anda.

Dalam tutorial ini, Anda akan belajar:

• ✅ Cara mengaktifkan 2FA di Mutasibank

• ✅ Setup Google Authenticator atau Authy

• ✅ Backup recovery codes untuk keamanan

• ✅ Troubleshooting masalah umum 2FA

Mengapa 2FA Itu Penting?

Statistik Keamanan:

• 81% dari data breach disebabkan oleh password yang lemah atau dicuri

• 2FA mengurangi risiko account takeover hingga 99.9%

• Banking systems wajib menggunakan multi-factor authentication (MFA)

Skenario Tanpa 2FA:

Bayangkan password Anda bocor karena:

• Phishing email palsu

• Malware di komputer

• Database leak dari website lain yang menggunakan password sama

❌ Tanpa 2FA: Hacker langsung bisa login dan akses semua data bank Anda ✅ Dengan 2FA: Hacker butuh perangkat fisik Anda untuk mendapat kode verifikasi

Persyaratan

Sebelum memulai, pastikan Anda punya:

1. Akun Mutasibank yang sudah terdaftar

2. Smartphone (Android atau iOS)

3. Aplikasi Authenticator - pilih salah satu:

   • Google Authenticator (gratis, populer)

   • Authy (gratis, support multi-device & backup)

   • Microsoft Authenticator (gratis)

   • 1Password (berbayar, all-in-one)

Langkah 1: Download Aplikasi Authenticator

Google Authenticator

Android:

1. Buka Google Play Store

2. Cari "Google Authenticator"

3. Install aplikasi dari Google LLC

4. Buka aplikasi

iOS:

1. Buka App Store

2. Cari "Google Authenticator"

3. Install aplikasi dari Google LLC

4. Buka aplikasi

Authy (Alternatif dengan Backup Cloud)

Keunggulan Authy:

• ✅ Multi-device support

• ✅ Cloud backup (jika HP hilang, codes tetap aman)

• ✅ Lebih user-friendly

Download:

• Android: Play Store → "Authy"

• iOS: App Store → "Authy"

Langkah 2: Login ke Mutasibank Dashboard

1. Buka browser dan kunjungi https://mutasibank.co.id

2. Klik tombol "Login" di pojok kanan atas

3. Masukkan email dan password Anda

4. Klik "Login"

Langkah 3: Akses Pengaturan Keamanan

Setelah login berhasil:

1. Klik foto profil Anda di pojok kanan atas

2. Pilih menu "Profile" atau "Settings"

3. Temukan opsi "Two-Factor Authentication" atau "Google 2FA"

Langkah 4: Scan QR Code

Di halaman 2FA, Anda akan melihat:

A. QR Code

1. Buka aplikasi Google Authenticator di HP

2. Tap tombol "+" atau "Add account"

3. Pilih "Scan QR code"

4. Arahkan kamera ke QR code di layar komputer

5. Akun "Mutasibank" akan otomatis ditambahkan

B. Manual Entry (Jika QR Code Tidak Bisa Discan)

Jika kamera tidak berfungsi atau ada error:

1. Di Google Authenticator, pilih "Enter a setup key"

2. Isi form:

   • Account name: Mutasibank

   • Your key: [copy secret key dari website]

   • Type of key: Time-based

3. Tap "Add"

Secret Key Format:

JBSWY3DPEHPK3PXP

Langkah 5: Simpan Recovery Codes

⚠️ SANGAT PENTING! Recovery codes adalah backup jika HP hilang atau rusak.

Cara Menyimpan Recovery Codes:

1. Download file recovery codes (biasanya format .txt)

2. Print dan simpan di tempat aman (bukan di komputer yang sama!)

3. Screenshot dan simpan di password manager (1Password, Bitwarden)

4. Catat di buku fisik (old-school tapi aman!)

Contoh Recovery Codes:

1. 5d41402a-bc4b-1234
2. 7c9e6679-8a9b-5678
3. 98f13708-2c3d-9012
4. 3c59dc04-8e5f-3456
5. eccbc874-9f6a-7890

⚠️ JANGAN:

• Simpan di email (bisa di-hack)

• Share ke orang lain

• Simpan di cloud storage tanpa enkripsi

Langkah 6: Verifikasi Setup

Setelah scan QR code, sistem akan minta verifikasi:

1. Lihat kode 6 digit di Google Authenticator

   • Contoh: 123 456

   • Kode berubah setiap 30 detik

2. Ketik kode tersebut di form verifikasi Mutasibank

3. Klik "Verify and Activate"

✅ Jika berhasil: Anda akan melihat pesan "2FA Successfully Enabled!"

❌ Jika error: Pastikan waktu di HP sama dengan server (automatic time zone)

Langkah 7: Test Login dengan 2FA

Untuk memastikan 2FA berfungsi:

1. Logout dari akun Mutasibank

2. Klik "Login" lagi

3. Masukkan email dan password seperti biasa

4. Halaman baru akan muncul: "Enter 2FA Code"

5. Buka Google Authenticator di HP

6. Lihat kode 6 digit untuk Mutasibank

7. Ketik kode tersebut

8. Klik "Verify"

✅ Login berhasil! 2FA Anda sudah aktif!

Troubleshooting: Masalah Umum

1. Kode 2FA Selalu Invalid

Penyebab: Waktu di HP tidak sinkron dengan server

Solusi:

Android:
Settings → System → Date & time → Enable "Automatic date & time"

iOS:
Settings → General → Date & Time → Enable "Set Automatically"

Verifikasi waktu server:

• Mutasibank menggunakan UTC+7 (Jakarta Time)

• Google Authenticator auto-sync ke time server

2. HP Hilang/Rusak, Tidak Bisa Login

Solusi:

Opsi 1: Gunakan Recovery Code

1. Di halaman login 2FA, klik "Use recovery code"

2. Masukkan salah satu recovery code yang Anda simpan

3. Login berhasil

4. Segera setup 2FA lagi dengan HP baru

Opsi 2: Hubungi Support

• WhatsApp: +62 856 120 5976

• Email: support@mutasibank.co.id

• Siapkan data verifikasi:

  • Email terdaftar

  • Nomor HP

  • Screenshot KTP (untuk verifikasi identitas)

  • Transaksi terakhir (jika ada)

⏱️ Waktu respon: 1-24 jam (hari kerja)

3. Kode Tidak Muncul di Authenticator

Penyebab: Account belum ditambahkan dengan benar

Solusi:

1. Hapus account "Mutasibank" dari Google Authenticator

2. Ulangi proses scan QR code atau manual entry

3. Pastikan secret key di-copy dengan benar (tanpa spasi)

4. "This code has already been used"

Penyebab: Kode yang sama dipakai 2x (kode valid hanya 1x dalam 30 detik)

Solusi:

• Tunggu kode berikutnya (refresh otomatis setiap 30 detik)

• Jangan spam klik "Verify"

• Pastikan jam di HP akurat

Best Practices Keamanan 2FA

✅ DO (Lakukan):

1. Backup recovery codes di 2-3 tempat berbeda

2. Update Authenticator app secara berkala

3. Enable biometric lock di Authenticator app (fingerprint/face ID)

4. Gunakan password manager untuk simpan recovery codes terenkripsi

5. Test recovery codes sebelum HP hilang (gunakan 1 code untuk test, simpan sisanya)

❌ DON'T (Jangan):

1. Screenshot QR code dan simpan di galeri HP (bisa di-hack)

2. Share secret key ke orang lain

3. Gunakan SMS-based 2FA (vulnerable to SIM swap attack)

4. Install Authenticator di emulator (security risk)

5. Disable 2FA setelah aktif (kecuali ada alasan kuat)

FAQ: Pertanyaan yang Sering Diajukan

1. Apakah 2FA Wajib di Mutasibank?

Saat ini 2FA opsional, tapi sangat disarankan untuk:

• ✅ Akun dengan banyak bank terhubung

• ✅ Akun bisnis/perusahaan

• ✅ Akun yang diakses dari berbagai lokasi/IP

Rencana: 2FA akan menjadi mandatory untuk paket ADVANCE di Q2 2025.

2. Bisakah Pakai SMS untuk 2FA?

Saat ini Mutasibank hanya support Authenticator-based 2FA (TOTP).

Mengapa bukan SMS?

• ❌ SIM swap attack (hacker bisa pindah nomor Anda)

• ❌ SMS delay (kode bisa terlambat sampai)

• ❌ Biaya SMS untuk server

• ✅ Authenticator lebih aman & gratis

3. Bagaimana Jika Ganti HP Baru?

Metode 1: Transfer via Authy (Recommended)

• Authy support multi-device

• Login dengan akun yang sama di HP baru

• Semua codes otomatis tersinkron

Metode 2: Google Authenticator Export (Google Auth v5.0+)

1. HP lama: Google Authenticator → Menu → Export accounts

2. HP baru: Google Authenticator → Import accounts → Scan QR

3. Semua accounts ter-transfer

Metode 3: Setup Ulang Manual

1. Di Mutasibank, disable 2FA (butuh kode dari HP lama)

2. Enable lagi dan scan QR code dengan HP baru

3. Simpan recovery codes baru

4. Apakah 2FA Mempengaruhi Akses API?

Tidak! 2FA hanya untuk web dashboard login.

API Authentication tetap menggunakan:

• Bearer token

• API key

• Webhook signatures

Tidak ada perubahan pada integrasi API Anda.

5. Bisakah Multiple User Akses dengan 2FA?

Ya, tapi setiap user harus punya:

• ✅ Email login terpisah (invite via dashboard)

• ✅ Authenticator setup sendiri

• ✅ Recovery codes masing-masing

Tidak bisa: Share 1 akun untuk multiple user (security risk!)

Keamanan Lanjutan (Advanced)

Multi-Device Backup dengan Authy

Jika Anda sering ganti HP atau punya tablet/laptop:

1. Download Authy (bukan Google Authenticator)

2. Setup 2FA Mutasibank dengan Authy

3. Enable multi-device:

   • Authy Settings → Devices → Allow multi-device

4. Install Authy di perangkat lain (tablet/PC)

5. Login dengan nomor HP yang sama

6. Disable multi-device setelah setup (untuk keamanan)

Hardware Security Keys (Future)

Coming Soon: Mutasibank akan support hardware keys seperti:

• YubiKey

• Titan Security Key

• Nitrokey

Keunggulan:

• Phishing-resistant

• No battery required

• Support USB, NFC, Bluetooth

Kesimpulan

Two-Factor Authentication (2FA) adalah cara paling efektif melindungi akun Mutasibank Anda dari unauthorized access. Dengan hanya 5 menit setup, Anda bisa:

✅ Kurangi risiko account takeover hingga 99.9% ✅ Lindungi data bank dari hacker ✅ Comply dengan standar keamanan banking ✅ Peace of mind saat mengelola transaksi

Langkah Cepat:

1. Download Google Authenticator (2 menit)

2. Login → Settings → Security (1 menit)

3. Scan QR code (30 detik)

4. Simpan recovery codes (1 menit)

5. Test login (30 detik)

Total waktu: 5 menit untuk keamanan seumur hidup!

Resources

Download Authenticator Apps:

• Google Authenticator:

  • Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

  • iOS: https://apps.apple.com/app/google-authenticator/id388497605

• Authy:

  • Android: https://play.google.com/store/apps/details?id=com.authy.authy

  • iOS: https://apps.apple.com/app/authy/id494168017

Related Articles:

• REST API Mutasi Bank - Dokumentasi Lengkap

• Webhook Signature Verification

• Best Practices Keamanan API Banking

Mutasibank Resources:

• Homepage: https://mutasibank.co.id

• API Documentation: https://mutasibank.co.id/api/docs

• Support: support@mutasibank.co.id

• WhatsApp: +62 856 120 5976

Call to Action

Belum Punya Akun Mutasibank?

Daftar sekarang dan dapatkan:

• ✅ Free trial 7 hari (tanpa biaya di awal)

• ✅ Support 34 bank Indonesia

• ✅ API lengkap dengan dokumentasi

• ✅ Webhook dengan signature verification

• ✅ 24/7 monitoring otomatis

👉 Coba Gratis 7 Hari →

Butuh Bantuan Setup 2FA?

Hubungi tim support kami:

• 💬 WhatsApp: +62 856 120 5976

• 📧 Email: support@mutasibank.co.id

• ⏱️ Response time: 1-24 jam

Tags: #2FA #TwoFactorAuthentication #Keamanan #GoogleAuthenticator #Authy #Mutasibank #SecurityTutorial #Banking #API

Share artikel ini jika bermanfaat! 🔒🚀

Protect your webhook endpoints dari spoofing attacks dengan HMAC-SHA256 signature verification

📌 TL;DR (Quick Summary)

Webhook tanpa signature verification = SANGAT BERBAHAYA! Siapa saja bisa kirim fake webhook dan manipulasi sistem Anda.

Learn how to:

• ✅ Verify HMAC-SHA256 signatures dengan benar

• ✅ Prevent replay attacks menggunakan timestamp validation

• ✅ Implement di 3 bahasa: PHP, Node.js, Python

• ✅ Production-ready code dengan error handling

• ✅ Test locally sebelum deploy

Reading time: 10 menit • Level: Intermediate • Security: Critical 🔒

Daftar Isi

1. Kenapa Webhook Signature Penting?

2. Cara Kerja HMAC-SHA256

3. Implementation Guide

4. Testing & Debugging

5. Common Mistakes

6. FAQ

Kenapa Webhook Signature Penting?

🚨 Scenario Tanpa Signature Verification:

Bayangkan Anda punya endpoint untuk auto-confirm order:

// ❌ DANGEROUS CODE - DON'T DO THIS!
<?php
// webhook.php
$data = json_decode(file_get_contents('php://input'), true);

foreach ($data['data_mutasi'] as $tx) {
    if ($tx['amount'] == 100000) {
        // Auto-confirm order
        confirmOrder($orderId);  // 😱 SIAPA SAJA BISA TRIGGER INI!
    }
}

Attacker bisa:

1. Kirim fake POST request ke endpoint Anda

2. Dengan payload yang dibuat-buat (fake transaction)

3. Trigger auto-confirm untuk order yang belum dibayar

4. FRAUD! 💸

✅ Dengan Signature Verification:

// ✅ SECURE CODE
<?php
// 1. Verify signature FIRST
if (!verifySignature($payload, $signature, $secret)) {
    die('Invalid signature'); // Reject fake webhooks
}

// 2. THEN process (only if signature valid)
$data = json_decode($payload, true);
confirmOrder($orderId); // ✅ Aman!

Benefit:

• 🔒 Only webhooks dari Mutasibank yang diterima

• 🛡️ Protect dari spoofing/fraud

• ✅ Compliance dengan security best practices

Cara Kerja HMAC-SHA256

What is HMAC?

HMAC = Hash-based Message Authentication Code

Ini adalah cara untuk "menandatangani" message dengan secret key:

Signature = HMAC-SHA256(Message, Secret Key)

Flow Diagram:

Mutasibank Server:
1. Ada transaksi baru
2. Buat payload JSON
3. Calculate: signature = hmac_sha256(payload, webhook_secret)
4. Send POST dengan headers:
   - X-Mutasibank-Signature: [signature]
   - X-Mutasibank-Timestamp: [unix_time]
   - Body: [payload]

Your Server:
5. Receive POST request
6. Extract signature dari header
7. Get raw payload dari request body
8. Calculate: expected = hmac_sha256(payload, webhook_secret)
9. Compare: expected == signature?
   - ✅ YES: Process webhook
   - ❌ NO: Reject (fake webhook!)

Headers yang Dikirim:

Implementation Guide

PHP Implementation (RECOMMENDED)

<?php
/**
 * Secure Webhook Handler with Signature Verification
 */

// ============================================================================
// CONFIGURATION
// ============================================================================

// Get from Mutasibank Dashboard → Webhook Settings
define('WEBHOOK_SECRET', getenv('WEBHOOK_SECRET'));
define('TIMESTAMP_TOLERANCE', 300); // 5 minutes

// ============================================================================
// STEP 1: EXTRACT HEADERS
// ============================================================================

$signature = $_SERVER['HTTP_X_MUTASIBANK_SIGNATURE'] ?? '';
$timestamp = $_SERVER['HTTP_X_MUTASIBANK_TIMESTAMP'] ?? 0;
$webhookId = $_SERVER['HTTP_X_MUTASIBANK_WEBHOOK_ID'] ?? '';

// ============================================================================
// STEP 2: VALIDATE HEADERS
// ============================================================================

if (empty($signature) || empty($timestamp)) {
    http_response_code(401);
    die(json_encode([
        'error' => 'Missing required headers',
        'message' => 'X-Mutasibank-Signature and X-Mutasibank-Timestamp are required'
    ]));
}

// ============================================================================
// STEP 3: CHECK TIMESTAMP (Prevent Replay Attacks)
// ============================================================================

$currentTime = time();
$timeDiff = abs($currentTime - $timestamp);

if ($timeDiff > TIMESTAMP_TOLERANCE) {
    http_response_code(401);
    die(json_encode([
        'error' => 'Request expired',
        'message' => "Timestamp outside tolerance window ({$timeDiff}s difference)"
    ]));
}

// ============================================================================
// STEP 4: GET RAW PAYLOAD
// ============================================================================

// ⚠️ IMPORTANT: Use raw input, NOT $_POST!
// Signature is calculated on exact JSON bytes
$payload = file_get_contents('php://input');

if (empty($payload)) {
    http_response_code(400);
    die(json_encode(['error' => 'Empty payload']));
}

// ============================================================================
// STEP 5: VERIFY SIGNATURE
// ============================================================================

// Calculate expected signature
$expectedSignature = hash_hmac('sha256', $payload, WEBHOOK_SECRET);

// ⚠️ Use hash_equals() for constant-time comparison
// DON'T use == or === (vulnerable to timing attacks!)
if (!hash_equals($expectedSignature, $signature)) {
    error_log("Invalid webhook signature from webhook_id: {$webhookId}");

    http_response_code(401);
    die(json_encode([
        'error' => 'Invalid signature',
        'message' => 'Signature verification failed'
    ]));
}

// ============================================================================
// ✅ SIGNATURE VALID - PROCESS WEBHOOK
// ============================================================================

$data = json_decode($payload, true);

// Log successful webhook
error_log("Webhook verified successfully: {$webhookId}");

// Process transactions
foreach ($data['data_mutasi'] as $transaction) {
    $type = $transaction['type'] == 'CR' ? 'MASUK' : 'KELUAR';

    echo "Processing [{$type}] Rp " . number_format($transaction['amount']) . "\n";

    if ($transaction['type'] == 'CR') {
        // Handle incoming transaction
        processIncomingPayment($transaction);
    } else {
        // Handle outgoing transaction
        processOutgoingPayment($transaction);
    }
}

// ============================================================================
// SEND SUCCESS RESPONSE
// ============================================================================

http_response_code(200);
echo json_encode([
    'success' => true,
    'message' => 'Webhook processed',
    'webhook_id' => $webhookId,
    'transactions_processed' => count($data['data_mutasi'])
]);

// ============================================================================
// HELPER FUNCTIONS
// ============================================================================

function processIncomingPayment($transaction) {
    // Your business logic here
    // Example: Auto-confirm order, send email, update database

    // Extract order ID from description
    // Example: "TRANSFER FROM CUSTOMER ORDER-12345"
    if (preg_match('/ORDER-(\d+)/', $transaction['description'], $matches)) {
        $orderId = $matches[1];

        // Confirm order in your database
        // DB::table('orders')->where('id', $orderId)->update(['status' => 'paid']);

        // Send notification
        // sendWhatsApp($customer, "✅ Pembayaran order #{$orderId} confirmed!");

        echo "✅ Order #{$orderId} confirmed\n";
    }
}

function processOutgoingPayment($transaction) {
    // Handle debit transactions if needed
    echo "Debit transaction logged\n";
}

📥 Download complete example

Node.js Implementation (Express)

const express = require('express');
const crypto = require('crypto');

const app = express();
app.use(express.json());
app.use(express.raw({ type: 'application/json' }));

// Configuration
const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;
const TIMESTAMP_TOLERANCE = 300; // 5 minutes

// Webhook endpoint
app.post('/webhook/mutasibank', (req, res) => {
    // Extract headers
    const signature = req.headers['x-mutasibank-signature'] || '';
    const timestamp = parseInt(req.headers['x-mutasibank-timestamp']) || 0;
    const webhookId = req.headers['x-mutasibank-webhook-id'] || '';

    // Validate headers
    if (!signature || !timestamp) {
        return res.status(401).json({
            error: 'Missing signature headers'
        });
    }

    // Check timestamp (prevent replay attacks)
    const currentTime = Math.floor(Date.now() / 1000);
    const timeDiff = Math.abs(currentTime - timestamp);

    if (timeDiff > TIMESTAMP_TOLERANCE) {
        return res.status(401).json({
            error: 'Request expired',
            message: `Timestamp outside tolerance (${timeDiff}s difference)`
        });
    }

    // Get raw payload
    const payload = JSON.stringify(req.body);

    // Calculate expected signature
    const expectedSignature = crypto
        .createHmac('sha256', WEBHOOK_SECRET)
        .update(payload)
        .digest('hex');

    // Verify signature (constant-time comparison)
    if (!crypto.timingSafeEqual(
        Buffer.from(expectedSignature),
        Buffer.from(signature)
    )) {
        console.error('Invalid signature:', webhookId);
        return res.status(401).json({
            error: 'Invalid signature'
        });
    }

    // ✅ Signature valid - process webhook
    const data = req.body;

    console.log('✅ Webhook verified:', webhookId);

    // Process transactions
    data.data_mutasi.forEach(transaction => {
        if (transaction.type === 'CR') {
            // Handle incoming payment
            processIncomingPayment(transaction);
        }
    });

    res.json({
        success: true,
        webhook_id: webhookId,
        transactions_processed: data.data_mutasi.length
    });
});

function processIncomingPayment(transaction) {
    // Extract order ID
    const match = transaction.description.match(/ORDER-(\d+)/);

    if (match) {
        const orderId = match[1];
        console.log(`✅ Order #${orderId} confirmed`);

        // Your business logic:
        // - Update database
        // - Send email
        // - Send WhatsApp notification
    }
}

app.listen(3000, () => {
    console.log('Webhook server running on port 3000');
});

📥 Download complete example

Python Implementation (Flask)

from flask import Flask, request, jsonify
import hmac
import hashlib
import time
import json
import os

app = Flask(__name__)

# Configuration
WEBHOOK_SECRET = os.getenv('WEBHOOK_SECRET').encode()
TIMESTAMP_TOLERANCE = 300  # 5 minutes

@app.route('/webhook/mutasibank', methods=['POST'])
def webhook_handler():
    # Extract headers
    signature = request.headers.get('X-Mutasibank-Signature', '')
    timestamp = int(request.headers.get('X-Mutasibank-Timestamp', 0))
    webhook_id = request.headers.get('X-Mutasibank-Webhook-Id', '')

    # Validate headers
    if not signature or not timestamp:
        return jsonify({'error': 'Missing signature headers'}), 401

    # Check timestamp (prevent replay attacks)
    current_time = int(time.time())
    time_diff = abs(current_time - timestamp)

    if time_diff > TIMESTAMP_TOLERANCE:
        return jsonify({
            'error': 'Request expired',
            'time_diff': time_diff
        }), 401

    # Get raw payload
    payload = request.get_data()

    # Calculate expected signature
    expected_signature = hmac.new(
        WEBHOOK_SECRET,
        payload,
        hashlib.sha256
    ).hexdigest()

    # Verify signature (constant-time comparison)
    if not hmac.compare_digest(expected_signature, signature):
        print(f'Invalid signature: {webhook_id}')
        return jsonify({'error': 'Invalid signature'}), 401

    # ✅ Signature valid - process webhook
    data = request.json

    print(f'✅ Webhook verified: {webhook_id}')

    # Process transactions
    for transaction in data['data_mutasi']:
        if transaction['type'] == 'CR':
            process_incoming_payment(transaction)

    return jsonify({
        'success': True,
        'webhook_id': webhook_id,
        'transactions_processed': len(data['data_mutasi'])
    })

def process_incoming_payment(transaction):
    # Extract order ID from description
    import re
    match = re.search(r'ORDER-(\d+)', transaction['description'])

    if match:
        order_id = match.group(1)
        print(f'✅ Order #{order_id} confirmed')

        # Your business logic:
        # - Update database
        # - Send notifications

if __name__ == '__main__':
    app.run(port=3000)

📥 Download complete example

Security Best Practices

✅ DO (Must Implement!)

1. Always Verify Signature

// ✅ Good
if (!hash_equals($expected, $signature)) {
    die('Invalid signature');
}

// ❌ Bad - DON'T USE ==
if ($expected == $signature) { // Vulnerable to timing attacks!
    // ...
}

2. Check Timestamp (Prevent Replay Attacks)

$tolerance = 300; // 5 minutes
if (abs(time() - $timestamp) > $tolerance) {
    die('Request expired');
}

3. Use Raw Payload

// ✅ Good
$payload = file_get_contents('php://input');

// ❌ Bad
$payload = json_encode($_POST); // Wrong! Signature won't match

4. Constant-Time Comparison

// ✅ Good (PHP)
hash_equals($expected, $signature)

// ✅ Good (Node.js)
crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature))

// ✅ Good (Python)
hmac.compare_digest(expected, signature)

// ❌ Bad - ALL languages
$expected == $signature  // Timing attack vulnerable!

5. HTTPS Only

✅ https://yoursite.com/webhook
❌ http://yoursite.com/webhook (INSECURE!)

6. Store Secret Securely

# .env file
WEBHOOK_SECRET=your_64_char_secret_here

# ❌ DON'T hardcode in code
define('SECRET', 'abc123...'); // BAD!

❌ DON'T (Common Mistakes!)

1. Skip Signature Verification

// ❌ NEVER DO THIS!
$data = json_decode(file_get_contents('php://input'), true);
processWebhook($data); // 😱 No verification = DANGEROUS!

2. Use Wrong Comparison

// ❌ Vulnerable to timing attacks
if ($expected == $signature) { ... }

// ✅ Use constant-time
if (hash_equals($expected, $signature)) { ... }

3. Log Sensitive Data

// ❌ DON'T log secret!
error_log("Secret: " . WEBHOOK_SECRET);

// ❌ DON'T log signature
error_log("Signature: " . $signature);

// ✅ Log only webhook ID
error_log("Webhook received: " . $webhookId);

4. Wrong Payload

// ❌ Wrong - signature calculated on raw bytes
$payload = json_encode($_POST);

// ✅ Correct - use raw input
$payload = file_get_contents('php://input');

Testing & Debugging

Local Testing dengan cURL

Generate signature secara manual untuk testing:

#!/bin/bash

# Configuration
SECRET="your_webhook_secret_64_chars"
TIMESTAMP=$(date +%s)
PAYLOAD='{"api_key":"test","account_id":1,"data_mutasi":[{"amount":100000}]}'

# Calculate signature
SIGNATURE=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)

# Send test webhook
curl -X POST http://localhost:8000/webhook.php \
  -H "Content-Type: application/json" \
  -H "X-Mutasibank-Signature: $SIGNATURE" \
  -H "X-Mutasibank-Timestamp: $TIMESTAMP" \
  -H "X-Mutasibank-Webhook-Id: test-webhook-123" \
  -d "$PAYLOAD"

Expected response:

{
  "success": true,
  "webhook_id": "test-webhook-123",
  "transactions_processed": 1
}

Debug Checklist

Webhook tidak terkirim?

1. ✅ URL webhook publicly accessible (bukan localhost)?

2. ✅ SSL certificate valid?

3. ✅ Port 80/443 open (firewall)?

4. ✅ Endpoint return 200 OK?

"Invalid signature" error?

Common causes:

// 1. ❌ Pakai $_POST instead of raw input
$payload = json_encode($_POST); // WRONG!
$payload = file_get_contents('php://input'); // CORRECT!

// 2. ❌ Secret salah
// Check di Mutasibank dashboard, copy exactly!

// 3. ❌ Pakai == instead of hash_equals()
if ($a == $b) // WRONG!
if (hash_equals($a, $b)) // CORRECT!

"Request expired" error?

// Server time tidak sync?
// Install NTP dan sync time
sudo ntpdate -s time.nist.gov

// Atau increase tolerance (production use 300 = 5 min)
define('TIMESTAMP_TOLERANCE', 600); // 10 minutes (for testing)

Common Mistakes & Solutions

Mistake #1: Using == for Comparison

Problem:

if ($expected == $signature) { // ❌ Timing attack vulnerable!

Why bad?

• == operator return different time tergantung berapa karakter yang match

• Attacker bisa brute-force signature character by character

• Measuring response time → gradually discover signature

Solution:

if (hash_equals($expected, $signature)) { // ✅ Constant-time

Mistake #2: Wrong Payload

Problem:

$payload = json_encode($_POST); // ❌ Signature won't match!

Why bad?

• Signature calculated on exact raw bytes dari request body

• $_POST is parsed & might change formatting

Solution:

$payload = file_get_contents('php://input'); // ✅ Raw input

Mistake #3: Not Checking Timestamp

Problem:

// ❌ No timestamp check
verifySignature($payload, $signature);
processWebhook($payload);

Why bad?

• Attacker bisa capture valid webhook

• Replay it multiple times

• Trigger duplicate processing

Solution:

// ✅ Check timestamp first
if (abs(time() - $timestamp) > 300) {
    die('Expired');
}

Mistake #4: Logging Sensitive Data

Problem:

// ❌ DON'T DO THIS!
error_log("Webhook secret: " . WEBHOOK_SECRET);
error_log("Full payload: " . $payload); // Might contain sensitive data

Solution:

// ✅ Log only non-sensitive info
error_log("Webhook ID: {$webhookId}");
error_log("Transactions count: " . count($data['data_mutasi']));

Production Deployment

Environment Variables

# .env
WEBHOOK_SECRET=your_64_character_secret_from_dashboard
API_TOKEN=your_api_token
TIMESTAMP_TOLERANCE=300
ENABLE_LOGGING=true

Server Requirements

• ✅ PHP 7.4+ / Node.js 14+ / Python 3.8+

• ✅ SSL certificate (HTTPS required)

• ✅ Port 443 open

• ✅ Firewall configured

• ✅ NTP time sync enabled

Monitoring

Log these events:

• ✅ Webhook received (dengan webhook_id)

• ✅ Signature verification success/failure

• ✅ Transactions processed count

• ❌ DON'T log: secrets, signatures, sensitive data

Alert on:

• ⚠️ Multiple signature failures (potential attack)

• ⚠️ Webhook endpoint down

• ⚠️ Processing errors

FAQ

Q: Apakah wajib implement signature verification?

A: YA, WAJIB! Tanpa ini, sistem Anda vulnerable terhadap fraud. Attacker bisa kirim fake webhooks dan manipulasi sistem Anda.

Q: Berapa tolerance timestamp yang aman?

A: 300 seconds (5 menit) adalah balance yang baik antara security dan tolerance untuk network delay. Jangan set terlalu besar (risiko replay attack).

Q: Dimana dapat webhook secret?

A: Di Mutasibank Dashboard:

1. Login → Webhook Settings

2. Create webhook atau view existing

3. Secret akan ditampilkan (64 characters)

4. Copy & simpan di .env - Tidak bisa lihat lagi setelah close!

Q: Webhook secret sama untuk semua webhook?

A: Tidak. Setiap webhook punya secret sendiri (auto-generated saat create). Jika punya multiple webhooks, simpan secret masing-masing.

Q: Bisa regenerate secret?

A: Ya, tapi:

1. Old secret langsung invalid

2. Webhook existing akan gagal verification

3. Harus update secret di server Anda

4. Coordination needed untuk zero-downtime

Q: Apa itu timing attack?

A: Timing attack adalah teknik hacking yang measure response time untuk discover secret:

// Vulnerable code:
if ($a == $b) {
    // Comparison stops at first different character
    // Different timing for different positions!
}

// Safe code:
if (hash_equals($a, $b)) {
    // Always takes same time regardless of input
    // ✅ Secure!
}

Kesimpulan

Webhook signature verification adalah critical security measure untuk protect sistem Anda dari fraud dan spoofing attacks.

Key Takeaways:

✅ Always verify HMAC-SHA256 signatures

✅ Check timestamp untuk prevent replay attacks

✅ Use constant-time comparison (hash_equals, timingSafeEqual)

✅ HTTPS only untuk webhook URLs ✅ Store secrets securely di environment variables

✅ Test thoroughly sebelum production

Implementation time: 30-60 menit untuk basic setup

Security impact: Protect dari potential fraud senilai jutaan rupiah! 🔒

🚀 Start Building Secure Webhooks

Sudah punya account Mutasibank?

• ✓ Login → Create webhook → Get secret

• ✓ Download sample code (PHP/Node.js/Python)

• ✓ Implement verification

• ✓ Test locally

• ✓ Deploy to production

👉 Daftar Gratis 7 Hari

📚 Resources

Code Examples:

• 💻 GitHub Repository

• 📖 API Documentation

• 📘 Security Guide

Support:

• 💬 WhatsApp

• 📧 support@mutasibank.co.id

Related Articles:

• REST API Mutasi Bank - Dokumentasi Lengkap

• Coming soon: Best Practices Security untuk Banking API

• Coming soon: Error Handling & Retry Logic

Questions tentang webhook security? Drop a comment below! 👇

Found this helpful? Share dengan developer friends! 🙏

Tags: #webhook #security #hmac #php #nodejs #python #api #banking #tutorial

Butuh otomasi monitoring transaksi bank untuk sistem Anda? API Mutasibank menyediakan:

• ✅ 25+ REST API endpoints untuk complete automation

• ✅ 34 bank didukung (BCA, BRI, Mandiri, BNI, BSI, dll)

• ✅ Webhook callbacks dengan HMAC-SHA256 signature security

• ✅ Code examples siap pakai: PHP, Node.js, Python

• ✅ Gratis 7 hari trial untuk testing tanpa biaya

Reading time: 15 menit • Level: Intermediate

Daftar Isi

1. Apa itu API Mutasi Bank?

2. Getting Started

3. Authentication

4. Core Endpoints

5. Code Examples

6. Webhook Integration

7. Best Practices

8. FAQ

Apa itu API Mutasi Bank?

Pernahkah Anda menghabiskan berjam-jam untuk manual checking transfer bank setiap hari? Atau kehilangan customer karena verifikasi pembayaran terlalu lama?

REST API Mutasi Bank adalah solusi untuk mengotomasi 100% proses monitoring transaksi bank. Dengan API ini, sistem Anda bisa:

🎯 Use Cases Umum:

E-Commerce & Marketplace:

• Auto-confirm order saat customer transfer

• Match nominal dengan order ID

• Kirim konfirmasi instant ke customer

Gaming & Top-Up:

• Deteksi pembayaran otomatis (5-10 menit)

• Auto-process top-up saldo

• Hemat waktu operasional hingga 80%

Fintech & Payment Gateway:

• Build payment verification system

• Multi-bank support dalam 1 API

• Real-time balance monitoring

UMKM & Retail:

• Monitor transaksi multi-cabang

• Deteksi anomali transaksi

• Laporan keuangan otomatis

🏦 Supported Banks (34 Total):

• BCA (5 variants): KlikBCA, BCA API, BCA SNAP, BCA Giro, BCA Syariah

• BRI (6 variants): BRI IB, BRI Giro, BRI CMS, IBBIZ, Qlola

• Mandiri (6 variants): Livin', Mandiri IB, Mandiri Giro, MCM Corporate

• BNI (4 variants): BNI IB, BNI Mobile, BNI Giro, BNI Direct NG

• BSI (4 variants): BSI IB, BSI CMS, BSI Remittance, BSI CUZ

• Others (9 banks): Muamalat, CIMB, Sinarmas, Permata, Jago, dll

👉 Lihat daftar lengkap bank yang didukung

Getting Started

Prerequisites

Sebelum mulai, pastikan Anda punya:

• ✅ PHP 7.4+ / Node.js 14+ / Python 3.8+

• ✅ Account Mutasibank (daftar gratis 7 hari)

• ✅ API Token (dari dashboard Mutasibank)

• ✅ Basic knowledge: HTTP, JSON, REST API

Step 1: Get Your API Token

1. Login ke mutasibank.co.id

2. Go to Dashboard → API Key

3. Copy your API token

4. Simpan di environment variable (jangan hardcode!)

# .env
MUTASIBANK_API_TOKEN=your_api_token_here

Step 2: Quick Test

Test API dengan cURL untuk memastikan token valid:

curl -X GET "https://mutasibank.co.id/api/v1/user" \
  -H "Authorization: Bearer YOUR_API_TOKEN"

Expected response:

{
  "error": false,
  "data": {
    "name": "John Doe",
    "email": "john@example.com",
    "saldo": 100000,
    "jenis_akun": "advance"
  }
}

✅ Jika dapat response seperti ini, token Anda valid!

Authentication

Bearer Token Authentication

Semua API request memerlukan Bearer token di header:

Authorization: Bearer YOUR_API_TOKEN

Security Best Practices

❌ Bad Practice (DON'T DO THIS):

<?php
// Hardcoded token - DANGEROUS!
$token = "abc123def456ghi789";

✅ Good Practice (DO THIS):

<?php
// Store in environment variable
$token = getenv('MUTASIBANK_API_TOKEN');

// Or with Laravel
$token = env('MUTASIBANK_API_TOKEN');

// Node.js with dotenv
require('dotenv').config();
const token = process.env.MUTASIBANK_API_TOKEN;

# Python with python-dotenv
import os
from dotenv import load_dotenv

load_dotenv()
token = os.getenv('MUTASIBANK_API_TOKEN')

Error Responses

401 Unauthorized:

{
  "error": true,
  "message": "User not found"
}

Solusi: Check token Anda di dashboard, pastikan masih valid.

Core Endpoints

API Mutasibank menyediakan 25+ endpoints untuk complete automation. Berikut endpoint-endpoint utama:

1. User Management

GET /api/v1/user

Get informasi user yang sedang login (balance, package, dll).

Request:

curl -X GET "https://mutasibank.co.id/api/v1/user" \
  -H "Authorization: Bearer YOUR_TOKEN"

Response:

{
  "error": false,
  "data": {
    "name": "John Doe",
    "email": "john@example.com",
    "saldo": 100000,
    "jenis_akun": "advance"
  }
}

2. Bank Accounts

GET /api/v1/accounts

Get semua bank account yang terdaftar.

Request:

curl -X GET "https://mutasibank.co.id/api/v1/accounts" \
  -H "Authorization: Bearer YOUR_TOKEN"

Response:

{
  "error": false,
  "data": [
    {
      "id": 1,
      "unique_id": "abc123def",
      "bank_name": "Bank BCA Personal",
      "account_name": "PT Example Indonesia",
      "account_number": "1234567890",
      "is_active": true,
      "last_check": "2025-10-02 10:30:00",
      "last_balance": 5000000,
      "status": "online"
    }
  ]
}

POST /api/v1/account/create

Daftarkan bank account baru untuk di-monitor.

Request:

curl -X POST "https://mutasibank.co.id/api/v1/account/create" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "bank_id": 1,
    "account_name": "PT Example",
    "account_no": "1234567890",
    "user_banking": "your_username",
    "password_banking": "your_password",
    "schedule_minutes": 10
  }'

Response:

{
  "error": false,
  "message": "Account created successfully",
  "data": {
    "id": 123,
    "unique_id": "xyz789",
    "bank_name": "Bank BCA Personal"
  }
}

Other Account Endpoints:

• GET /api/v1/account/{id} - Get single account

• PUT /api/v1/account/{id} - Update account

• DELETE /api/v1/account/{id} - Delete account

• POST /api/v1/account/{id}/toggle - Enable/disable monitoring

• POST /api/v1/account/{id}/input_token - Input BCA token (untuk BCA)

• POST /api/v1/account/{id}/rerun - Manually trigger check

• GET /api/v1/account/{id}/log_bot - Get bot activity logs

3. Transactions (Bank Statements)

GET /api/v1/account/{id}/statements

Get transaction history dari bank account.

Parameters:

• start_date (required): Format Y-m-d (e.g., 2025-01-01)

• end_date (required): Format Y-m-d

Request:

curl -X GET "https://mutasibank.co.id/api/v1/account/1/statements?start_date=2025-10-01&end_date=2025-10-02" \
  -H "Authorization: Bearer YOUR_TOKEN"

Response:

{
  "error": false,
  "data": [
    {
      "id": "uuid-transaction-id",
      "unique_id": "TRX20251002001",
      "transaction_date": "2025-10-02",
      "description": "TRANSFER FROM JOHN DOE ORDER-12345",
      "type": "CR",
      "amount": 150000,
      "balance": 5150000
    }
  ]
}

Field explanation:

• type: CR = Credit (uang masuk), DB = Debit (uang keluar)

• amount: Nominal transaksi

• balance: Saldo setelah transaksi

• description: Keterangan dari bank

POST /api/v1/account/{id}/match

Find transaction by amount (single result).

Request:

curl -X POST "https://mutasibank.co.id/api/v1/account/1/match" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"amount": 150000}'

Use case: Match pembayaran customer dengan order amount.

POST /api/v1/account/{id}/match_multiple

Find ALL transactions yang match dengan amount (multiple results).

Use case: Untuk amount yang mungkin muncul berkali-kali (e.g., harga produk yang sama).

POST /api/v1/transaction/{id}/validate

Validate specific transaction by ID.

curl -X POST "https://mutasibank.co.id/api/v1/transaction/uuid-123/validate" \
  -H "Authorization: Bearer YOUR_TOKEN"

4. Webhooks

GET /api/v1/webhooks

List all registered webhooks.

POST /api/v1/webhook/create

Create webhook untuk receive real-time notifications.

Request:

{
  "url": "https://yoursite.com/webhook/mutasibank",
  "bank_account_id": 1,
  "description": "Production webhook"
}

Response includes:

• Webhook ID

• Webhook Secret (64 chars) - SIMPAN INI untuk signature verification!

Other Webhook Endpoints:

• PUT /api/v1/webhook/{id} - Update webhook

• DELETE /api/v1/webhook/{id} - Delete webhook

• GET /api/v1/webhook/{id} - Get webhook details

5. Other Endpoints

Categories:

• GET /api/v1/categories - Transaction categories

• POST /api/v1/category - Create category

• PUT /api/v1/category/{id} - Update category

• DELETE /api/v1/category/{id} - Delete category

Billing:

• POST /api/v1/topup - Create top-up request

📖 Lihat semua 25+ endpoints di Swagger UI

Code Examples

PHP Implementation

Install helper class:

git clone https://github.com/daffigusti/mutasi_api_sample
cd mutasi_api_sample

Basic usage:

<?php
require_once 'Helper.php';

// Initialize
$api = new MutasibankAPI('your-api-token');

// Get user info
$user = $api->getUser();
echo "Balance: Rp " . number_format($user['data']['saldo']) . "\n";

// Get all accounts
$accounts = $api->getAccounts();
foreach ($accounts['data'] as $account) {
    echo "{$account['bank_name']}: {$account['account_number']}\n";
    echo "Balance: Rp " . number_format($account['last_balance']) . "\n";
}

// Get transactions (last 7 days)
$accountId = 1;
$transactions = $api->getStatements(
    $accountId,
    date('Y-m-d', strtotime('-7 days')),
    date('Y-m-d')
);

foreach ($transactions['data'] as $tx) {
    $type = $tx['type'] == 'CR' ? 'MASUK' : 'KELUAR';
    echo "[{$type}] {$tx['description']}: Rp " . number_format($tx['amount']) . "\n";
}

// Match transaction by amount
$amount = 150000;
$match = $api->matchTransaction($accountId, $amount);

if (!$match['error']) {
    echo "Found transaction:\n";
    echo "Description: {$match['data']['description']}\n";
    echo "Date: {$match['data']['transaction_date']}\n";
} else {
    echo "Transaction not found\n";
}

// Create new account
$newAccount = $api->createAccount([
    'bank_id' => 1, // BCA
    'account_name' => 'PT Example',
    'account_no' => '1234567890',
    'user_banking' => 'username_klikbca',
    'password_banking' => 'password_klikbca',
    'schedule_minutes' => 10,
    'url_callback' => 'https://yoursite.com/webhook'
]);

print_r($newAccount);

📥 Download complete Helper.php

Node.js Implementation

const axios = require('axios');

class MutasibankAPI {
    constructor(apiToken) {
        this.baseURL = 'https://mutasibank.co.id/api/v1';
        this.token = apiToken;
        this.headers = {
            'Authorization': `Bearer ${apiToken}`,
            'Content-Type': 'application/json'
        };
    }

    // Get user info
    async getUser() {
        const response = await axios.get(`${this.baseURL}/user`, {
            headers: this.headers
        });
        return response.data;
    }

    // Get all accounts
    async getAccounts() {
        const response = await axios.get(`${this.baseURL}/accounts`, {
            headers: this.headers
        });
        return response.data;
    }

    // Get transactions
    async getStatements(accountId, startDate, endDate) {
        const response = await axios.get(
            `${this.baseURL}/account/${accountId}/statements`,
            {
                headers: this.headers,
                params: {
                    start_date: startDate,
                    end_date: endDate
                }
            }
        );
        return response.data;
    }

    // Match transaction
    async matchTransaction(accountId, amount) {
        const response = await axios.post(
            `${this.baseURL}/account/${accountId}/match`,
            { amount },
            { headers: this.headers }
        );
        return response.data;
    }
}

// Usage
const api = new MutasibankAPI(process.env.MUTASIBANK_TOKEN);

(async () => {
    // Get accounts
    const accounts = await api.getAccounts();
    console.log('Accounts:', accounts.data);

    // Get today's transactions
    const today = new Date().toISOString().split('T')[0];
    const transactions = await api.getStatements(1, today, today);
    console.log('Transactions:', transactions.data);

    // Match transaction
    const match = await api.matchTransaction(1, 150000);
    if (!match.error) {
        console.log('Found:', match.data);
    }
})();

Python Implementation

import requests
from datetime import date, timedelta
import os

class MutasibankAPI:
    def __init__(self, api_token):
        self.base_url = 'https://mutasibank.co.id/api/v1'
        self.token = api_token
        self.headers = {
            'Authorization': f'Bearer {api_token}',
            'Content-Type': 'application/json'
        }

    def get_user(self):
        response = requests.get(
            f'{self.base_url}/user',
            headers=self.headers
        )
        return response.json()

    def get_accounts(self):
        response = requests.get(
            f'{self.base_url}/accounts',
            headers=self.headers
        )
        return response.json()

    def get_statements(self, account_id, start_date, end_date):
        response = requests.get(
            f'{self.base_url}/account/{account_id}/statements',
            headers=self.headers,
            params={
                'start_date': start_date,
                'end_date': end_date
            }
        )
        return response.json()

    def match_transaction(self, account_id, amount):
        response = requests.post(
            f'{self.base_url}/account/{account_id}/match',
            headers=self.headers,
            json={'amount': amount}
        )
        return response.json()

# Usage
api = MutasibankAPI(os.getenv('MUTASIBANK_TOKEN'))

# Get user
user = api.get_user()
print(f"Balance: Rp {user['data']['saldo']:,}")

# Get accounts
accounts = api.get_accounts()
for account in accounts['data']:
    print(f"{account['bank_name']}: {account['account_number']}")

# Get last 7 days transactions
today = date.today()
last_week = today - timedelta(days=7)

transactions = api.get_statements(
    account_id=1,
    start_date=last_week.strftime('%Y-%m-%d'),
    end_date=today.strftime('%Y-%m-%d')
)

for tx in transactions['data']:
    tx_type = 'MASUK' if tx['type'] == 'CR' else 'KELUAR'
    print(f"[{tx_type}] {tx['description']}: Rp {tx['amount']:,}")

Webhook Integration

Webhook adalah cara paling efisien untuk menerima notifikasi transaksi tanpa perlu polling.

How Webhooks Work

Bank Transaction Occurs
         ↓
Mutasibank detects (5-10 min)
         ↓
Mutasibank sends POST to your URL
         ↓
Your server processes instantly

Create Webhook

$webhook = $api->createWebhook([
    'url' => 'https://yoursite.com/webhook/mutasibank',
    'bank_account_id' => 1,
    'description' => 'Production webhook for account BCA'
]);

// IMPORTANT: Save webhook secret!
$secret = $webhook['data']['secret']; // 64 characters
// Store this in environment variable

Webhook Payload

Setiap kali ada transaksi baru, Mutasibank akan POST ke URL Anda:

{
  "api_key": "your_api_token",
  "account_id": 123,
  "module": "bca",
  "account_name": "PT Example",
  "account_number": "1234567890",
  "balance": 5150000,
  "data_mutasi": [
    {
      "id": "uuid-tx-id",
      "transaction_date": "2025-10-02 14:30:00",
      "description": "TRANSFER FROM CUSTOMER ORDER-12345",
      "type": "CR",
      "amount": 150000,
      "balance": 5150000
    }
  ]
}

Webhook Security (CRITICAL!)

🔒 Selalu verifikasi signature untuk prevent fraud!

Headers yang dikirim:

X-Mutasibank-Signature: abc123...  (HMAC-SHA256 hash)
X-Mutasibank-Timestamp: 1696234567 (Unix timestamp)
X-Mutasibank-Webhook-Id: uuid-webhook-id

PHP Verification:

<?php
// Get headers
$signature = $_SERVER['HTTP_X_MUTASIBANK_SIGNATURE'] ?? '';
$timestamp = $_SERVER['HTTP_X_MUTASIBANK_TIMESTAMP'] ?? '';

// Get raw payload
$payload = file_get_contents('php://input');

// Get webhook secret (from dashboard when creating webhook)
$secret = getenv('WEBHOOK_SECRET'); // 64 chars

// Verify timestamp (prevent replay attacks)
if (abs(time() - $timestamp) > 300) { // 5 minutes tolerance
    http_response_code(401);
    die(json_encode(['error' => 'Request expired']));
}

// Calculate expected signature
$expectedSignature = hash_hmac('sha256', $payload, $secret);

// Verify signature (use constant-time comparison!)
if (!hash_equals($expectedSignature, $signature)) {
    http_response_code(401);
    die(json_encode(['error' => 'Invalid signature']));
}

// ✅ Signature valid - process webhook
$data = json_decode($payload, true);

foreach ($data['data_mutasi'] as $transaction) {
    // Your business logic here
    if ($transaction['type'] == 'CR') { // Credit (uang masuk)
        // Auto-confirm order
        $orderId = extractOrderId($transaction['description']);
        confirmOrder($orderId, $transaction['amount']);
    }
}

http_response_code(200);
echo json_encode(['success' => true]);

📥 Download complete webhook examples (PHP, Node.js, Python)

Best Practices

1. Security

✅ DO:

• Always use HTTPS for webhook URLs

• Verify HMAC signatures (use hash_equals())

• Check timestamp to prevent replay attacks

• Store secrets in environment variables

• Enable SSL verification in cURL

• Log webhook activity (without sensitive data)

❌ DON'T:

• Use HTTP for webhooks (insecure!)

• Skip signature verification (risk of fraud!)

• Use == for signature comparison (timing attack vulnerable)

• Hardcode API tokens in code

• Log sensitive data (passwords, tokens)

2. Performance

✅ Optimize dengan:

• Cache API responses (5-10 min untuk balance)

• Use webhooks instead of constant polling

• Batch operations when possible

• Implement queue for webhook processing

• Set reasonable timeouts (30 seconds)

3. Error Handling

<?php
function callAPIWithRetry($callback, $maxRetries = 3) {
    $attempt = 0;
    $delay = 1; // seconds

    while ($attempt < $maxRetries) {
        try {
            return $callback();
        } catch (Exception $e) {
            $attempt++;

            if ($attempt >= $maxRetries) {
                // Log error
                error_log("API Error after {$maxRetries} retries: " . $e->getMessage());
                throw $e;
            }

            // Exponential backoff: 1s, 2s, 4s
            sleep($delay);
            $delay *= 2;
        }
    }
}

// Usage
$accounts = callAPIWithRetry(function() use ($api) {
    return $api->getAccounts();
});

4. Production Checklist

Sebelum production, pastikan:

• [ ] API token disimpan di environment variable

• [ ] Webhook signature verification implemented

• [ ] SSL certificate valid untuk webhook URL

• [ ] Error logging & monitoring setup

• [ ] Retry logic untuk API calls

• [ ] Rate limiting awareness (60 req/min recommended)

• [ ] Queue workers running (untuk webhook processing)

• [ ] Alerting untuk critical errors

Real-World Use Case: E-Commerce Auto-Confirm

Contoh complete implementation untuk auto-confirm order:

<?php
// webhook_handler.php

// 1. Verify signature (lihat code di atas)
verifyWebhookSignature();

// 2. Parse payload
$data = json_decode(file_get_contents('php://input'), true);

// 3. Process each transaction
foreach ($data['data_mutasi'] as $transaction) {
    if ($transaction['type'] == 'CR') { // Uang masuk
        // Extract order ID from description
        // Example: "TRANSFER FROM CUSTOMER ORDER-12345"
        preg_match('/ORDER-(\d+)/', $transaction['description'], $matches);

        if (isset($matches[1])) {
            $orderId = $matches[1];

            // Find order in database
            $order = DB::table('orders')
                ->where('id', $orderId)
                ->where('total', $transaction['amount'])
                ->where('status', 'pending')
                ->first();

            if ($order) {
                // Update order status
                DB::table('orders')->where('id', $orderId)->update([
                    'status' => 'paid',
                    'payment_proof' => $transaction['id'],
                    'paid_at' => $transaction['transaction_date']
                ]);

                // Send confirmation email
                Mail::to($order->customer_email)->send(
                    new OrderConfirmedEmail($order)
                );

                // Send WhatsApp notification
                WhatsApp::send(
                    $order->customer_phone,
                    "✅ Pembayaran order #{$orderId} telah dikonfirmasi! Terima kasih."
                );

                // Log success
                Log::info('Order auto-confirmed', [
                    'order_id' => $orderId,
                    'amount' => $transaction['amount'],
                    'tx_id' => $transaction['id']
                ]);
            }
        }
    }
}

http_response_code(200);
echo json_encode(['success' => true]);

Benefit:

• ⚡ Auto-confirm dalam 5-10 menit (sesuai schedule)

• 🤖 Zero manual work

• 📉 Reduce customer complaints

• 📈 Increase customer satisfaction

FAQ

Q: Berapa rate limit API?

A: Currently tidak ada hard limit, tapi kami recommend maksimal 60 requests/minute untuk optimal performance.

Q: Apakah ada sandbox/testing environment?

A: Ya! Gunakan free 7-day trial untuk testing dengan real bank accounts. Atau bisa create test account dengan minimal balance.

Q: Bagaimana billing calculation?

A: Harga per rekening per hari:

• Standard: Rp 2.000/hari (untuk 10 bank tertentu)

• Advanced: Rp 3.500/hari (untuk 24 bank)

Monitor 10 rekening = Rp 20.000-35.000/hari.

Lihat detail pricing

Q: Support bank apa saja?

A: Total 34 bank didukung, termasuk:

• BCA (5 variants)

• BRI (6 variants)

• Mandiri (6 variants)

• BNI (4 variants)

• BSI, CIMB, Permata, Muamalat, dll

Lihat daftar lengkap

Q: Webhook retry policy?

A: Jika webhook gagal terkirim, sistem auto-retry 3 kali dengan exponential backoff:

• Retry 1: 1 second

• Retry 2: 5 seconds

• Retry 3: 25 seconds

Jika tetap gagal, akan di-queue untuk manual retry.

Q: Maximum transaction history?

A: Unlimited. Semua data transaksi disimpan permanent untuk keperluan audit dan reporting.

Q: Apakah bisa real-time?

A: Tergantung bank dan paket:

• Web scraping: 5-10 menit (sesuai schedule)

• BCA API/SNAP: Near real-time (1-2 menit)

• Webhook: Notifikasi instant setelah deteksi

Kesimpulan

REST API Mutasi Bank menyediakan solusi complete untuk otomasi monitoring transaksi bank:

✅ 25+ endpoints untuk semua kebutuhan

✅ 34 bank didukung dengan berbagai jenis rekening

✅ Webhook untuk real-time notifications

✅ Security dengan HMAC-SHA256 signatures

✅ Code examples ready-to-use untuk 3 bahasa

✅ Production-ready dengan retry logic & error handling

🚀 Ready to Automate Your Bank Monitoring?

Daftar sekarang dan dapatkan:

• ✓ 7 hari trial GRATIS tanpa biaya di awal

• ✓ Full API access dengan 25+ endpoints

• ✓ 34 banks supported (BCA, BRI, Mandiri, BNI, dll)

• ✓ Webhook integration dengan signature security

• ✓ Priority support via WhatsApp

👉 Daftar Gratis Sekarang

📚 Resources

Documentation:

• 📖 Interactive API Docs (Swagger UI)

• 💻 Sample Code Repository (GitHub)

• 📘 Postman Collection

Support:

• 💬 WhatsApp Support

• 📧 Email: support@mutasibank.co.id

• 🌐 Website: mutasibank.co.id

Related Articles:

• Coming soon: Webhook Signature Verification Tutorial

• Coming soon: Best Practices Security untuk Banking API

• Coming soon: Cara Integrasi dengan Laravel

Questions? Drop a comment below atau hubungi kami via WhatsApp! 👇

Found this helpful? Jangan lupa like dan share! 🙏

Tags: #api #rest #banking #indonesia #webhook #php #nodejs #python #tutorial #developer