To ensure that the response you are receiving is genuine, we are sending a custom header Signature including an HMAC signature hashed by Profile ServerKey for you to validate and verify the response.


In this article you will be going to know how to perform this via:


via Callbacks and IPNs URLs


To Keep your Callback/IPN URL secure and to verify the response we are sending a custom header Signature including HMAC signature of the entire request body hashed by Profile ServerKey. To validate and verify the Signature locally kindly follow the below steps:


  1. Calculate the Hash (sha256 algorithm) of the whole payload received.
  2. Compare the calculated in step 1 with the signature payload received.



Sample PHP Code:

function is_genuine($payload, $requestSignature, $serverKey)
    {
        $signature = hash_hmac('sha256', $payload, $serverKey);

        if (hash_equals($signature, $requestSignature) === TRUE) {
            // VALID Redirect
            return true;
        } else {
            // INVALID Redirect
            return false;
        }
    }

via The Return URL


To validate and verify the response received when the customer is redirected back to the provided return URL after the payment, unlike IPN/Callback, the response received on the return page should be run through a longer validation process. To validate and verify the Signature locally kindly follow the below steps:


Assuming that your server key is "SGJNZ96JLG-JDMKHGRWT9-RWRK2KJNRJ", and this is the raw content you received with the POST return URL redirection:


acquirerMessage=&acquirerRRN=&cartId=cart_11111&customerEmail=email%40domain.com&respCode=G84718&respMessage=Authorised&respStatus=A&signature=7a181a32c768621eb6966107752ee70205a01f1c4403a3d13c0ff604f591f988&token=&tranRef=TST2215201242166



  1. Remove the signature parameter from the response. You are expected to have a result like the one shown below:

    acquirerMessage=&acquirerRRN=&cartId=cart_11111&[email protected]&respCode=G84718&respStatus=A&token=&tranRef=TST2215201242166&respMessage=Authorised


  2. After that, remove any empty parameters as well sent you in this response. You are expected to have a result like the one shown below:

    cartId=cart_11111&[email protected]&respCode=G84718&respStatus=A&tranRef=TST2215201242166&respMessage=Authorised


  3. Then sort the response by the keys of the sent parameters. You will have a result like the one shown below:

    cartId=cart_11111&[email protected]&respCode=G84718&respMessage=Authorised&respStatus=A&tranRef=TST2215201242166


  4. Then perform a url_encoding to the parameters (key and values), so that you can have a result like the one shown below:

    cartId=cart_11111&customerEmail=email%40domain.com&respCode=G84718&respMessage=Authorised&respStatus=A&tranRef=TST2215201242166



  5. Hash the final result you have (as shown in the previous step) using the "sha256" scheme along with your ServerKey as a key. You will have a result like the one shown below:

    7a181a32c768621eb6966107752ee70205a01f1c4403a3d13c0ff604f591f988


  6. Compare this result with the signature payload received.




Sample PHP Code:

function is_valid_redirect($post_values)
    {
        if (empty($post_values) || !array_key_exists('signature', $post_values)) {
            return false;
        }

        $serverKey = $this->server_key;

        // Request body include a signature post Form URL encoded field
        // 'signature' (hexadecimal encoding for hmac of sorted post form fields)
        $requestSignature = $post_values["signature"];
        unset($post_values["signature"]);
        $fields = array_filter($post_values);

        // Sort form fields
        ksort($fields);

        // Generate URL-encoded query string of Post fields except signature field.
        $query = http_build_query($fields);

        return $this->is_genuine($query, $requestSignature, $serverKey);
    }


 private function is_genuine($data, $requestSignature, $serverKey)
    {
        $signature = hash_hmac('sha256', $data, $serverKey);

        if (hash_equals($signature, $requestSignature) === TRUE) {
            // VALID Redirect
            return true;
        } else {
            // INVALID Redirect
            return false;
        }
    }