Signature Configuration

To strengthen the security of payment result notifications, we provide a default mechanism for generating a signature parameter when they are sent. This parameter is optional; use it only if you want an additional level of security on payment notifications to counter possible outside attacks and breaches.

It consists of 3 steps:

  • All parameters are sorted alphabetically by name.
  • Values of the sorted parameters are concatenated.
  • One of the available algorithms is applied to the resulting string to generate the sign parameter. It uses the signature key predefined on the service, which is known only to you and Centili and should be defined together by both parties.

Available hashing algorithms are: SHA1, SHA256 and MD5.

📘

Note:

Neither the 'sign' parameter nor the signature key should be part of the concatenated list.

Example of the hashing procedure

List of the parameters that need to be sent:

  • mnocode=RS_VIP
  • reference=12345678
  • enduserprice=1.00
  • transactionid=1488787
  • phone=4366124567
  • country=rs
  • status=success
  • revenue=8.0564
  • service=fc865026b76093fa8cae153740af25c8

Sorted list (alphabetically, by name):

  • country=rs
  • enduserprice=1.00
  • mnocode=RS_VIP
  • phone=4366124567
  • reference=12345678
  • revenue=8.0564
  • service=fc865026b76093fa8cae153740af25c8
  • status=failed
  • transactionid=1488787

All the parameters gathered into one string:

rs1.00RS_VIP4366124567123456788.0564fc865026b76093fa8cae153740af25c8failed1488787

If we assume that the signature key is "centili", the calculated HMAC-SHA1 hash, in lowercase characters, looks like this:

d68f3fe4ee821250c65a50e208a9f7be927701d4

Finally, the sign parameter is added to the GET request:

reference=12345678&country=rs&mnocode=RS_VIP&price=1.00&phone=4366124567&revenue=8.0564&service=fc865026b76093fa8cae153740af25c8&status=success&transactionid=1488787&sign=d68f3fe4ee821250c65a50e208a9f7be927701d4

🚧

Keep in mind

Service parameter (API key) is not the same as signature key.

❗️

Note:

The example above is primarily intended to explain the sign parameter.
The list of parameters received in an actual notification may include additional parameters, which can be found in the parameter list for the corresponding notification/redirection system. All parameters within the notification/redirection are included in the sign parameter calculation, including query parameters that are pre-attached to the notification/redirect URL.
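
The receiving side of the three steps above, as an added example (not Centili's own code): it rebuilds the concatenated string from whatever parameters arrive, recomputes the HMAC and compares it with the received sign value in constant time. The function names, the use of HMAC for SHA256 and MD5 as well as SHA1, ordinary string ordering of names, and the rejection of repeated parameter names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Algorithms the page lists. Using HMAC for all three is an assumption;
# the page shows HMAC explicitly only for SHA1.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "MD5": hashlib.md5}


def canonical_string(params):
    """Sort parameters by name and concatenate their values, skipping 'sign'."""
    return "".join(params[name] for name in sorted(params) if name != "sign")


def compute_sign(params, key, algorithm="SHA1"):
    """Lowercase hex HMAC of the canonical string under the signature key."""
    message = canonical_string(params).encode()
    return hmac.new(key.encode(), message, ALGORITHMS[algorithm]).hexdigest()


def verify_notification(query_string, key, algorithm="SHA1"):
    """Return True only if the query string carries a valid 'sign' value."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    params = dict(pairs)
    # Assumption: a repeated name is rejected, because the page does not say
    # how duplicates would be ordered in the concatenation.
    if len(params) != len(pairs) or "sign" not in params:
        return False
    expected = compute_sign(params, key, algorithm)
    # Constant-time comparison: do not reveal how many characters matched.
    return hmac.compare_digest(expected.encode(), params["sign"].lower().encode())


# Constructed sample: the values from the page's sorted list.
SAMPLE = {
    "country": "rs",
    "enduserprice": "1.00",
    "mnocode": "RS_VIP",
    "phone": "4366124567",
    "reference": "12345678",
    "revenue": "8.0564",
    "service": "fc865026b76093fa8cae153740af25c8",
    "status": "failed",
    "transactionid": "1488787",
}
```

Because every parameter present in the request goes into the calculation, the verifier works from the received query string rather than from a fixed list of names.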