In order to improve security details, we provided the default mechanism for generating signature parameter when sending payment result notifications. This parameter is optional and you should use it only if you want to add an additional security level to the payment notifications in order to counter eventual outside attacks and breaches.
It consists of 3 steps:
- All parameters are sorted alphabetically by name.
- Values of the sorted parameters are concatenated.
- One of available algorithms is applied on the resulted string which will generate sign parameter (using the signature key which is predefined on the service, which will be known only to you and Centili, and it should be defined with both parties involved).
Available hashing algorithms are: SHA1, SHA256 and MD5.
The 'sign' parameter, nor signature key should NOT be the part of concatenated list.
List of the parameters that needs to be sent:
Sorted list (alphabeticaly, by name):
All the parameters gathered into one string:
If we assume that the signature key is "centili", the calculated HMAC-SHA1 hash in lowercase characters will look as the example below:
Finally, signature parameters are added to the GET request:
Keep in mind
Service parameter (API key) is not the same as signature key.
Example above is primarily for sign parameter explanation purposes.
List of parameters received in the actual notification may include some additional parameters that can be found in the parameter list for corresponding notification/redirection system. All parameters within the notification/redirection will be included in sign parameter calculation, including query parameters that are pre-attached to the notification/redirect URL.
Updated about a year ago