
# Validate the notification signature

The request signature is an HMAC-SHA1 over the request parameters, keyed with your `accessKey`. To reproduce and verify it, follow these steps:

1. Read the entire `POST` request body.

`merchantId=1002463580&merchantReference=cb180040-7210-4ab9-97b7-415824754802&paymentType=2&transactionType=3&eventId=1002593570&eventType=Authorize&objectId=1002593555&objectType=Transaction&message=&timeZone=Etc%2FUTC&createdAt=1556234040954&accessId=M8RaHgEjBE54zuFYMRQq&paymentProviderTransaction.status=AC100&paymentProviderTransaction.statusMessage=AC100&status=2&statusMessage=Authorized`

2. URL-decode the body (percent-decoding, with `+` read as a space), treating the result as `UTF-8`. Note `timeZone=Etc%2FUTC` becoming `timeZone=Etc/UTC`:

`merchantId=1002463580&merchantReference=cb180040-7210-4ab9-97b7-415824754802&paymentType=2&transactionType=3&eventId=1002593570&eventType=Authorize&objectId=1002593555&objectType=Transaction&message=&timeZone=Etc/UTC&createdAt=1556234040954&accessId=M8RaHgEjBE54zuFYMRQq&paymentProviderTransaction.status=AC100&paymentProviderTransaction.statusMessage=AC100&status=2&statusMessage=Authorized`

3. Compute the HMAC-SHA1 of the decoded string with your `accessKey` as the key (or the alternative algorithm configured for your app) and Base64-encode the digest.

`EYN3GXasrVU1vQ1uyYz22NNQdy4=`

4. Take the `Authorization` header and remove the `Basic ` prefix.

`TThSYUhnRWpCRTU0enVGWU1SUXE6RVlOM0dYYXNyVlUxdlExdXlZejIyTk5RZHk0PQ==`

5. Base64-decode the remainder to get an `accessId:signature` string.

`M8RaHgEjBE54zuFYMRQq:EYN3GXasrVU1vQ1uyYz22NNQdy4=`

6. Split the decoded string on the `:` to get the signature.

`EYN3GXasrVU1vQ1uyYz22NNQdy4=`

7. Compare the value calculated in Step 3 (`EYN3GXasrVU1vQ1uyYz22NNQdy4=`) with the value extracted in Step 6 (`EYN3GXasrVU1vQ1uyYz22NNQdy4=`). Use a constant-time comparison, and also check that the `accessId` from Step 5 is the one issued to your app. If both match, the request is authentic; if they do not, reject the notification. If failures continue for a long period of time, contact Trustly.

If your app has been configured to receive redirect signatures using an alternative algorithm, the `requestSignature` included in the redirect is prefixed with the algorithm label. For example:

`requestSignature: "HmacSHA512:RuYv5esOLn2f4F4NU5bz7YGLITEtLVQrciiEm0dCrn/O1DJ9E5hLwIYTyd5DHBJBxAhdxuKp655bG/gymoPt+g=="`

Verify with the algorithm your app is configured for; treat the label as something to check against that configuration, not as an instruction to switch algorithms. Confirm app-level configurations with your Trustly account manager.

You can use the example Header and Request above, with an `accessKey` of `vMBWAvMXdPM27F9qZEkr` to confirm your signature verification code is working properly.

> Example code for validating the notification signature

```javascript
const crypto = require('crypto');

const decodeFormBody = (encodedString) => {
  // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent#decoding_query_parameters_from_a_url
  // decodeURIComponent cannot be used directly on form-encoded data: it leaves '+' alone,
  // so turn '+' into a space first
  return decodeURIComponent(encodedString.replace(/\+/g, ' '));
};

// request: the raw POST body; header: the Authorization value with the "Basic " prefix removed;
// accessKey: the app's signing key
const isValidSignature = (request, header, accessKey) => {
  const expected = crypto.createHmac('sha1', accessKey).update(decodeFormBody(request)).digest('base64');
  const presented = Buffer.from(header, 'base64').toString('utf8').split(':')[1] || '';
  // compare in constant time; a length mismatch is simply a failed check
  const a = Buffer.from(expected);
  const b = Buffer.from(presented);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
};
```
