For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Dashboard
GuidesAPI ReferenceSDKs
GuidesAPI ReferenceSDKs
  • Get Started
    • Overview and Solutions
    • Choose an Integration
    • Quickstart
    • Branding Guidelines
    • Get Support
  • Accept Payments
    • Instant Payments
    • Trustly Pay
    • Recurring Payments
    • Scan and Pay
    • Remember Me
    • Payment Integration Checklist
  • Send Money
    • Send Payouts Using Online Banking
    • Send Payouts Using Account Information
    • International Transfers
  • Retrieve Data
    • Verify Accounts Using Online Banking
    • Verify Accounts Using Micro-Deposits
    • Retrieve Bank and User Information
    • Tokenize Bank Information
    • Trustly ID
    • Insights Data
  • Core Concepts
    • Key Concepts
    • The Establish Data Object
    • Transactions and Transaction IDs
    • Tokens and Account Security
    • Redirect URLs and Return Flow
    • Webhooks and Events
    • Content Strings
  • API Fundamentals
    • Authentication and OAuth
    • Secure Requests and Signature Validation
      • Generate request signatures
      • Validate the redirect signature
      • Validate the notification signature
      • Encrypt a field value
    • Idempotency
    • Testing
    • Status codes and type definitions
  • Manage Your Integration
    • Go-Live Checklist
    • Merchant Portal
    • Reports and Reconciliation
    • Refresh Bank Authorization
    • Override Risk Declines
    • VIP Tiers
    • Financial Institution Status
Dashboard
Products
PaymentsDataPayouts
Company
AboutCareersContact Sales

Terms of Use | Privacy Policy | © 2026 Trustly, Inc.

Developer-friendly docs for your API
GitHub|Contact Support|Business Help Center|Merchant Portal
Terms of Use|Privacy Policy|© 2026 Trustly, Inc.
Developer-friendly docs for your API
LogoLogo
North AmericaEurope
North AmericaEurope
API FundamentalsSecure Requests and Signature Validation

Validate the redirect signature

|View as Markdown|Open in Claude|
Was this page helpful?
Previous

Generate request signatures

Next

Validate the notification signature

Built with

When handling a redirect notification from the Trustly UI, you can verify the notification’s authenticity by calculating the requestSignature and comparing it to the value included in the notification payload.

If your app has been configured to receive redirect signatures using an alternative algorithm, the requestSignature included in the redirect will be prefixed with the algorithm label. For example:

requestSignature: "HmacSHA512:RuYv5esOLn2f4F4NU5bz7YGLITEtLVQrciiEm0dCrn/O1DJ9E5hLwIYTyd5DHBJBxAhdxuKp655bG/gymoPt+g=="

Confirm app-level configurations with your Trustly account manager.

To calculate a requestSignature, follow these steps:

Given the following returnUrl:

https://merchant.com/Trustly/return?transactionId=1002655801&transactionType=1&merchantReference=123123&status=2&payment.paymentType=4&payment.paymentProvider.type=1&payment.account.verified=false&panel=1&requestSignature=2uvoRTIEFWzfsbZwXokudh5P5rs%3D&instantPayoutAvail=true

  1. Remove therequestSignature parameter
    1. Strip the requestSignature parameter (including &) and it’s value from the string.
    2. Given the above example, the result would be: https://merchant.com/Trustly/return?transactionId=1002655801&transactionType=1&merchantReference=123123&status=2&payment.paymentType=4&payment.paymentProvider.type=1&payment.account.verified=false&panel=1
  2. Calculate the Signature
    1. Using your accessKey, generate a Base64-encoded HMAC-SHA1 (or alternative) hash of the remaining query parameters.
  3. Given our example, the result would be: 2uvoRTIEFWzfsbZwXokudh5P5rs=
  4. Compare the Signatures
    1. Compare the calculated hash (2uvoRTIEFWzfsbZwXokudh5P5rs=) to the decoded hash that was passed in the query string (2uvoRTIEFWzfsbZwXokudh5P5rs=).

If the signatures match, the notification is authentic.

For API versions below 1.18.0, the requestSignature included in the payload sent to the provided returnUrl endpoint is calculated using ONLY the query parameters. Remove the base url and paths from the string above before proceeding to step 2. For API versions below 1.170.0 the requestSignature included in the payload sent to the provided cancelUrl endpoint is calculated using ONLY the query parameters. Remove the base url and paths from the string above before proceeding to step 2.