
# Validate the redirect signature

When handling a redirect notification from the Trustly UI, you can verify the notification's authenticity by calculating the `requestSignature` and comparing it to the value included in the notification payload.

If your app has been configured to receive redirect signatures using an alternative algorithm, the `requestSignature` included in the redirect will be prefixed with the algorithm label. For example:

`requestSignature: "HmacSHA512:RuYv5esOLn2f4F4NU5bz7YGLITEtLVQrciiEm0dCrn/O1DJ9E5hLwIYTyd5DHBJBxAhdxuKp655bG/gymoPt+g=="`

Confirm app-level configurations with your Trustly account manager.

To calculate a `requestSignature`, follow these steps:

Given the following `returnUrl`:

`https://merchant.com/Trustly/return?transactionId=1002655801&transactionType=1&merchantReference=123123&status=2&payment.paymentType=4&payment.paymentProvider.type=1&payment.account.verified=false&panel=1&requestSignature=2uvoRTIEFWzfsbZwXokudh5P5rs%3D&instantPayoutAvail=true`

1. **Remove the `requestSignature` parameter**
   1. Strip the `requestSignature` parameter (including `&`) and its value from the string.
   2. Given the above example, the result would be: `https://merchant.com/Trustly/return?transactionId=1002655801&transactionType=1&merchantReference=123123&status=2&payment.paymentType=4&payment.paymentProvider.type=1&payment.account.verified=false&panel=1`
2. **Calculate the Signature**
   1. Using your `accessKey`, generate a Base64-encoded HMAC-SHA1 (or alternative) hash of the remaining query parameters.
   2. Given our example, the result would be: `2uvoRTIEFWzfsbZwXokudh5P5rs=`
3. **Compare the Signatures**
   1. Compare the calculated hash (`2uvoRTIEFWzfsbZwXokudh5P5rs=`) to the URL-decoded hash that was passed in the query string (`2uvoRTIEFWzfsbZwXokudh5P5rs=`).

If the signatures match, the notification is authentic.

For API versions below **1.18.0**, the `requestSignature` included in the payload sent to the provided `returnUrl` endpoint is calculated using ONLY the query parameters. Remove the base URL and paths from the string above before proceeding to step 2.

For API versions below **1.170.0**, the `requestSignature` included in the payload sent to the provided `cancelUrl` endpoint is calculated using ONLY the query parameters. Remove the base URL and paths from the string above before proceeding to step 2.
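
The steps above as a Python sketch, including the algorithm prefix and the query-only variant for older API versions. This is an added example, not Trustly's code: the function names, the `expected_label` pinning, and treating `accessKey` as a UTF-8 string are assumptions, and the key and URL are constructed sample values. It strips only the `requestSignature` parameter, as step 1 states, rejects a missing or duplicated signature, and compares in constant time.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Prefix label -> digest. "HmacSHA512" is the only label shown on the page;
# an unprefixed signature is treated as the default HMAC-SHA1.
ALGORITHMS = {None: hashlib.sha1, "HmacSHA512": hashlib.sha512}
SIG_PARAM = re.compile(r"&requestSignature=([^&#]*)")

def _mac(text, access_key, label):
    return hmac.new(access_key.encode(), text.encode(), ALGORITHMS[label]).digest()

def verify_redirect(url, access_key, expected_label=None, query_only=False):
    """Return True only if the redirect URL carries a valid requestSignature.

    expected_label is the algorithm configured for the app (assumption: it is
    pinned in merchant config, never taken from the incoming prefix).
    query_only=True signs just the query string, as for older API versions.
    """
    matches = list(SIG_PARAM.finditer(url))
    if len(matches) != 1:                       # missing or duplicated: reject
        return False
    value = unquote(matches[0].group(1))        # e.g. %3D -> "="
    label, sep, b64 = value.rpartition(":")
    label = label if sep else None
    if label != expected_label or label not in ALGORITHMS:
        return False
    try:
        received = base64.b64decode(b64, validate=True)
    except ValueError:                          # malformed Base64
        return False
    # Step 1: strip "&requestSignature=<value>" from the raw string.
    stripped = url[:matches[0].start()] + url[matches[0].end():]
    if query_only:
        stripped = stripped.partition("?")[2]
    # Steps 2-3: recompute and compare in constant time.
    return hmac.compare_digest(_mac(stripped, access_key, label), received)

# Constructed sample input (not a real key or a real Trustly redirect).
DEMO_KEY = "constructed-access-key"
DEMO_URL = "https://merchant.com/Trustly/return?transactionId=1002655801&status=2&panel=1"

def sign_for_demo(url, access_key, label=None, query_only=False):
    """Build a signed sample URL the same way verify_redirect checks it."""
    text = url.partition("?")[2] if query_only else url
    sig = base64.b64encode(_mac(text, access_key, label)).decode()
    return url + "&requestSignature=" + quote((label + ":" if label else "") + sig, safe="")
```

Verify against the raw URL string exactly as received; re-serialising parsed parameters can change their order or encoding and break the comparison.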