Validate the notification signature

The request signature is an HMAC-SHA1 of the request body, calculated using your accessKey as the signing key. To calculate and verify it, follow these steps:

  1. Read the entire POST request body.

merchantId=1002463580&merchantReference=cb180040-7210-4ab9-97b7-415824754802&paymentType=2&transactionType=3&eventId=1002593570&eventType=Authorize&objectId=1002593555&objectType=Transaction&message=&timeZone=Etc%2FUTC&createdAt=1556234040954&accessId=M8RaHgEjBE54zuFYMRQq&paymentProviderTransaction.status=AC100&paymentProviderTransaction.statusMessage=AC100&status=2&statusMessage=Authorized

  2. URL-decode the string as UTF-8 (for example, %2F becomes /).

merchantId=1002463580&merchantReference=cb180040-7210-4ab9-97b7-415824754802&paymentType=2&transactionType=3&eventId=1002593570&eventType=Authorize&objectId=1002593555&objectType=Transaction&message=&timeZone=Etc/UTC&createdAt=1556234040954&accessId=M8RaHgEjBE54zuFYMRQq&paymentProviderTransaction.status=AC100&paymentProviderTransaction.statusMessage=AC100&status=2&statusMessage=Authorized

  3. Using your accessKey as the key, calculate the HMAC-SHA1 (or the alternative algorithm configured for your app) of the decoded string and Base64-encode the result.

EYN3GXasrVU1vQ1uyYz22NNQdy4=

  4. Take the Authorization header and remove the Basic prefix.

TThSYUhnRWpCRTU0enVGWU1SUXE6RVlOM0dYYXNyVlUxdlExdXlZejIyTk5RZHk0PQ==

  5. Base64-decode the string to get an accessId:signature string.

M8RaHgEjBE54zuFYMRQq:EYN3GXasrVU1vQ1uyYz22NNQdy4=

If your app has been configured to receive redirect signatures using an alternative algorithm, the requestSignature included in the redirect will be prefixed with the algorithm label. For example:

requestSignature: "HmacSHA512:RuYv5esOLn2f4F4NU5bz7YGLITEtLVQrciiEm0dCrn/O1DJ9E5hLwIYTyd5DHBJBxAhdxuKp655bG/gymoPt+g=="

Confirm app-level configurations with your Trustly account manager.

  6. Split the decoded string on the colon (:) to get the signature.

EYN3GXasrVU1vQ1uyYz22NNQdy4=

  7. Compare the values calculated in Steps 3 (EYN3GXasrVU1vQ1uyYz22NNQdy4=) and 6 (EYN3GXasrVU1vQ1uyYz22NNQdy4=). If they match, the request is valid. If they do not match and the failures continue for a long period of time, contact Trustly.

You can use the example header and request body above, with an accessKey of vMBWAvMXdPM27F9qZEkr, to confirm that your signature verification code is working properly.

Example code for validating the notification signature

const Crypto = require('crypto');

const decodeURI = (encodedString) => {
  // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent#decoding_query_parameters_from_a_url
  // decodeURIComponent cannot be used directly to parse query parameters from a URL. It needs a bit of preparation:
  // form encoding writes spaces as +, which decodeURIComponent does not translate on its own.
  return decodeURIComponent(encodedString.replace(/\+/g, ' '));
}

// request: the raw POST body (Step 1); header: the Authorization value with the "Basic " prefix removed (Step 4);
// apiKey: your accessKey.
const isValidSignature = (request, header, apiKey) => {
  // Step 3: Base64-encoded HMAC-SHA1 of the URL-decoded body, keyed with the accessKey.
  const test = Crypto.createHmac('sha1', apiKey).update(decodeURI(request)).digest('base64');
  // Steps 5 and 6: Base64-decode the header and split accessId:signature on the colon.
  const auth = Buffer.from(header, 'base64').toString('utf8').split(':');
  // Step 7: the request is valid only if the two signatures match.
  return test === auth[1];
}