Validate the redirect signature

When handling a redirect notification from the Trustly UI, you can verify the notification's authenticity by calculating the requestSignature and comparing it to the value included in the notification payload.

If your app has been configured to receive redirect signatures using an alternative algorithm, the requestSignature included in the redirect will be prefixed with the algorithm label. For example:

requestSignature: "HmacSHA512:RuYv5esOLn2f4F4NU5bz7YGLITEtLVQrciiEm0dCrn/O1DJ9E5hLwIYTyd5DHBJBxAhdxuKp655bG/gymoPt+g=="

Confirm app-level configurations with your Trustly account manager.

To calculate a requestSignature, follow these steps:

Given the following returnUrl:

https://merchant.com/Trustly/return?transactionId=1002655801&transactionType=1&merchantReference=123123&status=2&payment.paymentType=4&payment.paymentProvider.type=1&payment.account.verified=false&panel=1&requestSignature=2uvoRTIEFWzfsbZwXokudh5P5rs%3D&instantPayoutAvail=true

  1. Remove the requestSignature parameter
    1. Strip the requestSignature parameter (including the leading &) and its value from the string.
    2. Given the above example, the result would be: https://merchant.com/Trustly/return?transactionId=1002655801&transactionType=1&merchantReference=123123&status=2&payment.paymentType=4&payment.paymentProvider.type=1&payment.account.verified=false&panel=1
  2. Calculate the signature
    1. Using your accessKey, generate a Base64-encoded HMAC-SHA1 (or the configured alternative) hash of the string remaining after step 1 (see the version note below for cases where only the query parameters are signed).
    2. Given our example, the result would be: 2uvoRTIEFWzfsbZwXokudh5P5rs=
  3. Compare the signatures
    1. Compare the calculated hash (2uvoRTIEFWzfsbZwXokudh5P5rs=) to the URL-decoded hash that was passed in the query string (2uvoRTIEFWzfsbZwXokudh5P5rs=).

If the signatures match, the notification is authentic.

For API versions below 1.18.0, the requestSignature included in the payload sent to the provided returnUrl endpoint is calculated using ONLY the query parameters: remove the base URL and path from the string above before proceeding to step 2. For API versions below 1.170.0, the requestSignature included in the payload sent to the provided cancelUrl endpoint is likewise calculated using ONLY the query parameters, so remove the base URL and path from the string above before proceeding to step 2.
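The three steps above (strip the parameter, recompute the HMAC, compare) together with the algorithm-prefix and version rules, as an added Python example that is not Trustly's own code. It assumes a constructed access key, a label-to-digest map covering only the labels shown on this page (HmacSHA1 by default, HmacSHA512 when prefixed), and that the caller decides from its API version and endpoint whether the whole URL or only the query string is signed. The query string is kept as raw text rather than parsed and re-encoded, because the HMAC covers the exact characters that were sent; the final comparison is constant-time.

```python
"""Verify a redirect requestSignature (added example, not Trustly's code).

Assumptions: constructed access key; only the algorithm labels shown in the
documentation (HmacSHA1 default, HmacSHA512 prefix); the caller passes
query_only=True for the older API versions where only the query parameters
are signed.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Algorithm label -> digest constructor (only labels the documentation shows).
DIGESTS = {
    "HmacSHA1": hashlib.sha1,      # default when the value carries no prefix
    "HmacSHA512": hashlib.sha512,  # e.g. "HmacSHA512:<base64>"
}
SIGNATURE_PARAM = "requestSignature"


def split_signature(url):
    """Step 1: return (url without requestSignature, decoded signature, algorithm).

    Parameters are filtered as raw "key=value" text so their order and
    percent-encoding are preserved exactly as received.
    """
    parts = urlsplit(url)
    kept, raw_signature = [], None
    for pair in parts.query.split("&"):
        if pair.startswith(SIGNATURE_PARAM + "="):
            raw_signature = pair[len(SIGNATURE_PARAM) + 1:]
        elif pair:
            kept.append(pair)
    if raw_signature is None:
        raise ValueError("redirect carries no requestSignature")
    signature = unquote(raw_signature)  # %3D -> '=' etc.
    algorithm = "HmacSHA1"
    if ":" in signature:  # base64 never contains ':', so this is the label
        label, _, signature = signature.partition(":")
        if label not in DIGESTS:
            raise ValueError("unsupported algorithm label: " + label)
        algorithm = label
    stripped = urlunsplit(parts._replace(query="&".join(kept)))
    return stripped, signature, algorithm


def compute_signature(access_key, message, algorithm="HmacSHA1"):
    """Step 2: Base64-encoded HMAC of the message under the access key."""
    mac = hmac.new(access_key.encode(), message.encode(), DIGESTS[algorithm])
    return base64.b64encode(mac.digest()).decode()


def verify_redirect(url, access_key, query_only=False):
    """Step 3: True when the presented signature matches our recomputation.

    query_only=True reproduces the older behaviour (returnUrl below 1.18.0,
    cancelUrl below 1.170.0) where only the query parameters are signed.
    """
    stripped, presented, algorithm = split_signature(url)
    message = urlsplit(stripped).query if query_only else stripped
    expected = compute_signature(access_key, message, algorithm)
    # Constant-time comparison: the check must not leak how many bytes matched.
    return hmac.compare_digest(expected, presented)


def sign_redirect(url, access_key, algorithm="HmacSHA1", query_only=False):
    """Build a signed URL (only used here to construct test data; in
    production the value arrives from Trustly and is never produced locally)."""
    message = urlsplit(url).query if query_only else url
    sig = compute_signature(access_key, message, algorithm)
    if algorithm != "HmacSHA1":
        sig = algorithm + ":" + sig
    return url + ("&" if "?" in url else "?") + SIGNATURE_PARAM + "=" + quote(sig, safe="")


if __name__ == "__main__":
    # Constructed data: the key is a placeholder, not a real accessKey.
    key = "constructed-access-key"
    unsigned = "https://merchant.com/Trustly/return?transactionId=1002655801&status=2&panel=1"
    signed = sign_redirect(unsigned, key, "HmacSHA512")
    print(signed)
    print("authentic:", verify_redirect(signed, key))
    print("tampered :", verify_redirect(signed.replace("status=2", "status=1"), key))
```

`split_signature` removes the parameter wherever it sits in the query, so parameters that follow it are kept in place; `verify_redirect` returns False for a wrong key, a modified parameter, or a signature computed over the wrong scope (whole URL versus query only), and raises if the redirect carries no signature at all.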