How do I validate signature response?

Signature Response: 

After the redirect, the authenticity of the response should be verified using the signature it carries. The `signature` parameter in the return_url is the HMAC signature computed with the algorithm named by the `signature_algorithm` parameter. The HMAC is calculated as follows:

  • Get all the parameters (key=value pairs) from the return_url.
  • It is assumed that the parameters in the return_url have been converted into key/value pairs (that is, URL-decoded once).
  • All parameters except signature and signature_algorithm are used in the following steps.
  • Percent-encode each key and each value.
  • Sort the list of parameters alphabetically (ASCII-based sort) by encoded key.
  • For each key/value pair:
    • Append the encoded key to the output string.
    • Append the ‘=’ character to the output string.
    • Append the encoded value to the output string.
    • If more key/value pairs follow, append a ‘&’ character to the output string.
  • Percent-encode the generated string.
  • Calculate the HMAC of that string using the secret key configured in merchant settings.
  • Percent-encode the generated hash and validate it against the signature in the response (the signature should be percent-decoded once before it is compared with the generated hash).
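The verification steps above, as an added Python example that is not code from the original article or from JusPay. It assumes Python's `quote_plus` is an acceptable stand-in for the percent-encoding JusPay uses, that the HMAC digest is base64-encoded text before it is percent-encoded, and that the secret key and parameter values are constructed samples. Note that the signature is compared in constant time and that the `signature_algorithm` value is checked against the expected algorithm rather than trusted blindly.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote_plus, urlencode, urlparse

# Constructed example key; use the response key from your merchant settings.
SECRET_KEY = "constructed-response-key"
EXCLUDED = ("signature", "signature_algorithm")


def canonical_string(params):
    """Percent-encode keys/values, sort by encoded key, join, encode again."""
    pairs = sorted((quote_plus(k), quote_plus(v))
                   for k, v in params.items() if k not in EXCLUDED)
    joined = "&".join(f"{k}={v}" for k, v in pairs)
    return quote_plus(joined)


def expected_signature(params, secret):
    """HMAC-SHA256 over the canonical string; assumes a base64 text digest."""
    mac = hmac.new(secret.encode(), canonical_string(params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_return_url(return_url, secret):
    """True only if the algorithm is the expected one and the MAC matches."""
    # parse_qsl percent-decodes every value exactly once, signature included
    params = dict(parse_qsl(urlparse(return_url).query, keep_blank_values=True))
    if params.get("signature_algorithm") != "HMAC-SHA256":
        return False  # never let the sender pick a weaker algorithm
    received = params.get("signature", "")
    # decoded signature vs. un-encoded hash, compared in constant time
    return hmac.compare_digest(received.encode(), expected_signature(params, secret).encode())


def build_signed_return_url(base_url, params, secret):
    """Simulates the gateway side so the example can be exercised offline."""
    signed = dict(params, signature_algorithm="HMAC-SHA256")
    signed["signature"] = expected_signature(params, secret)
    return f"{base_url}?{urlencode(signed)}"  # urlencode percent-encodes once


if __name__ == "__main__":
    url = build_signed_return_url("https://merchant.example/return",
                                  {"order_id": "ord_1", "status": "CHARGED"}, SECRET_KEY)
    print(verify_return_url(url, SECRET_KEY))                            # True
    print(verify_return_url(url.replace("ord_1", "ord_2"), SECRET_KEY))  # False
```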

To enable the signature generation at JusPay end for the payment response, you must first create a response key here: https://merchant.juspay.in/settings/api-keys. Once you have created a key successfully, navigate to General settings section and select “Yes” for the option “Use signed response”.

Once you have completed the above two steps, every redirect from JusPay to your website will carry the signature and the signature_algorithm parameters.

The signature algorithm used by JusPay is HMAC-SHA256. The algorithm is passed explicitly as a parameter so that verification uses the right one; newer or stronger algorithms might be introduced in the future.

It is also possible to check the status using the order/status API. Based on the response object, a success confirmation page or a failure message can be shown to the customer. Since this is an authenticated call made from the server side, signature verification is not required for it.
