Computing the signature
- all the fields that start with vads_
- the signature algorithm chosen in the shop configuration
- the key
The value of the key is available in your Merchant Back Office via Settings > Shop > Keys tab.
The signature algorithm is defined in your Merchant Back Office via Settings > Shop > Configuration tab.
For maximum security, it is recommended to use the HMAC-SHA-256 algorithm and an alphanumeric key.
The use of the SHA-1 algorithm is deprecated but maintained for compliance reasons.
Warning: you must not use the REST API keys for computing the signature of your payment form.
Our code sample implements only the HMAC-SHA-256 algorithm.
To compute the signature:
- Sort the fields that start with vads_ alphabetically.
- Make sure that all the fields are encoded in UTF-8.
- Concatenate the values of these fields, separating them with the “+” character.
- Concatenate the result with the test or production key, separating them with a “+”.
- According to the signature algorithm defined in your shop configuration:
  - if your shop is configured to use “SHA-1”, apply the SHA-1 hash function to the string obtained during the previous step. Deprecated.
  - if your shop is configured to use “HMAC-SHA-256”, compute and encode in Base64 format the message signature using the HMAC-SHA-256 algorithm with the following parameters:
    - the SHA-256 hash function,
    - the test or production key (depending on the value of the vads_ctx_mode field) as a shared key,
    - the result of the previous step as the message to authenticate.
- Save the result of the previous step in the signature field.
<form method="POST" action="https://scelliuspaiement.labanquepostale.fr/vads-payment/entry.silentInit.a">
  <input type="hidden" name="vads_action_mode" value="INTERACTIVE" />
  <input type="hidden" name="vads_amount" value="5124" />
  <input type="hidden" name="vads_ctx_mode" value="TEST" />
  <input type="hidden" name="vads_currency" value="978" />
  <input type="hidden" name="vads_page_action" value="PAYMENT" />
  <input type="hidden" name="vads_payment_config" value="SINGLE" />
  <input type="hidden" name="vads_site_id" value="12345678" />
  <input type="hidden" name="vads_trans_date" value="20170129130025" />
  <input type="hidden" name="vads_trans_id" value="123456" />
  <input type="hidden" name="vads_version" value="V2" />
  <input type="hidden" name="signature" value="ycA5Do5tNvsnKdc/eP1bj2xa19z9q3iWPy9/rpesfS0="/>
  <input type="submit" name="pay" value="Pay"/>
</form>
This sample form is analyzed as follows:
- The fields whose names start with vads_ are sorted alphabetically:
  - vads_action_mode
  - vads_amount
  - vads_ctx_mode
  - vads_currency
  - vads_page_action
  - vads_payment_config
  - vads_site_id
  - vads_trans_date
  - vads_trans_id
  - vads_version
- The values of these fields are concatenated using the “+” character:
  INTERACTIVE+5124+TEST+978+PAYMENT+SINGLE+12345678+20170129130025+123456+V2
- The value of the test key is added at the end of the string, separated with the “+” character. In this example, the test key is 1122334455667788:
  INTERACTIVE+5124+TEST+978+PAYMENT+SINGLE+12345678+20170129130025+123456+V2+1122334455667788
- If you use the SHA-1 algorithm, apply it to the resulting string.
  The result that must be transmitted in the signature field is: 59c96b34c74b9375c332b0b6a32e6deeec87de2b
- If your shop is configured to use “HMAC-SHA-256”, compute and encode in Base64 format the message signature using the HMAC-SHA-256 algorithm with the following parameters:
  - the SHA-256 hash function,
  - the test or production key (depending on the value of the vads_ctx_mode field) as a shared key,
  - the result of the previous step as the message to authenticate.
  The result that must be transmitted in the signature field is:
  ycA5Do5tNvsnKdc/eP1bj2xa19z9q3iWPy9/rpesfS0=
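The HMAC-SHA-256 procedure above as runnable Python. This is an added example, not the platform's own code sample. The function names are assumptions of this example; the field values and test key are those of the sample form, and the comparison helper goes one step beyond the page by checking a received signature in constant time.

```python
import base64
import hashlib
import hmac

# Field values and test key copied from the sample form on this page.
SAMPLE_FIELDS = {
    "vads_action_mode": "INTERACTIVE",
    "vads_amount": "5124",
    "vads_ctx_mode": "TEST",
    "vads_currency": "978",
    "vads_page_action": "PAYMENT",
    "vads_payment_config": "SINGLE",
    "vads_site_id": "12345678",
    "vads_trans_date": "20170129130025",
    "vads_trans_id": "123456",
    "vads_version": "V2",
    "pay": "Pay",  # not a vads_ field: must be left out of the signature
}
SAMPLE_KEY = "1122334455667788"
# Signature value shown in the sample form on this page.
PAGE_SIGNATURE = "ycA5Do5tNvsnKdc/eP1bj2xa19z9q3iWPy9/rpesfS0="


def signing_string(fields, key):
    """Values of the vads_ fields, sorted by field name, then the key, joined with '+'."""
    names = sorted(name for name in fields if name.startswith("vads_"))
    return "+".join([str(fields[name]) for name in names] + [key])


def compute_signature(fields, key):
    """Base64 of HMAC-SHA-256 over the UTF-8 signing string, keyed with the shop key."""
    message = signing_string(fields, key).encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_matches(fields, key, received):
    """Recompute the signature and compare it with the received one in constant time."""
    expected = compute_signature(fields, key).encode("ascii")
    return hmac.compare_digest(expected, received.encode("utf-8"))


if __name__ == "__main__":
    print(signing_string(SAMPLE_FIELDS, SAMPLE_KEY))
    print(compute_signature(SAMPLE_FIELDS, SAMPLE_KEY))
    # Checks the sample form's signature field against the recomputed value.
    print(signature_matches(SAMPLE_FIELDS, SAMPLE_KEY, PAGE_SIGNATURE))
```

Load the key from server-side configuration rather than hard-coding it; it is embedded here only because the page publishes it as a test value.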