Response Signature Validation
Last updated
This page was prepared to provide detailed guidance on implementing response signature validation using iyzico's API. Response signature validation is essential for ensuring the authenticity and integrity of data exchanged between merchants and iyzico, particularly in financial transactions. By following the instructions on generating and validating HMAC SHA256 signatures, developers can secure their applications against tampering and unauthorized access. This enhances the overall security of the transaction process, protecting both merchants and customers.
The signature parameter is used to validate the service response: an HMAC SHA256 is computed over specific response parameters using the merchant's secretKey, so that the merchant can confirm the response really came from iyzico and was not altered in transit.
The signature parameter exists on the following endpoints:
| Flow | Endpoint | Parameters used in the signature |
|---|---|---|
| Non-3DS | /payment/auth | paymentId, currency, basketId, conversationId, paidPrice, price |
| Non-3DS PreAuth | /payment/preauth | paymentId, currency, basketId, conversationId, paidPrice, price |
| Non-3DS PostAuth | /payment/postauth | paymentId, currency, basketId, conversationId, paidPrice, price |
| Retrieve Payment Result | /payment/detail | paymentId, currency, basketId, conversationId, paidPrice, price |
| 3DS Initialize | /payment/3dsecure/initialize | paymentId, conversationId |
| 3DS PreAuth Initialize | /payment/3dsecure/initialize/preauth | paymentId, conversationId |
| 3DS Auth | /payment/3dsecure/auth | paymentId, currency, basketId, conversationId, paidPrice, price |
| 3DS v2 Auth | /payment/v2/3dsecure/auth | paymentId, currency, basketId, conversationId, paidPrice, price |
| 3DS PostAuth | /payment/postauth | paymentId, currency, basketId, conversationId, paidPrice, price |
| Retrieve Payment Result | /payment/detail | paymentId, currency, basketId, conversationId, paidPrice, price |
| callbackURL | (merchant's callbackURL) | conversationData, conversationId, mdStatus, paymentId, status |
| CheckoutForm Initialize | /payment/iyzipos/checkoutform/initialize/auth/ecom | conversationId, token |
| Pay with iyzico Initialize | /payment/pay-with-iyzico/initialize | conversationId, token |
| CheckoutForm PreAuth Initialize | /payment/iyzipos/checkoutform/initialize/preauth/ecom | conversationId, token |
| Retrieve Payment Result | /payment/iyzipos/checkoutform/auth/ecom/detail | paymentStatus, paymentId, currency, basketId, conversationId, paidPrice, price, token |
| Refund | /payment/refund | paymentId, price, currency, conversationId |
| Amount Base Refund | /v2/payment/refund | paymentId, price, currency, conversationId |
The walkthrough below covers three steps: Payment Request, Payment Response and Signature Comparison.
So let's begin with the Payment Request. Assuming you have a full request containing the variables conversationId, price, paidPrice, currency and basketId, these are the variables we focus on for the signature implementation of the /payment/auth endpoint.
In the Payment Response we need to focus on conversationId, price, paidPrice, paymentId, currency and basketId. Even though the entire response carries many more details, these are the key elements.
Finally, it is time to check whether the signatures match. For this sample we have used the /payment/auth endpoint and the paymentId, currency, basketId, conversationId, paidPrice and price variables. Let's verify that they match using the HMAC SHA256 algorithm:
The signature value from the response is:
836c3a6c8db86c81043f2ca74edb13518b54a813f454f8dd762f0dd658610173
The hashedSignature value computed by the method is:
836c3a6c8db86c81043f2ca74edb13518b54a813f454f8dd762f0dd658610173
Both values are equal, which confirms that the response came from iyzico.
Trailing zeros, in the context of iyzico's response signature validation, are the zeros that appear after the decimal point in price parameters. They need to be accounted for in the validation process so that the HMAC SHA256 signature is computed over the same string on both sides. For instance, a price of "price":"50.00" should be treated as "50" during signature creation and validation.
For instance, consider the following values received from the service response:

| Received value | After trailing-zero removal |
|---|---|
| "price":"10" | 10 |
| "price":"10.0" | 10 |
| "price":"10.5" | 10.5 |
| "price":"10.50" | 10.5 |
| "price":"10.510" | 10.51 |
| "price":"10.5105" | 10.5105 |
| "price":"10.51050" | 10.5105 |
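The check walked through above (trailing-zero normalisation, HMAC SHA256 keyed with the merchant's secretKey, comparison against the response's signature) as an added Python example; this is not iyzico's own code or SDK. It assumes the hash string is the listed parameter values joined in the table's order with ":" (the page does not state the separator) and that paidPrice is normalised like price, and it uses a constructed response and a placeholder secret; confirm both assumptions against iyzico's SDK for your integration.

```python
import hashlib
import hmac

# Parameter order for the /payment/auth response, as listed on this page.
PAYMENT_AUTH_FIELDS = ("paymentId", "currency", "basketId",
                       "conversationId", "paidPrice", "price")

# Constructed sample values: placeholder secret, not a real merchant key.
SAMPLE_SECRET = "sandbox-secretKey-PLACEHOLDER"
SAMPLE_RESPONSE = {
    "paymentId": "123456789", "currency": "TRY", "basketId": "B67832",
    "conversationId": "123456789", "paidPrice": "50.00", "price": "50.00",
}

def trailing_zero(value: str) -> str:
    """Drop zeros after the decimal point: "10.50" -> "10.5", "10.0" -> "10".
    Integers such as "100" have no decimal point and are left untouched."""
    if "." not in value:
        return value
    return value.rstrip("0").rstrip(".") or "0"

def build_hash_string(response: dict, fields=PAYMENT_AUTH_FIELDS) -> str:
    """ASSUMPTION: values are joined in the listed order with ':'; the page
    does not state the separator. paidPrice is normalised like price."""
    parts = []
    for name in fields:
        value = str(response[name])
        if name in ("price", "paidPrice"):
            value = trailing_zero(value)
        parts.append(value)
    return ":".join(parts)

def compute_signature(secret_key: str, hash_string: str) -> str:
    """HMAC SHA256 keyed with the merchant secretKey, as lower-case hex."""
    return hmac.new(secret_key.encode("utf-8"), hash_string.encode("utf-8"),
                    hashlib.sha256).hexdigest()

def verify_response(secret_key: str, response: dict,
                    fields=PAYMENT_AUTH_FIELDS) -> bool:
    """True only if the response's signature equals the recomputed one."""
    expected = compute_signature(secret_key, build_hash_string(response, fields))
    received = str(response.get("signature", ""))
    # compare_digest runs in constant time, so timing leaks no partial match
    return hmac.compare_digest(expected, received.lower())

def signed_sample() -> dict:
    """Constructed response carrying a signature made with SAMPLE_SECRET."""
    resp = dict(SAMPLE_RESPONSE)
    resp["signature"] = compute_signature(SAMPLE_SECRET, build_hash_string(resp))
    return resp

if __name__ == "__main__":
    resp = signed_sample()
    print("valid:", verify_response(SAMPLE_SECRET, resp))      # True
    resp["paidPrice"] = "1.00"                                 # tampered amount
    print("tampered:", verify_response(SAMPLE_SECRET, resp))   # False
```

Because "50.00" and "50" normalise to the same hash string, a response carrying either form verifies against the same signature, while any change to an amount or a wrong secretKey fails the check.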
In this section, we are going to investigate how to extract the signature value for a payment request, specifically {{baseUrl}}/payment/auth. The sample covers the following steps, in order:
If there is a price parameter among the parameters that make up the signature value, that parameter should be passed through trailingZero before the hashString is built and hashed. Please find the details in the section below.
Assuming you successfully received a response from the request above, the expected response payload is as follows:
/payment/auth endpoint signature: