Signature Calculation
The signature is a critical security parameter that ensures the authenticity and integrity of your API requests and responses with Amazon Payment Services. It uses cryptographic hash algorithms to create a unique digital fingerprint for each transaction, protecting against tampering and unauthorized access.
Configuration Parameters
Before implementing signature calculation, you need to get these security settings in your merchant dashboard:
Parameter | Description | Example |
---|---|---|
SHA Type | The cryptographic hash algorithm used for signature generation. Supported: SHA-256 (recommended), SHA-512, SHA-128 | SHA-256 |
SHA Request Phrase | Secret passphrase used to generate request signatures. Note: Keep this secure and never expose in client-side code. | MySecretKey123 |
SHA Response Phrase | Secret passphrase used by Amazon Payment Services for response signatures. Note: Can be the same as request phrase or different for added security. | MySecretKey123 |
Request Signature Generation
The signature calculation follows a standardized process to ensure consistency and security:
Parameter Collection
Collect all request parameters (both mandatory and optional) that will be sent to Amazon Payment Services.
{
"command": "PURCHASE",
"access_code": "SILgpo7pWbmzuURp2qri",
"merchant_identifier": "MxvOupuG",
"merchant_reference": "ORD-12345-2024",
"amount": "2000",
"currency": "AED",
"language": "en",
"customer_email": "customer@example.com"
}
Alphabetical Sorting
Sort all parameters alphabetically by parameter name (case-sensitive).
access_code = SILgpo7pWbmzuURp2qri
amount = 2000
command = PURCHASE
currency = AED
customer_email = customer@example.com
language = en
merchant_identifier = MxvOupuG
merchant_reference = ORD-12345-2024
String Concatenation
Concatenate parameter names and values in the format param_name=param_value without any separators between pairs.
access_code=SILgpo7pWbmzuURp2qriamount=2000command=PURCHASEcurrency=AEDcustomer_email=customer@example.comlanguage=enmerchant_identifier=MxvOupuGmerchant_reference=ORD-12345-2024
Phrase Wrapping
Wrap the concatenated string with your SHA Request Phrase at the beginning and end.
MySecretKey123access_code=SILgpo7pWbmzuURp2qriamount=2000command=PURCHASEcurrency=AEDcustomer_email=customer@example.comlanguage=enmerchant_identifier=MxvOupuGmerchant_reference=ORD-12345-2024MySecretKey123
Hash Generation
Apply the selected SHA algorithm to generate the final signature hash.
7b8c9d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e
Special Cases and Exclusions
Tokenization Requests
When processing tokenization requests, certain sensitive parameters must be excluded from signature calculation for security reasons:
card_security_code
card_number
expiry_date
card_holder_name
remember_me
Empty and Null Values
Handle edge cases properly in your signature calculation:
- Empty strings: Include in signature as empty values (param_name=)
- Null values: Exclude from signature calculation entirely
Response Signature Validation
Validating response signatures is crucial for ensuring the authenticity of responses from Amazon Payment Services:
Receive Response
When you receive a response from Amazon Payment Services, it will include a signature parameter along with other response data.
{
"command": "PURCHASE",
"access_code": "SILgpo7pWbmzuURp2qri",
"merchant_identifier": "MxvOupuG",
"merchant_reference": "ORD-12345-2024",
"amount": "2000",
"currency": "AED",
"fort_id": "149295435400084008",
"response_message": "Success",
"response_code": "14000",
"status": "14",
"signature": "7B8C9D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E"
}
Extract Signature
Store the received signature value and remove it from the response parameters before validation. Then use your SHA Response Phrase to calculate what the signature should be, following the same steps as above.
Compare Signatures
Compare the received signature with your calculated signature to verify authenticity.
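The validation steps above, together with the null, empty-value and tokenization rules from Special Cases and Exclusions, as an added Python example (not Amazon Payment Services code). The function names, the `tokenization` flag, the case-insensitive hex comparison and the locally signed sample response are assumptions made for this illustration.

```python
import hashlib
import hmac

# Parameters the page says to leave out of tokenization signatures.
TOKENIZATION_EXCLUDED = {"card_security_code", "card_number", "expiry_date",
                         "card_holder_name", "remember_me"}
# Dashboard "SHA Type" -> hashlib name (only the two with a hashlib equivalent).
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512"}


def signing_string(params, phrase, tokenization=False):
    """Phrase + sorted name=value pairs (no separators) + phrase."""
    pairs = []
    for name in sorted(params):          # code-point order, so case-sensitive
        value = params[name]
        if name == "signature" or value is None:
            continue                     # signature itself and nulls are left out
        if tokenization and name in TOKENIZATION_EXCLUDED:
            continue
        pairs.append(f"{name}={value}")  # an empty string stays in as "name="
    return phrase + "".join(pairs) + phrase


def calculate_signature(params, phrase, sha_type="SHA-256", tokenization=False):
    data = signing_string(params, phrase, tokenization).encode("utf-8")
    return hashlib.new(ALGORITHMS[sha_type], data).hexdigest()


def verify_response(response, response_phrase, sha_type="SHA-256"):
    """True only if the response carries a signature matching our own calculation."""
    received = response.get("signature")
    if not isinstance(received, str):
        return False                     # a missing signature fails closed
    expected = calculate_signature(response, response_phrase, sha_type)
    # Assumption: hex case is not significant; compare in constant time.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


if __name__ == "__main__":
    # Constructed response: sample fields signed locally with the sample phrase.
    resp = {"command": "PURCHASE", "amount": "2000", "currency": "AED",
            "response_code": "14000", "status": "14"}
    resp["signature"] = calculate_signature(resp, "MySecretKey123").upper()
    print("genuine:", verify_response(resp, "MySecretKey123"))
    print("tampered:", verify_response({**resp, "amount": "1"}, "MySecretKey123"))
```

Act on response_code, status or amount only after verify_response returns True, and use the values from the verified parameter set rather than from a separate copy of the request.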
Signature Implementation
Here are practical examples for calculating request signatures in different programming languages:
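<?php
function calculateSignature() {
    // Set your request SHA phrase here
    $requestShaPhrase = "MySecretKey123";
    $signatureString = $requestShaPhrase;
    // Get form data (simulate $_POST data)
    $formData = [
        'command' => 'PURCHASE',
        'access_code' => 'SILgpo7pWbmzuURp2qri',
        'merchant_identifier' => 'MxvOupuG',
        'merchant_reference' => 'ORD-12345-2024',
        'amount' => '2000',
        'currency' => 'AED',
        'language' => 'en',
        'customer_email' => 'customer@example.com'
    ];
    // Sort parameters alphabetically by name (case-sensitive string order)
    ksort($formData, SORT_STRING);
    // Append each pair as name=value with no separator between pairs
    foreach ($formData as $name => $value) {
        $signatureString .= $name . '=' . $value;
    }
    // Close with the SHA phrase, then hash with the algorithm set in the dashboard
    $signatureString .= $requestShaPhrase;
    return hash('sha256', $signatureString);
}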
Common Issues and Solutions
Parameter Sorting
Issue: Incorrect alphabetical sorting
Solution: Ensure case-sensitive sorting by parameter name
String Encoding
Issue: Character encoding problems
Solution: Use UTF-8 encoding consistently
Hash Algorithm
Issue: Wrong SHA algorithm used
Solution: Match the algorithm configured in your dashboard
Parameter Exclusion
Issue: Including excluded parameters
Solution: Remove sensitive card data for tokenization
Support
Need help with signature calculation implementation? Contact our technical support team at merchantsupport-ps@amazon.com.