
Signature Calculation

The signature is a critical security parameter that ensures the authenticity and integrity of your API requests and responses with Amazon Payment Services. It uses cryptographic hash algorithms to create a unique digital fingerprint for each transaction, protecting against tampering and unauthorized access.

Configuration Parameters

Before implementing signature calculation, obtain these security settings from your merchant dashboard:

SHA Type
Description: The cryptographic hash algorithm used for signature generation.
Supported: SHA-256 (recommended), SHA-512, SHA-128
Example: SHA-256

SHA Request Phrase
Description: Secret passphrase used to generate request signatures.
Note: Keep this secure and never expose in client-side code.
Example: MySecretKey123

SHA Response Phrase
Description: Secret passphrase used by Amazon Payment Services for response signatures.
Note: Can be the same as request phrase or different for added security.
Example: MySecretKey123

Request Signature Generation

The signature calculation follows a standardized process to ensure consistency and security:

1. Parameter Collection

Collect all request parameters (both mandatory and optional) that will be sent to Amazon Payment Services.

Example Parameters
{
  "command": "PURCHASE",
  "access_code": "SILgpo7pWbmzuURp2qri",
  "merchant_identifier": "MxvOupuG",
  "merchant_reference": "ORD-12345-2024",
  "amount": "2000",
  "currency": "AED",
  "language": "en",
  "customer_email": "customer@example.com"
}

2. Alphabetical Sorting

Sort all parameters alphabetically by parameter name (case-sensitive).

Sorted Parameters
access_code = SILgpo7pWbmzuURp2qri
amount = 2000
command = PURCHASE
currency = AED
customer_email = customer@example.com
language = en
merchant_identifier = MxvOupuG
merchant_reference = ORD-12345-2024

3. String Concatenation

Concatenate parameter names and values in the format param_name=param_value without any separators between pairs.

Concatenated String
access_code=SILgpo7pWbmzuURp2qriamount=2000command=PURCHASEcurrency=AEDcustomer_email=customer@example.comlanguage=enmerchant_identifier=MxvOupuGmerchant_reference=ORD-12345-2024

4. Phrase Wrapping

Wrap the concatenated string with your SHA Request Phrase at the beginning and end.

Wrapped String
MySecretKey123access_code=SILgpo7pWbmzuURp2qriamount=2000command=PURCHASEcurrency=AEDcustomer_email=customer@example.comlanguage=enmerchant_identifier=MxvOupuGmerchant_reference=ORD-12345-2024MySecretKey123

5. Hash Generation

Apply the selected SHA algorithm to generate the final signature hash.

Final Signature (SHA-256)
7b8c9d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e

Special Cases and Exclusions

Tokenization Requests

When processing tokenization requests, certain sensitive parameters must be excluded from signature calculation for security reasons:

  • card_security_code
  • card_number
  • expiry_date
  • card_holder_name
  • remember_me

Empty and Null Values

Handle edge cases properly in your signature calculation:

  • Empty strings: Include in signature as empty values (param_name=)
  • Null values: Exclude from signature calculation entirely

Response Signature Validation

Validating response signatures is crucial for ensuring the authenticity of responses from Amazon Payment Services:

1. Receive Response

When you receive a response from Amazon Payment Services, it will include a signature parameter along with other response data.

Sample Response
{
  "command": "PURCHASE",
  "access_code": "SILgpo7pWbmzuURp2qri",
  "merchant_identifier": "MxvOupuG",
  "merchant_reference": "ORD-12345-2024",
  "amount": "2000",
  "currency": "AED",
  "fort_id": "149295435400084008",
  "response_message": "Success",
  "response_code": "14000",
  "status": "14",
  "signature": "7B8C9D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E"
}

2. Extract Signature

Store the received signature value and remove it from the response parameters before validation. Then use your SHA Response Phrase to calculate what the signature should be, following the same steps as above.

3. Compare Signatures

Compare the received signature with your calculated signature to verify authenticity.
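
The request-signing steps, the exclusion rules and the response check described above, combined into one added Python example; it is not Amazon Payment Services' own code. The function names, the `tokenization` flag, the handling of only SHA-256 and SHA-512, and the case-insensitive hex comparison are assumptions of this example, and the response in the demo is constructed and signed locally.

```python
import hashlib
import hmac

# Dashboard "SHA Type" labels mapped to hashlib (this example handles these two only).
ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}

# Parameters the page excludes from the signature on tokenization requests.
TOKENIZATION_EXCLUDED = {"card_security_code", "card_number", "expiry_date",
                         "card_holder_name", "remember_me"}


def signing_string(params, phrase, tokenization=False):
    """Steps 1-4: sort names, join name=value pairs, wrap with the SHA phrase."""
    pairs = []
    for name in sorted(params):  # code-point order, so sorting is case-sensitive
        value = params[name]
        if name == "signature" or value is None:
            continue  # the signature field and null values are never signed
        if tokenization and name in TOKENIZATION_EXCLUDED:
            continue
        pairs.append(f"{name}={value}")  # an empty string stays as "name="
    return phrase + "".join(pairs) + phrase


def build_signature(params, phrase, sha_type="SHA-256", tokenization=False):
    """Step 5: hash the UTF-8 bytes of the wrapped string, return lowercase hex."""
    data = signing_string(params, phrase, tokenization).encode("utf-8")
    return ALGORITHMS[sha_type](data).hexdigest()


def verify_response(response, response_phrase, sha_type="SHA-256"):
    """Recompute the signature over a response and compare in constant time."""
    received = response.get("signature")
    if not isinstance(received, str):
        return False  # unsigned responses are rejected rather than trusted
    expected = build_signature(response, response_phrase, sha_type)
    # Assumption: hex case is not significant (the sample response is uppercase).
    return hmac.compare_digest(received.lower().encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    # Constructed response: fields from the page's sample, signed locally for the demo.
    phrase = "MySecretKey123"  # the page's example phrase; load the real one server-side
    resp = {"command": "PURCHASE", "merchant_reference": "ORD-12345-2024",
            "amount": "2000", "currency": "AED", "status": "14"}
    resp["signature"] = build_signature(resp, phrase).upper()
    print(verify_response(resp, phrase))                      # True
    print(verify_response({**resp, "amount": "1"}, phrase))  # False
```

A SHA-256 signature is always 64 hexadecimal characters and a SHA-512 one 128, which gives a quick sanity check when a comparison fails.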

Signature Implementation

Here are practical examples for calculating request signatures in different programming languages:

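<?php
function calculateSignature() {
    // Set your request SHA phrase here
    $requestShaPhrase = "MySecretKey123";
    $signatureString = $requestShaPhrase;

    // Get form data (simulate $_POST data)
    $formData = [
        'command' => 'PURCHASE',
        'access_code' => 'SILgpo7pWbmzuURp2qri',
        'merchant_identifier' => 'MxvOupuG',
        'merchant_reference' => 'ORD-12345-2024',
        'amount' => '2000',
        'currency' => 'AED',
        'language' => 'en',
        'customer_email' => 'customer@example.com'
    ];

    // Sort parameters alphabetically by name (case-sensitive string comparison)
    ksort($formData, SORT_STRING);

    // Append each pair as name=value, with no separator between pairs
    foreach ($formData as $name => $value) {
        $signatureString .= $name . '=' . $value;
    }

    // Close the string with the SHA phrase, then hash with the configured algorithm
    $signatureString .= $requestShaPhrase;
    return hash('sha256', $signatureString);
}

echo calculateSignature(), PHP_EOL;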

Common Issues and Solutions

Parameter Sorting

Issue: Incorrect alphabetical sorting
Solution: Ensure case-sensitive sorting by parameter name

String Encoding

Issue: Character encoding problems
Solution: Use UTF-8 encoding consistently

Hash Algorithm

Issue: Wrong SHA algorithm used
Solution: Match the algorithm configured in your dashboard

Parameter Exclusion

Issue: Including excluded parameters
Solution: Remove sensitive card data for tokenization


Support

Need help with signature calculation implementation? Contact our technical support team at merchantsupport-ps@amazon.com.
