How signatures work

urlencode( base64( SHA256( value1 + value2 + … + PersonalHashKey ) ) )
Values are concatenated in the exact same order as the URL query string, using raw (un-encoded) values. URL-encode only when building the URL string, never before hashing. Fields like client_phoneNum, url_redirect, notification_url, CP26, and terms_url must be URL-encoded in the URL but their original values go into the hash.

See Signature guide for the full step-by-step walkthrough.

Validator

The signature parameter is excluded from the hash automatically.
Used only client-side — never transmitted.
Enables field-by-field comparison showing exactly which value is wrong or out of order.
If provided, shows a match / doesn't match result.
 

Common causes of signature mismatch

  • Hashing a URL-encoded value — Always hash the raw value. Fields like client_phoneNum, url_redirect, notification_url, CP26, and terms_url contain special characters and must be URL-encoded in the URL, but their original values go into the hash.
  • Parameter order mismatch — URL query string order and signature concat order must be identical.
  • Missing or extra parameter — Present in the URL but absent from the concat, or vice versa.
  • Hardcoded literal vs. variable — Some modes use a fixed literal (e.g. "0" for trans_type). Verify it matches the URL value.
  • Numeric formatting"100" vs "100.0" produce different hashes.
  • PersonalHashKey whitespace — Check for leading/trailing spaces.
Signature Guide

Step-by-step walkthrough of the signature process.
Test Cards

Use our test cards to complete your integration.
Status Codes

Learn about reply codes and their meaning.