Status Verification

The signature parameter in the return_url carries the HMAC signature computed using the algorithm specified by the signature_algorithm parameter. The HMAC is calculated using the following algorithm:

  • Get all the parameters (key=value pairs) from the return_url.

  • It is assumed that the parameters in the return_url are converted into key/value pairs.

  • All parameters except signature and signature_algorithm are used in the following steps.

  • Percent-encode each key and value.

  • Sort the list of parameters alphabetically (ASCII based sort) by encoded key.

  • For each key/value pair:

    • Append the encoded key to the output string.

    • Append the '=' character to the output string.

    • Append the encoded value to the output string.

    • If more key/value pairs follow, append a '&' character to the output string.

  • Percent-encode the generated string.

The HMAC of the string can be calculated using the Response Key configured in merchant settings.

  • Percent-encode the generated hash and validate it against the signature in the response (the signature should be percent-decoded once before comparing it with the generated hash).

To enable signature generation at the HDFC SmartGateway end for the payment response, you must first create a response key under Settings in the HDFC SmartGateway dashboard. Once you have created a key successfully, navigate to the Settings-->General (https://dashboard.smartgateway.hdfc.bank.in/settings) section and select "Yes" for the option "Use signed response".

Once you have completed the above two steps, every redirection to your website from HDFC SmartGateway will carry the signature and the algorithm.

The signature algorithm used by HDFC SmartGateway is HMAC-SHA256. The algorithm is explicitly passed as an argument so that verification is accurate. Newer or more secure algorithms might be introduced in the future.
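The verification steps above, written out as an added Python example; it is not part of the original page and is not HDFC SmartGateway's own sample code. It assumes the HMAC digest is Base64-encoded and that the gateway's percent-encoding matches Python's quote_plus; the order_id and status parameters, the response key and the merchant.example URL are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote_plus, urlencode, urlsplit

EXCLUDED = {"signature", "signature_algorithm"}


def signing_string(params):
    """Encode and sort the pairs, join them, then encode the joined string."""
    pairs = sorted((quote_plus(k), quote_plus(v))
                   for k, v in params.items() if k not in EXCLUDED)
    return quote_plus("&".join(f"{k}={v}" for k, v in pairs))


def expected_signature(params, response_key):
    """Percent-encoded HMAC-SHA256 of the signing string."""
    mac = hmac.new(response_key.encode(), signing_string(params).encode(),
                   hashlib.sha256).digest()
    # Assumption: the digest is Base64 text; the page does not name the encoding.
    return quote_plus(base64.b64encode(mac).decode())


def verify_return_url(return_url, response_key):
    """True only if return_url carries a valid HMAC-SHA256 signature."""
    # parse_qsl percent-decodes each value once; taken here to be the single
    # decode the page asks for on the received signature.
    params = dict(parse_qsl(urlsplit(return_url).query, keep_blank_values=True))
    # Pin the algorithm instead of letting the URL choose how it is verified.
    if params.get("signature_algorithm") != "HMAC-SHA256":
        return False
    expected = expected_signature(params, response_key)
    # Constant-time comparison of the two signature strings.
    return hmac.compare_digest(expected.encode(),
                               params.get("signature", "").encode())


def sample_return_url(params, response_key):
    """Constructed stand-in for the gateway redirect (demo input only)."""
    query = dict(params, signature=expected_signature(params, response_key),
                 signature_algorithm="HMAC-SHA256")
    return "https://merchant.example/payment/return?" + urlencode(query)


if __name__ == "__main__":
    key = "constructed-response-key"  # constructed value, not a real key
    url = sample_return_url({"order_id": "ORD 1001", "status": "CHARGED"}, key)
    print(verify_return_url(url, key))
    print(verify_return_url(url.replace("CHARGED", "FAILED"), key))
```

A tampered status value, a wrong key, a missing signature or an unexpected signature_algorithm all make verify_return_url return False, so the order should only be treated as paid when it returns True.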

It is also possible to check the status using the order status API. Based on the response object, a success confirmation page or failure message can be shown to the customer. Since this is an authenticated call, done from the server side, signature verification is not required.

Note

Initialize the secretKey variable with the Response Key value. Remember to update the secretKey variable with the correct secret key value before deploying.