Computing the IPN signature

The signature is computed by following the same logic as for creating the payment request.

The data submitted by the payment gateway is encoded in UTF-8. Any alteration of received data will result in a signature computation error.

You must compute the signature with the fields received in the notification and not the ones that you transmitted in the payment request.

  1. Take all the fields whose name starts with vads_.
  2. Sort these fields alphabetically.
  3. Concatenate the values of these fields separating them with the “+” character.
  4. Concatenate the result with the test or production key separating them with a “+”.
  5. According to the signature algorithm defined in your shop configuration:
    1. If your shop is configured to use “SHA-1”, apply the SHA-1 hash function to the chain obtained during the previous step. Deprecated.
    2. If your shop is configured to use “HMAC-SHA-256”, compute and encode in Base64 format the message signature using the HMAC-SHA-256 algorithm with the following parameters:
      • the SHA-256 hash function,
      • the test or production key (depending on the value of the vads_ctx_mode field) as a shared key,
      • the result of the previous step as the message to authenticate.
Examples in PHP:
function getSignature ($params,$key)
     *Function that computes the signature.
     * $params: table containing the fields received in the IPN.
     * $key : TEST or PRODUCTION key
    //Initialization of the variable that will contain the string to encrypt
    $signature_contents = "";
    //Sorting fields alphabetically
    foreach($params as $name=>$value){
        //Recovery of vads_ fields
        if (substr($name,0,5)=='vads_'){
            //Concatenation with "+"
            $signature_contents .= $value."+";
    //Adding the key at the end
    $signature_contents .= $key;
    //Encoding base64 encoded chain with HMAC-SHA-256 algorithm
    $sign = base64_encode(hash_hmac('sha256',$signature_contents, $key, true));
    return $sign;