Computing the signature

To be able to compute the signature, you must have:
  • all the fields that start withvads_
  • the signature algorithm chosen in the shop configuration
  • the key

The key value is available in your Merchant Back Office via Settings > Shop > Keys tab.

The signature algorithm is defined in your Merchant Back Office via Settings > Shop > Configuration tab.

For maximum security, it is recommended to use HMAC-SHA-256 algorithm and an alphanumeric key.

The use of SHA-1 algorithm is deprecated but maintained for compliance reasons.

To compute the signature:

  1. Sort the fields whose name begins withvads_alphabetical order.
  2. Make sure that all the fields are encoded in UTF-8.
  3. Concatenate the values of these fields separating them with the " character+”.
  4. Concatenate the result with the test or production key separating them with the “ character+”.
  5. According to the signature algorithm defined in your shop configuration:
    1. If your shop is configured to use “SHA-1”, apply the SHA-1 hash function to the chain obtained during the previous step. Deprecated.
    2. If your shop is configured to use “HMAC-SHA-256”, compute and encode in Base64 format the message signature using the HMAC-SHA-256 algorithm with the following parameters:
      • the SHA-256 hash function,
      • the test or production key (depending on the value of the fieldvads_ctx_mode) as a shared key,
      • the result of the previous step as the message to authenticate.
  6. Save the result of the previous step in the fieldsignature.
Example of parameters sent to the payment gateway:
<form method="POST" action="https://paiement.systempay.fr/vads-payment/">
<input type="hidden" name="vads_action_mode" value="INTERACTIVE" />
<input type="hidden" name="vads_amount" value="5124" />
<input type="hidden" name="vads_ctx_mode" value="TEST" />
<input type="hidden" name="vads_currency" value="978" />					
<input type="hidden" name="vads_page_action" value="PAYMENT" />
<input type="hidden" name="vads_payment_config" value="SINGLE" />
<input type="hidden" name="vads_site_id" value="12345678" />
<input type="hidden" name="vads_trans_date" value="20170129130025" />
<input type="hidden" name="vads_trans_id" value="123456" />
<input type="hidden" name="vads_version" value="V2" />
<input type="hidden" name="signature" value="ycA5Do5tNvsnKdc/eP1bj2xa19z9q3iWPy9/rpesfS0="/>					
<input type="submit" name="pay" value="Pay"/>
</form>

This sample form is analyzed as follows:

  1. We sort in alphabetical order the fields whose name begins withvads_ :
    • vads_action_mode
    • vads_amount
    • vads_ctx_mode
    • vads_currency
    • vads_page_action
    • vads_payment_config
    • vads_site_id
    • vads_trans_date
    • vads_trans_id
    • vads_version
  2. We concatenate the value of these fields with the " character+" :
    INTERACTIVE+5124+TEST+978+PAYMENT+SINGLE+12345678+20170129130025+123456+V2
  3. The value of the test key is added at the end of the chain and separated with the " character.+”. In this example, the test key is1122334455667788
    INTERACTIVE+5124+TEST+978+PAYMENT+SINGLE+12345678+20170129130025+123456+V2+1122334455667788
  4. If you use the SHA-1 algorithm, apply it to the obtained chain.

    The result that must be transmitted in the signature field is:59c96b34c74b9375c332b0b6a32e6deeec87de2b

  5. If your shop is configured to use “HMAC-SHA-256”, compute and encode in Base64 format the message signature using the HMAC-SHA-256 algorithm with the following parameters:
    • the SHA-256 hash function,
    • the test or production key (depending on the value of the fieldvads_ctx_mode) as a shared key,
    • the result of the previous step as the message to authenticate.

    The result that must be transmitted in the signature field is:

    ycA5Do5tNvsnKdc/eP1bj2xa19z9q3iWPy9/rpesfS0=