To continue receiving payouts, you need to secure your account by turning on two-step authentication. If two-step authentication is not turned on your payouts will be paused. Learn more

Clarity on HMAC SHA256 signature calculation

7 0 2

This is in regard to the HPSDK (hosted payments SDK)

According to this documentation the x_signature field is calculated from 

a string of all key-value pairs that start with x_ prefix, sorted alphabetically, and concatenated without separators

The x_signature can be tested by using this tool here where one can fill in the message fields, key and then check the signature against their own to ensure the calculation is correct. We did this, and can confirm that our signature calculation agreed with the demo (see this example) however, when we receive a payment request message from Shopify to our gateway, the signature appears to be invalid.

Is the instruction above which indicates that the message in the HMAC calculation is "a string of all key-value pairs that start with x_ prefix" correct? I noticed that there are a few other fields being sent in the request that are not covered in the documentation. See the below Shopify request form post:

- utf8=✓
- authenticity_token=TGxzrJxAOmNLWXycL9TQo69q/zAqX5lJgYxiKIgOd/JHLRISI0wIkRGCTNqUCb4riA1Hrynjf/5VvZ/wyu5RpQ==

- x_reference=385372422164
- x_account_id=1241
- x_amount=15.75
- x_currency=USD
- x_url_callback=
- x_url_complete=
- x_shop_country=ZW
- x_shop_name=xxxxxxxx
- x_test=true
- x_customer_first_name=xxxxxxxx
- x_customer_last_name=xxxxxxxx
- x_customer_email=xxxxxxxx
- x_customer_billing_country=xxxxxxxx
- x_customer_billing_city=xxxxxxxx
- x_customer_billing_address1=xxxxxxxx
- x_customer_shipping_country=xxxxxxxx
- x_customer_shipping_first_name=xxxxxxxx
- x_customer_shipping_last_name=xxxxxxxx
- x_customer_shipping_city=xxxxxxxx
- x_customer_shipping_address1=xxxxxxxx
- x_invoice=#385372422164
- x_description=webdevzw - #385372422164
- x_url_cancel=
- x_signature=da5089b9e1d40817989512c4ecc3bc17ec189554823c2ac88497bc1955b0342e

Any help would be greatly appreciated.

Replies 2 (2)
Shopify Staff
Shopify Staff
1561 81 334

Hey James.

To clarify, you need only alphabetically sort all fields beginning with x_,  sort them alphabetically, and join them into a single string with no spearators for computation. Following those rules, you shouldn't have to worry about if more/fewer fields beginning with x_ are provided as the above algorithm should safely still apply.


Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

7 0 2

Thanks for your response Alex - spot on. Sorry to have been a moron, we were using a GUID as our secret key directly to byte array which meant it was in fact UPPERCASE characters, whilst our Shopify payment method setup was being given the GUID as a string in lowercase (facepalm)

Fixed and working like a charm using ASP.Net C#