Status Verification
The signature parameter in the return_url gives the HMAC signature computed using the algorithm specified by the signature_algorithm parameter. The HMAC is calculated using the following algorithm:
1. Get all the parameters (key=value pairs) from the return_url.
   - It is assumed that the parameters in the return_url are converted into key/value pairs.
   - All parameters except signature and signature_algorithm are used in the following steps.
2. Percent-encode each key and value.
3. Sort the list of parameters alphabetically (ASCII-based sort) by encoded key.
4. For each key/value pair:
   - Append the encoded key to the output string.
   - Append the '=' character to the output string.
   - Append the encoded value to the output string.
   - If there is more than one key/value pair, append a '&' character to the output string.
5. Percent-encode the generated string.
6. Calculate the HMAC of the string using the Response Key configured in merchant settings.
7. Percent-encode the generated hash and validate it against the signature in the response (the signature should be percent-decoded once before comparing with the generated hash).
To enable signature generation at JusPay's end for the payment response, you must first create a response key under Settings in the Juspay dashboard (https://dashboard.expresscheckout.juspay.in/). Once you have created a key successfully, navigate to the Settings > General section of the dashboard and select "Yes" for the option "Use signed response".
Once you have completed the above two steps, every redirection from JusPay to your website will carry the signature and the algorithm.
The signature algorithm used by JusPay is HMAC-SHA256. The algorithm is explicitly passed as an argument so that verification is accurate. Newer or more secure algorithms might be introduced in the future.
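The verification steps above as a server-side check, written for this page as an added example and not Juspay's own code; it compares in constant time and accepts only algorithms the server has allow-listed, whatever signature_algorithm the URL names. Assumptions: the raw digest is Base64 text before it is percent-encoded, '&' is a separator between pairs, percent-encoding escapes everything outside the RFC 3986 unreserved set, and the field names, response key and merchant URL in the sample are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Allow-list: the URL names the algorithm, but only server-approved ones are accepted.
ALGORITHMS = {"HMAC-SHA256": hashlib.sha256}
EXCLUDED = ("signature", "signature_algorithm")


def enc(text):
    # Assumed encoding variant: everything outside RFC 3986 unreserved is escaped.
    return quote(text, safe="")


def expected_signature(params, response_key, digestmod):
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k not in EXCLUDED)
    message = enc("&".join(f"{k}={v}" for k, v in pairs))  # encode the joined string again
    mac = hmac.new(response_key.encode(), message.encode(), digestmod)
    # Assumption: the raw digest is Base64 text before it is percent-encoded.
    return enc(base64.b64encode(mac.digest()).decode())


def verify_return_url(return_url, response_key):
    # parse_qsl percent-decodes every value once, the signature included.
    params = dict(parse_qsl(urlsplit(return_url).query, keep_blank_values=True))
    digestmod = ALGORITHMS.get(params.get("signature_algorithm"))
    received = params.get("signature")
    if digestmod is None or not received:
        return False  # unsigned, or an algorithm this server does not accept
    expected = expected_signature(params, response_key, digestmod)
    return hmac.compare_digest(expected.encode(), received.encode())


def sample_return_url(response_key, **fields):
    # Constructed test input: signs hypothetical fields the way the steps describe.
    fields["signature_algorithm"] = "HMAC-SHA256"
    fields["signature"] = expected_signature(fields, response_key, hashlib.sha256)
    return "https://merchant.example/return?" + urlencode(fields)


if __name__ == "__main__":
    key = "constructed-response-key"
    url = sample_return_url(key, order_id="ORD-1001", status="CHARGED")
    print(verify_return_url(url, key))                                 # genuine URL
    print(verify_return_url(url.replace("CHARGED", "REFUNDED"), key))  # altered status
```

A False result means the redirect parameters should not be trusted for showing a success page.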
It is also possible to check the status using the order status API. Based on the response object, a success confirmation page or failure message can be shown to the customer. Since this is an authenticated call, done from the server side, signature verification is not required.

