On This Page
REST API

Generating the Signature Hash

The signature hash is a Base64-encoded HMAC SHA-256 hash of the header fields and their values. The following information must be included in the signature hash:
  • Date
    : From the header, the date and time in the RFC1123 format.
    For example:
    Date: Thu, 18 Jul 2023, 22:18:03.
  • Digest
    : The Base64-encoded SHA-256 hash of the message body. See Generating a Hash of the Message Body.
    For example:
    Digest: SHA-256=gXWufV4Zc7VkN9Wkv9jh/JuAVclqDusx3vkyo3uJFWU=
    .
    Do not include the digest with GET requests.
  • Host
    : From the header, the endpoint host.
    For example:
    apitest.cybersource.com
    .
  • v-c-merchant-id
    : From the header, the merchant ID associated with the request.
    For example:
    v-c-merchant-id: mymerchantid
    .
  • request-target
    : The HTTP method and endpoint resource path.
    For example:
    request-target: post /pts/v2/payments/
    .
Follow these steps to generate the signature hash value:
  1. Generate a byte array of the secret key generated previously. See Creating a Shared Secret Key Pair.
  2. Generate the HMAC SHA-256 key object using the byte array of the secret key.
  3. Concatenate a string of the required information listed above.
    For more information, see
    Creating the Validation String
     below.
  4. Generate a byte array of the validation string.
  5. Use the HMAC SHA-256 key object to create the HMAC SHA-256 hash of the validation string byte array.
  6. Base64 encode the HMAC SHA-256 hash.

Example: Signature Hash

signature=”OuKeDxj+Mg2Bh9cBnZ/25IXJs5n+qj93FvPKYpnqtTE=”

Creating the Validation String

To create the validation string, concatenate the required information in the same order as listed in the signature header field parameter. Each item must be on a separate line, and each line should be terminated with a new line character
/n
.
Validation String Example
host: 
apitest.cybersource.com
/n
date: Thu, 18 Jul 2019 00:18:03 GMT/n
request-target: post /pts/v2/payments//n
digest: SHA-256=gXWufV4Zc7VkN9Wkv9jh/JuAVclqDusx3vkyo3uJFWU=/n
v-c-merchant-id: mymerchantid

Sample Code: Generating a Signature Hash in C#

private static string GenerateSignatureFromParams(string signatureParams, string secretKey) {
var sigBytes = Encoding.UTF8.GetBytes(signatureParams);
var decodedSecret = Convert.FromBase64String(secretKey);
var hmacSha256 = new HMACSHA256(decodedSecret);
var messageHash = hmacSha256.ComputeHash(sigBytes);
return Convert.ToBase64String(messageHash);
}

Sample Code: Generating a Signature Hash in Java

public static String GenerateSignatureFromParams(String keyString, 
String signatureParams) throws InvalidKeyException, NoSuchAlgorithmException {
byte[] decodedKey = Base64.getDecoder().decode(keyString);
SecretKey originalKey = new SecretKeySpec(decodedKey, 0, decodedKey.length, "HmacSHA256");
Mac hmacSha256 = Mac.getInstance("HmacSHA256");
hmacSha256.init(originalKey);
hmacSha256.update(signatureParams.getBytes());
byte[] HmachSha256DigestBytes = hmacSha256.doFinal();
return Base64.getEncoder().encodeToString(HmachSha256DigestBytes);}