Validate order source

Last updated: 30-Apr-2018
2Checkout provides a HASH signature enabling you to check the source and validity of placed orders in scenarios requiring customers to go through extra steps after successfully finishing the ordering process to access the purchased product/service.

An example is requiring some additional information from your customers after they place the order to let them access their subscription.

  1. The customer places the order and views the Thank you page.
  2. The customer is redirected to your website via a link containing all parameters necessary for you to validate the order.
  3. You need to check the data sent by the 2Checkout system.


2Checkout offers the following elements that you can use for validation:

  1. The securityHashSource string. securityHashSource is a serialized value of the order reference number, order status, list of products IDs, list of quantities for each product and order date.

    Example: securityHashSource components:

    • order reference number (643276 - 6 characters); 

    • the order status (AUTHRECEIVED - 12 chars);

    • two products (with IDs 123456 - 6 chars, and 234567 - 6 chars);

    • quantities for each product (2 x 123456 and 3 x 234567);

    • order date (2012-11-02 20:32:12 - 19 characters); 
      The resulting securityHashSource is: 664327612AUTHRECEIVED61212345662345671213192012-11-02 20:32:12 - logically divided as follows: (6)643276(12)AUTHRECEIVED(6)12123456(6)234567(1)2(1)3(19)2012-11-02 20:32:12.

      Explanation: (no. of chars) ref. no. value (no. of chars) order status (no. of chars for each product id) product id (no. of chars for each quantity) quantity value (no. of chars) order date value. Note: datetime stamps sent use the timezone of the 2Checkout servers.

  2. The securityHash string is an HMAC computed over the securityHashSource, with your 2Checkout secret code as the key. For PHP: hash_hmac('md5', $hashSource, $SECRETKEY).
  3. Order date is also offered to help with hash integrity, ensuring that it cannot be used twice. Order date can also be parsed from the securityHashSource (standard string of 19 chars).
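
One way to carry out the check in step 3 of the flow above, as an added PHP example that is not 2Checkout's own code: it authenticates securityHashSource with hash_hmac, confirms the string matches the order you hold on record, and rejects a second presentation of the same link. The function names, the $order array keys, the $seen replay store and all sample values are constructed for illustration; the serialization follows the Explanation line (character count, then value).

```php
<?php
// Added example, not 2Checkout code; names and sample values are constructed.
// Serialize as the Explanation line describes: character count, then value.
function buildHashSource(string $ref, string $status, array $ids, array $qtys, string $date): string
{
    $out = '';
    foreach (array_merge([$ref, $status], $ids, $qtys, [$date]) as $value) {
        $value = (string) $value;
        $out .= strlen($value) . $value;
    }
    return $out;
}

// True only if the hash is authentic, matches the order on record and is
// seen for the first time. $seen stands in for a persistent store.
function validateOrderSource(string $source, string $hash, string $secret, array $order, array &$seen): bool
{
    // 1. Authenticate the received string; hash_equals() is constant-time.
    $expectedHash = hash_hmac('md5', $source, $secret);
    if (!hash_equals($expectedHash, strtolower($hash))) {
        return false;
    }
    // 2. The order date is the trailing 19 characters of the source.
    $date = substr($source, -19);
    if (!preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $date)) {
        return false;
    }
    // 3. Bind the hash to the order you hold, not just to any valid order.
    $rebuilt = buildHashSource($order['ref'], $order['status'], $order['ids'], $order['qtys'], $date);
    if ($rebuilt !== $source) {
        return false;
    }
    // 4. Refuse a second use of the same signed string.
    if (isset($seen[$expectedHash])) {
        return false;
    }
    $seen[$expectedHash] = true;
    return true;
}

$secret = 'EXAMPLE-SECRET-CODE'; // constructed; use your 2Checkout secret code
$order  = ['ref' => '700001', 'status' => 'AUTHRECEIVED', 'ids' => ['111111', '222222'], 'qtys' => [1, 4]];
$source = buildHashSource('700001', 'AUTHRECEIVED', ['111111', '222222'], [1, 4], '2018-04-30 10:15:00');
$hash   = hash_hmac('md5', $source, $secret); // stands in for the securityHash in the link
$other  = ['ref' => '700002'] + $order;        // a different order on record
$seen   = [];
var_dump(validateOrderSource($source, $hash, $secret, $other, $seen)); // valid hash, wrong order
var_dump(validateOrderSource($source, $hash, $secret, $order, $seen)); // first presentation
var_dump(validateOrderSource($source, $hash, $secret, $order, $seen)); // replayed link
```

In production the replay store has to survive across requests (a database table or cache keyed by the hash), since an in-memory array is reset on every page load.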