Skip to main content

Validate order source

Validate order source

Last updated: 29-Feb-2024
Rate this article:


2Checkout provides a HASH signature enabling you to check the source and validity of placed orders in scenarios requiring customers to go through extra steps after successfully finishing the ordering process to access the purchased product/service.

An example is requiring some additional information from your customers after they place the order to let them access their subscription.

  1. The customer places the order and views the Thank you page.
  2. The customer is redirect to your website via a link containing all parameters necessary for you to validate the order.
  3. You need to check the data sent by the 2Checkout system.


2Checkout offers the following elements that you can use for validation:

  1. The securityHashSource string. securityHashSource is a serialized value of the order reference number, order status, list of products IDs, list of quantities for each product and order date.

    Example: securityHashSource components:

    • order reference number (643276 - 6 characters); 

    • the order status (AUTHRECEIVED - 12 chars);

    • two products (with IDs 123456 - 6 chars, and 234567 - 6 chars);

    • quantities for each product ( 2 x 123456 and 3 x 234567);

    • order date (2012-11-02 20:32:12 - 19 characters); 
      The esulting securityHashSource is: 664327612AUTHRECEIVED61212345662345671213192012-11-02 20:32:12 - logically divided as following (6)643276(12)AUTHRECEIVED(6)12123456(6)234567(1)2(1)3(19)2012-11-02 20:32:12.

      Explanation: (no. of chars) ref. no. value (no. of chars) order status (no. of chars for each product id) product id (no. of chars for each quantity) quantity value (no. of chars) order date value. Note: datetime stamps sent use the timezone of the 2Checkout servers.

  2. The securityHash string is created using hmac for the securityHashSource and your 2Checkout secret code. For PHP: hash_hmac('md5', $hashSource, $SECRETKEY).
  3. Order date is also offered to help with hash integrity, ensuring that it cannot be used twice. Order date can also be parsed from the securityHashSource (standard string of 19 chars).
Rate this article:

Need help?

Do you have a question? If you didn’t find the answer you are looking for in our documentation, you can contact our Support teams for more information. If you have a technical issue or question, please contact us. We are happy to help.

Not yet a Verifone customer?

We’ll help you choose the right payment solution for your business, wherever you want to sell, in-person or online. Our team of experts will happily discuss your needs.

Verifone logo