
Checksum Generation and Validation

Paytm uses a checksum signature to ensure that API requests and responses exchanged between your application and Paytm over the network have not been tampered with. We use SHA256 hashing and the AES128 encryption algorithm to ensure the safety of transaction data.

Installation procedure for Checksum utility

The checksum generation and validation utility is available for multiple languages. It can be included in your application in the following ways:

  • Download the Paytm checksum utility from GitHub for your application platform and include it in your server-side module. Click the icon below to get the GitHub link for the respective language.
  • For some of the most used languages, e.g. Java, Python, PHP and Node, the checksum utility can also be installed in a few easy steps via Maven, pip, Composer and npm respectively. Refer to the steps given below.

Installing Paytm Checksum with Maven

 

Requirements

 

Java 1.7 or later.

 

Installing Paytm's Checksum utility with Maven

  1. Add the Maven repository below to your project's POM
    <repositories>
        <repository>
            <id>my-repo1</id>
            <url>http://artifactorypg.paytm.in/artifactory/libs-release</url>
        </repository>
    </repositories>

     

  2. Add the Maven dependency below to your project's POM
    <dependency>
        <groupId>com.paytm</groupId>
        <artifactId>paytm-checksum</artifactId>
        <version>1.2.0</version>
    </dependency>

     

  3. Build and install locally by executing the command below
    mvn install

     

Overview of checksum generation and validation

  1. The checksum is used to authenticate that requests and responses come from a trusted source and that the information has not been tampered with.
  2. After you have installed the checksum utility in your application, you need to generate the checksum when sending a request to any API whose authentication mechanism is checksum, e.g. the Initiate Transaction API.
  3. For checksum generation, use the request parameters of the API as explained in the API document. Use the function mentioned below to create the checksum.
  4. Paytm checks the checksumhash and parameters in the API request. Paytm processes the API request only if the checksum is valid.
  5. Once the transaction is processed, Paytm creates a checksumhash from the response parameters and sends it in the callback response along with the other parameters.
  6. You need to validate the checksumhash in the callback and webhook response. To validate the checksum in the response, use the function explained under Validate Checksum.

Note:

  1. When creating the checksum, use only the parameters mentioned in the API. Do not add extra parameters to the checksum creation.
  2. If any optional parameter is present in the API request, it must also be used in the checksum creation logic.

Create Checksumhash

After installing the Paytm Checksum utility using the steps in the installation procedure above, you need to create the checksum for the relevant APIs before sending the request. Please refer to the steps below.

 

JSON Request
 

For a JSON POST, create the checksumhash using your account's merchant key and the complete request body. Here the request body is passed as a string.

Sample checksumhash code for common languages is given below:
 

/* import checksum generation utility */
import com.paytm.pg.merchant.*;

/* initialize JSON String */
String body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

/**
 * Generate checksum by parameters we have in body
 * Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys
 */

String paytmChecksum = PaytmChecksum.generateSignature(body, "YOUR_MERCHANT_KEY");
System.out.println("generateSignature Returns: " + paytmChecksum);

 

 

Validate Checksum

The Paytm Checksum utility also validates the checksumhash and returns whether validation succeeded or failed. Checksum validation must be done on the callback and webhook responses.

 

JSON Request
 

Sample checksumhash validation code for common languages is given below:

 

/* import checksum generation utility */
import com.paytm.pg.merchant.*; 

/* string we need to verify against checksum */
String body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

/* checksum that we need to verify */
String paytmChecksum = "CHECKSUM_VALUE";

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
boolean isVerifySignature = PaytmChecksum.verifySignature(body, "YOUR_MERCHANT_KEY", paytmChecksum);
if (isVerifySignature) {
	System.out.append("Checksum Matched");
} else {
	System.out.append("Checksum Mismatched");
}

 

Form Post Request

 

For a form POST, validate the checksumhash using your account's merchant key and all of the API request parameters.

Note: This is used to validate the checksum in the callback response of a transaction.

Sample checksumhash validation code for common languages is given below:

 

/* import checksum generation utility and the collection types used below */
import com.paytm.pg.merchant.*;
import java.util.Map.Entry;
import java.util.TreeMap;

String paytmChecksum = null;

/* Create a TreeMap from the parameters received in POST */
TreeMap<String, String> paytmParams = new TreeMap<String, String>();
for (Entry<String, String[]> requestParamsEntry : request.getParameterMap().entrySet()) {
    if ("CHECKSUMHASH".equalsIgnoreCase(requestParamsEntry.getKey())){
        paytmChecksum = requestParamsEntry.getValue()[0];
    } else {
        paytmParams.put(requestParamsEntry.getKey(), requestParamsEntry.getValue()[0]);
    }
}

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
boolean isVerifySignature = PaytmChecksum.verifySignature(paytmParams, "YOUR_MERCHANT_KEY", paytmChecksum);
if (isVerifySignature) {
	System.out.append("Checksum Matched");
} else {
	System.out.append("Checksum Mismatched");
}
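
A stricter wrapper around the form-post validation above, added here as an example and not part of Paytm's code: it rejects a callback that has no CHECKSUMHASH, that repeats a field, or that makes the utility throw, rather than reading only the first value of each field. The class name, the SignatureCheck interface, the stub verifier and the sample field values are assumptions so that the example runs without the Paytm jar.

```java
import java.util.Map;
import java.util.TreeMap;

public class PaytmCallbackGuard {
    /** Same shape as PaytmChecksum.verifySignature(TreeMap, String, String) used on this page. */
    interface SignatureCheck {
        boolean verify(TreeMap<String, String> params, String key, String checksum) throws Exception;
    }

    /** Fails closed: true only for one checksum, no repeated fields, and a passing check. */
    static boolean isAuthentic(Map<String, String[]> posted, String merchantKey, SignatureCheck check) {
        if (merchantKey == null || merchantKey.isEmpty()) return false; // no key configured
        TreeMap<String, String> params = new TreeMap<>();
        String checksum = null;
        for (Map.Entry<String, String[]> e : posted.entrySet()) {
            String[] values = e.getValue();
            if (values == null || values.length != 1) return false;    // missing or repeated field
            if ("CHECKSUMHASH".equalsIgnoreCase(e.getKey())) {
                if (checksum != null) return false;                    // checksum sent under two spellings
                checksum = values[0];
            } else {
                params.put(e.getKey(), values[0]);
            }
        }
        if (checksum == null || checksum.isEmpty()) return false;      // unsigned callback
        try {
            return check.verify(params, merchantKey, checksum);
        } catch (Exception ex) {
            return false;                                              // malformed checksum: reject
        }
    }

    public static void main(String[] args) {
        // Stand-in verifier (assumption) so this runs without the Paytm jar;
        // in a real handler pass PaytmChecksum::verifySignature instead.
        SignatureCheck stub = (p, k, c) -> c.equals("CONSTRUCTED_OK");
        String key = "CONSTRUCTED_KEY"; // load the real key from a secret store, not from source
        Map<String, String[]> good = new TreeMap<>();              // constructed sample callback
        good.put("ORDERID", new String[] {"ORDER_1"});
        good.put("CHECKSUMHASH", new String[] {"CONSTRUCTED_OK"});
        Map<String, String[]> unsigned = new TreeMap<>();          // no checksum field at all
        unsigned.put("ORDERID", new String[] {"ORDER_1"});
        Map<String, String[]> repeated = new TreeMap<>(good);      // one field sent twice
        repeated.put("ORDERID", new String[] {"ORDER_1", "ORDER_2"});
        System.out.println("signed callback accepted: " + isAuthentic(good, key, stub));
        System.out.println("unsigned callback accepted: " + isAuthentic(unsigned, key, stub));
        System.out.println("repeated field accepted: " + isAuthentic(repeated, key, stub));
    }
}
```

In a servlet, pass `request.getParameterMap()` as the first argument and act on the order only when the method returns true.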