Hash Verification
In this section you become familiar with the following parts of the in-game payment integration procedure:
- How to verify the hash.
Hash verification
It is important that you verify the hash to:
- Make sure that you accept only actual payments.
- Avoid accepting fake payment notifications that do not originate from the Spil Games payment service.
To create the hash, concatenate the following parameters into one single string, in the order listed, and generate a SHA-256 hash of that string:
Parameter | Notes |
---|---|
secret | Unique, 12-character alphanumeric key. It is displayed in the payment administration tool, under Menu > Account > Publisher Information. |
amount | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
paid amount | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
currency code | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
SKU unit | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
SKU type | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
status | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
transaction token | Its value needs to be identical to the one included in the POST request sent by Spil Games. Unique identifier for the payment selection screen instantiation. Every time the payment selection screen is triggered, a new transaction token is generated. |
user ID | Its value needs to be identical to the one included in the POST request sent by Spil Games. |
transaction ID | Its value needs to be identical to the one included in the POST request sent by Spil Games. Every time a new payment is initiated, a new transaction ID is issued. Use this parameter and the corresponding value to verify payments on your end. |
Examples
Note
All code examples are syntactically correct, but they use dummy data values.
When you copy-paste these examples, make sure you replace the dummy data with actual, valid data.
PHP POST data
This PHP code example shows how the POST data response is built.
Notice how the hash is created ($myCalculatedHash variable) and then checked against the hash value included in the POST data to verify the transaction validity (if/else conditional statement):
```php
<?php
// Your secret string. You use the same secret for all your games or applications.
// Contact Spil Games to request it.
$secret = 'd7e5aazq8klP';

// Values exactly as received in the POST request sent by Spil Games.
$amount = $_POST['amount'];
$paidAmount = $_POST['paid_amount'];
$currency = $_POST['currency'];
$skuunit = $_POST['sku_unit'];
$skutype = $_POST['sku_type'];
$status = $_POST['status'];
$transactiontoken = $_POST['transaction_token'];
$userid = $_POST['user_id'];
$transactionid = $_POST['transaction_id'];

// SHA-256 over the secret followed by the parameters, concatenated in this order.
$myCalculatedHash = hash('sha256', "{$secret}{$amount}{$paidAmount}{$currency}{$skuunit}{$skutype}{$status}{$transactiontoken}{$userid}{$transactionid}");

// hash_equals() compares in constant time; a missing or non-string hash never matches.
$receivedHash = (isset($_POST['hash']) && is_string($_POST['hash'])) ? $_POST['hash'] : '';
if (hash_equals($myCalculatedHash, $receivedHash)) {
    echo 'The hash checks out. The payment is valid.';
} else {
    echo 'The hash is invalid. This payment does not originate from the Spil Games payment service. Do not process!';
} // End of the code example
```
Callback POST data example; the payment status is PAID:
```
(
[transaction_id] ⇒ 12345678 // Check this parameter to verify a transaction
[amount] ⇒ 123
[paid_amount] ⇒ 123
[game_id] ⇒ 175
[site_id] ⇒ 16
[channel_id] ⇒ 1
[package_id] ⇒ 12345
[sku_type] ⇒ MegaCoins
[sku_unit] ⇒ 100
[transaction_token] ⇒ unique-alphanumeric-string-1234
[custom_parameters] ⇒
[status] ⇒ PAID
[user_id] ⇒ phineasgauge1823
[internal_sku_name] ⇒ gamecoins
[created] ⇒ 2013-06-30 19:00:05
[lastmodified] ⇒ 2013-06-30 19:01:12
[paymentMethod] ⇒ sms
[provider] ⇒ payment-provider-name
[currency] ⇒ EUR
[hash] ⇒ f15da616592a0eb
[is_subscription] ⇒ 0
)
```
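The hash check wrapped into a callback handler, as an added example that is not Spil Games code: it rejects notifications with missing or malformed fields, compares the hash in constant time, and uses transaction_id to refuse a notification that was already processed. The function name `verifyCallback`, the `HASHED_FIELDS` constant and the `$seen` array (a stand-in for persistent storage) are assumptions; the sample values are constructed from the dummy callback data above.

```php
<?php
// Added example, not Spil Games code. Order follows the parameter table; the secret goes first.
const HASHED_FIELDS = ['amount', 'paid_amount', 'currency', 'sku_unit', 'sku_type',
                       'status', 'transaction_token', 'user_id', 'transaction_id'];

// Returns [bool $accepted, string $reason]. $seen is a hypothetical stand-in for a
// persistent store of processed transaction IDs (e.g. a unique database column).
function verifyCallback(array $post, string $secret, array &$seen): array
{
    foreach (array_merge(HASHED_FIELDS, ['hash']) as $field) {
        // A parameter sent as amount[]=1 arrives as an array; treat it as malformed.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return [false, "missing or malformed field: $field"];
        }
    }
    $message = $secret;
    foreach (HASHED_FIELDS as $field) {
        $message .= $post[$field];
    }
    // hash_equals() compares in constant time.
    if (!hash_equals(hash('sha256', $message), $post['hash'])) {
        return [false, 'hash mismatch'];
    }
    // Only HASHED_FIELDS are covered by the hash. Other POST values (package_id,
    // game_id, ...) are not authenticated by it, so do not base fulfilment on them.
    if (isset($seen[$post['transaction_id']])) {
        return [false, 'transaction_id already processed'];
    }
    $seen[$post['transaction_id']] = true;
    return [true, 'ok'];
}

// Constructed sample built from the dummy callback data shown above.
$secret = 'd7e5aazq8klP';
$post = ['amount' => '123', 'paid_amount' => '123', 'currency' => 'EUR',
         'sku_unit' => '100', 'sku_type' => 'MegaCoins', 'status' => 'PAID',
         'transaction_token' => 'unique-alphanumeric-string-1234',
         'user_id' => 'phineasgauge1823', 'transaction_id' => '12345678',
         'package_id' => '12345'];
$post['hash'] = hash('sha256', $secret . '123123EUR100MegaCoinsPAID'
    . 'unique-alphanumeric-string-1234phineasgauge182312345678');
$seen = [];
print_r(verifyCallback($post, $secret, $seen));                            // genuine notification
print_r(verifyCallback($post, $secret, $seen));                            // same notification again
print_r(verifyCallback(['sku_unit' => '100000'] + $post, $secret, $seen)); // field altered after hashing
```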