# HMAC Security Hash (optional) ## HMAC Security Hash Our server will always add a custom header, **X-Ayetstudios-Security-Hash**, containing a SHA256 HMAC hash of the request parameters and your publisher api key.\ Your API key can be found in your dashboard at ayetstudios.com under settings. To verify the hash, perform the following steps: 1. Get all request parameters 2. Order the request parameters alphabetically 3. Build and compare the HMAC hash using the ordered request parameter string and your API key PHP example: ```php // Retrieve the GET parameters $params = $_GET; // Sort the parameters alphabetically by key ksort($params, SORT_STRING); // Build the sorted query string $sortedQueryString = http_build_query($params, '', '&'); // Compute the HMAC hash using your API key $apiKey = 'YOUR PUBLISHER API KEY'; $computedHash = hash_hmac('sha256', $sortedQueryString, $apiKey); // Compare with the header-provided hash if (isset($_SERVER['HTTP_X_AYETSTUDIOS_SECURITY_HASH']) && $_SERVER['HTTP_X_AYETSTUDIOS_SECURITY_HASH'] === $computedHash) { // Valid signature: process the callback } else { // Invalid signature: reject the callback } ``` Javascript example: ```typescript import crypto from "crypto"; // Retrieve the GET parameters from the request URL const url = new URL(request.url); const params = url.searchParams; // Sort the parameters alphabetically by key const sorted = new URLSearchParams( [...params.entries()].sort(([a], [b]) => a.localeCompare(b)) ); // Build the sorted query string const sortedQueryString = sorted.toString(); // Compute the HMAC hash using your API key const apiKey = "YOUR PUBLISHER API KEY"; const computedHash = crypto .createHmac("sha256", apiKey) .update(sortedQueryString) .digest("hex"); // Compare with the header-provided hash const securityHash = request.headers.get("X-Ayetstudios-Security-Hash"); if (securityHash === computedHash) { // Valid signature: process the callback } else { // Invalid signature: reject the callback } ``` Python example: ```python import hmac import hashlib from urllib.parse import urlparse, parse_qs, urlencode # Retrieve the GET parameters from the request URL params = parse_qs(urlparse(request.url).query, keep_blank_values=True) # Sort the parameters alphabetically by key and flatten values sorted_params = sorted(params.items()) # Build the sorted query string sorted_query_string = urlencode([(k, v[0]) for k, v in sorted_params]) # Compute the HMAC hash using your API key api_key = "YOUR PUBLISHER API KEY" computed_hash = hmac.new( api_key.encode(), sorted_query_string.encode(), hashlib.sha256 ).hexdigest() # Compare with the header-provided hash security_hash = request.headers.get("X-Ayetstudios-Security-Hash") if security_hash == computed_hash: # Valid signature: process the callback pass else: # Invalid signature: reject the callback pass ``` ## Example HMAC calculation Assuming the below is the callback we sent to you: 
https://your-site.com/postback/?transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561&amount=0.10&payout=1.50&user_id=testuser123456&click_id=1234abcd5678021&offer_name=TEST+OFFER
**1) Get all request parameters** Strip away your domain and get the request parameters. ``` transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561 amount=0.10 payout=1.50 user_id=testuser123456 click_id=1234abcd5678021 offer_name=TEST OFFER ``` **2) Sort the parameters alphabetically and URL-encode the values** This is crucial because special characters (like spaces) must be encoded (e.g. a space should become +) in order to match the original string that was hashed. ``` amount=0.10&click_id=1234abcd5678021&offer_name=TEST+OFFER&payout=1.50&transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561&user_id=testuser123456 ``` Your API Key from the ayeT dashboard: ``` 9f2228fea0d8e7ce10b2ac36053db14c ``` {% hint style="danger" %} I**mportant:** Make sure you URL-encode every parameter value. This is crucial because special characters (like spaces) must be encoded (e.g. a space should become +) in order to match the original string that was hashed. {% endhint %} **3) Build and compare the HMAC hash using the ordered request parameter string and your API key** Hashing the **ordered request parameter string** with your Secret Key (API Key) with SHA256, you will get the following HASH Key: ``` 62a32725866780ada1dec3d62232645f2801e05a91df7b0202e9b780f804f04b ``` Compare the HASH Key you calculated to the **X-Ayetstudios-Security-Hash** our server will always add as a custom header for each conversion.