1 of 2

Callback Verification

HMAC Security Hash (optional)

HMAC Security Hash

Our server will always add a custom header, X-Ayetstudios-Security-Hash, containing a SHA256 HMAC hash of the request parameters and your publisher api key. Your API key can be found in your dashboard at ayetstudios.com under settings.

To verify the hash, perform the following steps:

Get all request parameters
Order the request parameters alphabetically
Build and compare the HMAC hash using the ordered request parameter string and your API key

PHP Example:

// Retrieve the GET parameters
$params = $_GET;

// URL-encode each parameter value
$encodedParams = array_map('urlencode', $params);

// Sort the parameters alphabetically by key
ksort($encodedParams, SORT_STRING);

// Build the sorted query string
$sortedQueryString = http_build_query($encodedParams, '', '&');

// Compute the HMAC hash using your API key
$apiKey = 'YOUR PUBLISHER API KEY';
$computedHash = hash_hmac('sha256', $sortedQueryString, $apiKey);

// Compare with the header-provided hash
if (isset($_SERVER['HTTP_X_AYETSTUDIOS_SECURITY_HASH']) &&
    $_SERVER['HTTP_X_AYETSTUDIOS_SECURITY_HASH'] === $computedHash) {
    // Valid signature: process the callback
} else {
    // Invalid signature: reject the callback
}

Example HMAC calculation

Assuming the below is the callback we sent to you:

https://your-site.com/postback/?transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561&amount=0.10&payout=1.50&user_id=testuser123456&click_id=1234abcd5678021

1) Get all request parameters

Strip away your domain and order the request parameters alphabetically.

In this example the parameters are already ordered alphabetically.

amount=0.10
click_id=1234abcd5678021
payout=1.50
transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561
user_id=testuser123456

2) Order the request parameters alphabetically

This is the ordered request parameter string for the HMAC hash calculation:

amount=0.10&click_id=1234abcd5678021&payout=1.50&transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561&user_id=testuser123456

Your API Key from the ayeT dashboard:

9f2228fea0d8e7ce10b2ac36053db14c

Important: Make sure you URL-encode every parameter value. This is crucial because special characters (like spaces) must be encoded (e.g. a space should become +) in order to match the original string that was hashed.

3) Build and compare the HMAC hash using the ordered request parameter string and your API key

Hashing the ordered request parameter string with your Secret Key (API Key) with SHA256, you will get the following HASH Key:

3191f052846df1beee6c1d42030fee7448ff8fc47a417bf714c2e0a1308fc010

Compare the HASH Key you calculated to the X-Ayetstudios-Security-Hash our server will always add as custom header for each conversion.

HMAC Security Hash (optional)

HMAC Security Hash

To verify the hash, perform the following steps:

Get all request parameters
Order the request parameters alphabetically
Build and compare the HMAC hash using the ordered request parameter string and your API key

PHP Example:

// Retrieve the GET parameters
$params = $_GET;

// URL-encode each parameter value
$encodedParams = array_map('urlencode', $params);

// Sort the parameters alphabetically by key
ksort($encodedParams, SORT_STRING);

// Build the sorted query string
$sortedQueryString = http_build_query($encodedParams, '', '&');

// Compute the HMAC hash using your API key
$apiKey = 'YOUR PUBLISHER API KEY';
$computedHash = hash_hmac('sha256', $sortedQueryString, $apiKey);

// Compare with the header-provided hash
if (isset($_SERVER['HTTP_X_AYETSTUDIOS_SECURITY_HASH']) &&
    $_SERVER['HTTP_X_AYETSTUDIOS_SECURITY_HASH'] === $computedHash) {
    // Valid signature: process the callback
} else {
    // Invalid signature: reject the callback
}

Example HMAC calculation

Assuming the below is the callback we sent to you:

https://your-site.com/postback/?transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561&amount=0.10&payout=1.50&user_id=testuser123456&click_id=1234abcd5678021

1) Get all request parameters

Strip away your domain and order the request parameters alphabetically.

In this example the parameters are already ordered alphabetically.

amount=0.10
click_id=1234abcd5678021
payout=1.50
transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561
user_id=testuser123456

2) Order the request parameters alphabetically

This is the ordered request parameter string for the HMAC hash calculation:

amount=0.10&click_id=1234abcd5678021&payout=1.50&transaction_id=8ee08f32ae611231b0a49d1bd66e9bf193132561&user_id=testuser123456

Your API Key from the ayeT dashboard:

9f2228fea0d8e7ce10b2ac36053db14c

3) Build and compare the HMAC hash using the ordered request parameter string and your API key

Hashing the ordered request parameter string with your Secret Key (API Key) with SHA256, you will get the following HASH Key:

3191f052846df1beee6c1d42030fee7448ff8fc47a417bf714c2e0a1308fc010

Compare the HASH Key you calculated to the X-Ayetstudios-Security-Hash our server will always add as custom header for each conversion.