The request is sent by HTTPS POST from an HTML form to the environment URL.
SHA-512 signature
Generate purchaseVerification by concatenating, without separators:
Apply SHA-512 to the resulting text and send the hexadecimal hash.
Process the return
The merchant response URL receives an HTTP POST with the transaction data. Before changing the order:
- Read the returned parameters.
- Recalculate the signature, adding
authorizationResult before the key.
- Compare the calculated signature with
purchaseVerification.
- Verify that the operation number, amount, and currency match the original order.
- Process the transaction idempotently to support repeated notifications.
Do not mix integration and production endpoints or keys. Never expose the SHA-2 key in HTML or JavaScript; generate signatures on the server.
Safari
The popup issue described in the source applies to JavaScript Modal invocations. A pure Redirect submits the form directly. If your implementation combines both behaviors, open any window from an explicit user action and test the flow in Safari.
Continue to parameters and notifications →