Checksum

Flutterwave secures payments made on the client side by using a hashed value in a field called payload_hash. This hash is created by hashing some immutable values in your request. We compute the hash at runtime and compare it to the value passed in your request to ensure that the payment is secure.

💡 If you are making a payment using Flutterwave Checkout via any of these integration methods (Inline, Standard, or HTML Checkout), ensure that you pass the hash in all your requests.

To generate the hash, follow these steps:

  1. Retrieve the following data for the hash: amount, currency, customer_email, tx_ref
  2. Create a SHA256 hash of your secret key
  3. Concatenate the values of the transaction amount, currency, your customer's email, transaction reference, and your hashed secret key in this exact order, with no separators.
  4. Generate a SHA256 hash of the concatenated string in step 3.
  5. Add the generated hash from step 4 to the payload_hash field of the FlutterwaveCheckout object, and then render the checkout.
  6. Instruct the user to complete the payment.
  7. After completing the payment, verify the transaction as you normally would before providing value to the user.

When generating a hash, make sure to use a secure backend server that utilizes your secret key. Do not fetch the data from the request body of your HTTP request. Instead, fetch it from a secure datastore.

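```javascript
const crypto = require("crypto");

const getDataForHash = (reference_number) => {
  // Retrieve data [customer_email, tx_ref, currency, amount] from your preferred data store
  // using a reference number or identifier of your choice.
  // Placeholder record so the sample runs; replace it with your datastore lookup.
  return { amount: "100", currency: "NGN", customer_email: "user@example.com", tx_ref: reference_number };
};

const { amount, currency, customer_email, tx_ref } = getDataForHash("YOUR_PAYMENT_REFERENCE");
const hashedSecretKey = crypto.createHash("sha256").update(process.env.FLW_SEC_KEY, 'utf8').digest("hex");
const StringToBeHashed = amount + currency + customer_email + tx_ref + hashedSecretKey;
const payload_hash = crypto.createHash("sha256").update(StringToBeHashed, 'utf8').digest("hex");

console.log(payload_hash);
```
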
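```python
import hashlib, os
from dotenv import load_dotenv

load_dotenv()

secretKey = os.getenv('SECRET_KEY')
publicKey = os.getenv('PUBLIC_KEY')

# Transaction details loaded from your secure datastore, not from the HTTP request body.
# Placeholder values so the sample runs; replace them with the stored record.
data = {
    "amount": "100",
    "currency": "NGN",
    "customer": {"email": "user@example.com"},
    "tx_ref": "YOUR_PAYMENT_REFERENCE",
}

def shaEncryption(value):
    # Despite the name, this is a one-way SHA256 hash (hex-encoded), not encryption.
    return hashlib.sha256(value.encode()).hexdigest()

hashedSecretKey = shaEncryption(secretKey)
# Order matters: amount, currency, customer email, tx_ref, hashed secret key, no separators.
StringToBeHashed = str(data["amount"]) + data["currency"] + data["customer"]["email"] + data["tx_ref"] + hashedSecretKey
payload_hash = shaEncryption(StringToBeHashed)
print(payload_hash)
```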

```html
<script src="https://checkout.flutterwave.com/v3.js"></script>

<form>
 <button type="button" onclick="makePayment()">Pay Now</button>
</form>

<script>
 function makePayment() {
   // process.env does not exist in the browser; have your server render the public key into the page.
   const FLW_PUBLIC_KEY = 'YOUR_PUBLIC_KEY';
     FlutterwaveCheckout({
      public_key: FLW_PUBLIC_KEY,
      amount: '100',
      tx_ref: 'YOUR_PAYMENT_REFERENCE',
      currency: 'NGN',
      customer: {
        email: 'user@example.com',
        phone_number: '09012345678',
        name: 'John Doe',
      },
      redirect_url: 'https://example_company.com/success',
      customizations: {
        title: 'Test Payments',
      },
      // Hash generated on your backend server; never compute it in the browser.
      payload_hash: "YOUR_ENCRYPTED_HASH"
    });
 }
</script>
```

If any value in the payload is tampered with, causing it to be inconsistent with the generated hash, we will return an error message to the customer on the Flutterwave Checkout once the payment is submitted.

Before giving value, verify the payment details and compare the amount, currency, and reference as you normally would.
