All messages (requests and responses) between FreedomPay and the merchant are signed. To form a signature, concatenate the following, using ; as the delimiter:
- the name of the called script (from the last / to the end of the URL or to the ?)
- all message fields in alphabetical order, including a random string pg_salt consisting of an arbitrary number of digits and Latin letters, where:
  a. for nested tags, this rule is applied recursively (XML only)
  b. fields with the same name are taken in the order in which they appear in the message
- the payment password secret_key, which is set in the store settings and is known only to the merchant and FreedomPay.
Calculate the MD5 hash of the string produced by the concatenation and add it to the request or response as an additional parameter, pg_sig. The MD5 hash is written as a lowercase hexadecimal string (32 characters).
Either party can add parameters to the request or response that are not specified in the documentation. These parameters are also included in the signature calculation.
A message is unsigned, and accordingly the pg_salt fields are missing, in only one case: when FreedomPay could not identify the merchant and therefore does not know its secret_key. In this case, the pg_error_code field (numerical error code) takes the value 101.
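The signing and verification procedure described above, as an added Python example (not FreedomPay's own code). It assumes that field values, not names, are concatenated and that pg_sig itself is excluded when recomputing the signature; the URL, the field names other than pg_salt and pg_sig, and the secret are constructed sample values.

```python
import hashlib
import hmac
import secrets

def script_name(url):
    # From the last "/" to the end of the URL or to the "?".
    return url.split("?", 1)[0].rsplit("/", 1)[-1]

def flatten(fields):
    # fields: list of (name, value); a value is a string or a nested list of
    # pairs. sorted() is stable, so same-name fields keep message order.
    out = []
    for _name, value in sorted(fields, key=lambda kv: kv[0]):
        out.extend(flatten(value) if isinstance(value, list) else [str(value)])
    return out

def signing_string(url, fields, secret_key):
    # Assumption: pg_sig is left out, and field values (not names) are joined.
    unsigned = [kv for kv in fields if kv[0] != "pg_sig"]
    return ";".join([script_name(url)] + flatten(unsigned) + [secret_key])

def make_sig(url, fields, secret_key):
    data = signing_string(url, fields, secret_key).encode("utf-8")
    return hashlib.md5(data).hexdigest()  # 32 lowercase hex characters

def sign(url, fields, secret_key):
    out = [kv for kv in fields if kv[0] not in ("pg_salt", "pg_sig")]
    out.append(("pg_salt", secrets.token_hex(8)))  # digits and Latin letters
    out.append(("pg_sig", make_sig(url, out, secret_key)))
    return out

def verify(url, fields, secret_key):
    sigs = [v for k, v in fields if k == "pg_sig"]
    if len(sigs) != 1 or not any(k == "pg_salt" for k, _ in fields):
        return False  # missing salt or signature: treat as unsigned
    expected = make_sig(url, fields, secret_key)
    # Constant-time comparison of the received and recomputed signatures.
    return hmac.compare_digest(str(sigs[0]).encode(), expected.encode())

# Constructed sample: URL, field names and secret are made up for illustration.
URL = "https://merchant.example.test/pay/init_payment.php?src=/shop"
SECRET = "constructed-secret"
MESSAGE = [
    ("item", "b"), ("item", "a"),
    ("customer", [("phone", "777"), ("email", "a@example.test")]),
    ("amount", "25.00"), ("pg_salt", "s4lt"),
]

if __name__ == "__main__":
    print(signing_string(URL, MESSAGE, SECRET))
    print(verify(URL, sign(URL, MESSAGE, SECRET), SECRET))
```

A response carrying pg_error_code 101 is the one unsigned case described above and has to be handled before calling verify.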