
Checksum Generation and Validation

Paytm uses a checksum signature to ensure that API requests and responses exchanged between your application and Paytm over the network have not been tampered with. We use the SHA256 hashing and AES128 encryption algorithms to ensure the safety of transaction data.

Installation procedure for Checksum utility

The checksum generation and validation utility is available for multiple languages. It can be included in your application in the following ways:

  • Download the Paytm checksum utility from GitHub for your application platform and include it in your server-side module. Click the icon below to get the GitHub link for the respective language.
  • For some of the most used languages, e.g. Java, Python, PHP and Node, the checksum utility can also be installed in a few easy steps via Maven, pip, Composer and npm respectively. Refer to the steps given below.
    Note: The checksum should be generated only from your backend server. Do not try to generate the checksum from your frontend.

Installing Paytm Checksum with Maven

Note: It is supported on Java 1.7 or later.

 

  1. Add the below maven dependency to your project's POM.
    <dependency>
        <groupId>com.paytm.pg</groupId>
        <artifactId>paytm-checksum</artifactId>
        <version>1.2.1</version>
    </dependency>
  2. Build and install locally by executing the below command:
    mvn install

Installing Paytm Checksum utility with npm

  1. To install the Node Paytm Checksum utility available on npmjs.com, run the command below:
    npm install paytmchecksum

    OR

    Add the below lines to package.json of your project.

    "dependencies": {
        ...
        "paytmchecksum": "^1.5.0"
        ...
    }
  2. Run the below command on the command line to install dependencies to your project.
    npm install
  3. To start using Checksum functions, add the following lines in your project.
    const Paytm = require('paytmchecksum');

Installing Paytm Checksum utility with composer

  1. To install PHP Paytm Checksum utility available on packagist.org, run the below command:
    composer require paytm/paytmchecksum

    OR

    Add the below lines to composer.json of your project.

    "require": {
        ...
        "paytm/paytmchecksum": "*"
        ...
    }
  2. To enable autoloading, add the below lines to composer.json of your project.
    "autoload": {
        "psr-4": {
        "paytm\\paytmchecksum\\": "paytmchecksum/"
        }
    } 
  3. Run the below command on the command line to install dependencies to your project.
    composer install
  4. Run the below command on the command line to autoload files in your project.
    composer dumpautoload -o
  5. To start using Checksum functions, add the below lines in your project.
    require_once('vendor/autoload.php');
    use paytm\checksum\PaytmChecksumLibrary;

Installing Paytm Checksum utility with pip

Install Python package by using the below command:

pip install paytmchecksum

Overview of checksum generation and validation

  1. The checksum is used to authenticate that requests and responses come from a trusted source and that the information has not been tampered with.
  2. After you have installed the checksum utility in your application, you need to generate the checksum when sending a request to any API whose authentication mechanism is checksum, e.g. the Initiate Transaction API.
  3. For checksum generation, the request parameters from the API need to be used as explained in the API document. Use the function mentioned below to create the checksum.
  4. Paytm checks the checksumhash and parameters in the API request. Paytm processes the API request only if the checksum is valid.
  5. Once the transaction is processed, Paytm creates a checksumhash with response parameters and sends it in the callback response along with other parameters.
  6. You need to validate the checksumhash in the callback and webhook response. For validating the checksum in the response, use the function as explained in validating the checksum.

Note:

  1. When creating the checksum, use only the parameters mentioned in the API; do not add extra parameters.
  2. If any optional parameter is present in the API request, it must also be used in the checksum creation logic.
  3. Each API call needs a new checksum, created for that call from all the attributes used in it. Paytm validates this checksum against the request body of the API call.

Create Checksumhash

After installing the Paytm Checksum utility using the steps mentioned in the Installation steps for checksum, you need to create the checksum for relevant APIs before sending the request. Please refer to the steps below.

 

Json Request
 

For a JSON post, create the checksumhash using your account's merchant key and the complete request body. The request body is passed to the function as a string.

Sample checksumhash code for common languages is given below:

Java:

/* import checksum generation utility */
import com.paytm.pg.merchant.*;

/* initialize JSON String */
String body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}";

/**
 * Generate checksum by parameters we have in body
 * Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys
 */

String paytmChecksum = PaytmChecksum.generateSignature(body, "YOUR_MERCHANT_KEY");
System.out.println("generateSignature Returns: " + paytmChecksum);
 
Node.js:

/* import checksum generation utility */
var PaytmChecksum = require("./PaytmChecksum");

/* initialize JSON String */ 
var body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}";

/**
* Generate checksum by parameters we have
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
var paytmChecksum = PaytmChecksum.generateSignature(body, "YOUR_MERCHANT_KEY");
paytmChecksum.then(function(result){
	console.log("generateSignature Returns: " + result);
}).catch(function(error){
	console.log(error);
});

PHP:

/* import checksum generation utility */
require_once("./PaytmChecksum.php");

/* initialize JSON String */  
$body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}";

/**
* Generate checksum by parameters we have in body
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
$paytmChecksum = PaytmChecksum::generateSignature($body, 'YOUR_MERCHANT_KEY');
echo sprintf("generateSignature Returns: %s\n", $paytmChecksum);

Python:

# import checksum generation utility
import PaytmChecksum 

# initialize JSON String
body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}"

# Generate checksum by parameters we have
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys
paytmChecksum = PaytmChecksum.generateSignature(body, "YOUR_MERCHANT_KEY")
print("generateSignature Returns:" + str(paytmChecksum))

.NET (C#):

/* initialize JSON String */
string body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}";

/**
* Generate checksum by parameters we have in body
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/

string paytmChecksum = Paytm.Checksum.generateSignature(body, "YOUR_MERCHANT_KEY");
Response.Write("generateSignature Returns: " + paytmChecksum);

Ruby:

# import checksum generation utility
require './PaytmChecksum.rb'

# initialize JSON String
body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}"

# Generate checksum by parameters we have
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys

paytmChecksum = PaytmChecksum.new.generateSignature(body, "YOUR_MERCHANT_KEY")
puts "generateSignature Returns: %s\n" %[paytmChecksum]

Perl:

#!/usr/bin/perl

# import checksum generation utility
use PaytmChecksum;

# initialize JSON String 
$body = "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}";

# Generate checksum by parameters we have in body
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
my $paytmChecksum = PaytmChecksum::generateSignature($body,'YOUR_MERCHANT_KEY');
printf("generateSignature Returns: %s\n", $paytmChecksum);

Go:

/* import checksum generation utility */
import ("./paytm")

/* initialize JSON String */  
body := "{/*YOUR_COMPLETE_REQUEST_BODY_HERE*/}"

/**
* Generate checksum by parameters we have
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
paytmChecksum := PaytmChecksum.GenerateSignatureByString(body, "YOUR_MERCHANT_KEY")
fmt.Printf("GenerateSignatureByString Returns: %s\n", paytmChecksum)

Form Post Request (Used only in redirection flows like Pre-auth, Auto-debit)

 

In form post, create the checksumhash using your account's merchant key and all of the API request parameters.

Sample checksumhash code for common languages is given below:

Java:

/* import checksum generation utility */
import com.paytm.pg.merchant.*;
import java.util.TreeMap;

/* initialize an hash */
TreeMap<String, String> paytmParams = new TreeMap<String, String>();
paytmParams.put("MID", "YOUR_MID_HERE");
paytmParams.put("ORDERID", "YOUR_ORDERID_HERE");
/**
 * Generate checksum by parameters we have
 * Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys
 */
String paytmChecksum = PaytmChecksum.generateSignature(paytmParams, "YOUR_MERCHANT_KEY");
System.out.println("generateSignature Returns: " + paytmChecksum);

Node.js:

/* import checksum generation utility */
var PaytmChecksum = require("./PaytmChecksum");

var paytmParams = {};

/* initialize an array */
paytmParams["MID"] = "YOUR_MID_HERE";
paytmParams["ORDERID"] = "YOUR_ORDER_ID_HERE";

/**
* Generate checksum by parameters we have
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
var paytmChecksum = PaytmChecksum.generateSignature(paytmParams, "YOUR_MERCHANT_KEY");
paytmChecksum.then(function(checksum){
	console.log("generateSignature Returns: " + checksum);
}).catch(function(error){
	console.log(error);
});

PHP:

/* import checksum generation utility */
require_once("./PaytmChecksum.php");

/* initialize an array */
$paytmParams = array();

/* add parameters in Array */
$paytmParams["MID"] = "YOUR_MID_HERE";
$paytmParams["ORDERID"] = "YOUR_ORDERID_HERE";

/**
* Generate checksum by parameters we have
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
$paytmChecksum = PaytmChecksum::generateSignature($paytmParams, 'YOUR_MERCHANT_KEY');
echo sprintf("generateSignature Returns: %s\n", $paytmChecksum);

Python:

# import checksum generation utility
import PaytmChecksum

# initialize an Hash/Array
paytmParams = {}

paytmParams["MID"] = "YOUR_MID_HERE"
paytmParams["ORDERID"] = "YOUR_ORDER_ID_HERE"

# Generate checksum by parameters we have
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys
paytmChecksum = PaytmChecksum.generateSignature(paytmParams, "YOUR_MERCHANT_KEY")
print("generateSignature Returns:" + str(paytmChecksum))

.NET (C#):

/* initialize an array */
Dictionary<string, string> paytmParams = new Dictionary<string, string>();

/* add parameters in Array */
paytmParams.Add("MID", "YOUR_MID_HERE");
paytmParams.Add("ORDER_ID", "YOUR_ORDER_ID_HERE");

/**
* Generate checksum by parameters we have
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
String paytmChecksum = Paytm.Checksum.generateSignature(paytmParams, "YOUR_MERCHANT_KEY");
Response.Write("generateSignature Returns: " + paytmChecksum);

Ruby:

# import checksum generation utility
require './PaytmChecksum.rb'

# initialize an array
paytmParams = Hash.new

paytmParams["MID"] = "YOUR_MID_HERE"
paytmParams["ORDERID"] = "YOUR_ORDER_ID_HERE"

# Generate checksum by parameters we have
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys

paytmChecksum = PaytmChecksum.new.generateSignature(paytmParams, "YOUR_MERCHANT_KEY")
puts "generateSignature Returns: %s\n" %[paytmChecksum]

Perl:

#!/usr/bin/perl

# import checksum generation utility
use PaytmChecksum;

# initialize an hash
my $paytmParams = {
            "MID" => "YOUR_MID_HERE",
            "ORDER_ID" => "YOUR_ORDER_ID_HERE"
            };

# Generate checksum by parameters we have
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys
my $paytmChecksum = PaytmChecksum::generateSignature($paytmParams,'YOUR_MERCHANT_KEY');
printf("generateSignature Returns: %s\n", $paytmChecksum);

Go:

/* import checksum generation utility */
import ("./paytm")

/* initialize an map */	
paytmParams := make(map[string]string)

paytmParams = map[string]string{
	"MID": "YOUR_MID_HERE",
	"ORDER_ID": "YOUR_ORDER_ID_HERE",
}

/**
* Generate checksum by parameters we have
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
paytmChecksum := PaytmChecksum.GenerateSignature(paytmParams, "YOUR_MERCHANT_KEY")
fmt.Printf("generateSignature Returns: %s\n", paytmChecksum)

Validate Checksum

The Paytm Checksum utility also validates the checksumhash and returns whether validation succeeded or failed. You must validate the checksum in the callback and webhook responses.

 

Json Request
 

Sample checksumhash validation code for common languages is given below:

Java:

/* import checksum generation utility */
import com.paytm.pg.merchant.*;

/* string we need to verify against checksum */
String body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

/* checksum that we need to verify */
String paytmChecksum = "CHECKSUM_VALUE";

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
boolean isVerifySignature = PaytmChecksum.verifySignature(body, "YOUR_MERCHANT_KEY", paytmChecksum);
if (isVerifySignature) {
	System.out.append("Checksum Matched");
} else {
	System.out.append("Checksum Mismatched");
}

Node.js:

/* import checksum generation utility */
var PaytmChecksum = require("./PaytmChecksum");

/* string we need to verify against checksum */
var body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

/* checksum that we need to verify */
var paytmChecksum = "CHECKSUM_VALUE";

var isVerifySignature = PaytmChecksum.verifySignature(body, config.PAYTM_MERCHANT_KEY, paytmChecksum);
if (isVerifySignature) {
	console.log("Checksum Matched");
} else {
	console.log("Checksum Mismatched");
}

PHP:

/* import checksum generation utility */
require_once("PaytmChecksum.php");

/* string we need to verify against checksum */
$body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

/* checksum that we need to verify */
$paytmChecksum = "CHECKSUM_VALUE";

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
$isVerifySignature = PaytmChecksum::verifySignature($body, 'YOUR_MERCHANT_KEY', $paytmChecksum);
if($isVerifySignature) {
	echo "Checksum Matched";
} else {
	echo "Checksum Mismatched";
}

Python:

# import checksum generation utility
import PaytmChecksum

# string we need to verify against checksum
body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}"

#checksum that we need to verify
paytmChecksum = "CHECKSUM_VALUE"

# Verify checksum
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 

isVerifySignature = PaytmChecksum.verifySignature(body, "YOUR_MERCHANT_KEY", paytmChecksum)
if isVerifySignature:
	print("Checksum Matched")
else:
	print("Checksum Mismatched")

.NET (C#):

/* string we need to verify against checksum */
string body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

/* checksum that we need to verify */
string paytmChecksum = "CHECKSUM_VALUE";

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
bool isVerifySignature = Paytm.Checksum.verifySignature(body, "YOUR_MERCHANT_KEY", paytmChecksum);
if (isVerifySignature) {
	Response.Write("Checksum Matched");
} else {
	Response.Write("Checksum Mismatched");
}

Ruby:

# import checksum generation utility
require './PaytmChecksum.rb'

# string we need to verify against checksum
body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}"

# checksum that we need to verify
paytmChecksum = "CHECKSUM_VALUE"

# Verify checksum
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys

isVerifySignature = PaytmChecksum.new.verifySignature(body, "YOUR_MERCHANT_KEY", paytmChecksum)
if isVerifySignature
	puts "Checksum Matched"
else
	puts "Checksum Mismatched"
end

Perl:

#!/usr/bin/perl
# import checksum generation utility
use PaytmChecksum;

# string we need to verify against checksum
$body = "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}";

# checksum that we need to verify
$paytmChecksum = "CHECKSUM_VALUE";

# Verify checksum
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 

my $isVerifySignature = PaytmChecksum::verifySignature($body, "YOUR_MERCHANT_KEY", $paytmChecksum);

if($isVerifySignature){
	printf("Checksum Matched");
}else{
	printf("Checksum Mismatched");
}

Go:

/* import checksum generation utility */
import ("./paytm")

/* string we need to verify against checksum */
body := "{\"mid\":\"YOUR_MID_HERE\",\"orderId\":\"YOUR_ORDER_ID_HERE\"}"

/* checksum that we need to verify */
paytmChecksum := "CHECKSUM_VALUE";

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
isVerifySignature := PaytmChecksum.VerifySignatureByString(body, "YOUR_MERCHANT_KEY", paytmChecksum)
if isVerifySignature {
	fmt.Println("Checksum Matched")
} else {
	fmt.Println("Checksum Mismatched")
}

Form Post Request

 

For a form post, validate the checksumhash using your account's merchant key and all of the API request parameters.

Note: This is used for validation of the checksum in the callback response of a transaction.

Sample checksumhash validation code for common languages is given below:

Java:

/* import checksum generation utility */
import com.paytm.pg.merchant.*;
import java.util.Map.Entry;
import java.util.TreeMap;

String paytmChecksum = null;

/* Create a TreeMap from the parameters received in POST */
TreeMap<String, String> paytmParams = new TreeMap<String, String>();
for (Entry<String, String[]> requestParamsEntry : request.getParameterMap().entrySet()) {
    if ("CHECKSUMHASH".equalsIgnoreCase(requestParamsEntry.getKey())){
        paytmChecksum = requestParamsEntry.getValue()[0];
    } else {
        paytmParams.put(requestParamsEntry.getKey(), requestParamsEntry.getValue()[0]);
    }
}

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
boolean isVerifySignature = PaytmChecksum.verifySignature(paytmParams, "YOUR_MERCHANT_KEY", paytmChecksum);
if (isVerifySignature) {
	System.out.append("Checksum Matched");
} else {
	System.out.append("Checksum Mismatched");
}

Node.js:

/* import checksum generation utility */
var PaytmChecksum = require("./PaytmChecksum");

var paytmChecksum = request.body.CHECKSUMHASH;
delete request.body.CHECKSUMHASH;

var isVerifySignature = PaytmChecksum.verifySignature(request.body, config.PAYTM_MERCHANT_KEY, paytmChecksum);
if (isVerifySignature) {
	console.log("Checksum Matched");
} else {
	console.log("Checksum Mismatched");
}

PHP:

/* import checksum generation utility */
require_once("PaytmChecksum.php");

$paytmParams = $_POST;

/* the checksum arrives in the CHECKSUMHASH parameter; remove it before verifying */
$paytmChecksum = $_POST['CHECKSUMHASH'];
unset($paytmParams['CHECKSUMHASH']);

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
$isVerifySignature = PaytmChecksum::verifySignature($paytmParams, 'YOUR_MERCHANT_KEY', $paytmChecksum);
if($isVerifySignature) {
	echo "Checksum Matched";
} else {
	echo "Checksum Mismatched";
}

Python:

# import checksum generation utility
import PaytmChecksum

# copy the POST parameters received in the callback into a dict
paytmParams = request.form.to_dict()

# take the checksum out of the parameters before verifying
paytmChecksum = paytmParams['CHECKSUMHASH']
paytmParams.pop('CHECKSUMHASH', None)

# Verify checksum
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
isVerifySignature = PaytmChecksum.verifySignature(paytmParams, "YOUR_MERCHANT_KEY",paytmChecksum)
if isVerifySignature:
	print("Checksum Matched")
else:
	print("Checksum Mismatched")

.NET (C#):

String paytmChecksum = "";

/* Create a Dictionary from the parameters received in POST */
Dictionary<String, String> paytmParams = new Dictionary<String, String>();

foreach (string key in Request.Form.Keys) {
	if (key.Equals("CHECKSUMHASH")) {
            paytmChecksum = Request.Form[key];
        } else {
            paytmParams.Add(key.Trim(), Request.Form[key].Trim());
	}
}

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
bool isVerifySignature = Paytm.Checksum.verifySignature(paytmParams, "YOUR_MERCHANT_KEY", paytmChecksum);
if (isVerifySignature) {
	Response.Write("Checksum Matched");
} else {
	Response.Write("Checksum Mismatched");
}

Ruby:

# import checksum generation utility
require './PaytmChecksum.rb'

paytmChecksum = request.request_parameters['CHECKSUMHASH']
request.request_parameters.delete(:CHECKSUMHASH)

# Verify checksum
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys

isVerifySignature = PaytmChecksum.new.verifySignature(request.request_parameters, "YOUR_MERCHANT_KEY", paytmChecksum)
if isVerifySignature
	puts "Checksum Matched"
else
	puts "Checksum Mismatched"
end

Perl:

#!/usr/bin/perl

# import checksum generation utility
use PaytmChecksum; 

my $paytmParams = params;
my $paytmchecksum= $paytmParams->{CHECKSUMHASH};
delete $paytmParams->{'CHECKSUMHASH'};

# Verify checksum
# Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 

my $isVerifySignature = PaytmChecksum::verifySignature($paytmParams, "YOUR_MERCHANT_KEY", $paytmchecksum);

if($isVerifySignature){
	printf("Checksum Matched");
}else{
	printf("Checksum Mismatched");
}

Go:

/* import checksum generation utility */
import ("./paytm")

/* r := *http.Request */
r.ParseForm()

/* r.Form is a url.Values (map[string][]string); copy the first value of each field */
paytmChecksum := r.Form.Get("CHECKSUMHASH")
paytmParams := make(map[string]string)
for key := range r.Form {
	if key != "CHECKSUMHASH" {
		paytmParams[key] = r.Form.Get(key)
	}
}

/**
* Verify checksum
* Find your Merchant Key in your Paytm Dashboard at https://dashboard.paytm.com/next/apikeys 
*/
isVerifySignature := PaytmChecksum.VerifySignature(paytmParams, "YOUR_MERCHANT_KEY", paytmChecksum)

if isVerifySignature {
	fmt.Println("Checksum Matched")
} else {
	fmt.Println("Checksum Mismatched")
}
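
The form-post validation steps above, wrapped in a fail-closed callback check; this is an added example in Python, not code from Paytm or its checksum utility. The HMAC-based `demo_sign`/`demo_verify`, `DEMO_KEY`, the `expected_order` shape and the sample fields `TXNAMOUNT` and `STATUS` are assumptions made so the block runs offline; the stand-in does not reproduce Paytm's checksum algorithm.

```python
import hashlib
import hmac

DEMO_KEY = "CONSTRUCTED_DEMO_KEY"  # constructed placeholder, not a real merchant key


def demo_sign(params, key):
    """Offline stand-in signer: HMAC-SHA256 over sorted key=value pairs.
    NOT Paytm's algorithm; production code uses the Paytm checksum utility."""
    message = "|".join(f"{name}={params[name]}" for name in sorted(params))
    return hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()


def demo_verify(params, key, checksum):
    """Stand-in taking the same arguments as PaytmChecksum.verifySignature."""
    return hmac.compare_digest(demo_sign(params, key), checksum)


def validate_callback(form, key, expected_order, verify_fn=demo_verify):
    """Return (ok, reason) for a callback POST.

    form: field name -> list of submitted values (before any flattening).
    expected_order: the merchant's stored values for this order (hypothetical shape).
    """
    # 1. A repeated field makes it ambiguous which value was signed: reject.
    for name, values in form.items():
        if len(values) != 1:
            return False, f"field {name} does not have exactly one value"
    params = {name: values[0] for name, values in form.items()}

    # 2. No checksum means the callback is unauthenticated: fail closed.
    checksum = params.pop("CHECKSUMHASH", None)
    if not checksum:
        return False, "missing CHECKSUMHASH"

    # 3. Verify over the parameters exactly as received, minus the checksum.
    try:
        verified = verify_fn(params, key, checksum)
    except Exception:
        verified = False  # a verifier error is treated as a mismatch
    if not verified:
        return False, "checksum mismatch"

    # 4. Only now trust the fields, and compare them with the stored order.
    for field, wanted in expected_order.items():
        if params.get(field) != wanted:
            return False, f"{field} does not match stored order"
    return True, "ok"


def sample_callback():
    """Constructed callback form, signed with the stand-in signer."""
    params = {"MID": "YOUR_MID_HERE", "ORDERID": "ORDER_1001",
              "TXNAMOUNT": "100.00", "STATUS": "TXN_SUCCESS"}  # assumed sample fields
    form = {name: [value] for name, value in params.items()}
    form["CHECKSUMHASH"] = [demo_sign(params, DEMO_KEY)]
    return form


if __name__ == "__main__":
    order = {"ORDERID": "ORDER_1001", "TXNAMOUNT": "100.00"}
    print(validate_callback(sample_callback(), DEMO_KEY, order))
```

In a real integration, pass the utility's `PaytmChecksum.verifySignature` as `verify_fn` together with your merchant key; it takes the same three arguments in the same order as the Python sample above.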