Please provide an HMAC calculator

Could you please provide an HMAC calculator on the site which allows us to enter in all of the fields necessary and then show the output of the couple of steps and the final result? I am hoping this would help me debug things.

I got the HMAC calculation to work once with a mostly hard coded test. Now as I am modifying the code to make it functional the HMAC has stopped validating twice now and I'm not changing the calculation, just the data going into it. I can't think of why it stopped working. Last time I gave up after several hours and just reverted my code to the previous version where it was working and started over adding changes slowly but it stopped validating again and I have no idea why.

You would think this really shouldn't be that hard once you get the HMAC function working it shouldn't stop working as it is a simple formula. It would be nice to be able to verify it against a reference calculator instead of going through the whole order process just to find out it failed and no reason why.

I've tried to compare my HMAC to what you can generate on the doc pages but the way it is set up we don't have control over each item and it is hard to pull each item out of the website and use in our HMAC calculator to compare.


Re: Please provide an HMAC calculator

Hi Jamie,

Initially for your hard coded test when your HMAC was working, were you using your own api key or the api key that is there in the sandbox pages? The sandbox apikey and secret are handled differently than your api key and secret. So, it is probably not raising the HMAC validation issue there.

These are the common causes for “HMAC validation Failure”:

  1. API key and/or API secret are incorrect.
  2. Leading or trailing spaces in the API key, API secret, merchant token.
  3. Timestamp in the HTTP header is not in milliseconds.
  4. Timestamp in the HTTP header does not represent EPOCH time.
  5. Epoch time is not being calculated from UTC.
  6. Timestamp in the HTTP header is not within 5 minutes of our server time.
  7. System time is not accurate.

If none of those are relevant, please post your code where you generate the HMAC.


Payeezy Team

Re: Please provide an HMAC calculator

What do you mean that the sandbox keys are handled differently than "your own" keys? How?

I have been using the same apiKey and apiSecret that I got from the MyAPI page the whole time and I only have the sandbox so far. Similarly I only have the one sandbox merchant token. They are String literals in the code and I haven't changed them. I did start pulling the Merchant token out of a database configuration but it still worked even after that. I haven't changed the HMAC calculation function.

Mostly I have been working on the JSON payload to fill it out with real data.

Would it be an issue if I have two APIs defined on the MyAPI page? I've only been using one of them but at some point I created another one just to do it again. They both say Sandbox in green in the upper right corner. Well, I just deleted the second one to make sure it isn't a problem.

Also, none of my attempts, both successes and failures, show up in the MyAPI analytics. Is that normal that you don't report on any sandbox transactions? Or an indication that something else is wrong?

I've reviewed the 7 items you list. Several times. And they all seem correct. The keys are cut and pasted directly from the Payeezy UI into my code. My server timestamp is within a few seconds (thousands of milliseconds) of your website and my desktop. They are the same number of digits.

I just went back to my original file that used to work and now it doesn't work anymore. The only thing that I can think of that would make the old file not work is the timestamp. But I just confirmed again that the one I get from my server is close enough:

1441160376982 - My server
1441160415004 - Payeezy website
38 seconds (ignoring it probably took me 5 to 10 sec to get the Payeezy timestamp).

Something really weird is going on. I'd really like to have a HMAC calculator that I can compare my results to so I can try to figure out where the problem is, in the HMAC or something else.

So here is my code.

importPackage( dw.crypto );
importPackage( dw.net );
importPackage( dw.util );

function execute( args ) : Number
{
    var transaction_url : String = "https://api-cert.payeezy.com/v1/transactions";
    // Gather request information
    var apiKey : String = "Lvi24FCMNLtoLBncAzJ9YPCaTDElNi5j";
    // didn't want to post secret so replaced it with x's
    var apiSecret : String = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    var token : String = "fdoa-a480ce8951daa73262734cf102641994c1e55e7cdf4c02b6";

    var timestamp : String = new Date().getTime().toString(); // ""
    var ordernumber : String = timestamp; // For testing
    // Create nonce
    var randomGen : SecureRandom = new SecureRandom();
    var nonce : String = randomGen.nextInt().toString();

    // Create request payload
    var body_obj : Object = {
        "merchant_ref": "Order#"+ordernumber,
        "transaction_type": "authorize",
        "method": "credit_card",
        "amount": "9999",
        "currency_code": "USD",
        "credit_card": {
            "type": "visa",
            "cardholder_name": "Jo Joe",
            "card_number": "4111111111111111",
            "exp_date": "0117",
            "cvv": "411"
        },
        "billing_address": {
            "street": "1234 Main St #5",
            "city": "Denver",
            "state_province": "CO",
            "zip_postal_code": "80201",
            "country": "US"
        }
    };

    // Serialize once; the same string is signed and sent as the body
    var payload : String = JSON.stringify(body_obj);
    var hmac : String = getHMAC(apiKey, apiSecret, payload, token, nonce, timestamp);

    var httpClient : HTTPClient = new HTTPClient();
    httpClient.open("POST", transaction_url);
    httpClient.setRequestHeader("Content-type", "application/json");
    httpClient.setRequestHeader("apikey", apiKey);
    httpClient.setRequestHeader("token", token);
    httpClient.setRequestHeader("Authorization", hmac);
    httpClient.setRequestHeader("nonce", nonce);
    httpClient.setRequestHeader("timestamp", timestamp);
    httpClient.setRequestHeader("Content-length", payload.length);
    // The request has to be sent before statusCode can be read
    httpClient.send(payload);

    if ((httpClient.statusCode != 200) && (httpClient.statusCode != 201) && (httpClient.statusCode != 202)) {
        args.ResponseMessage = "The Payeezy request returned with status code: ["
            + httpClient.statusCode + "], and message: " + httpClient.statusMessage
            + (empty(httpClient.errorText) ? "" : " :: " + httpClient.errorText);
        return ERROR;
    }
    // Success
}

// HMAC-SHA256 over the concatenated fields, hex-encoded, then Base64 of the hex text
function getHMAC(apiKey, apiSecret, payload, token, nonce, timestamp) : String {
    var data : String = apiKey + nonce + timestamp + token + payload;
    var mac : Mac = new Mac(Mac.HMAC_SHA_256);
    var hmac : String = Encoding.toBase64(Bytes(Encoding.toHex(mac.digest(data,apiSecret))));
    return hmac;
}