Overview

Oceanpayment uses SHA256 signatures to protect the integrity and authenticity of payment requests and responses. This means the merchant generates a SHA256 hash of the request parameters, and the receiving side verifies the returned signature to ensure the data has not been tampered with during transmission.

Note

• The structure for generating and verifying signatures varies across integration methods.
• secureCode Management: The secureCode in signature generation and verification—must be kept secure at all times. Never expose it or store it in client-side or other insecure environments. Ensure that it is obtained only through official Oceanpayment channels.

Signature Generation (Merchant Side)

When sending a payment request to Oceanpayment:

1. Collect all required non-empty request parameters.
2. Concatenate the parameters into a string according to the integration-specific rules.
3. Generate the SHA256 hash of the concatenated string and send it as signValue to the Oceanpayment gateway.

Signature Verification (Merchant Side)

When receiving a payment result notification from Oceanpayment or retrieving a response via an API query, merchants must verify the authenticity of the data to ensure it originates from Oceanpayment and has not been tampered with.

1. Collect and parse all parameters returned by Oceanpayment.
2. Compare the returned signValue with the hash you generate locally.
3. If the two values match exactly, the verification succeeds, confirming the data is complete and from Oceanpayment.
4. If they do not match, the data may have been altered during transmission or come from an untrusted source, and should be treated as invalid.

Where Signature Verification Occurs

1. Real-time verification

• Typically performed on the backend when receiving pay_url or MOTO_url. This is not the final payment result (a redirection to the payment page or 3D verification page may still be required).
• It can also be used for directly returned payment results via XML.

2. Synchronous verification (backUrl)

• Verification relies on the backUrl parameter in the transaction request. Use form submission to receive the payment result and verify the signature.
• This signature structure is consistent across all integration methods.

3. Asynchronous verification (noticeUrl)

• For asynchronous notifications, refer to the Webhook notification section for signature verification.

Signature Format

Integration Method	Signature Generation	Signature Verification(real-time response)	Signature Verification(synchronously returns backUrl)
Hosted Checkout- Merchant Control Redirect	account+terminal+backUrl+order_number +order_currency+order_amount+billing_firstName +billing_lastName+billing_email+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+payment_id+pay_url +pay_results+pay_details+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+card_number+payment_id +payment_authType+payment_status+payment_details +payment_risk+secureCode
Hosted Checkout- Oceanpayment Auto Redirect	account+terminal+backUrl+order_number +order_currency+order_amount+billing_firstName +billing_lastName+billing_email+secureCode	/	account+terminal+order_number+order_currency +order_amount+order_notes+card_number+payment_id +payment_authType+payment_status+payment_details +payment_risk+secureCode
Embedded Checkout	account+terminal+order_number+order_currency +order_amount+billing_firstName+billing_lastName +billing_email+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+card_number+payment_id +payment_authType+payment_status+payment_details +payment_risk+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+card_number+payment_id +payment_authType+payment_status+payment_details +payment_risk+secureCode
Server to server	Please contact Oceanpayment technical support. techservice@oceanpayment.com.cn	Please contact Oceanpayment technical support.	Please contact Oceanpayment technical support.
Link	account+terminal+backUrl+order_number +order_currency+order_amount+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+payment_id+MOTO_url +MOTO_results+MOTO_details+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+card_number+payment_id +payment_authType+payment_status+payment_details +payment_risk+secureCode
POS	account+terminal+order_number+order_currency +order_amount+billing_firstName+billing_lastName +billing_email+secureCode	account+terminal+order_number+order_currency +order_amount+order_notes+card_number+payment_id +payment_authType+payment_status+payment_details +payment_risk+secureCode	/

Special Character Handling

To ensure consistent signature verification, all fields included in the signature must meet the following requirements; otherwise, the generated signatures on both sides may not match:

• Trim leading and trailing spaces, and escape or replace the characters: double quotes ("), less-than (<), greater-than (>), and single quotes (').
• Fields must be concatenated in the exact order specified by Oceanpayment when generating the signature.

//PHP
function OceanHtmlSpecialChars($parameter){
  //Remove spaces at the beginning and end
  $parameter = trim($parameter); 
  //Replace symbols with empty
  $parameter = str_replace(array("<",">","'","\""),array(" "," "," "," "),$parameter); 
  return $parameter;
}

Hash Signature Example

Signature Generation

//PHP
$signValue = hash("sha256",$account.$terminal.$backUrl.$order_number.$order_currency.$order_amount.$billing_firstName.$billing_lastName.$billing_email.$secureCode);  

Signature Verification

//PHP
$back_signValue = $_REQUEST['signValue'];
$local_signValue = hash("sha256",$account.$terminal.$order_number.$order_currency.$order_amount.$order_notes.$card_number.$payment_id.$payment_authType.$payment_status.$payment_details.$payment_risk.$secureCode);
if (strtolower($local_signValue) == strtolower($back_signValue)){
  //Processing payment results
}else{
  //Signature verification failed
}