Signing URLs

To ensure the security of requests, Vendo requires a digital signature for specific URL actions. This signature confirms that the request was generated by an authorized merchant using a Shared Secret.

The Signature Logic

The signature is a Base64URL-encoded HMAC-SHA1 hash.

The hash is calculated using:

• Key: Your Shared Secret.
• Data: The URL Path + the Query String (everything starting from the first / and including all parameters except the signature itself).

Signing Algorithm

Follow these three steps precisely to ensure your signature matches the Vendo system:

1. Prepare the "Signing String"

   Concatenate the URL path and the query string.

   • Example URL: https://secure.vendoservices.com/v/checkout?edition_id=123&click_id=abc
   • Signing String: /v/checkout?edition_id=123&click_id=abc

2. Generate the HMAC-SHA1 (Raw Binary)

   Generate the HMAC-SHA1 hash of the string using your Shared Secret.

   Critical: Your HMAC function must return the raw binary output. Do not use the hexadecimal string output.

3. Base64URL Encode & Clean

   Convert the binary hash into a URL-safe string:

   • Base64 Encode the binary hash.
   • Replace + with - (minus).
   • Replace / with _ (underscore).
   • Strip all = (equals) padding characters from the end.

4. Append the result as the signature query parameter.

Example

If you need to sign the url https://secure.vend-o.com/v/signup?site=1&offers=123 with your shared secret 3HDW9B, the resulting signed URL will be:

https://secure.vend-o.com/v/signup?site=1&offers=123&signature=UrYz6hgkRcRHmPksyIjTt_jFJ-g

Vendo SDK for PHP

You can use Vendo's SDK for PHP to easily sign your requests to Vendo.

Steps

1. Install the SDK using composer: composer require vendoservices/vendo-sdk.
2. Check the code examples in the code repository.