To ensure that your read-only fields cannot be tampered with, you can sign your links using the procedure below.
To do this, you’ll need the salt for your Instamojo account.
You can get this by logging into your Instamojo account and visiting instamojo.com/developers.
To enable signature for a link, please contact us at firstname.lastname@example.org.
If you do not, anyone can remove the URL query-string parameters and be able to make a payment with a value that is less than what you expect.
Once permanent tamper-proofing is enabled, we will refuse to accept payments on links that are not signed.
Tamper-proofing step by step example
For the purpose of this example, we assume you’re trying to make the following link tamper-proof:
https://www.instamojo.com/demo/demo-offer/?data_name=Aditya+ Senguptaemail@example.com&data_phone=9821485060& data_amount=123.45&data_readonly=data_name&data_readonly=data_email&data_readonly=data_phone&data_readonly=data_amount
- Arrange the read-only fields in the alphabetical order of their keys.
If you have any keys with upper-case letters, convert them to lower-case letters first. In this example, you would get the following order: (a) data_amount (b) data_email (c) data_name (d) data_phone
- Using the order above, replace the keys by their respective values.
In this example, you would get the values below in the following order: (a) 123.45 (b) firstname.lastname@example.org (c) Aditya Sengupta (d) 9821485060
- Concatenate the above values into a single string, with each value separated by a pipe character, i.e, the | character.
Using the above example, you get the following string: email@example.com|Aditya Sengupta|9821485060 4. Use the above string as the message for the HMAC-SHA1 algorithm5 and the salt for your Instamojo account as the salt for the algorithm. The output of this will be the signature we need.
For example, if your salt is “abcde”, the signature you would generate using the string from the previous step as the message is: 6f905be9811990707f9d833da8e93bfebb23abbc Once you have the signature using the above procedure, you add it as the value of the data_sign key in the URL.
The URL would then be:
Note that the above URL will not actually work since the salt for the demo account is not actually “abcde”.
Don’t forget to URL encode the query-string parameters!
The following url has tamper-proofing enabled:
Try modifying any of the parameters and the link will throw an error.
Eg: Below is the case when the amount has been changed to 50 (from 123.45), the link doesn't work.
For any questions, email firstname.lastname@example.org