To ensure that your read-only fields cannot be tampered with, you can
sign your links using the procedure below.
To do this, you’ll need the salt for your Instamojo account.
You can get this by logging into your Instamojo account and
To enable signature for a link, please contact us at
If you do not, anyone can remove the URL query-string parameters and
make a payment with a value that is less than what you expect.
Once permanent tamper-proofing is enabled, we will refuse to accept
payments on links that are not signed.
Tamper-proofing step by step example
For the purpose of this example, we assume you’re trying to make the
following link tamper-proof:
- Arrange the read-only fields in the alphabetical order of their keys.
If you have any keys with upper-case letters, convert them to lower-case
letters first. In this example, you would get the following order: (a)
data_amount (b) data_email (c) data_name (d) data_phone
- Using the order above, replace the keys by their respective values.
In this example, you would get the values below in the following order:
(a) 123.45 (b) email@example.com (c) Aditya Sengupta (d) 9821485060
- Concatenate the above values into a single string, with each value
separated by a pipe character, i.e., the | character.
Using the above example, you get the following string:
123.45|email@example.com|Aditya Sengupta|9821485060
- Use the above string as the message for the HMAC-SHA1 algorithm and
the salt for your Instamojo account as the secret key for the algorithm.
The output of this will be the signature we need.
For example, if your salt is “abcde”, the signature you would generate
using the string from the previous step as the message is:
6f905be9811990707f9d833da8e93bfebb23abbc
Once you have the signature using the above procedure, you add it as
the value of the data_sign key in the URL.
The URL would then be:
Note that the above URL will not actually work since the salt for the
demo account is not actually “abcde”.
Don’t forget to URL encode the query-string parameters!
The following url has tamper-proofing enabled:
Try modifying any of the parameters and the link will throw an
E.g., below is the case when the amount has been changed to 50 (from
123.45); the link doesn’t work.
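The signing steps above, together with the check a receiving side would run to reject a modified link, as an added example (not Instamojo's own code). The base URL is a placeholder, and treating every data_* parameter as a signed read-only field is an assumption.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIGN_KEY = "data_sign"

def message_for(fields):
    """Lower-case the keys, sort by key, join the values with '|'."""
    lowered = {k.lower(): str(v) for k, v in fields.items()}
    return "|".join(lowered[k] for k in sorted(lowered))

def sign(fields, salt):
    """HMAC-SHA1 over the message, keyed with the account salt (hex)."""
    msg = message_for(fields).encode("utf-8")
    return hmac.new(salt.encode("utf-8"), msg, hashlib.sha1).hexdigest()

def signed_url(base_url, fields, salt):
    """Append the URL-encoded fields plus data_sign to base_url."""
    params = dict(fields, **{SIGN_KEY: sign(fields, salt)})
    return base_url + "?" + urlencode(params)

def verify(url, salt):
    """Recompute the signature from the URL's data_* fields and compare."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    claimed = params.pop(SIGN_KEY, "")  # a missing signature never matches
    fields = {k: v for k, v in params.items()
              if k.lower().startswith("data_")}  # assumption: signed set
    expected = sign(fields, salt)
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("utf-8"))

# Constructed sample: field values from the walkthrough, the demo salt
# "abcde", and a placeholder base URL (not a real payment link).
FIELDS = {"data_name": "Aditya Sengupta", "data_Amount": "123.45",
          "data_email": "email@example.com", "data_phone": "9821485060"}
URL = signed_url("https://example.invalid/pay", FIELDS, "abcde")

if __name__ == "__main__":
    print(message_for(FIELDS))
    print(URL)
    print("intact link verifies:", verify(URL, "abcde"))
    print("amount changed to 50:", verify(URL.replace("123.45", "50"), "abcde"))
```

The upper-case key in the sample shows that lower-casing happens before sorting, and the last check mirrors the changed-amount case described above.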
For any questions, email@example.com