13. Callback Signature Verification
To ensure that the callback data received at your CALLBACK_URL is genuinely
sent by SADAD and has not been tampered with, merchants must verify the
checksumhash included in the callback payload.
This verification step is mandatory for security and compliance.
Callback Payload Format (Important)
- Callback data is sent as HTTP POST
- Content-Type: application/x-www-form-urlencoded
- Payload is NOT JSON
Example callback payload received by merchant (a single form-encoded body, wrapped here for readability):
MID=7015085&ORDERID=ORD-20251216-001&RESPCODE=3&RESPMSG=Txn+Success&STATUS=TXN_SUCCESS&
TXNAMOUNT=150.00&transaction_number=SD2883696582255&transaction_status=3&
checksumhash=4532c38dcbeac04f1e58766428116728a03d1ae28c566fc3abbcad687821b819
Verification Logic (High Level)
- Store the received checksumhash in a temporary variable
- Remove checksumhash from the received parameters
- Sort the remaining parameters alphabetically by key
- Create a string starting with your Secret Key
- Append the values only (no keys, no separators)
- Generate a SHA256 hash of that string
- Compare the generated hash with the received checksumhash
If both hashes match, the callback is authentic. If they do not match, reject the callback and do not update the order from its data.
PHP Verification Example
<?php
$secretKey = "YOUR_SECRET_KEY";

// Copy POST data
$params = $_POST;

// Reject callbacks that carry no checksum at all
if (empty($params['checksumhash'])) {
    http_response_code(400);
    echo "MISSING CHECKSUM";
    exit;
}

// Store and remove checksumhash
$receivedHash = $params['checksumhash'];
unset($params['checksumhash']);

// Sort parameters by key. ksort() uses byte order, so uppercase keys such as
// MID sort before lowercase ones such as transaction_number; use the same
// ordering if you implement this in another language.
ksort($params);

// Build string: secret key followed by the values only (no keys, no separators)
$string = $secretKey;
foreach ($params as $value) {
    $string .= $value;
}

// Generate hash (lowercase hex)
$generatedHash = hash('sha256', $string);

// Compare in constant time; hash_equals() avoids leaking timing information
if (hash_equals($generatedHash, strtolower($receivedHash))) {
    // Callback is valid: safe to update the order from $params
    http_response_code(200);
    echo "OK";
} else {
    // Invalid callback: do not touch the order
    http_response_code(400);
    echo "INVALID CHECKSUM";
}
?>
Note that PHP fills $_POST with URL-decoded values, so RESPMSG appears here as "Txn Success" rather than the transmitted "Txn+Success". If a sandbox callback containing such characters fails to verify, rebuild $params from the raw body (php://input) so that the values are hashed exactly as transmitted, in line with the first item under Common Verification Mistakes.
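The same procedure in Python, added here as an example (it is not SADAD's code). The secret key and the callback body are constructed so the script runs offline; the key is not a real SADAD key. Besides verifying a good callback, it shows that a changed amount, URL-decoded values, and a checksumhash left in the hashed string all fail, which are the first two items under Common Verification Mistakes below. compute_checksum() also lets you sign a test body to exercise your own endpoint.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

# Constructed test secret; not a real SADAD key. Use your Test/Live Secret Key.
SECRET_KEY = "TEST_SECRET_KEY_0123456789"

# Constructed callback body with the same fields as the documentation's sample,
# exactly as it appears on the wire (RESPMSG is still "Txn+Success").
RAW_BODY = (
    "MID=7015085&ORDERID=ORD-20251216-001&RESPCODE=3&RESPMSG=Txn+Success"
    "&STATUS=TXN_SUCCESS&TXNAMOUNT=150.00&transaction_number=SD2883696582255"
    "&transaction_status=3"
)


def parse_body(raw_body, decode=False):
    """Split a form-encoded body into a key -> value dict.

    decode=False keeps values exactly as transmitted; decode=True returns what a
    framework's request.form (or PHP's $_POST) hands you after URL-decoding.
    """
    if decode:
        return dict(parse_qsl(raw_body, keep_blank_values=True))
    return dict(field.partition("=")[::2] for field in raw_body.split("&"))


def compute_checksum(secret_key, params):
    """Secret key + values of every field except checksumhash, ordered by key in
    byte order (uppercase MID... before lowercase transaction_...), SHA-256 hex."""
    fields = {k: v for k, v in params.items() if k != "checksumhash"}
    payload = secret_key + "".join(fields[k] for k in sorted(fields))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def verify_callback(secret_key, params):
    """True only if checksumhash is present, well-formed and matches."""
    received = params.get("checksumhash", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", received):
        return False  # missing or malformed hash: reject before comparing
    expected = compute_checksum(secret_key, params)
    # Constant-time comparison; the received hex may arrive in either case.
    return hmac.compare_digest(expected, received.lower())


def sign_body(secret_key, raw_body):
    """Gateway side of the scheme; used here only to build signed test data."""
    return raw_body + "&checksumhash=" + compute_checksum(secret_key, parse_body(raw_body))


SIGNED_BODY = sign_body(SECRET_KEY, RAW_BODY)


def demo():
    """Verify one good callback and three bad ones; returns the outcomes."""
    results = {"valid": verify_callback(SECRET_KEY, parse_body(SIGNED_BODY))}

    # An attacker changing the amount invalidates the checksum.
    tampered = SIGNED_BODY.replace("TXNAMOUNT=150.00", "TXNAMOUNT=1.00")
    results["tampered"] = verify_callback(SECRET_KEY, parse_body(tampered))

    # Mistake: hashing URL-decoded values ("Txn Success" instead of "Txn+Success").
    results["decoded_values"] = verify_callback(
        SECRET_KEY, parse_body(SIGNED_BODY, decode=True)
    )

    # Mistake: leaving checksumhash in the hashed string.
    params = parse_body(SIGNED_BODY)
    wrong = hashlib.sha256(
        (SECRET_KEY + "".join(params[k] for k in sorted(params))).encode("utf-8")
    ).hexdigest()
    results["hash_included"] = hmac.compare_digest(wrong, params["checksumhash"])
    return results


if __name__ == "__main__":
    print(demo())  # {'valid': True, 'tampered': False, 'decoded_values': False, 'hash_included': False}
```

In a real endpoint, feed parse_body() the raw request body rather than your framework's pre-decoded form dictionary, and only update the order once verify_callback() returns True.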
Common Verification Mistakes
❌ URL-decoding values before hashing
❌ Including checksumhash in the hash calculation
❌ Sorting by values instead of keys
❌ Performing verification on client-side code
Important Notes
- Always perform verification server-side
- Do not trust callback data without checksum validation
- Use Test Secret Key for sandbox transactions
- Use Live Secret Key for production transactions
Relationship with Webhooks
- Callback → customer-facing redirection
- Webhook → server-to-server notification
Both use the same checksum verification logic.
👉 For webhook verification, refer to: Webhook Configuration & Payload
Recommended Implementation Flow
If you have questions about callback validation,
contact SADAD Support at
📧 [email protected]