7. Signature Generation (Request)

SADAD requires merchants to generate a SHA256 signature to ensure the authenticity and integrity of each payment request.

The signature must be generated server-side using your Secret Key and sent along with the transaction request.

---

Exact Steps

1. Collect all mandatory parameters except signature
2. Sort parameters alphabetically by key name
3. Prefix the string with your Secret Key
4. Concatenate only the parameter values (no keys, no separators)
5. Generate a SHA256 hash
6. Convert the hash output to uppercase

---

Code Samples (Primary Languages)

PHP

<?php
$secretKey = "YOUR_TEST_SECRET_KEY";
$params = [
  "CALLBACK_URL"=>"https://yoursite.com/callback",
  "MOBILE_NO"=>"97412345678",
  "ORDER_ID"=>"ORD-20251216-001",
  "TXN_AMOUNT"=>"150.00",
  "WEBSITE"=>"MYSHOP",
  "email"=>"[email protected]",
  "merchant_id"=>"123456",
  "txnDate"=>"2025-12-16"
];
ksort($params);
$string=$secretKey;
foreach($params as $v){$string.=$v;}
echo strtoupper(hash('sha256',$string));
?>

JavaScript (Node.js)

const crypto = require('crypto');

const secretKey = 'YOUR_TEST_SECRET_KEY';
const params = {
  CALLBACK_URL:'https://yoursite.com/callback',
  MOBILE_NO:'97412345678',
  ORDER_ID:'ORD-20251216-001',
  TXN_AMOUNT:'150.00',
  WEBSITE:'MYSHOP',
  email:'[email protected]',
  merchant_id:'123456',
  txnDate:'2025-12-16'
};

const signature = crypto
  .createHash('sha256')
  .update(secretKey + Object.keys(params).sort().map(k => params[k]).join(''))
  .digest('hex')
  .toUpperCase();

console.log(signature);

Python

import hashlib

secret="YOUR_TEST_SECRET_KEY"
params={
 "CALLBACK_URL":"https://yoursite.com/callback",
 "MOBILE_NO":"97412345678",
 "ORDER_ID":"ORD-20251216-001",
 "TXN_AMOUNT":"150.00",
 "WEBSITE":"MYSHOP",
 "email":"[email protected]",
 "merchant_id":"123456",
 "txnDate":"2025-12-16"
}

s = secret + ''.join(params[k] for k in sorted(params))
print(hashlib.sha256(s.encode()).hexdigest().upper())

Java

import java.security.*;
import java.util.*;

String secret="YOUR_TEST_SECRET_KEY";

Map<String,String> p=new TreeMap<>();
p.put("CALLBACK_URL","https://yoursite.com/callback");
p.put("MOBILE_NO","97412345678");
p.put("ORDER_ID","ORD-20251216-001");
p.put("TXN_AMOUNT","150.00");
p.put("WEBSITE","MYSHOP");
p.put("email","[email protected]");
p.put("merchant_id","123456");
p.put("txnDate","2025-12-16");

String s = secret + String.join("", p.values());

MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] h = md.digest(s.getBytes());

StringBuilder sb = new StringBuilder();
for(byte b : h) sb.append(String.format("%02X", b));
System.out.println(sb);

.NET (C#)

using System.Security.Cryptography;
using System.Text;

string secret="YOUR_TEST_SECRET_KEY";

var p=new SortedDictionary<string,string>{
{"CALLBACK_URL","https://yoursite.com/callback"},
{"MOBILE_NO","97412345678"},
{"ORDER_ID","ORD-20251216-001"},
{"TXN_AMOUNT","150.00"},
{"WEBSITE","MYSHOP"},
{"email","[email protected]"},
{"merchant_id","123456"},
{"txnDate","2025-12-16"}
};

string s = secret + string.Concat(p.Values);

using var sha = SHA256.Create();
Console.WriteLine(
  BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s)))
  .Replace("-", "")
);

---

Additional Language Examples

Ruby / Rails

require 'digest'
secret="YOUR_TEST_SECRET_KEY"
params={
 "CALLBACK_URL"=>"https://yoursite.com/callback",
 "MOBILE_NO"=>"97412345678",
 "ORDER_ID"=>"ORD-20251216-001",
 "TXN_AMOUNT"=>"150.00",
 "WEBSITE"=>"MYSHOP",
 "email"=>"[email protected]",
 "merchant_id"=>"123456",
 "txnDate"=>"2025-12-16"
}
puts Digest::SHA256.hexdigest(secret + params.sort.to_h.values.join).upcase

Go

import (
 "crypto/sha256"
 "fmt"
 "sort"
)
s := secret + sortedValues
fmt.Printf("%X", sha256.Sum256([]byte(s)))

Kotlin

val s = secret + params.values.joinToString("")
val hash = MessageDigest.getInstance("SHA-256").digest(s.toByteArray())
println(hash.joinToString("") { "%02X".format(it) })

Swift

let s = secret + params.sorted{$0.key<$1.key}.map{$0.value}.joined()
print(SHA256.hash(data: s.data(using:.utf8)!))

PowerShell

$hash = [System.Security.Cryptography.SHA256]::Create()

C / C++ / Objective-C / R / Clojure / OCaml

Use the platform cryptographic library to generate:

SHA256(secret_key + concatenated_sorted_parameter_values)

---

Important Notes

caution

• Do not URL-encode values before signature generation
• Do not include the signature parameter in the hash
• Parameter order must be alphabetical by key
• Signature generation must always be done server-side