Step 7. Validate the signature (optional)
After an order is placed, validate the signature carried in the return URL so that your server only trusts a result that actually came from Amazon. The steps are the same ones Amazon used to sign the URL:
- Construct the string to sign.
- Sign the string with your Amazon MWS secret access key.
- Generate the signature on your server and compare with the returned signature.
To create a valid signature, you need to construct the string to sign according to the Amazon MWS V2 signature spec. The string consists of the following elements, with each section separated by a new line:
- The HTTP action. For generating the signature on your server, the request is always GET.
- The host name of your server's return URL (for example, your-domain.com).
- The request URI, which is the fully qualified path to your server's return URL file.
- The parameters, sorted by name in byte order and written in query-string format, with each parameter name and value URL encoded.
Include only the parameters that were in the return URL from Amazon; the Signature parameter itself is the value being checked and is not part of the string to sign.
The following example shows what your string to sign might look like. Note that if your server's return URL is http://your-domain.com/path/success-file.html, the host name and request URI would be as shown in the following example. Each of the four elements is on its own line:
GET
your-domain.com
/path/validatesignature.html
AWSAccessKeyId=AKIAEXAMPLE&SignatureMethod=HmacSHA256&SignatureVersion=2&amount=99.00&currencyCode=USD&orderReferenceId=S01-999999-9999999&paymentAction=AuthorizeAndCapture&resultCode=Success&sellerId=A2MQTZXEXAMPLE&sellerOrderId=1234
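The check described above, carried through end to end in Python as an added example (this is not Amazon's code or a library API). It builds the four-line string to sign from the return URL, recomputes the MWS V2 signature (base64 of HMAC-SHA256 over the string, keyed with the secret access key) and compares it to the Signature parameter in constant time. The secret key, the return URL and the `sign_return_url` helper that stands in for Amazon's side of the exchange are constructed for the demonstration; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# RFC 3986 unreserved characters; everything else is percent-encoded,
# which is what the MWS V2 signature spec requires (spaces become %20).
_UNRESERVED = "-_.~"


def _encode(value):
    return quote(value, safe=_UNRESERVED)


def canonical_query(params):
    """Sorted (byte order) query string; the Signature parameter is excluded."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in pairs)


def string_to_sign(return_url):
    """Build the four-line MWS V2 string to sign from a full return URL.

    Returns the string and the decoded parameters so the caller can also
    read the Signature parameter that Amazon appended.
    """
    parts = urlsplit(return_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    lines = [
        "GET",                      # always GET when validating on your server
        parts.hostname or "",       # host name, lower-cased by urlsplit
        parts.path or "/",          # request URI (path to the return URL file)
        canonical_query(params),    # sorted, URL-encoded parameters
    ]
    return "\n".join(lines), params


def compute_signature(secret_key, sts):
    """Base64(HMAC-SHA256(secret_key, string_to_sign))."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def validate_return_url(return_url, secret_key):
    """True only if the Signature in the URL matches what we compute."""
    sts, params = string_to_sign(return_url)
    expected = compute_signature(secret_key, sts)
    received = params.get("Signature", "")
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(expected, received)


def sign_return_url(return_url, secret_key):
    """Demo helper standing in for Amazon: append a Signature to an unsigned URL."""
    sts, _ = string_to_sign(return_url)
    return return_url + "&Signature=" + quote(compute_signature(secret_key, sts), safe="")


# Constructed sample values; the secret key is not a real MWS credential.
SAMPLE_SECRET = "EXAMPLE-SECRET-ACCESS-KEY"
SAMPLE_RETURN_URL = (
    "http://your-domain.com/path/validatesignature.html"
    "?AWSAccessKeyId=AKIAEXAMPLE&SignatureMethod=HmacSHA256&SignatureVersion=2"
    "&amount=99.00&currencyCode=USD&orderReferenceId=S01-999999-9999999"
    "&paymentAction=AuthorizeAndCapture&resultCode=Success"
    "&sellerId=A2MQTZXEXAMPLE&sellerOrderId=1234"
)

if __name__ == "__main__":
    signed = sign_return_url(SAMPLE_RETURN_URL, SAMPLE_SECRET)
    print(string_to_sign(signed)[0])
    print("valid:", validate_return_url(signed, SAMPLE_SECRET))
    tampered = signed.replace("amount=99.00", "amount=1.00")
    print("tampered valid:", validate_return_url(tampered, SAMPLE_SECRET))
```

Because the string to sign covers every parameter Amazon returned, changing any of them (the amount, the order reference, the result code) invalidates the signature, and a URL signed with a different key fails as well; treat a failed check as an untrusted result and do not fulfil the order on it.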