Using the Validate Relay Response HTML option

Created by Richard Moore, Modified on Wed, 12 Apr 2023 at 12:02 PM by Richard Moore

This option is enabled by checking "Validate Relay Response HTML" in the "Relay Response" tab of the Administration console.


If enabled, E-xact performs an extra validation of the relay response passed back by the merchant server.  In order to pass this validation, the merchant server must calculate an HMAC-MD5 digest of the response content and include the digest as part of the response header.


To calculate this HMAC-MD5 digest, the merchant server should use:



  • key - the Transaction Key from the payment page configuration

  • message - the HTML content to be returned for the relay response


To include this digest in the relay response, the merchant server should:



  • add an HTTP header field called 'Signature'

  • set the field value to be a concatenation of the x_login value of the payment page and the digest, separated by a colon


For example, using the values in the table below:

| Field | Value |
|---|---|
| x_login | WSP-GOODS-70 |
| Transaction Key | AL81Li7D4laXYDtpfgO_lInQ |
| relay response HTML content | <html><head></head><body>hello from merchant server</body></html> |

The following snippets show the digest calculation in a few languages:


Ruby


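require 'openssl'

# OpenSSL::Digest::Digest is a deprecated alias; OpenSSL::Digest.new is the current form.
# Arguments: digest, key (Transaction Key), message (relay response HTML).
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), 'AL81Li7D4laXYDtpfgO_lInQ', '<html><head></head><body>hello from merchant server</body></html>')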

Python


import hmac
import hashlib

# Python 3: hmac.new() requires bytes for both the key and the message.
h = hmac.new(b'AL81Li7D4laXYDtpfgO_lInQ', b'<html><head></head><body>hello from merchant server</body></html>', hashlib.md5)
print(h.hexdigest())

PHP


hash_hmac('md5','<html><head></head><body>hello from merchant server</body></html>', 'AL81Li7D4laXYDtpfgO_lInQ');

The resulting HMAC-MD5 digest would be:


1ba55452cc7e799324c69af2b675346b

and the Signature header for the response would look like:


Signature: WSP-GOODS-70:1ba55452cc7e799324c69af2b675346b
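
The header construction described above, as an added Python example (not part of the original article and not E-xact's code). The function names are hypothetical, UTF-8 encoding of the body is an assumption, and `check_relay_signature` only mirrors the validation this article describes so that a merchant can test its own output; it shows that the digest must cover the exact bytes sent, since even one trailing newline changes it.

```python
import hashlib
import hmac

# Sample values from the table in this article.
X_LOGIN = "WSP-GOODS-70"
TRANSACTION_KEY = "AL81Li7D4laXYDtpfgO_lInQ"
HTML = "<html><head></head><body>hello from merchant server</body></html>"


def relay_signature(x_login, transaction_key, body):
    """Return the Signature header value: '<x_login>:<hex HMAC-MD5 of body>'.

    body must be the exact bytes written to the HTTP response.
    """
    if not isinstance(body, bytes):
        raise TypeError("sign the encoded response bytes, not a str")
    key = transaction_key.encode("ascii")
    digest = hmac.new(key, body, hashlib.md5).hexdigest()
    return f"{x_login}:{digest}"


def check_relay_signature(header_value, x_login, transaction_key, body):
    """Hypothetical receiver-side check, for self-testing a merchant server."""
    login, sep, digest = header_value.rpartition(":")
    if not sep or login != x_login:
        return False
    key = transaction_key.encode("ascii")
    expected = hmac.new(key, body, hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(digest.lower().encode("utf-8"), expected.encode("ascii"))


def demo():
    body = HTML.encode("utf-8")  # assumption: the response is served as UTF-8
    header = relay_signature(X_LOGIN, TRANSACTION_KEY, body)
    forged_login = header.replace(X_LOGIN, "OTHER", 1)
    return {
        "header": header,
        "exact_body": check_relay_signature(header, X_LOGIN, TRANSACTION_KEY, body),
        "trailing_newline": check_relay_signature(header, X_LOGIN, TRANSACTION_KEY, body + b"\n"),
        "wrong_login": check_relay_signature(forged_login, X_LOGIN, TRANSACTION_KEY, body),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Compute the signature as the last step before the response is written, after any templating, compression-independent encoding or whitespace changes have been applied to the body.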
