Home » Php » sha256 – Problems encoding Amazon Flexible Payments secret string in PHP

sha256 – Problems encoding Amazon Flexible Payments secret string in PHP

Posted by: admin July 12, 2020 Leave a comment


I am trying to use Amazon Payment Services, and they require me to do something like this:

Here is the complete signature so you can see I added the signature method:

$string_to_sign = "GET\n

and then I encrypt it like below.

$encoded_string_to_sign = URLEncode(Base64_Encode(hash_hmac("sha256", $string_to_sign, 'my_secret_key')));

I do that, but then I get an error from them saying:

Caller Input Exception: The following input(s) are either invalid or absent:[signatureMethod]

Any idea what might be going wrong here?

Here is the entire code for this: (the variables are assigned values above)

$string_to_sign = 'GET

    $encoded_string_to_sign = URLEncode(Base64_Encode(hash_hmac("sha256", $string_to_sign, 'my_secret_key')));

$amazon_request_sandbox = 'https://authorize.payments-sandbox.amazon.com/cobranded-ui/actions/start?SignatureVersion=2&returnUrl='.$return_url.'&paymentReason='.$payment_reason.'&callerReference=YourCallerReference&callerKey='.$my_access_key_id.'&transactionAmount=4.0&pipelineName=SingleUse&SignatureMethod=HmacSHA256&Signature='.$encoded_string_to_sign;

//echo $amazon_request_sandbox; - use this if you want to see the resulting request and paste it into the browser

header('Location: '.$amazon_request_sandbox);


How to&Answers:

Check if you included &SignatureMethod=HmacSHA256 on the request

This kind of errors has 3 basic natures:

  • Missing Keys/Values
  • Typos on Keys/Values
  • Incorrect encoding or spaces on Keys/Values

Hope that helps!



The only piece that wasn’t suggested was that you need to use rawurlencode() on the transactionAmount that’s part of the $string_to_sign.

Most other answers are a piece of the problem. For instance, you need to add a new line to the $string_to_sign after the GET (which you have), after the authorize.payments-sandbox.amazon.com, and after the /cobranded-ui/actions/start. You also need to set the $raw_output parameter to true in the hash_hmac() function.

I’ve included a complete working rewrite of your code (replace <Your_Access_Key> and <Your_Secret_Key>):

$return_url = rawurlencode('http://problemio.com');
$payment_reason = 'donation';
$transaction_amount = rawurlencode('4.0');

$secret_key = '<Your_Secret_Key>';
$my_access_key_id = '<Your_Access_Key>';

$string_to_sign = 'GET
SignatureMethod=HmacSHA256&SignatureVersion=2&callerKey=' . $my_access_key_id . '&callerReference=YourCallerReference&paymentReason=' . $payment_reason . '&pipelineName=SingleUse&returnUrl=' . $return_url . '&transactionAmount=' . $transaction_amount;

$encoded_string_to_sign = URLEncode(Base64_Encode(hash_hmac("sha256", $string_to_sign, $secret_key, true)));

$amazon_request_sandbox = 'https://authorize.payments-sandbox.amazon.com/cobranded-ui/actions/start?SignatureVersion=2&returnUrl=' . $return_url . '&paymentReason=' . $payment_reason . '&callerReference=YourCallerReference&callerKey=' . $my_access_key_id . '&transactionAmount=4.0&pipelineName=SingleUse&SignatureMethod=HmacSHA256&Signature=' . $encoded_string_to_sign;

However, I strongly suggest that you use the PHP library provided by the FPS community which can be downloaded here. I use this in production code and have never had an issue. Using the FPS library, your code would look like the following:


require_once 'CBUISingleUsePipeline.php';
require_once 'CBUIPipeline.php';

$secret_key = '<Your_Secret_Key>';
$my_access_key_id = '<Your_Access_Key>';

$return_url = 'http://problemio.com';
$transaction_amount = '4.0';
$caller_reference = '<Your_Caller_Reference>';
$payment_reason = 'donation';

$base = 'https://authorize.payments-sandbox.amazon.com/cobranded-ui/actions/start';

$pipeline = new Amazon_FPS_CBUISingleUsePipeline($my_access_key_id, $secret_key);
$pipeline->setMandatoryParameters($caller_reference, $return_url, $transaction_amount);
$pipeline->addParameter('paymentReason', $payment_reason);
$uRL = $pipeline->getURL($base);



Have you set your signature method? from the AWS documentation:

You must set the SignatureMethod request parameter to either
HmacSHA256 or HmacSHA1 to indicate which signing method you’re using


I don’t believe you need to base64 encode the hash (after all, it’s already being urlencoded) — try removing Base64_Encode.


Your $string_to_sign variable is missing a ‘?’ between start and SignatureMethod for your encoded Signature.

Signature version 2 is an enhanced signing method for both Amazon
Simple Pay and Amazon Flexible Payments Service.

For inbound requests (from your application to Amazon Payments), it
uses the entire request URI as the basis for the signature, with
encryption based on the unique security credentials for your account.

For outbound requests (from Amazon Payments to your application),
Amazon signs the response which you can verify using the
VerifySignature API


As @Jonathan Spooner mentioned already and what I use is the function varifySignature() located in


which can be downloaded here. It also has an example as to how to use it in


It makes the whole process much easier. It may be worth a shot…


Have you tried this

base64_encode(hash_hmac(‘sha256’, $Request, $AmazonSecretKey, true));

Pass a boolean to pass it as a raw output.


You’re most definitely missing the last parameter for hash_hmac which has to be set true to get RFC 2104-compliant HMAC signature:

    hash_hmac($hash, $data, $key, true)

And in the complete example you’re missing new lines in $string_to_sign.