Merchant Redirect

For all Bank, Card and Crypto collection requests, a redirect URL is a mandatory parameter. This is the URL that DusuPay redirects to when the status of the transaction changes. Details follow..

Redirect URL Structure

The final redirect URL would look like the following. DusuPay basically appends the redirect parameters to the URL that's set in the initial collection request

https://redirect_url?id=&reference=&internal_reference=&status=&message=&signature=

Below is a description of all the query parameters that DusuPay appends

Parameter

Type

Description

id

integer

The transaction ID generated by DusuPay

reference

string

The merchant reference for this particular transaction

internal_reference

string

The internal reference generated by DusuPay for this transaction

status

string

The transaction status. Values can be one of; PENDING, CANCELLED, FAILED or COMPLETED. These are described here

message

string

The message describing the status

signature

string

The RSA signature generated by DusuPay. This can optionally be verified by the merchant to ensure that the redirect comes from DusuPay before giving value/service to the customer

We strongly recommend that merchants check for the availability of these parameters in the URL and also confirm that the references correspond to the data already available in their systems. This is one other way to ascertain the legitimacy of the redirect

Redirect Signature Verification (Optional)

This section describes the steps taken to verify the signature using sample query parameters. Assume that the redirect URL is as follows;

https://www.redirecturl.com?id=226&reference=2e474cf19b71&internal_reference=DUSUPAY405GZM1G5JXGA71IK&status=COMPLETED&message=Transaction%20Completed%20Successfully&signature=c0K46co6bmQkoDW8XjEWQ7nBAteBo5E0HLKnLaJr8g5tQO2suVgB1gzp1y5fjCl8EOUt77hw9XealtkyBLk7VcYJoN6PVjxpHO3kCim_3rmWZqxhISy9jVnl03ZCz9GG7Tn4NS8PU14hgn9gF1wrfXMwUpiCezcVcBxg-m0L6XSqckLTudGTb7mJgIpYCRdrj2FbpFzhB1e2xCJ5NbSc4nXA9_XrylTnD1wiO_iFEkD5ZbaH-IfYnTN7SOt6slgvrgsMGe4PI2PiHSuW97xf21n4Lt0pB1MVpKYIA5CHJORvxv8yAxODJGnKT93VxjIdfFd1Kkh-QfkC4upyXBbPlJKmRAcaCcUgVYQccrbuEgZ_ouVLdyo6h1q4-l7AKKl7W0Nx-U_HbhpvAUCe4kLHX9CyeJgDA8xB1fkyVTbpBTbw4h0iTP_98VUy0jCMJMYWkObPLI9K1FMYFgfFgdDy6LMIPb4-dBlPkevH9ZIPKE2N60vQFd9zRH2-J8LGCemqncVZlbi6jIzmy1Z2ylPQ772-fhT9tPJGlMsPw7bLcsRrDGulwHgO1dxHXpKJcb0OjkIxlQgTfHqLyyuqgyWcJJkoAmWMwmtnhIdJUmiD7V_UdZ3lLVP52VhEUqJhlWzVX7AmvK00WUkffut8uqgAqKbsSwgPEffp6RZxPvjJJAA

The signature string used in the example is valid and you can test verification with it. You can directly copy it from the section below

c0K46co6bmQkoDW8XjEWQ7nBAteBo5E0HLKnLaJr8g5tQO2suVgB1gzp1y5fjCl8EOUt77hw9XealtkyBLk7VcYJoN6PVjxpHO3kCim_3rmWZqxhISy9jVnl03ZCz9GG7Tn4NS8PU14hgn9gF1wrfXMwUpiCezcVcBxg-m0L6XSqckLTudGTb7mJgIpYCRdrj2FbpFzhB1e2xCJ5NbSc4nXA9_XrylTnD1wiO_iFEkD5ZbaH-IfYnTN7SOt6slgvrgsMGe4PI2PiHSuW97xf21n4Lt0pB1MVpKYIA5CHJORvxv8yAxODJGnKT93VxjIdfFd1Kkh-QfkC4upyXBbPlJKmRAcaCcUgVYQccrbuEgZ_ouVLdyo6h1q4-l7AKKl7W0Nx-U_HbhpvAUCe4kLHX9CyeJgDA8xB1fkyVTbpBTbw4h0iTP_98VUy0jCMJMYWkObPLI9K1FMYFgfFgdDy6LMIPb4-dBlPkevH9ZIPKE2N60vQFd9zRH2-J8LGCemqncVZlbi6jIzmy1Z2ylPQ772-fhT9tPJGlMsPw7bLcsRrDGulwHgO1dxHXpKJcb0OjkIxlQgTfHqLyyuqgyWcJJkoAmWMwmtnhIdJUmiD7V_UdZ3lLVP52VhEUqJhlWzVX7AmvK00WUkffut8uqgAqKbsSwgPEffp6RZxPvjJJAA
  1. Form the string payload to be used in the signature verification. This is obtained by concatenating values of the redirect data in the format; id:internal_reference:status:redirect_url where redirect_url is the value you set for the redirect_url parameter when making the initial collection request in this case, that value is https://www.redirecturl.com

2. The string payload in our example would therefore be the following;

226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.redirecturl.com

3. Download the public key and store it in a file as described here.

4. Use the stored public key to verify the signature as described in the sample source codes below

JavaScript
PHP
JavaScript
const crypto = require('crypto');
const fs = require('fs');
function isValidSignature() {
const strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.redirecturl.com";
const signature = "signature-from-query-params";
const publicKeyFile = "path-to-file/dusupay.public.key.pem";
const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');
const verify = crypto.createVerify("SHA512");
verify.write(strPayload);
verify.end();
/*true or false*/
return verify.verify(publicKey, signature, 'base64');
}
PHP
<?php
public function isValidSignature() {
$file = "path-to-file/dusupay.public.key.pem";
$keyContent = file_get_contents($file);
$publicKey = openssl_get_publickey($keyContent);
$strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.redirecturl.com";
$signature = base64_decode("signature-from-query-params");
/*true or false*/
return openssl_verify($strPayload, $signature, $publicKey) == 1;
}
?>