Skip to main content

Documentation Index

Fetch the complete documentation index at: https://flutterwaveinc.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

To secure payment on the client side, include a field called payload_hash in your request with a hashed value. This hash is created by encrypting some immutable values in your request. We will then compute the hash values at runtime and compare them with the value from your request to ensure your payment is indeed secure.
If you are making payments using any of the integration methods like Inline, Standard, or HTML Checkout, ensure you pass in the hash value in all your requests.
To generate the hash, follow these steps:
  1. Retrieve the transaction data (amount, currency, customer_email, and tx_ref).
  2. Create a SHA256 value of your secret key.
  3. Concatenate the values of your transaction data and your hashed secret key in this exact order, with no separators.
  4. Generate a SHA256 hash of the concatenated string in step 3.
  5. Add the generated hash from Step 4 to the payload_hash field of the checkout object, and then render the checkout page.
  6. Prompt your user to complete the payment.
  7. After completing the payment, verify the transaction as you normally would before providing value to the user.
When generating a hash, make sure to use a secure backend server that utilizes your secret key. Do not fetch the data from the request body of your HTTP request. Instead, fetch it from a secure datastore.

Request with payload hash

Below is an example of how to generate and send a payload_hash using NodeJs and Python. 
const getDataForHash  = (reference_number) => {
// Retrieve data [customer_email, tx_ref, currency, amount] from your preferred data store using a reference number or identifier of your choice.
}
const hashedSecretKey = crypto.createHash("sha256").update(process.env.FLW_SEC_KEY, 'utf8').digest("hex");
const StringToBeHashed = amount + currency + customer_email + tx_ref + hashedSecretKey;
const payload_hash = crypto.createHash("sha256").update(StringToBeHashed, 'utf8').digest("hex");

console.log(payload_hash);
Full Request
<script src="https://checkout.flutterwave.com/v3.js"></script>

<form>
 <button type="button" onclick="makePayment()">Pay Now</button>
</form>

<script>
 function makePayment() {
   const FLW_PUBLIC_KEY = process.env.FLW_PUBLIC_KEY;
     FlutterwaveCheckout({
      public_key: FLW_PUBLIC_KEY,
      amount: '100',
      tx_ref: 'YOUR_PAYMENT_REFERENCE',
      currency: 'NGN',
      customer: {
        email: 'user@example.com',
        phone_number: '09012345678',
        name: 'John Doe',
      },
      redirect_url: 'https://example_company.com/success',
      customizations: {
        title: 'Test Payments',
      },
      payload_hash: "YOUR_ENCRYPTED_HASH"
    });
 }
</script>
If any value in the payload is tampered with, causing it to be inconsistent with the generated hash, we will return an error message to the customer on the Flutterwave Checkout page once the payment is submitted. checksum Before updating your customers’ account value, make sure to verify the payment details by comparing the amount, currency, and reference on both reciepts.