Accertify Hash Algorithm

\<font color="#78b5c7">\</font> topic type reference purpose provide the authoritative hashing algorithm required by apis for hash‑required fields audience api integrators and client developers implementing apis applies to apis that require hashed field submission does not apply to apis that do not require hashed field submission use the hash algorithm to hash specific sensitive fields before submitting them to apis this algorithm is required for fields designated as hash required when to use this algorithm hash the clear text value prior to sending it to the api for fields that require hashing the api reference explicitly identifies hash‑required fields common examples include giftcardnumber hashedpassword if a field requires hashing and you submit a value that appears to be plain text, the api may reject the request high level algorithm (normative) given an input string s (the clear text value), compute the hash as follows encode s to bytes using utf‑8 compute bytekey = sha 256(s bytes) (a 32 byte digest) compute hmac = hmac sha256(key=bytekey, message=s bytes) return base64encode(hmac) using url safe base64 (per the java implementation) if the input is blank/empty, return an empty string why this looks unusual this algorithm uses a derived key (sha 256(input)) and then hmacs the original input using that derived key that is intentional and must be followed exactly to match platform expectations full algorithm (java and c#) public static string hash(string rawsearchvalue) { base64 base64 = new base64(integer max value, new byte\[]{}, true); messagedigest sha256; mac hmacsha256; try { sha256 = messagedigest getinstance("sha 256"); hmacsha256 = mac getinstance("hmacsha256"); } catch (nosuchalgorithmexception e) { throw new runtimeexception(e getmessage(), e); } if (stringutils isnotblank(rawsearchvalue)) { try { byte\[] value = rawsearchvalue getbytes(utf 8); sha256 reset(); byte\[] bytekey = sha256 digest(value); hmacsha256 init(new secretkeyspec(bytekey, "sha 256")); return base64 encodeasstring(hmacsha256 dofinal(value)); } catch (invalidkeyexception ex) { throw new runtimeexception("invalid key, error " + ex getmessage(), ex); } } return stringutils empty; } important notes uses utf‑8 input bytes uses base64( , urlsafe=true) → url safe base64 encoding returns empty string for blank input using system; using system security cryptography; using system text; public class accertifyhashtester { private static string hash(string inputvalue) { byte\[] hmachash; using (sha256 shahash = sha256 create()) { encoding enc = encoding utf8; byte\[] bytekey = shahash computehash(enc getbytes(inputvalue)); var hmacinstance = new hmacsha256(bytekey); hmachash = hmacinstance computehash(getbytesfromstring(inputvalue)); } return system convert tobase64string(hmachash); } private static byte\[] getbytesfromstring(string text) { var encoding = new system text utf8encoding(); return encoding getbytes(text); } public static void main(string\[] args) { console writeline(hash(args\[0])); } } encoding requirement the accertify hash algorithm requires url‑safe base64 encoding of the hmac output implementations must use url‑safe base64 encoding (rfc 4648, §5) to produce valid hashes note on c# implementation the c# example uses standard base64 encoding as written if your integration requires url‑safe base64 output, you must transform the encoded value accordingly (for example, replacing + with , / with , and removing padding characters)