The HMAC-MD5 Hash

HMAC-MD5 is a standard mechanism for generating a digital signature. The only requirement is that both the sender (you) and receiver (TrialPay) know a unique, secret key. In this case, the secret key is your Notification Key.

To find your notification key:

  1. Go to and log into your merchant account.
  2. Click the My Account link in upper-right corner.
  3. Locate your notification key in the Notification Preferences section.

To generate the HMAC-MD5, use the message string and your Notification Key as the two variables in your scripting language’s HMAC-MD5 function.

For example:

HMAC-MD5 {message-string, notification_key}

Your script should generate a unique, HMAC-MD5 hexadecimal value. This is your hmac INPUT tag’s value. Since your notification key is unique, the generated HMAC-MD5 value will also be unique.

When the HTML form button sends us your product information, we will generate our own HMAC-MD5 value using themessage value and the notification key we have on file for you. If the HMAC-MD5 value we generate matches the hmac value the button included, we know that you sent the data, and that it has not been tampered with.

For more information on using HMAC-MD5 for message authentication, refer to:

Platform Reference Sample Code
Java javax.crypto.Mac.getInstance(“MD5”)
PHP hash_hmac(‘md5’, $message, $notification_key)

TABLE 6 HMAC-MD5 Reference Web Sites