2Checkout Documentation


The MD5 hash is provided to help you verify the authenticity of the passback to your approved URL. The hash is computed using the secret word on the Site Management page and is returned using the key parameter. To validate against the hash, you need to make a string that contains the information described below and pass it in as the value to your scripting languages MD5 function.

UPPERCASE(MD5_ENCRYPTED(Secret Word + Seller ID + order_number + Sale Total))

The secret word is set by yourself on the Site Managment page. The vendor number is your numerical vendor/seller ID number. The order number is the order number for the sale. The total is the numerical value for the total amount of the sale. Each of our community supported libraries provides a binding to validate the hash on a notification message.

Demo Sales

Please note that the MD5 hash that we return on demo sales is intentionally broken as we use a “1” for the order number when we compute the hash instead of the actual value being returned through the `order_number` parameter. You will need to account for this on your end if you are testing with demo sales by computing the compare hash like below:

UPPERCASE(MD5_ENCRYPTED(Secret Word + Seller ID + 1 + Sale Total))

Example Validation

Below is an example PHP script that validates the hash.

$hashSecretWord = 'tango'; //2Checkout Secret Word
$hashSid = 1303908; //2Checkout account number
$hashTotal = '1.00'; //Sale total to validate against
$hashOrder = $_REQUEST['order_number']; //2Checkout Order Number
$StringToHash = strtoupper(md5($hashSecretWord . $hashSid . $hashOrder . $hashTotal));
if ($StringToHash != $_REQUEST['key']) {
$result = 'Fail - Hash Mismatch';
} else {
$result = 'Success - Hash Matched';

echo $result;