Generate the Signature for the iFrame

Zuora Hosted Checkout Pages are no longer under active development. Customers should use Payment Pages 2.0 for their secure payment acceptance requirements.


This section describes the steps that you need to take to dynamically generate the security signature of the hosted iFrame.

View iFrame Code

After configuring and saving your Checkout page, you can view the generated iFrame URL, the Page ID, and the API Security Key.

To view the Checkout page information:

  • In the Hosted Checkout pages list, click View for the page you just created.


The Usage Information section includes the information that you will need in order to embed the Checkout pages into your website.

  • HTML Code - The HTML code that includes the iFrame URL so that you can embed it on your webpage.
  • Page ID - The unique identifier for each hosted page that is created. The Page ID can also be found within the URL of the iFrame.
  • API Security Key - A security key that will be used to validate the callback response for the hosted page. This key is unique for each tenant and should not be shared publicly.

Besides the Page ID and API Security Key, there are several additional components that need to be set to generate the iFrame.

  • Timestamp - Create a timestamp in UTC (GMT) format in milliseconds, for example, 1316846058955.

The iFrame URL from the Usage Information section is valid for 30 minutes after it is generated. You must add logic to dynamically generate the timestamp/token when calling the hosted page.

  • Token - The token is a random alphanumeric token of 32 characters that has not been used in the past 48 hours, for example, 7av18bEz97Jrq9K6z0QPyvJpIqIxSmZc. Every page submission consumes a token. Once a token has been consumed, it is blacklisted for 48 hours. When a Hosted Checkout Page needs to be reloaded, for example, after an unsuccessful submission, a new token must be created to generate a new iFrame.
  • API Security Key - You will use the API security key to generate the signature. The API security key is the only parameter used in signature generation that is not transmitted in the public URL. You must include the Hosted Pages API security key with the signature.

Generate a Signature

To generate the signature for the URL, create a string that concatenates the following input values:

  • ID (Page ID)
  • Tenant ID
  • Timestamp
  • Token
  • API security key

Use the following format for the string:


Do not add a space or other character between the token and the API security key. 

For example, using the following values:

  • Id: 4028e697325f8e970132603326446b33
  • Tenant: 10514
  • Timestamp: 1316846058955
  • Token: 7av18bEz97Jrq9K6z0QPyvJpIqIxSmZc
  • API security key: PEq1yiahIyFO6XxpyuCWyLoG4ym_HAklH2-FfAisLuk=

The resulting concatenated string would look like the following:


Encode the String

After you generate the signature for the URL, you must encode the resulting string.

To encode the URL signature:

  1. Encode the signature string in the UTF-8 format.
  2. Generate a hash using MD5 and convert it to Base16. PHP generates MD5 as Base16 by default, so this step is necessary for languages such as Java and .NET, which generate MD5 as Base10 by default. A sample result after this step would be "856832ff9bac443d486e608783d78e57".
  3. Convert the string to Base64 in URL Safe Mode. Base64 in URL Safe Mode refers to a Base64 format that is safe to use in a URL: it alters the Base64 alphabet by replacing + and / with - and _ (respectively). The sample resulting output should be "ODU2ODMyZmY5YmFjNDQzZDQ4NmU2MDg3ODNkNzhlNTc=".

The result from step 3 above is the signature to be used for the iFrame URL.
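
The following Python sketch is an added example, not code from Zuora or from the original page; it walks through the token, timestamp and three encoding steps described above. The `template` parameter, the function names and the returned dictionary keys are assumptions: the caller supplies the format string from the Zuora documentation, because it is not reproduced on this page.

```python
import base64
import hashlib
import secrets
import string
import time

ALPHANUMERIC = string.ascii_letters + string.digits


def new_token() -> str:
    """32 random alphanumeric characters from the OS CSPRNG, one per page load."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(32))


def md5_base16(signature_string: str) -> str:
    """Steps 1 and 2: UTF-8 encode, MD5, lowercase hex (Base16)."""
    return hashlib.md5(signature_string.encode("utf-8")).hexdigest()


def base64_url_safe(text: str) -> str:
    """Step 3: Base64 using '-' and '_' instead of '+' and '/', padding kept."""
    return base64.urlsafe_b64encode(text.encode("ascii")).decode("ascii")


def sign(template: str, page_id: str, tenant: str, api_key: str) -> dict:
    """Return the public URL values for one page load; api_key is never returned.

    template is caller-supplied (assumption): the page's format string with
    {id}, {tenant}, {timestamp}, {token} and {key} placeholders.
    """
    timestamp = time.time_ns() // 1_000_000  # UTC epoch milliseconds
    token = new_token()
    joined = template.format(id=page_id, tenant=tenant, timestamp=timestamp,
                             token=token, key=api_key)
    # The page: no space or other character between token and API security key.
    if token + api_key not in joined:
        raise ValueError("token must be immediately followed by the API security key")
    return {"id": page_id, "tenant": tenant, "timestamp": timestamp,
            "token": token, "signature": base64_url_safe(md5_base16(joined))}


if __name__ == "__main__":
    # Constructed stand-in template and key, not Zuora's format or a real key.
    demo = sign("{id}{tenant}{timestamp}{token}{key}",
                "4028e697325f8e970132603326446b33", "10514", "constructed-key=")
    print(demo)
```

Call `sign` on the server for every page load or reload so that each iFrame URL carries a fresh timestamp and an unused token, and keep the API security key out of anything sent to the browser.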

What's Next

Next, Embed and Submit the iFrame.
