Skip to main content
Published: June 24 2009, 1:27:00 AMUpdated: November 28 2020, 1:46:07 PM


 When an eBay user subscribes, cancels the subscription, clicks the Start button or does an EBAY_SIGNED makeRequest on your Application, eBay sends you a digitally signed addSubsriber request, removeSubscriber request, Render URL request or makeRequest document respectively. You need to verify that the document originated from eBay, and then decrypt passed user information for the subscriber or requester of the URL type Open eBay Apps.

 Detailed Description

  The following are code samples ( for most used development environments in ebay developer community) that illustrate how to ensure the obtained document is authentic. 

   Development Language    Signature  Verifier Decrypter  SignatureExtrator
      PHP    SignatureVerification.php StandardDecrypter.php  SignatureExtraction.php
      C#    SignautureVerification.cs StandardDecrypter.cs  SignatureExtraction.cs


    It is assumed  that  you have already downloaded the  public key and saved to a local file as: $publicKeyFilePath

   NOTE. For Sun JDK Developer, you need to first concatenate the multiple lines public key  into one long line before your verification code can process the public key.

********** For addSubscriber and removeSubscriber  **********


       SignatureVerification.verify($encodedSignature, $encryptedTokenValue, $publicKeyFilePath);

       StandardDecrypter.decrypt($encryptedTokenValue, $masterKeyStr)

       where $encodedSignatureaddSubscriberRequest.credentials.token.signature


                     $masterKeyStr = your application's CertID



********** For Render URL **********

   NOTE. As documented, in a render request,  the signature is in the sig parameter in the HTTP POST body. You need to assemble the string for signature verification by processing the parameters referenced in the sp parameter. The sp parameter contains a comma-separated list of the parameters that are included in the signature. The parameter values are to be URL-encoded and concatenated with "&". If any URL parameter itself has multiple values, the individual parameters are URL-encoded and concatenated with "|" prior to concatenation with "&". Please see details in the SignatureExtraction samples above.


      SignatureVerification.verify($encodedSignature, SignatureExtraction.extractSignature($request), $publicKeyFilePath );

     StandardDecrypter.decrypt($encryptedTokenValue, $masterKeyStr)

     where  $encodedSignature=URL Parameter.sig                   


                      $request:  HTTP REQUEST object

                 $masterKeyStr = your application's CertID

Additional Information

Documentation:  Authentication and Processing Requests from eBay

How well did this answer your question?
Answers others found helpful