Key generators

Overview

Product activation means sending the client an email message containing either a binary key (especially for software products) or an activation alphanumeric code for digital products like software and phone cards. The key or the code is used to unlock the subscriptions or get access to website content.

This feature is implemented by storing the keys or codes using two different types of lists:

Static lists
Dynamic lists

Static lists

Add a static list

Navigate to https://secure.avangate.com/cpanel/electronic.php under Setup.

Enter a name and select the list type: Static.

Choose the type of codes your customers receive:

A single activation code that all shoppers share.
Multiple codes that you can enter manually, one per line. You can also tweak the way that 2Checkout handles:
- Duplicates. Your list may or may not contain duplicate codes.
- Codes in the context of several units purchased. Send multiple codes according to product quantity or a single code regardless of the number of units purchased.
- Notifications when a list is running low on available codes.

Assign the products for which 2Checkout delivers codes from the list.

Delete a static list

Navigate to https://secure.2checkout.com/cpanel/electronic.php under Setup.

Click Edit on the list you want to delete.

Remove all products from the list and save the changes.

Go back to the list catalog page and click the Delete button.

In the pop-up message, confirm the deletion of the list.

Dynamic lists

Use this option if you host the key generator on your servers.

Workflow

2Checkout queries your code generator.

Your code generator creates the codes and provides them to 2Checkout.

2Checkout delivers the codes to your shoppers in fulfillment emails, on the Thank You Page, and in their myAccount.

Code generator output

For each approved order, 2Checkout queries your server with certain parameters (see parameters table) that you can use to generate codes/binary keys. Depending on the code or key format (alphanumeric or binary) the 2Checkout system expects either a:

XML file (alphanumeric code or key)
Or a binary file response (binary code or key)

Limitations

Key generators hosted on websites with self-signed certificates are not allowed.

The Skip TLS validation rule set in System settings applies only for webhook notifications (IPN/LCN/INS) and does not work for key generators.

Add a dynamic list

Navigate to https://secure.avangate.com/cpanel/electronic.php under Setup.

Enter a name and select the list type: Dynamic.

Enter the URL corresponding to the location on your server where you host your key generator.

Assign the products for which 2Checkout delivers codes from the list.

Delete a dynamic list

Navigate to https://secure.2checkout.com/cpanel/electronic.php under Setup.

Click Edit on the list you want to delete.

Remove all products from the list and save the changes.

Go back to the list catalog page and click the Delete button.

In the pop-up message, confirm the deletion of the list.

Method and parameters

2Checkout sends the following parameters to your server using HTTP/HTTPS POST using the URL you supplied when configuring the dynamic list.

Field name

Description

PID

Unique, system-generated 2Checkout product ID.

PCODE

The product code you control.

INFO

Additional information sent with the order.

REFNO

Order reference from the 2Checkout system. (maximum 9 characters)

REFNOEXT

Order reference from your own system, sent when the order has been generated

PSKU

Product SKU

TESTORDER

Specifies if the order is for testing purposes. The only possible values are YES or NO.

QUANTITY

Ordered products quantity. (number of subscriptions for example)

FIRSTNAME

Shopper first name. (maximum 40 characters allowed)

LASTNAME

Shopper last name. (maximum 40 characters allowed)

COMPANY

Shopper company name

ADDRESS

Shopper's address.

STATE

The shopper's state.

FAX

Fax number.

Shopper email address. (maximum 40 characters allowed)

PHONE

Shopper phone number.

LANG

ISO 639-1 two-letter code. The language used for transactions ("en" or "ro" for example)

COUNTRY

Shopper country. (maximum 50 characters allowed)

COUNTRY_CODE

ISO code for the shopper country.

CITY

Shopper city. (maximum 30 characters allowed)

ZIPCODE

Shopper zip code. (max 20 characters allowed)

LICENSE_TYPE

Sent for subscriptions. Possible values: - REGULAR: for new subscriptions/licenses - TRIAL: for paid trial subscriptions/licenses - RENEWAL: for renewed subscriptions/licenses - UPGRADE: for upgraded subscriptions/licenses

LICENSE_REF

Unique, system-generated subscription reference number in the 2Checkout system. Maximum 10 characters.

LICENSE_EXP

Subscription expiration date in the format: 2003-12-25 02:30:45 When the product has been purchased with the "one-time fee" (lifetime) options enabled, the value is: 9999-12-31 23:59:59 The LICENSE_EXP DateTime stamp takes into account the custom time zone you selected via https://secure.avangate.com/cpanel/account_settings.php under https://secure.avangate.com/cpanel/index_account_settings.php, or 2Checkout's default GMT+02:00

LICENSE_LIFETIME

This parameter indicates whether 2Checkout generated a lifetime subscription for the product. - 1 = lifetime subscription is on for the product - 0 = lifetime subscription is off for the product

PARTNER_CODE

Possible values: - Empty = eCommerce order - Partner code If sent, the partner code is also included when the HMAC is calculated.

TIMEZONE

The time zone you selected or the default GMT+02:00 time zone of the 2Checkout system.

Parameters LICENSE_TYPE, LICENSE_REF, LICENSE_EXP, and LICENSE_LIFETIME are not included in the debug. This is because these parameters are not used for the HASH calculation. There is no subscription created by the debug so there are no related parameters to be sent to the keygen when the debug is made, as no code needs to be generated. This process is just querying the keygen to ensure that it is working by sending the HASH which the keygen should validate and return a 200 OK response if it matches.

If you configure additional order fields and 2Checkout collects this type of info during the checkout process, it will be included in the POST request:

Additional field names for orders

Field Name

CUSTOM_FIELD_TEXT[]

CUSTOM_FIELD_VALUE[]

Additional field names for products

Field Name

CUSTOM_FIELD_714585_TEXT[]

CUSTOM_FIELD_714585_VALUE[]

If you configure per-product price options, 2Checkout also includes them in the POST request. Example: 2Checkout product ID (PID):714585

Field Name

Description

PRODUCT_OPTIONS_714585_TEXT[]

Array with all the price options texts set per product.

PRODUCT_OPTIONS_714585_VALUE[]

Array with all clients input corresponding to the text.

PRODUCT_OPTIONS_714585_PRICE[]

Array with all the prices corresponding for each option (prices are in the order currency)

PRODUCT_OPTIONS_714585_OPERATOR[]

Array with all the prices operators (ADD, SUBTRACT) corresponding for each price option

Generating the output

You can package your response as:

XML for alphanumerical codes (Basic XML or Advanced XML)
Binary attachment for binary keys
Error code sent in the HTTP headers

XML files have certain reserved characters that must be escaped in a certain way when used. The reserved characters and their corresponding escape sequences are:

& (ampersand) converted to &
< (less than) converted to <
(greater than) converted to >
" (double quote) converted to "
' (single quote) converted to '

When XML files are created, please replace these characters in the attributes and inside the nodes with the correct escape sequence to have a syntactically correct XML document. These characters are documented in the XML specification: http://www.w3.org/TR/REC-xml/

HTTP Headers

HTTP servers use a large number of response and status codes, usually transparent for the navigator. These codes tell the browser if there was an error or not. The codes are embedded in the HTTP header of the client/server communication. The success status code is 200 while any other code is an error. For example, 400 means "Bad Request" and 403 means "Forbidden". HTTP response header examples:

HTTP/1.0 400 Bad Request
HTTP/1.0 200 OK

Content-type

Set the value of the Content-Type field to text/xml in the header response when you package your response as XML.

Content-Type: text/xml

For all other values, 2Checkout treats the content as a binary key.

Basic XML Answer format sample

Use the following template for your XML file :

<?xml version="1.0" encoding="UTF-8"?>
<Data>
<code>SIMPLE_CODE 1</code>
<code>SIMPLE_CODE 2</code>
...
<code>SIMPLE_CODE N</code>
</Data>

XML tag

Description

The code you deliver for the product. Include each standalone code between tags.

Optional. A global description per delivery/fulfillment.

Binary Attachment format

If you deliver a binary file, instead of XML, set the value of Content-Disposition in the header as in the example below. Include the attached file containing the key in the body of the message. Set the filename using the 'Content-Disposition' field.

Content-Disposition: attachment; filename=key.bin

Advanced XML Answer format

If you need to attach additional installation instructions or details to the delivered codes, you can use the XML structure detailed below:

<?xml version="1.0" encoding = "UTF-8" ?>
<data>
<description>General description (for all codes below)</description>
<code>
<description>Description for CODE 1 and/or the binary.key</description>
<key>CODE1</key>
<file name="binary.key" content_type = "text/plain">
UklGRhTsCABBVkkgTElTVCQBAABoZHJsYXZpaDgAAABqBAEAgPQDAAAAAAAQAAEALQAAAAAA
AAACAAAAgD4AAEABAADwAAAAAAAAAAAAAAAAAAAAAAAAAExJU1R0AAAAc3RybHN0cmD4MQAA
</file>
</code>
<code>
<description>Description for CODE 2</description>
<key>CODE 2</key>
</code>
<code>
<description>Description for the the binary_2.key</description>
<file name = "binary_2.key" >
UklGRhTsCABBVkkgTElTVCQBAABoZHJsYXZpaDgAAABqBAEAgPQDAAAAAAAQAAEALQAAAAAA
AAACAAAAgD4AAEABAADwAAAAAAAAAAAAAAAAAAAAAAAAAExJU1R0AAAAc3RybHN0cmD4MQAA
</file>
</code>
</data>

XML tag

Description

The key you deliver for the product. Include each standalone code between tags.

If it is contained in the node, then it is treated as a global description per delivery/fulfillment. If it is embedded in the node, then it is a description for that code.

Optional field. A base64-encoded file.

A tag answer must contain at least one of the elements or .

Security

For security reasons we strongly recommend that you limit access to the key generator URL used to generate access codes or keys and grant access only to the 2Checkout server IP networks.

HASH field

Use the value of the HASH field to check data integrity.

Field Name

Description

HASH

HASH signature SHA-2/SHA-3 HMAC created using all the fields sent through HTTP/HTTPS POST.

Calculate the HASH signature

Example using the following data:

Field name

Length

Field value

PID

189645

PCODE

123

REFNO

1250747

REFNOEXT

TESTORDER

YES

QUANTITY

FIRSTNAME

John

LASTNAME

Doe

COMPANY

info@2checkout.com

LANG

COUNTRY

Netherlands

COUNTRY_CODE

CITY

Amstelveen

ZIPCODE

1181

Source string for HMAC_SHA is calculated by pre-pending each field value with its own length. The source string for the data above is:

618964531237125074703YES114John3Doe018info@2checkout.com2en11Netherlands2nl10Amstelveen41181

Secret key for this example: SECRETKEY
HASH value SHA-2: a141c737f23ccbe0e2bc88a1c81532a6
HASH value SHA-3:

Don't forget to check if the received order reference matches a valid reference order from your system.

Test orders

In the case of test orders, 2Checkout populates the TESTORDER parameter with the value YES. It is highly recommended to reply with testing codes or keys whenever receiving the above-mentioned parameter in the server request, and not codes/keys you would send to actual shoppers.

Code sample

keygen_example.php

<?php
/* Electronic Delivery */

/* pass to compute HASH. Retrieve your secret key by accessing https://secure.2checkout.com/cpanel/webhooks_api.php */
$secretKey = "AABBCCDDEEFF";

$signature = $_POST['HASH']; // HASH received

function serializeArray($array) {
    $retval = "";
    foreach ($array as $i => $value) {
        if (is_array($value)) {
            $retval .= serializeArray($value);
        }
        else {
            $size = strlen($value);
            $retval .= $size . $value;
        }
    }
    return $retval;
}

unset($_POST['HASH']);

// calculate the hash for the fields received (excluding the hash) to make sure the post is from 2Checkout and wasn't altered on the way
$sha256Hash = hash_hmac('sha256', serializeArray($_POST), $secretKey);
// only for php version > 7.1
$sha3256Hash = '';
if (in_array('sha3-256', hash_algos())) {
    $sha3256Hash = hash_hmac('sha3-256', serializeArray($_POST), $secretKey);
}

// only for php version > 7.1; remove $sha3256Hash from the array otherwise
if (!in_array($signature, array_filter([$sha256Hash, $sha3256Hash]))) {
    http_response_code(400);
    mail("your_address@example.com","BAD ElDel Signature", print_r($_POST, TRUE),"");
    echo 'Invalid signature.'; // 2Checkout logs your answer for debug purposes

    return;
}

// if valid hash continue script

// rudimentary example of business logic
// this example uses only 2Checkout ProductId to decide the output

switch($_POST['PID']) {
    case '123': //for this product your key is a binary file

        header('HTTP/1.0 200 OK',false, 200); //inform 2Checkout you received a valid post, you shouldn't have to set this header explicitly
        header('Content-Type: application/octet-stream'); //set the mime type
        header('Content-Disposition: filename=key_123.bin'); //set the file name
        readfile(dirname(__FILE__).'/key_123.zip'); //output the file

        //make sure your script doesn't output anything after this point and/or stop script execution
        exit;

    case '1234': //for this product your key is a text file

        header('HTTP/1.0 200 OK',false, 200); //inform 2Checkout you received a valid post, you shouldn't have to set this header explicitly
        header('Content-Type: text/plain'); //set the mime type
        header('Content-Disposition: filename=key_1234.txt'); //set the file name
        readfile(dirname(__FILE__).'/key_1234.log'); //output the file

        //make sure your script doesn't output anything after this point and/or stop script execution
        exit;

    case '12345': //for this product your key is a string

        //build a basic xml with the following structure:
        $basic_xml =  '<?xml version="1.0"?>
                            <data>
                                <code>12345 key</code> <!-- your string key here -->
                            </data>';

        header('HTTP/1.0 200 OK',false, 200); //inform 2Checkout you received a valid post, you shouldn't have to set this header explicitly
        header('Content-Type: text/xml');
        echo  $basic_xml; //make sure the script doesn't output anything after this point and/or stop script execution
        exit;

    case '123456': //this product is a bundle and contains several string keys

        //the xml gets a bit more complicated
        $advanced_xml ='<?xml version="1.0"?>
                            <data>
                              <description>Bundle 123456</description> <!--General description (for all codes below), it will be displayed/sent to enduser-->
                              <code>
                                  <description>key for bundle component 1</description> <!--description for CODE 1, it will be displayed/sent to enduser -->
                                  <key>bundle comp 1 </key> <!-- string key -->
                              </code>
                              <code>
                                  <description>key for bundle component 2</description> <!--description for CODE 2, it will be displayed/sent to enduser -->
                                  <key>bundle comp 2 </key> <!-- string key -->
                              </code>
                            </data>';

        header('HTTP/1.0 200 OK',false, 200); //inform 2Checkout you received a valid post, you shouldn't have to set this header explicitly
        header('Content-Type: text/xml');
        echo  $advanced_xml; //make sure the script doesn't output anything after this point and/or stop script execution
        exit;

    case '1234567': //this product is a bundle and one of the products has a string file and a file attached

        //the xml contains the new tags: file and extra
        $advanced_xml ='<?xml version="1.0"?>
                            <data>
                              <description>Bundle 123456</description> <!--General description (for all codes below), it will be displayed/sent to enduser-->
                              <code>
                                  <description>key for bundle component 1</description><!-- description for CODE 1, it will be displayed/sent to enduser -->
                                  <key>bundle comp 1 </key><!-- string key -->
                                   <file name="binary.key" content_type = "text/plain"><!-- the file name and content type will be used when offering the file for download to user.
                                   <![CDATA['.base64_encode(file_get_contents(dirname(__FILE__).'/key_p1_1234567.log')).']]>
                                   </file>
                              </code>
                              <code>
                                  <description>key for bundle component 2</description> <!--description for CODE 2, it will be displayed/sent to enduser -->
                                  <key>bundle comp 2 </key> <!-- string key -->
                                  <extra type="INSTALL_HOTLINE" label="Install hotline number">0740216669</extra> <!--the content and label of the extra tags is displayed in cpanel and sent to end-user through the electronic delivery mail-->
                                  <extra type="OPERATING_SYSTEM" label="Works on the following operating systems">Windows XP, Windows 7, Windows 8</extra> <!--the content and label of the extra tags is displayed in cpanel and sent to end-user through the electronic delivery mail-->
                              </code>
                            </data>';

        header('HTTP/1.0 200 OK',false, 200); //inform 2Checkout you received a valid post, you shouldn't have to set this header explicitly
        header('Content-Type: text/xml');
        echo  $advanced_xml; //make sure the script doesn't output anything after this point and/or stop script execution
        exit;
}