# Transaction Validation Once you've received a response that signifies a completed transaction, such as a [payment completion redirect](/creditguard/payment-page-integration/integrating-hyps-payment-page-and-accepting-payment.md#handle-payment-completion-redirect), you may want to validate the transaction. Validation is not required, but if you're bound by regulatory requirements or simply want to double-check that the transaction has not been altered in transit, you can validate it. There are two ways to validate a transaction: 1. By comparing the MAC (message authentication code) received from Hyp with the MAC that you calculate yourself. 2. By making an additional API call, providing the transaction ID and receiving a response that confirms the outcome of the transaction. ## Validating a transaction using the MAC The preferred way of validating a transaction is by comparing the MAC (message authentication code) that Hyp provides in the [payment completion redirect](/creditguard/payment-page-integration/integrating-hyps-payment-page-and-accepting-payment.md#handle-payment-completion-redirect) with the MAC that you calculate yourself. This method does not introduce any network latency and can be safely used to validate all transactions. In the query string that Hyp passes in the payment completion redirect, one of the parameters, `responseMac`, is the transaction MAC that Hyp calculates. You should use several of the other parameters, along with your merchant password, to calculate the MAC on your end, and then compare it to `responseMac`. If they're identical, the transaction is valid. First, concatenate the following values in this exact order: 1. Your merchant password. 2. `txId` (transaction ID) from the payment completion redirect. 3. `errorCode` (if received; `000` otherwise). 4. `cardToken` (if received; an empty string otherwise). 5. `cardExp` (if received; an empty string otherwise). 6. `personalId` (if received; an empty string otherwise). 7. `uniqueId` (your unique merchant ID). If any parameters are empty, use an empty string instead. One notable exception is `errorCode`: if it's empty, use the value `000`. Hash the resulting string using SHA-256, convert it to Base64, and compare the resulting value with `responseMac`. For a hands-on example of validating a transaction using the MAC in a sample Express.js application, see [Basic Integration Flow: Hello World With a Full Working Charge](/creditguard/introduction/basic-integration-flow-hello-world-with-a-full-working-charge.md). ## Validating a transaction using an API call You can also validate a transaction by making an additional API call, which is a variation of a [transaction inquiry](/creditguard/inquiring-transactions/overview.md). This call adds network latency compared to the MAC validation method, but the upside is that it provides more information about the transaction (card type, issuer, etc.) if that's what you're looking for. To validate a transaction, send a [standard Hyp API request](/creditguard/introduction/request-and-response-general-structure.md). In the `int_in` parameter, include an XML payload with the `inquireTransactions` command. The XML payload should look like this: ```xml 2000 ENG inquireTransactions {terminalNumber} mpiTransaction {mid} {txId} ``` The `command` element should be set to `inquireTransactions`, and the `inquireTransactions` element must include the following child elements: * `terminalNumber`: a unique number assigned to you as a merchant during [registration](/creditguard/introduction/prerequisites-and-requirements.md). * `mid`: merchant ID assigned to you as a merchant during [registration](/creditguard/introduction/prerequisites-and-requirements.md). * `mpiTransactionId`: the transaction ID that is returned as the `txId` parameter in the [payment completion redirect](/creditguard/payment-page-integration/integrating-hyps-payment-page-and-accepting-payment.md#handle-payment-completion-redirect). * `queryName`: must be set to `mpiTransaction`. If the transaction is found, the response will look like this:

Show response

```xml inquireTransactions 2025-08-18 18:40 119536912 000 Permitted transaction Permitted transaction 2000 Eng f1504d81-c564-4f93-a13d-c904789e8597 b84e39d4-2697-43f8-a268-ce4e54e2c7ca 11400 ILS 8062977 1092880571131111 EN 0 SUCCEEDED 00 SUCCESS 000 Permitted transaction doDeal 2025-08-18 18:40 119536911 000 Permitted transaction Permitted transaction Host Result Remote 00-SUCCESS 2000 Eng 000 Permitted transaction 0882819014 1092880571131111 411111 411111******1111 16 XXXXXXXXXXXX1111 0327 Foreign Credit Foreign Visa Alphacard RegularDebit RegularCredit ILS Internet 11400 0 AutoComm Absent NotValidated CreditCompany 8062977 40 086 318 7 169.150.226.170 1eee7e8a-b1f2-4b5c 300012 119536889 Jenny Parkington AshraitEmv 01 4121 599434237938 Absent 52 25081818401308828199114 CreditCompanyAuthorized 0 CGD 0 001101 x 0 00 1111000000 SUG_ISKA NoAuthNumber 0 100 00 SUCCESS 1eee7e8a-b1f2-4b5c 0327 ```

In the success response, the `row` element inside `inquireTransactions` contains values you can compare with those from the [payment completion redirect](/creditguard/payment-page-integration/integrating-hyps-payment-page-and-accepting-payment.md#handle-payment-completion-redirect). The table below shows how the redirect parameters map to response elements: | Payment completion redirect | Response | | --------------------------- | ---------------- | | `uniqueID` | `uniqueid` | | `cardExp` | `cardExpiration` | | `cardToken` | `cardId` | | `cardMask` | `cardMask` | | `authNumber` | `authNumber` | | `cgUid` | `cgUid` | If all the values match, the transaction is valid. If the API call does not find a transaction with the given `mpiTransactionId`, the transaction is invalid and the response looks like this:

Show response

```xml inquireTransactions 2025-08-18 15:09 119533238 689 MPI Transaction not found (used for reports) MPI Transaction not found (used for reports) MPI Transaction not found (used for reports) 2000 Eng ```

Note that, like other transaction inquiries, this API call is not intended for every transaction. Use it only when you need to verify specific transactions and retrieve extended details about them. If you need to validate all transactions, use the MAC validation method instead. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://developers.hyp.co.il/creditguard/advanced-security-guidelines/transaction-validation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.