The PaymentIntent object contains payment data. To ensure that this payment data is not tampered with (e.g. a customer amends the amount to be smaller), the PaymentIntent requires a HMAC verification field to be conducted in your backend using your Pay Now secret.

PaymentIntent is used in the following methods.

payment.amountnumberAmount in subunit (non-decimal)
payment.currencystringISO-4217 country codes
payment.referencestringReference or invoice number for the payment transaction/
payment.hide_card_holderbooleanDetermines if the "Card Holder" field should be shown on the page or not. If this is included and true, it must be appended to the end of the verification hash. See "Verification Value Hash Calculation" below for more details.
verificationstringHash of amount, reference, currency. See Verification Value Hash Calculation below for more details on how to calculate this value.
  payment: {
    amount: 10025,
    currency: "AUD",
    reference: "INV1121"
  verification: "xxxxxx"

Verification Value Hash Calculation


The Verification Value Hash should only ever be calculated on your backend server, and never in client-side code.

This is because your Pay Now token is a secret value that only you should know. Calculating the Verification Value Hash on the client-side (e.g. in client-side Javascript) would make your Pay Now token secret visible to public via browser developer tools.

Below is pseudo code demonstrating how the verification hash is calculated using a PayNow token. The Pay Now token can be obtained from the Fat Zebra Merchant Dashboard.

Please make sure that reference (invoice #), amount (subunit) and currency are in the correct order as shown:

shared_secret = "abc123" # Also known as your Pay Now token

invoice_no = "INV4567" # Also known as reference
amount = "1000"
currency = "AUD"
hide_card_holder = true

hmac =
data = [invoice_no, amount, currency]
data << [hide_card_holder] if hide_card_holder

# Data will be:
# INV4567:1000:AUD:true
verification = hmac_md5(shared_secret, data.join(":"))
# Expected value: c045c96c113ae660b91b60bd09feda20
# Hash will be 0a40877ca9f75152f27bf093af7fd44b if hide_card_holder is false