In-App payment information forwarding

You can define an optional URL to which Fortumo makes an HTTP GET request with payment information every time your mobile payment application sends a payment message or the billing status of the message changes. Most of the request parameters are similar to those of the Mobile Payments / Premium SMS API, but there are some small differences. The answer from your server does not affect payment processing; the request is for informational purposes only.

Parameters

user_id
A unique end-user id from the mobile application's point of view. It could be an internal SIM card identification or a specific username defined by the application.
service_name
A service description for the end user. Does not have to be the same as your service name in Fortumo.
product_name
Description of the product the end user is paying for.
payment_code
A unique payment identifier generated by the mobile application.
sender
Message sender's phone number in international format without the plus sign. For example, 4560123456 or 358401234567. In some countries, due to end-user privacy protection rules, this parameter may be blank or encrypted by mobile operator.
country
The country code of the sender's mobile operator. Two-character codes are used according to the ISO 3166-1 standard (SE for Sweden, FI for Finland, NO for Norway, LT for Lithuania, LV for Latvia, EE for Estonia etc). Please also note that this is NOT necessarily the actual location of the sender. For example, a sender with a Swedish phone could be sending a message while roaming in Norway, and you would still have SE in the country field.
price
The end user price of the message in the local currency, including VAT.
currency
The local currency symbol according to ISO 4217 (EUR, SEK, NOK, DKK, LTL, LVL, EEK, USD, GBP etc).
service_id
A string that identifies this Fortumo service. For example f7fa12b381d290e268f99e382578d64a. If you have many services with the same URL, then you can use this field to determine which service the message is for.
message_id
A string that is unique for each message that your service receives.
keyword
The keyword part of the message. Thus if the message was TXT f7fa12b381d290e268f99e382578d64a text1 text2 text3 text4, then this parameter is TXT.
shortcode
The short code that the message was sent to.
operator
Name of the sender's mobile network operator.
credit_name
Description of the product the end user is paying for.
credit_amount
Description of the product the end user is paying for.
billing_type
Can be MO or MT. Read more about billing types in Fortumo FAQ.
status
Payment status, which is either pending, ok or failed.
confirmation_code
A few-digit confirmation code that is generated on successful payment. This parameter will be empty if status parameter is not OK. The mobile application will check if confirmation code of a payment exists. If it exists, the application will proceed with the payment.
test
This parameter is present only when the message is sent through the Fortumo testing interface by yourself, and its value is always 'true'.
sig
Request signature that you may check to make sure the request originates from Fortumo. See below under Security to find out how.

Security

It is important to make sure that the service script is called by Fortumo and not someone else. There are several security measures that satisfy most service providers:

  1. Check whether the IP address of the server making the request belongs to one of Fortumo's servers. Our current IP addresses are 81.20.151.38, 81.20.148.122, 79.125.125.1 and 209.20.83.207. We will let you know by e-mail when they change. In PHP you can check this with the $_SERVER["REMOTE_ADDR"] variable.
  2. Choose a not-so-obvious name for your directory or script. For example, http://yourdomain.com/sms.php is not as good as http://yourdomain.com/go850g3oigjrtog/sms.php.
  3. Check that the attached signature matches. All the requests are signed with the shared secret only known to you and Fortumo. You can see the secret from the service settings page. The signature is added as sig parameter and is calculated as md5 checksum of the request parameters and secret concatenated together. You can make the same calculation and check whether the sig parameter in the request matches the one that you calculated. See the PHP example below to find out exactly how the calculation is made.

    NB! You can find two different shared secrets from the service general info page. Use the secret named "Secret". The other one, named "In-application secret", is used by the mobile application.
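
The following Python sketch is an added example, not Fortumo's own code and not the PHP example this page refers to. It combines measures 1 and 3 on the receiving side and only accepts a payment whose status is ok. The function names, the constructed sample request and the exact concatenation layout (parameters other than sig sorted by name and written as name=value) are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Addresses listed on this page; they change over time, so load them from config.
FORTUMO_IPS = {"81.20.151.38", "81.20.148.122", "79.125.125.1", "209.20.83.207"}


def expected_sig(params, secret):
    """MD5 of the request parameters and the secret concatenated together.

    Assumption: every parameter except 'sig' is sorted by name and written
    as name=value with no separator; this page does not spell the layout out.
    """
    base = "".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sig")
    return hashlib.md5((base + secret).encode("utf-8")).hexdigest()


def verify_request(remote_addr, query_string, secret):
    """Return (accepted, reason, params) for one forwarded payment request."""
    # keep_blank_values: 'sender' may legitimately arrive blank.
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if remote_addr not in FORTUMO_IPS:
        return False, "source IP not in allowlist", params
    received = params.get("sig", "").encode("utf-8")
    # Constant-time comparison so a mismatch does not leak how much matched.
    if not hmac.compare_digest(received, expected_sig(params, secret).encode("utf-8")):
        return False, "signature mismatch", params
    if params.get("test") == "true":
        return False, "test message", params  # policy choice of this example
    if params.get("status") != "ok":
        return False, "payment not completed", params
    return True, "ok", params


if __name__ == "__main__":
    secret = "constructed-secret"  # constructed; use the value named "Secret"
    sample = {"service_id": "f7fa12b381d290e268f99e382578d64a", "message_id": "m-1",
              "payment_code": "p-1", "sender": "", "price": "1.00",
              "currency": "EUR", "status": "ok"}  # constructed request
    sample["sig"] = expected_sig(sample, secret)
    query = urlencode(sample)
    print(verify_request("81.20.151.38", query, secret)[:2])
    print(verify_request("81.20.151.38", query.replace("1.00", "0.01"), secret)[:2])
    print(verify_request("203.0.113.9", query, secret)[:2])
```

Pass the socket peer address as remote_addr rather than a client-supplied header such as X-Forwarded-For, which the caller controls.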