
This hook allows you to invalidate contact checksums (see

It does NOT allow marking a checksum as valid because it could easily open up a security hole - e.g. it could inadvertently allow access to data it shouldn't, especially if multiple extensions implement the hook.


hook_civicrm_invalidateChecksum($contactID, $checksum, &$invalid)


  • $contactID (string) - The contact ID of the checksum.

  • $checksum (string) - The checksum to validate.

  • $invalid (bool) - Default false. Set this to true to invalidate.


  • null

Example (Invalidate a list of checksums)

/**
 * Implements hook_civicrm_invalidateChecksum().
 *
 * @param string $contactID
 * @param string $checksum
 * @param bool $invalid
 */
function example_civicrm_invalidateChecksum($contactID, $checksum, &$invalid) {
  // These checksums were sent out hardcoded in a mailing on 14th July (valid for 30 days).
  // The third argument makes in_array() compare strictly, so only an exact string matches.
  if (in_array($checksum, ['fdsfsdfdsf_sfsd_123', 'fsa34f30fsfs_sf34f_123'], TRUE)) {
    $invalid = TRUE;
    \Civi::log()->warning('Invalidated checksum was used: ' . $checksum . ' for contact ID ' . $contactID);
    // Optionally trigger a redirect to another page explaining why it was invalid
    // CRM_Utils_System::redirect('');
  }
}
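
The following is an added example, not code from the CiviCRM documentation or core. It goes beyond the hardcoded list above by also rejecting every checksum issued before a cutoff time, which is useful when a whole mailing must be revoked. The module name mymodule, both constants and the helper function are hypothetical, and the example assumes the checksum has the layout hash_timestamp_lifetime with a Unix timestamp in the middle field.

```php
<?php
// Added example. "mymodule", the constants and the helper are hypothetical.
// Assumption: a checksum looks like <hash>_<unix timestamp>_<lifetime>.

// Constructed sample deny-list of checksums known to have been exposed.
const MYMODULE_REVOKED_CHECKSUMS = ['fdsfsdfdsf_sfsd_123', 'fsa34f30fsfs_sf34f_123'];
// Constructed cutoff: reject checksums issued before 2025-07-15 00:00:00 UTC.
const MYMODULE_REVOKE_ISSUED_BEFORE = 1752537600;

/**
 * Returns why a checksum is revoked, or NULL when this module has no objection.
 */
function mymodule_checksum_revocation_reason(string $checksum, array $denyList, int $issuedBefore): ?string {
  foreach ($denyList as $revoked) {
    // hash_equals() compares in constant time.
    if (hash_equals($revoked, $checksum)) {
      return 'deny-list';
    }
  }
  $parts = explode('_', $checksum, 3);
  // Judge by age only when the middle field is a plain decimal timestamp;
  // anything else is left for the normal validation to accept or reject.
  if (count($parts) === 3 && ctype_digit($parts[1]) && (int) $parts[1] < $issuedBefore) {
    return 'issued-before-cutoff';
  }
  return NULL;
}

/**
 * Implements hook_civicrm_invalidateChecksum().
 */
function mymodule_civicrm_invalidateChecksum($contactID, $checksum, &$invalid) {
  $reason = mymodule_checksum_revocation_reason(
    (string) $checksum,
    MYMODULE_REVOKED_CHECKSUMS,
    MYMODULE_REVOKE_ISSUED_BEFORE
  );
  // Only ever write TRUE. Never write FALSE, so an invalidation already set
  // by another extension implementing the hook is left untouched.
  if ($reason !== NULL) {
    $invalid = TRUE;
    // Log the contact and the reason rather than the checksum itself, so the
    // log file does not accumulate login-equivalent tokens.
    \Civi::log()->warning('Rejected checksum for contact ID ' . $contactID . ' (' . $reason . ')');
  }
}
```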