Why the URL parameters get encrypted in Pega 8? (?pzuiactionzzz=...)


We are upgrading a Pega application from version 7 to version 8.

There are some functionalities for that we need to call a specific URL and then extract a part of the URL using JavaScript.

For the sake of simplicity let's take this URL as it is available in all Pega installations (gets the Mashup script): http://[our domain]/prweb?pyActivity=pzIncludeMashupScripts
And the tasks is to fetch the Activity name using JavaScript (here: "pzIncludeMashupScripts").

In Pega 7 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pyActivity=pzIncludeMashupScripts
That's fine, we still have the Activity name ("pzIncludeMashupScripts") in it and it can be parsed.

However in Pega 8 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=CXtpbn1jaW1RV1hLOEoyeVdRaEtra05SQTdzOGFvbEVJRXMrdE1EMm9yaVhFZ2lBRXZ4TlFEVEdH%0AbmN5Sk1HNWVLV1NZ*
It seems that the pzuiactionzzz parameter contains some kind of hashed value of the previous parameters.
This is not good for us, as the Activity name is no longer in the URL - it cannot be extracted using JavaScript.

I found some articles which seem to be related:

So according to the above articles I disabled URL encryption:
Pega-Engine • prconfig/initialization/urlencryption/default: false
Pega-Engine • prconfig/initialization/submitobfuscatedurl/default: optional

But still, the URL parametes get transformed into the ?pzuiactionzzz=... hashed form.
I even tried using the URL Mappings rule, but the "nice URL" was transformed to ?pzuiactionzzz=... as well.

My goal here is to understand what's going on, why it has changed it Pega 8.
From security perspective it's very good that the URL parameters are encrypted, and I guess, we will need to find a better solution than parsing the URL using JavaScript.
So the question is not how to solve this particular problem, but rather to have a general understanding.

Could you please provide some documentation about what is behind this mechanism?
How does the URL encryption work, and is it really connected to that ?pzuiactionzzz=... parameter?
How is the hash calculated for ?pzuiactionzzz=...?

Best regards,

***Edited by Moderator Marissa to update platform capability tags****


Keep up to date on this post and subscribe to comments

March 16, 2019 - 8:25am

I relayed the questions to the SMEs and hopefully they can provide more info.

August 14, 2019 - 10:42am
Response to KevinZheng_GCS

Hello Kevin,


Request you to please help me with a reply from the SME if possible soon as I am in need of implementing a solution as POC more details you can find in the below link.


Thank you.

March 18, 2019 - 4:13am

Hi Attila, you are right, the changes to the URL parameters are for security reasons.

We advise developers to rely on server side logic in activities to do the parsing of the parameters. 

March 18, 2019 - 9:01am
Response to Srikanth

Hi Srikanth,

Thank you for your answer.

Does this functionality have something to do with the initialization/urlencryption and initialization/submitobfuscatedurl system settings or is it something completely different?

August 13, 2019 - 11:19am
Response to AttilaDonath

Hello AttilaDonath,


I was going thru your post and thought my post is some where related can you please guide me with some points on my below post. Thanks.

August 14, 2019 - 9:24am
Response to kapilc85


At the end we solved the issue with a different approach, so unfortunately I cannot give you any hints on the SubmitObfuscatedURL parameter.

August 14, 2019 - 10:39am
Response to AttilaDonath

Hello Attila,


Thanks for the reply so if its ok by you to share can you please let me know the approach you tried as even I am doing a POC around to make it work.

If its not feasible to share here it works no issues. Thanks.

August 14, 2019 - 11:49am
Response to kapilc85

Hello Kapil,

My task was just to add a value to the URL which can be parsed using JavaScript - on a development system. So finally I added the data to the URL after a # (fragment identifier) as a workaround (e.g. http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=[long hash]#myparam=1). On the production system we used another solution (which I cannot describe, it was done by a colleague). My solution was just for quick testing during development.

After reading your post I guess you would like to enhance security, so I don't think this helps for you, but that's what I could share. :-)

However I think if you want to pass data from an external application to the Pega Mashup, the Pega URL encryption doesn't matter. As I understand you have an account ID in Salesforce and you want to pass it to the mashup. For this you can use the data-pega-action-param-parameters parameter, see: and Now how to secure this is another question. In general I would say you should use HTTPS and then the communication is secured. If you want to hide the account ID even from the HTML markup generated on the Salesforce side, you can use a custom encryption mechanism.

August 14, 2019 - 1:07pm
Response to AttilaDonath

Thanks Attila,


Actually i have implemented the mashup code, requirement was to display search screen when user click a link in salesforce which will pass accnt# its coming well.

Now next step is to encrypt the account# in the url so i started the search on pdn for the help .


1> Can you please describe more on the below if feasible how u achieved it:

So finally I added the data to the URL after a # (fragment identifier) as a workaround (e.g. http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=[long hash]#myparam=1).


for example below is my sample code snippet hiding all the sensitive info:


<script src ='https://some url/prweb/sso?pyActivity=pzIncludeMashupScripts'>
pega.web.config.systemID = "https://some url/prweb/sso/";
pega.web.config.appName = "<app name>";

<div data-pega-gadgetname ='PegaGadget' 
data-pega-action= 'display'
data-pega-action-param-harnessname ='harness name' 
data-pega-action-param-classname ='Data-Portal' 
data-pega-action-param-model ='' 
data-pega-action-param-readonly ='false' 
data-pega-isdeferloaded ='false' 
data-pega-applicationname ='app name' 
data-pega-threadname ='Thread1' 
data-pega-resizetype ='default' 
data-pega-url ='https://some url/prweb/sso'
data-pega-action-param-parameters="{pzSkinName:'skin name'}"></div>





2> Even i got a link in pdn may be related with my topic of encryption can u give your points if time permits currently my POC is on a pega sandbox server and salesforce sanbox server in future once successful it will be rolled over to production.


3> Regarding HTML custom encryption mechanism that i will try later as an objective of poc.

Thank you.

August 14, 2019 - 2:14pm
Response to kapilc85

1> It was an URL generated by Pega. I simply concatenated "#myparam=1" to the URL string, e.g. url = url + "#myparam=1".

2> If I understand correctly, your process starts from Salesforce, that generates the link, e.g.: https://[site which contains the mashup]?accountID=xx. Up to this point, Pega is not involved at all. The URLEncryption Pega setting is only important when an URL is generated by Pega.

July 31, 2019 - 4:10am
Response to Srikanth

But why Pega has to generate such a long hash. It increases dom content when you have link with run-activity configured in a repeating layout.

August 14, 2019 - 10:44am
Response to Srikanth

Hello Srikanth,


Request you to please help me with a reply from the SME if possible soon as I am in need of implementing a solution as POC more details you can find in the below link.


Thank you.