Integration Guide

Instant Payment Notification (IPN)
IPN Notification and Notification Validation
26 August 2005 Order Management Integration Guide
After your server receives Instant Payment Notification, you must confirm that you received
it. This is known as notification validation, which is a means for PayPal to help you prevent
spoofing or “man-in-the-middle” attacks.
You have two methods by which you can validate the notification:
1. Sending a shared secret, described in “Shared Secret Validation” on page 27. PayPal
recommends this method because it decreases network traffic to and from your website.
Shared secret validation is appropriate:
• if you are not using a shared website hosting service.
• if you have enabled SSL on your web server.
• if you are using PayPal Encrypted Website Payments.
• if you use the notify_url variable on each individual payment transaction.
2. Sending a POST back to PayPal after you receive the IPN, described in “HTTPS Postback
to PayPal” on page 27. Postback is appropriate:
• if you rely on a shared website hosting service.
• if you do not have SSL enabled on your web server.
Both methods rely on the concept of a notification URL, which is described in the next
section.
Shared Secret Per Transaction or by Profile Setting
The URL to which PayPal posts IPN data is called the notification URL. It can be set either
with each individual payment transaction or globally in your Profile for all transactions:
• Per Transaction: If you want to receive payment notifications for different payments at
different URLs (for example, if you need to separate payments to different websites you
run), use the notify_url variable to pass the notification URL. With each payment
PayPal saves the value of the notify_url for a specific payment, and any subsequent
updates to that payment (such as a cleared eCheck) are sent to that notify_url. When
you pass a notify_url in your post, it overrides the setting in your Profile.
• Profile Setting: If you want to receive your IPNs at only a single URL, enter that URL in
the Preferences section of your Profile.
Likewise, the shared secret you can use to validate that you have received an IPN can be set
either with each individual payment transaction or globally in your Profile for all transactions:
• Per Transaction: If you want a distinct shared secret for each notification for each
payment, append a FORM variable name and a shared secret value to the value of the
notify_url variable. When you pass a shared secret in your payment post, it overrides
the setting in your Profile.
• Profile Setting: If you want the same shared secret for each and every transaction, enter
that shared secret in the Preferences section of your Profile.
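The two validation methods above (shared secret carried on the notify_url, and the HTTPS postback) as an added example in Python; this is not code from the guide or from PayPal. The notify_url, the variable name ipn_secret, the secret value and the IPN body are constructed samples, and the postback format (cmd=_notify-validate prepended, reply VERIFIED or INVALID) is taken from the IPN protocol rather than from this page.

```python
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample, not from the guide: the notify_url the merchant passed with the
# payment, with the shared secret appended as an extra FORM variable. The variable name
# "ipn_secret" is the merchant's own choice (an assumption here), not a PayPal-defined name.
NOTIFY_URL = "https://merchant.example/ipn?ipn_secret=Kx9q2Lp7"

# Constructed sample of the URL-encoded form body PayPal would POST to that URL.
SAMPLE_IPN_BODY = "payment_status=Completed&txn_id=TXN-EXAMPLE-1&mc_gross=19.95&custom=order-42"

PAYPAL_VERIFIED = "VERIFIED"  # literal postback reply (IPN protocol, not stated on this page)


def secret_from_query(query_string: str, var_name: str) -> Optional[str]:
    """Return the shared secret PayPal echoed back in the notification URL's query string."""
    values = parse_qs(query_string, keep_blank_values=True).get(var_name, [])
    # Exactly one value is required: a missing or repeated variable counts as absent.
    return values[0] if len(values) == 1 else None


def shared_secret_valid(request_query: str, expected_secret: str, var_name: str = "ipn_secret") -> bool:
    """Shared secret validation: the secret on the incoming request URL must equal the secret
    stored for this transaction (or the Profile-wide one). The comparison is constant-time so
    timing reveals nothing about the stored value to anyone probing the endpoint."""
    received = secret_from_query(request_query, var_name)
    if received is None:
        return False
    return hmac.compare_digest(received.encode("utf-8"), expected_secret.encode("utf-8"))


def postback_body(raw_ipn_body: str) -> str:
    """Body for the HTTPS postback: the received form data is resent unchanged with
    cmd=_notify-validate prepended. The raw body is reused byte for byte because
    re-encoding it would change the data PayPal compares against its own record."""
    return "cmd=_notify-validate&" + raw_ipn_body


def postback_verified(reply_text: str) -> bool:
    """Accept the notification only when PayPal's postback reply is exactly VERIFIED."""
    return reply_text.strip() == PAYPAL_VERIFIED


if __name__ == "__main__":
    # Simulate PayPal posting to NOTIFY_URL; the merchant stored Kx9q2Lp7 for this payment.
    query = urlsplit(NOTIFY_URL).query
    print(shared_secret_valid(query, "Kx9q2Lp7"))      # True
    print(shared_secret_valid(query, "wrong-secret"))  # False
    print(postback_body(SAMPLE_IPN_BODY))
```

Whichever method is used, a notification that fails the check should be logged and dropped without updating the order, and a postback must go to PayPal's own host rather than any URL taken from the notification.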