Integration Guide

Order Management Integration Guide August 2005 27
Instant Payment Notification (IPN)
IPN Notification and Notification Validation
Shared Secret Validation
The first and recommended method for notification validation is to use a shared secret on
individual payment transactions. Append a shared secret variable and value to the notify_url
variable, the URL to which the IPN data is posted after a payment is made. The resulting
notify_url has the following form:
notify_url=yourIPNNotificationURL?shared_secret_variable_name=shared_secret_value
where:
yourIPNNotificationURL is a URL on your website at which you want to receive the notification.
shared_secret_variable_name is any variable name you want.
shared_secret_value is the shared secret itself.
For example, the value of the notify_url variable might look like this:
notify_url=https://www.mysite.com/PP-IPN-Validate.cfm?secret=shhhhhhh
Security Considerations with Shared Secret Validation
To ensure the security of your shared secret, you should use Encrypted Website Payments
(EWP). For information about EWP, see the PayPal Standard Checkout Integration Guide.
The value of the shared secret is not encrypted; it is in clear text for easier processing.
Therefore, the shared secret value is recorded in your web server’s access log. Be sure to
practice proper security for your server access logs. If you use a web server hosting service,
ensure that your provider practices proper security of your data.
IMPORTANT: Your notification URL should check the validity of the returned shared secret and flag for investigation any transaction that does not have the correct shared secret.
HTTPS Postback to PayPal
The second method for validating your receipt of an IPN is to post back to PayPal the exact
variables and values you received in the IPN.
Constructing the POST
Here are the guidelines for constructing the IPN HTTPS POST to PayPal for notification
validation.
NOTE: You can implement IPN without SSL, but PayPal recommends against doing so.
1. Your POST must be sent to https://www.paypal.com/cgi-bin/webscr.
2. You must include the variable cmd with the value _notify-validate:
cmd=_notify-validate
3. You must post all the form variables you received exactly as you received them.
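The following receiver-side helpers, an added example rather than PayPal's code, implement both validation methods described above: the shared secret check on the notify_url query string (with a constant-time compare, and flagging of any transaction whose secret is wrong) and construction of the _notify-validate postback body from the received variables exactly as they arrived. The parameter name secret and the value shhhhhhh follow the page's example; the sample IPN body and txn_id are constructed.

```python
"""IPN receiver helpers for shared secret validation and the HTTPS postback.

Added example, not PayPal's code. Assumes the IPN arrives as a raw
x-www-form-urlencoded POST body together with the query string that
was appended to notify_url.
"""
import hmac
from urllib.parse import parse_qs

PAYPAL_VALIDATE_URL = "https://www.paypal.com/cgi-bin/webscr"
SECRET_PARAM = "secret"        # the shared_secret_variable_name chosen in notify_url
EXPECTED_SECRET = "shhhhhhh"   # placeholder; load from server-side config, never from the IPN


def shared_secret_ok(query_string: str) -> bool:
    """Method 1: compare the secret echoed in the notify_url query string
    with the configured value. compare_digest avoids a timing side channel;
    a missing or repeated parameter fails closed."""
    values = parse_qs(query_string, keep_blank_values=True).get(SECRET_PARAM, [])
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode(), EXPECTED_SECRET.encode())


def build_postback(raw_body: bytes) -> bytes:
    """Method 2: body for the HTTPS POST back to PAYPAL_VALIDATE_URL.
    cmd=_notify-validate is prepended and the received variables follow
    byte-for-byte; re-encoding them could alter the values PayPal compares."""
    return b"cmd=_notify-validate&" + raw_body


def classify_ipn(query_string: str, raw_body: bytes) -> dict:
    """Decide what to do with one IPN: a correct secret proceeds to the
    postback step, anything else is flagged for investigation, not processed."""
    fields = parse_qs(raw_body.decode("utf-8"), keep_blank_values=True)
    ok = shared_secret_ok(query_string)
    return {
        "txn_id": fields.get("txn_id", [""])[0],
        "secret_ok": ok,
        "action": "postback" if ok else "flag_for_investigation",
        "postback_body": build_postback(raw_body),
    }


if __name__ == "__main__":
    # Constructed sample IPN: query string from notify_url plus a minimal POST body.
    sample_query = "secret=shhhhhhh"
    sample_body = b"txn_id=ABC123&payment_status=Completed&mc_gross=12.50"
    print(classify_ipn(sample_query, sample_body))
    print(classify_ipn("secret=wrong", sample_body)["action"])
```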