Handling HTTP notifications correctly is essential for your integration's business logic to work as expected. Implement the following practices:
- Always expose the notification endpoint over HTTPS so the payload cannot be read or altered in transit (Man-in-the-Middle, MITM). Use a certificate issued by a trusted CA; avoid self-signed certificates.
- Handle notifications idempotently: we may occasionally send duplicate notifications for the same event. Use the Order ID as the tracking key so a duplicate does not create a second entry or trigger the same action twice.
- Verify the notification's signature hash to confirm it was sent by Paycloud; the shared secret is encoded into it, so a notification whose signature does not match must be rejected before any of its contents are acted on. Once verified, check these fields to confirm a successful transaction:
  - Status code: should be 200 for a successful transaction
  - latestTransactionStatus: 00 (Success)
- We aim to send notifications immediately after a transaction. If a notification is delayed or missing, use the Get Status API to verify the transaction status; the Get Status API can also be used at any time to check the latest status of a transaction.
- The HTTP timeout for notification delivery is 30 seconds, but we recommend keeping your response time under 8 seconds: acknowledge the notification quickly and perform slow follow-up work (emails, fulfilment) outside the request.
- Notifications are sent as JSON. Use a JSON parser that ignores unknown fields instead of throwing exceptions, so that new fields can be added in future without breaking existing clients.
- Always respond with the correct HTTP status code. Note that notifications are currently not retried: if your endpoint fails to process one, reconcile the transaction with the Get Status API rather than waiting for a redelivery.
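The handler below puts the practices above together in one place. It is an added example, not Paycloud's own code, and it assumes details the page does not specify: that the signature is an HMAC-SHA256 over the raw request body, hex-encoded and presented in a header, and that the Order ID is carried in an `orderId` JSON field. The in-memory `processed_orders` set stands in for a persistent store; in production use a table with a unique constraint on the Order ID so two concurrent duplicates cannot both succeed.

```python
import hashlib
import hmac
import json

# Assumptions (not from the Paycloud documentation): the signature is an HMAC-SHA256
# over the raw body, hex-encoded, and the order identifier lives in the "orderId" field.
SIGNATURE_ALGORITHM = hashlib.sha256
SUCCESS_STATUS = "00"  # documented value of latestTransactionStatus for a success


def compute_signature(raw_body: bytes, shared_secret: bytes) -> str:
    """Hex HMAC of the raw body (assumed construction, used to sign and to verify)."""
    return hmac.new(shared_secret, raw_body, SIGNATURE_ALGORITHM).hexdigest()


def verify_signature(raw_body: bytes, presented: str, shared_secret: bytes) -> bool:
    """Constant-time comparison so the check does not leak how much of the MAC matched."""
    expected = compute_signature(raw_body, shared_secret)
    return hmac.compare_digest(expected, presented or "")


def parse_notification(raw_body: bytes) -> dict:
    """Lenient parse: only the fields we rely on are validated, unknown keys are kept."""
    payload = json.loads(raw_body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(payload, dict):
        raise ValueError("notification body must be a JSON object")
    if not isinstance(payload.get("orderId"), str) or not payload["orderId"]:
        raise ValueError("missing orderId")
    return payload


def handle_notification(raw_body: bytes, presented_sig: str, shared_secret: bytes,
                        processed_orders: set) -> tuple:
    """Return (HTTP status to send back, outcome label) for one notification."""
    # 1. Authenticate first: an unsigned or tampered body never reaches the parser.
    if not verify_signature(raw_body, presented_sig, shared_secret):
        return 401, "bad-signature"

    # 2. A body we cannot use is a client error, not a server error.
    try:
        payload = parse_notification(raw_body)
    except ValueError:
        return 400, "malformed"

    order_id = payload["orderId"]

    # 3. Idempotency keyed on Order ID: a duplicate is acknowledged, not re-processed.
    if order_id in processed_orders:
        return 200, "duplicate"

    # 4. Only the documented success code means the payment went through.
    if payload.get("latestTransactionStatus") == SUCCESS_STATUS:
        # Keep this path short (well under the 8 s guideline): record the result here
        # and hand slow work (emails, fulfilment) to a background job.
        processed_orders.add(order_id)
        return 200, "fulfilled"

    # Non-success statuses have no side effect, so they are not recorded; a later
    # success notification for the same order must still be able to fulfil it.
    return 200, "not-successful"


if __name__ == "__main__":
    # Constructed sample notification, not captured from a real gateway.
    secret = b"constructed-shared-secret"
    body = b'{"orderId": "ORD-1001", "latestTransactionStatus": "00", "newField": 1}'
    seen = set()
    sig = compute_signature(body, secret)
    print(handle_notification(body, sig, secret, seen))   # first delivery
    print(handle_notification(body, sig, secret, seen))   # duplicate delivery
    print(handle_notification(body, "", secret, seen))    # missing signature
```

The order of the checks is deliberate: the signature is checked before parsing so that an attacker without the shared secret cannot drive the parser or the idempotency store, and the duplicate check comes before the status check so that a replayed success notification cannot fulfil an order twice.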
