Verify the Callback Response

Zuora Hosted Checkout Pages are no longer under active development. Customers should use Payment Pages 2.0 for their secure payment acceptance requirements.

Overview

After providing a Return URL, the next step is to verify that the callback response is actually coming from Zuora.

Verify the Callback Response via Response Signature

When Zuora sends a response to the merchant's Return URL, Zuora attaches a signature to the response. Here is an example of a full callback URL:

http://yourdomain.com/yourapp/zuora_callback.php?id=4028e697325f8e970132603326446b33&tenantId=10514&timestamp=1316846058955&token=7av18bEz97Jrq9K6z0QPyvJpIqIxSmZc&responseSignature=ODU2ODMyZmY5YmFjNDQzZDQ4NmU2MDg3ODNkNzhlNTc=&success=true&refId=4028e4862ba3fcae012bad2c19e115b4&field_passthrough1=Capture&field_passthrough2=Step2

To verify the responseSignature:

  1. Create a signature using the steps described in Generate the Signature for the Checkout page.
  2. Compare the outcome with the responseSignature parameter that was sent to you in the original query string. If they differ, do not trust the callback.
  3. Compare the timestamp parameter from the query string with the current time (in UTC format). If they differ by more than 300 seconds, do not trust the callback.
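
The three checks above as one Return URL handler, as an added example that is not Zuora's code. Assumptions: demo_signature is a stand-in, not Zuora's algorithm (replace it with the steps in Generate the Signature for the Checkout page); the timestamp is treated as milliseconds since the epoch, as the value in the example URL suggests; verify_callback, build_sample and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_SKEW_SECONDS = 300  # limit stated in step 3
REQUIRED = ("id", "tenantId", "timestamp", "token", "responseSignature")


def demo_signature(params, key):
    """Stand-in signer, NOT Zuora's algorithm; swap in the documented steps."""
    material = "&".join(f"{k}={params[k]}" for k in REQUIRED[:4])
    digest = hashlib.sha256((material + key).encode()).hexdigest()
    return base64.b64encode(digest.encode()).decode()


def verify_callback(url, key, sign=demo_signature, now=None):
    """Return (trusted, reason) for a callback received at the Return URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A repeated parameter makes it ambiguous which copy was signed: reject.
    if any(len(values) != 1 for values in query.values()):
        return False, "duplicate parameter"
    params = {name: values[0] for name, values in query.items()}
    if any(name not in params for name in REQUIRED):
        return False, "missing parameter"
    # Steps 1 and 2: recompute the signature and compare in constant time.
    expected = sign(params, key).encode()
    if not hmac.compare_digest(expected, params["responseSignature"].encode()):
        return False, "signature mismatch"
    # Step 3: compare with the current UTC time (assumed millisecond timestamp).
    try:
        sent = int(params["timestamp"]) / 1000.0
    except ValueError:
        return False, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - sent) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    return True, "ok"


def build_sample(ts_ms, key):
    """Constructed callback URL for the demo; every value is made up."""
    params = {"id": "ID_PLACEHOLDER", "tenantId": "10514",
              "timestamp": str(ts_ms), "token": "TOKEN_PLACEHOLDER"}
    params["responseSignature"] = demo_signature(params, key)
    params["success"] = "true"
    return "https://merchant.example/zuora_callback?" + urlencode(params)
```

Parameters such as success and refId should be acted on only after verify_callback returns trusted, and only if the real signature steps cover them.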

Verify the Callback Response via API call

For additional validation, you can verify the callback response by making an API call to query the object referenced by the parameters in the Return URL. For example, if you configure the callback to return subscriptionID, you can use the Zuora API to query whether that subscriptionID exists in your tenant.

What's Next

Next, check out the Checkout page sample code section for examples of how to implement Checkout pages on your page with the callback handling already configured.

Last modified
10:35, 22 May 2017
