document check for duplicate transaction ID

1 files changed, 4 insertions, 4 deletions

diff --git a/impl-merchant.rst b/impl-merchant.rst
index 4388db42..36030ff6 100644
--- a/impl-merchant.rst
+++ b/impl-merchant.rst
@@ -78,9 +78,6 @@ The following API are made available by the merchant's `backend` to the merchant
   :status 200 OK:
     hash succesfully computed. The returned value is a JSON having one field called `hash` containing
     the hashed contract
-  :status 400 Bad Request:
-    Request not understood. The JSON was invalid. Possibly due to some error in
-    formatting the JSON by the `frontend`.
 
 .. http:post:: /contract
 
@@ -101,9 +98,12 @@ The following API are made available by the merchant's `backend` to the merchant
 
   :status 200 OK:
     The backend has successfully created the contract.  It responds with a `ContractBackendResponse`_ object. This request should virtually always be successful.
-
   On success, the `frontend` should pass this response verbatim to the wallet.
 
+  :status 403 Forbidden:
+    The frontend used the same transaction ID twice.  This is only allowed if the response from the backend was lost ("instant" replay), but to assure that frontends usually create fresh transaction IDs this is forbidden if the contract was already paid.  So attempting to have the backend sign a contract for a contract that was already paid by a wallet (and thus was generated by the frontend a "long" time ago), is forbidden and results in this error.  Frontends must make sure that they increment the transaction ID properly and persist the largest value used so far.
+
+
   **Details:**
 
   .. _ContractBackendResponse: