Diffstat (limited to 'core/api-merchant.rst')
-rw-r--r--core/api-merchant.rst19
1 files changed, 18 insertions, 1 deletions
diff --git a/core/api-merchant.rst b/core/api-merchant.rst
index 2493608..25cee22 100644
--- a/core/api-merchant.rst
+++ b/core/api-merchant.rst
@@ -693,6 +693,12 @@ Payment processing
// shopping sessions that were combined during checkout).
lock_uuids?: UUID[];
+ // Should a token for claiming the order be generated?
+ // False can make sense if the ORDER_ID is sufficiently
+ // high entropy to prevent adversarial claims (like it is
+ // if the backend auto-generates one).
+ create_token: boolean;
+
}
.. ts:def:: Order
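Review bot: `create_token: boolean;` is declared as a required field, so the spec gives no behaviour for a request that omits it, and clients written against the previous `PostOrderRequest` will presumably not send it. Consider making it optional with the protective value as the default, e.g. `create_token?: boolean;` with the comment `// Defaults to true; set to false only if ORDER_ID is backend-generated or otherwise unguessable.` An integrator who overlooks the field would then still get a claim token for orders with guessable IDs. The interface body starts outside this hunk.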
@@ -749,6 +755,11 @@ Payment processing
interface PostOrderResponse {
// Order ID of the response that was just created
order_id: string;
+
+ // Token that authorizes the wallet to claim the order.
+ // Provided only if "create_token" was set to 'true'
+ // in the request.
+ token?: ClaimToken;
}
@@ -848,6 +859,11 @@ Payment processing
interface ClaimRequest {
// Nonce to identify the wallet that claimed the order.
nonce: string;
+
+ // Token that authorizes the wallet to claim the order.
+ // *Optional* as the merchant may not have required it
+ // (``create_token`` set to ``false`` in `PostOrderRequest`).
+ token?: ClaimToken;
}
**Response:**
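Review bot: The comment on `token?: ClaimToken;` in `ClaimRequest` explains why the field is optional, but not what the backend does when the order was created with a token and the claim omits it or presents a different one. The token is what stops a third party from claiming an order with a guessable ID, so the requirement should be stated explicitly, e.g. `// Required if the order was created with a token; a missing or non-matching token causes the claim to be rejected.` The corresponding error should also be listed in the Response section, which lies outside this hunk.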
@@ -1359,7 +1375,8 @@ Payment processing
**Request:**
- :query h_contract: hash of the order's contract terms (this is used to authenticate the wallet/customer in case $ORDER_ID is guessable). *Mandatory!*
+ :query h_contract: hash of the order's contract terms (this is used to authenticate the wallet/customer in case $ORDER_ID is guessable). Either this field or *token* is *mandatory*.
+ :query token=TOKEN: *Optional*. Authorizes the request via the claim token that was returned in the `PostOrderResponse`. Either this field or *h_contract* is *mandatory*.
:query session_id: *Optional*. Session ID that the payment must be bound to. If not specified, the payment is not session-bound.
:query timeout_ms: *Optional.* If specified, the merchant backend will
wait up to ``timeout_ms`` milliseconds for completion of the payment before