
Session notifications

If a notificationUrl is provided with the request, notifications about changes (for example, the associated payment transaction completed or failed) will be POSTed to that URL asynchronously, independently of the user's browser session. You can use these notifications to apply relevant updates within your own system.

Example session notifications

Successful checkout session:

{
"outcome": "Success",
"sessionId": "ac097ba17bcb437f8c966895ecc6aa06",
"reference": "TestRef",
"amount": 30000,
"currencyCode": "EUR",
"createdAt": "2025-01-03T10:47:16.4777072Z",
"paymentTakenAt": "2025-01-03T10:48:50.035Z",
"transactionId": "LAGERMAN-3DSV2-684c3fac-dee8-499d-b246-0873078046f4",
"token": "58-9-3988545",
"providerName": "SecureTrading",
"cardType": "VISA",
"errorCode": null,
"errorMessage": null,
"acquirerResponseCode": null
}

Failed checkout session:

{
"outcome": "Failure",
"sessionId": "bf261e90ab2c44c78b03d52aedf192af",
"reference": "TestRef",
"amount": 70000,
"currencyCode": "EUR",
"createdAt": "2025-01-10T11:59:33.3265623Z",
"paymentTakenAt": null,
"transactionId": "LAGERMAN-3DSV2-61fd0b29-2109-4704-bf0f-c113c14d6218",
"token": "56-9-3985377",
"providerName": null,
"cardType": null,
"errorCode": "decline",
"errorMessage": "SecureTrading: Decline. No further data.",
"acquirerResponseCode": "05"
}

Authorization

Requests sent to the notification URL will also include an Authorization header with Basic Authentication as described under Authorization. You can Base64 decode the Basic Authentication text and cross-check it against your ClientId and APIKey to guard against unauthorized requests. We recommend that you refuse requests that have a missing or incorrect Authorization header with a 401 Unauthorized error.

Example header

For instance, a session notification request we send to your notificationUrl endpoint could include the following Authorization header:

  • Header Name: Authorization
  • Header Value: Basic TEFHRVJNQU46OTQzZjM2Mjk0N2EyNDA0NTgyYTI2ODkzN2QyM2JjMzM=

Taking the Basic Authentication text and Base64 decoding it gives the following:

LAGERMAN:87ba874b8a5049beadc9710984606715

You can then compare this with your ClientId and APIKey and, if they match, apply any relevant updates to your system based on the session notification. Otherwise, you can discard the request and return a 401 Unauthorized error.
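One way to implement the check described above, as an added example that is not part of the original documentation. CLIENT_ID, API_KEY and all function names are constructed placeholders; the constant-time comparison and the 400 response for an unparseable body are choices made for this example, not requirements stated on this page.

```python
import base64
import binascii
import hmac
import json

# Constructed placeholder credentials; load your real ClientId and APIKey from secure config.
CLIENT_ID = "EXAMPLECLIENT"
API_KEY = "0123456789abcdef0123456789abcdef"


def basic_header(client_id, api_key):
    """Build the Authorization header value expected for these credentials."""
    raw = f"{client_id}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def is_authorized(header_value, client_id=CLIENT_ID, api_key=API_KEY):
    """Return True only if the header carries Basic credentials equal to client_id:api_key."""
    if not header_value:
        return False
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # not valid Base64: treat as unauthorized
    expected = f"{client_id}:{api_key}".encode("utf-8")
    # Constant-time comparison avoids leaking how much of the key matched.
    return hmac.compare_digest(decoded, expected)


def handle_notification(headers, body):
    """Return (status_code, update) for one POST received on the notification URL."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not is_authorized(auth):
        return 401, None  # refuse before parsing or acting on the body
    try:
        event = json.loads(body)
        update = {"sessionId": event["sessionId"],
                  "paid": event["outcome"] == "Success"}
    except (ValueError, KeyError, TypeError):
        return 400, None  # assumption: malformed notification body is rejected
    return 200, update
```

The credential check runs before the JSON body is parsed, so an unauthenticated request never reaches the code that updates your system.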