Keep your payments secure.

About security

To make sure nobody can interfere with your payments (or find out about your private API key) always stick to the following rules.

Event name

Don't use the event name as an indicator of the state of a resource.

Since there is no guarantee an event has actually been sent by the Unzer API, you should always fetch the resource using the SDK. This way you make sure a hacker can not inject a false payment state into your shop.

In addition, there is no guarantee the events arrive in the same order they have been sent in. Fetching the resource to an event always gives you the latest state.


Don't use the event's retrieveUrl to fetch the event's resource without making sure the domain is legit.

A hacker could send an event with a retrieveUrl which contains his own domain, to spy out your private key or to return fake data to make you believe a payment has been completed when it actually has not.

To retrieve the resource from an event and make sure nobody can feed you false data, use the fetchResourceFromEvent(...) method. This method omits the manipulatable domain and just uses the path to the corresponding resource, making sure you are calling a safe Unzer domain.