What's the logic of the Order Token?

Posted: 14 Mar 2024, 16:42
by lpatrick
I know the Order Token is used to 'login' without logging in.

So in my case, Mollie fires a webhook after every transaction or Status change and I can go fetch the Payment from Mollie using that token (no user login).

I had intended to include the order token in the Payment metadata which Mollie returns when I fetch the Payment (not on the webhook of course). That way I have a double check that the orderId and order token both match.

Or is it dangerous to include that order token (outside the control of Phoca Cart)?

Re: What's the logic of the Order Token?

Posted: 18 Mar 2024, 21:37
by Jan
Hi,

Yes, the order token is here mainly for guest checkout - guest users. It is used by downloads (where the order token and download token are here to check the download rights - as login cannot be used e.g. for guest users).

The order token and download token are part of the links sent to customers, and there is no other option to check the rights. So the order token and download token should only be sent to the customer, not to some third-party website, etc. But of course if you have a guest checkout user, you need to somehow identify the order, so you need to work with it, but if possible do not give it to a third-party service.

Jan
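
One way to keep the double check from the question without handing the order token to the payment provider, as an added example (not Phoca Cart or Mollie code): put an HMAC of the order id and token in the payment metadata and recompute it after fetching the payment. The function names, the metadata keys and the server-side secret are assumptions, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example: helper names and metadata keys are hypothetical,
// not part of Phoca Cart or the Mollie API client.

/** Digest that binds an order id to its token without revealing the token. */
function orderCheckValue(int $orderId, string $orderToken, string $siteSecret): string
{
    return hash_hmac('sha256', $orderId . ':' . $orderToken, $siteSecret);
}

/**
 * Verify the metadata of a payment fetched after a webhook call.
 * $orders maps order id => order token (stands in for the shop database).
 */
function paymentMatchesOrder(array $metadata, array $orders, string $siteSecret): bool
{
    if (!isset($metadata['order_id'], $metadata['order_check'])
        || !is_scalar($metadata['order_id'])
        || !is_string($metadata['order_check'])) {
        return false; // metadata missing or malformed
    }
    $orderId = (int) $metadata['order_id'];
    if (!isset($orders[$orderId])) {
        return false; // unknown order
    }
    $expected = orderCheckValue($orderId, $orders[$orderId], $siteSecret);
    return hash_equals($expected, $metadata['order_check']); // constant-time compare
}

// Constructed sample values.
$siteSecret = 'constructed-server-side-secret';
$orders     = [1042 => 'constructed-order-token-abc'];

// Sent to the payment provider when the payment is created: no raw token.
$metadata = [
    'order_id'    => 1042,
    'order_check' => orderCheckValue(1042, $orders[1042], $siteSecret),
];

var_dump(paymentMatchesOrder($metadata, $orders, $siteSecret)); // matching order
$metadata['order_id'] = 1043;
var_dump(paymentMatchesOrder($metadata, $orders, $siteSecret)); // unknown order id
$metadata = ['order_id' => 1042, 'order_check' => str_repeat('0', 64)];
var_dump(paymentMatchesOrder($metadata, $orders, $siteSecret)); // forged digest
```

The digest stored with the third party cannot be used in a customer download link, so the order token itself stays between the shop and the customer.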

Re: What's the logic of the Order Token?

Posted: 19 Mar 2024, 15:17
by lpatrick
OK so I better not include it.

Thanks