Validating Popup Storefront Orders


This article describes the recommended process for validating new Popup Storefront orders before you grant real-time access to online products or services.

In some cases, you may want to grant immediate access to content or services based on the results of a Popup Storefront transaction. For example, you might want to take action on the page immediately following the Store Builder Library's "data-popup-closed" event. However, please note that FastSpring does not recommend relying solely on client-side methods such as the order.completed browser script to obtain data about a completed purchase.

Because browser scripts run in the browser, a malicious user could modify or fake these types of results. One possible result is that an adversary could gain access to content or services without actually paying.

For this reason, you should consider using the FastSpring API to validate orders placed via your Popup Storefront before granting access to content or services.

Here is the recommended process:

  1. Wait for the order ID to be passed to the data-popup-closed callback function.
  2. Once you have the order ID, make an AJAX request to your server. Your server can then call GET /orders/{orderID} using the order ID obtained from the Popup Storefront.
  3. Act upon the order based on the API response from FastSpring's backend, which can be trusted.
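
The server side of steps 2 and 3, as an added Node.js example that is not FastSpring's own code: it checks the reported order ID, fetches the order from the API, and decides access only from the API response. The base URL, Basic authentication, the response fields `id`, `completed` and `items[].product`, the ID pattern, the one-time redemption rule and all function names are assumptions to check against the FastSpring API reference.

```javascript
// Added example, not FastSpring's code. Assumed (verify against the API reference):
// base URL, Basic auth, and the response fields `id`, `completed`, `items[].product`.
const API_BASE = 'https://api.fastspring.com';
const ORDER_ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed ID alphabet; rejects "/", "..", "?"
const redeemed = new Set(); // assumed rule: one grant per order; use a durable store

// Decision logic: only the API response body is trusted, never data sent by the browser.
function decideAccess(orderId, order, expectedProduct) {
  if (!order || order.id !== orderId) return { grant: false, reason: 'id-mismatch' };
  if (order.completed !== true) return { grant: false, reason: 'not-completed' };
  const items = Array.isArray(order.items) ? order.items : [];
  if (!items.some((i) => i.product === expectedProduct)) {
    return { grant: false, reason: 'wrong-product' };
  }
  if (redeemed.has(orderId)) return { grant: false, reason: 'already-redeemed' };
  redeemed.add(orderId);
  return { grant: true, reason: 'ok' };
}

// Called by your AJAX endpoint with the ID the browser reported. Fails closed.
async function validateOrder(orderId, expectedProduct, creds, fetchImpl = fetch) {
  if (typeof orderId !== 'string' || !ORDER_ID_RE.test(orderId)) {
    return { grant: false, reason: 'bad-id' };
  }
  try {
    const auth = Buffer.from(`${creds.user}:${creds.pass}`).toString('base64');
    const res = await fetchImpl(`${API_BASE}/orders/${encodeURIComponent(orderId)}`, {
      headers: { Authorization: `Basic ${auth}`, Accept: 'application/json' },
    });
    if (!res.ok) return { grant: false, reason: `api-${res.status}` };
    return decideAccess(orderId, await res.json(), expectedProduct);
  } catch (err) {
    return { grant: false, reason: 'api-unreachable' };
  }
}
```

Keep the API credentials on the server only, and log the `reason` for every denial so repeated `id-mismatch` or `bad-id` results from one client stand out.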