Using the Product IPN URL Field
Written By Carlos
Last updated 5 months ago
PayKickstart's Instant Payment Notification (IPN) is a message service that automatically notifies vendors of events related to PayKickstart transactions. Vendors can use it to automate back-office and administrative functions, including automatically creating users on apps, providing customers with their login credentials via email, etc.
Note:
Each product will need an IPN URL if you want to send the IPN POST data for that product.
Subscription events will fire for both newly created and existing subscriptions once the IPN URL is added to its related product's settings.
PayKickstart will now send an IPN POST related to PayKickstart transactions to the 3rd party URL specified in the product settings.
NOTE: For IPN example responses and more information regarding the product IPN, please visit: https://docs.paykickstart.com/#instant-payment-notification-ipn-post-ipn-post
IMPORTANT: IPN events have a timeout of 20 seconds total (5 for connection, 15 for request) for each webhook we fire. If the IPN request takes longer than 15-20 seconds, we deem it as failed.
Using IPN POSTs with Multiple Campaigns
As a Vendor, you may have a scenario where your website or application needs to process sales from multiple PayKickstart campaigns at the same time. A common example is offering another vendor's product (which exists in a different campaign) as an upsell in your sales funnel.
When handling this, it is critical to understand how PayKickstart's security keys work:
The IPN Secret Key is unique to each Campaign.
The API Key is unique to each Account.
This means a single, static secret key in your code will only work for one campaign. If an IPN from a different campaign is sent to your endpoint, the verification will fail.
The Solution here is to use Dynamic Key Verification.
Your integration must be able to dynamically select the correct secret key based on the incoming notification. The recommended method is to store all relevant campaign secret keys and look up the correct one using the campaign_id provided in the IPN payload.
Example Scenario:
Imagine you have your Main product in Campaign A, and an Upsell product in Campaign B.
In your PayKickstart account, find the Campaign ID and IPN Secret Key for both campaigns.
Campaign A:
    Campaign ID: 123456
    IPN Secret Key: pk_secret_xxxxxxxxxxxxxx_ABCDEFG
Campaign B:
    Campaign ID: 789012
    IPN Secret Key: pk_secret_xxxxxxxxxxxxxx_BCDEFGH
On your server, store these keys in a secure map or dictionary structure (e.g., in a configuration file or as environment variables). This allows you to associate each campaign_id with its unique secret_key.
Example of Key Storage:
    // Store your Campaign IDs and Secret Keys securely.
    SECRET_KEYS_MAP = {
        "123456": "pk_secret_xxxxxxxxxxxxxx_AAAAAAAA",
        "789012": "pk_secret_xxxxxxxxxxxxxx_BBBBBBBB"
    }
When your IPN URL receives a notification, your code should first extract the campaign_id from the payload, then use that ID to find the correct secret key for verification.
Example of Dynamic Verification
At your IPN endpoint:
Get the Campaign ID from the incoming IPN data.
    incoming_campaign_id = request.body['campaign_id'];
Look up the correct Secret Key from your stored map.
    secret_key_for_verification = SECRET_KEYS_MAP[incoming_campaign_id];
If a key is found, use it to verify the IPN signature.
    if (secret_key_for_verification) {
        is_valid = verify_paykickstart_signature(request.body, request.headers, secret_key_for_verification);
        if (is_valid) {
            // SUCCESS: Process the purchase (grant access, send email, etc.)
        } else {
            // FAILED: The signature is invalid. Do not process.
        }
    } else {
        // FAILED: The campaign is unknown. Do not process.
    }
By implementing this logic, your IPN endpoint can reliably and securely handle notifications from any number of PayKickstart campaigns, making your integration more robust and scalable.
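The lookup-then-verify flow above as a runnable Python sketch. It is an added example, not PayKickstart's code: the JSON body, the HMAC-SHA256-over-raw-body signature (sign), the handle_ipn and demo names, and the key values are assumptions; substitute the signature scheme from the IPN documentation.

```python
import hashlib
import hmac
import json

# Constructed placeholder keys; in production load them from a secret store.
SECRET_KEYS_MAP = {
    "123456": "pk_secret_example_campaign_A",
    "789012": "pk_secret_example_campaign_B",
}


def sign(raw_body: bytes, secret_key: str) -> str:
    """ASSUMED scheme: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret_key.encode(), raw_body, hashlib.sha256).hexdigest()


def handle_ipn(raw_body: bytes, signature: str, keys=SECRET_KEYS_MAP):
    """Return (http_status, reason) for one incoming IPN POST."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, "malformed body"
    if not isinstance(payload, dict):
        return 400, "malformed body"
    # campaign_id is untrusted at this point: it only selects which key to try.
    campaign_id = str(payload.get("campaign_id", ""))
    secret_key = keys.get(campaign_id)
    if secret_key is None:
        # No default or fallback key: unknown campaigns are rejected.
        return 403, "unknown campaign"
    expected = sign(raw_body, secret_key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 403, "invalid signature"
    return 200, "verified"


def demo():
    # Constructed sample notifications (field values are illustrative).
    body_a = json.dumps({"campaign_id": 123456, "event": "sales"}).encode()
    body_b = json.dumps({"campaign_id": "789012", "event": "sales"}).encode()
    body_x = json.dumps({"campaign_id": "555555", "event": "sales"}).encode()
    return [
        handle_ipn(body_a, sign(body_a, SECRET_KEYS_MAP["123456"])),
        handle_ipn(body_b, sign(body_b, SECRET_KEYS_MAP["789012"])),
        # A Campaign B notification signed with Campaign A's key must fail.
        handle_ipn(body_b, sign(body_b, SECRET_KEYS_MAP["123456"])),
        handle_ipn(body_x, sign(body_x, "anything")),
    ]
```

Only act on the payload (grant access, send email) after handle_ipn returns 200, and keep that work within the 20-second IPN timeout.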
For more details, please view our complete API and IPN POST guide at: https://docs.paykickstart.com