Confirmation Page

Glopal Checkout shows a confirmation page to the buyer after a successful purchase.

Page can be styled and customized with an additional message that is either configured for the store or passed dynamically in the Create Checkout API call (checkout.success_message). This message will be displayed under the Glopal Order Id.

Custom Page

If Glopal confirmation page does not meet your needs, a custom page can be configured for the store, or passed dynamically via API (checkout.success_url). With the custom confirmation page, Glopal will redirect buyers to your confirmation page after the successful purchase.

Success URL can be configured with optional placeholders:

• ${COUNTRY} - order shipping address country (ISO 3166-1 alpha-2 eg. DE)

• ${LANGUAGE} - visitor language tag (BCP 47, eg. de-DE)

• ${CURRENCY} - visitor currency code (ISO 4217, eg. EUR)

• ${CHECKOUT_ID} - Glopal Checkout ID

• ${ORDER_ID} - Glopal Order ID

For example, having https://example.com/${COUNTRY}/${ORDER_ID}?lang=${LANGUAGE} as the success URL, a buyer completing the order in Germany will be redirected to a page like https://example.com/DE/912-4232?lang=de-DE

Localized versions

By default, buyers will be redirected to the of your confirmation page. To send buyers directly to the given page set checkout.success_url_autoredirect: false.

Signature verification

To protect your server from unauthorized access, we recommend enabling Hash-based message authentication code (HMAC) signatures. To enable HMAC signature

• contact your Glopal Account Manager to generate a new secret key

• pass checkout.success_url_enable_hmac: true in the Create checkout API call

When enabled, Glopal Checkout will append the HMAC signature calculated over the URL with the shared secret key. By verifying the signature, you can ensure that the URL with all parameters was generated by Glopal.

Eg. having https://example.com/${COUNTRY}/${ORDER_ID}?lang=${LANGUAGE} as the success URL, with HMAC signature enabled, a buyer will be redirected to the URL with sig parameter like https://example.com/DE/912-4232?lang=de-DE&sig=3ecf...511ee622

Following code snippets ilutrate how to implement signature verification in different languages.

const crypto = require('crypto');

function verifyHmacSig(url, secret) {
    // extract expected "sig" and sort query params
    const parsedUrl = new URL(url);
    const sig = parsedUrl.searchParams.get('sig');
    parsedUrl.searchParams.delete('sig');
    parsedUrl.searchParams.sort();

    // calculate over url with sorted params 
    const urlToSign = parsedUrl.toString();
    const calculatedSig = crypto.createHmac('sha256', secret)
        .update(urlToSign)
        .digest();

    // verify
    const expectedSig = Buffer.from(sig, 'hex');
    return (
        calculatedSig.length === expectedSig.length &&
        crypto.timingSafeEqual(calculatedSig, expectedSig)
    );
}

import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse


def verify_hmac_sig(url: str, secret: str):
    # extract expected "sig" and sort query params
    parsed_url = urlparse(url)
    query = parse_qs(parsed_url.query)
    expected_sig = query.pop('sig')[0]
    sorted_query = sorted(
        [(k, v) for k, v in query.items()],
        key=lambda x: x[0]
    )

    # calculate over url with sorted params 
    url_to_sign = parsed_url._replace(
        query=urlencode(sorted_query, doseq=True)
    ).geturl()
    calculated_sig = hmac.new(
        key=secret.encode('utf-8'),
        msg=url_to_sign.encode('utf-8'),
        digestmod=hashlib.sha256
    ).hexdigest()

    # verify
    return hmac.compare_digest(expected_sig, calculated_sig)

/**
 * @param string $url  Current url, eg. $_SERVER['REQUEST_URI']
 * @param string $secret  Shared secret key
 */
function verifyHmacSig(string $url, string $secret): bool {
    // extract expected "sig" and sort query params
    $parsedUrl = parse_url($url);
    parse_str($parsedUrl['query'], $queryParams);
    $sig = $queryParams['sig'];
    unset($queryParams['sig']);
    ksort($queryParams);

    $expectedSig = @hex2bin($sig);
    if ($expectedSig === false) {
        return false;
    }

    // calculate over url with sorted params 
    $urlToSign = sprintf('%s://%s%s', $parsedUrl['scheme'], $parsedUrl['host'], $parsedUrl['path']);
    if (!empty($queryParams)) {
        $urlToSign .= '?' . http_build_query($queryParams);
    }
    $calculatedSig = hash_hmac('sha256', $urlToSign, $secret, true);

    // verify
    return hash_equals($calculatedSig, $expectedSig);
}