348
edits
Changes
m
→Interaction with the verify URL
* <tt>status</tt>: A string, containing one of the values "ok", "pending", "refunded", or "invalid".
This verification is not required, but is provided to support real-time queries. Receipt issuers SHOULD require application authentication on this call, to prevent enumeration attack. Receipt issuers are encouraged to use a sparse, non-guessible receipt sequence ID if they do not authenticate verification calls. (TODO: If it's just a status field, does enumeration really matter? Perhaps none of this language is required.)
== References ==
