When integrating CoinGate payments, your system will receive callbacks (notifications) about order status updates. To prevent fraud or spoofing, it’s important to secure your callback URL. Here's how to do it step by step:
1. Accept Callbacks Only from CoinGate IP Addresses
Make sure your system only processes incoming requests (callbacks) from CoinGate’s official IP addresses.
🔗 List of CoinGate IP addresses
This ensures that only our servers can send callbacks to your system — blocking malicious third parties.
2. Use a Secure Token When Creating Orders
When you create a new order via API, include a unique token string in the request.
🔗 How to include token when creating orders
Later, when your system receives a callback, check that the token matches: it’s like a secret handshake to confirm the callback is real.
3. Always Double-Check Order Status and Amount
When you receive a callback, don't just trust the data blindly. Always:
- Take the Order ID from the callback
- Make a separate API call to CoinGate to verify the order status and amount
This protects you from accepting outdated, incorrect, or tampered data. You're verifying directly with CoinGate.
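The three checks above combined in one callback handler, as an added Python example that is not CoinGate's code: the IP allowlist, the local order store and the API lookup are constructed stand-ins, and the callback field names `order_id` and `token` plus the settled status `paid` are assumptions to confirm against the CoinGate API reference.

```python
import hmac
import ipaddress
from typing import Callable, Mapping, Optional, Tuple

# Constructed placeholder allowlist (TEST-NET range), NOT CoinGate's real
# addresses: populate it from the CoinGate IP list linked in the article.
COINGATE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed stand-in for your order database: the token and amount
# recorded when the order was created via the API.
LOCAL_ORDERS = {"ORD-1": {"token": "s3cret-per-order", "price_amount": "49.99"}}

# Constructed stand-in for a GET of the order from the CoinGate API.
def fake_fetch_order(order_id: str) -> Optional[Mapping[str, str]]:
    return {"ORD-1": {"status": "paid", "price_amount": "49.99"}}.get(order_id)

# Callback field names (order_id, token) are assumed; confirm them against
# the CoinGate API reference.
def verify_callback(
    source_ip: str,
    payload: Mapping[str, str],
    fetch_order: Callable[[str], Optional[Mapping[str, str]]],
) -> Tuple[bool, str]:
    """Return (accepted, reason) after the article's three checks."""
    # 1. Accept callbacks only from CoinGate's published addresses.
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in COINGATE_ALLOWLIST):
        return False, "source ip not in allowlist"
    # 2. The per-order token must match the one sent at creation;
    #    compare in constant time so mismatches leak nothing via timing.
    local = LOCAL_ORDERS.get(str(payload.get("order_id", "")))
    if local is None:
        return False, "unknown order_id"
    if not hmac.compare_digest(str(payload.get("token", "")), local["token"]):
        return False, "token mismatch"
    # 3. Ignore status/amount in the callback body; re-read the order from
    #    CoinGate and compare with what your own system expects.
    remote = fetch_order(payload["order_id"])
    if remote is None:
        return False, "order not found at coingate"
    if remote["status"] != "paid":
        return False, "order not paid according to coingate"
    if remote["price_amount"] != local["price_amount"]:
        return False, "amount at coingate differs from expected"
    return True, "ok"

if __name__ == "__main__":
    cb = {"order_id": "ORD-1", "status": "paid", "token": "s3cret-per-order"}
    print(verify_callback("203.0.113.7", cb, fake_fetch_order))   # accepted
    print(verify_callback("198.51.100.9", cb, fake_fetch_order))  # rejected by IP check
```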
Why This Matters
These steps prevent attackers from:
- Sending fake payment confirmations
- Triggering actions on your website with spoofed data
- Exploiting your business logic with modified callbacks