Order validation

Adding a Snipcart buy button is incredibly easy. Add a button to your site, some data attributes, and you're good to go. But you may wonder: "What if I change the product information with my browser developer tools? I'll be able to tamper with the price and place orders at a different price." This was probably the first challenge we had to deal with when building Snipcart in the first place.

We came up with a solution to guarantee that the integrity of the order is kept through the whole checkout process.

Product data-item-url attribute

When you configure a product, there's a required attribute called data-item-url.

Before completing the order, Snipcart makes an HTTP request to the value specified in this attribute to make sure the price and other important information have not been altered by someone who knows how to use browser developer tools.

You can read more about this in the security section.

The specified URL must be the one where the Snipcart buy button for the product is available on the source of the page.

Important notice: For users with a single-page website, the data-item-url field should only be filled with your root domain name, such as www.example.com, or with a single slash (/).

Allowed domains

You also need to allow domains and sub-domains where Snipcart can crawl your products. If you log into the dashboard and go to Store Configuration > Domains & URLs, you can set your default domain name as well as the additional allowed domains and sub-domains.

For instance, if the data-item-url value is http://test.mysite.com/products/1 and your default domain is mysite.com, our validation will fail. You need to add test.mysite.com in the allowed sub-domains for it to work.

If you want, you can also use a relative URL (/products/1). However, relative URLs are only validated against your default domain name. So, in the example above, if the data-item-url value was /products/1, we would make the validation HTTP request to http://mysite.com/products/1.

To specify a relative URL, the data-item-url value must start with a /.

JSON crawler

When Snipcart validates an order's integrity, it uses the values specified in the data-item-url attribute of each product.

Most of the time, the value you'll specify for this attribute will be the unique URL where you're selling the item. However, some merchants may have slightly more complex scenarios.

If that's your case, know that there's an alternative to our default HTML crawler: our JSON crawler.

When Snipcart makes the request to the URL, if your response Content-Type header is application/json, we'll use our JSON validator instead of the HTML one.

Your response must be a JSON object with the following properties.

{
  "id": "20",
  "price": 50.00,
  "url": "https://snipcart.com/products/1.json"
}

The id, price and url fields are mandatory, and they must be the same ones you specified in the product definition in your HTML.

Note that the object you return may contain other properties, but only those affecting the price of your products will be considered.

If you are using our multi-currency feature, the price property can be a hash with multiple currencies.

{
  "id": "20",
  "price": {
    "usd": "30",
    "cad": "35"
  },
  "url": "/"
}

You can also return an array containing multiple objects as defined above.

[
  {
    "id": "20",
    "price": 50.00,
    "url": "https://snipcart.com/products.json"
  },
  {
    "id": "21",
    "price": 100.00,
    "url": "https://snipcart.com/products.json"
  }
]

This can be useful when your website is API-driven, using a single page application framework such as Angular.
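
The checks described in the Allowed domains and JSON crawler sections, sketched as an added example (not Snipcart's own code): a simplified model of how a data-item-url is resolved against the default and allowed domains, and how a submitted cart item is compared with the crawled JSON. The store settings, function names, result reasons and the tampered cart item are assumptions made for illustration.

```javascript
// Simplified model of the checks this page describes; not Snipcart's implementation.
// Store settings below are constructed sample values.
const store = { defaultDomain: "mysite.com", allowedDomains: ["test.mysite.com"] };

// Return the URL that would be requested for a data-item-url, or null if its host is not allowed.
function resolveItemUrl(itemUrl, cfg) {
  if (itemUrl.startsWith("/")) return `http://${cfg.defaultDomain}${itemUrl}`; // relative: default domain only
  let host;
  try { host = new URL(itemUrl).hostname; } catch { return null; }
  return host === cfg.defaultDomain || cfg.allowedDomains.includes(host) ? itemUrl : null;
}

// Read the price for one currency from a plain number or a multi-currency hash.
function priceFor(price, currency) {
  const raw = price !== null && typeof price === "object" ? price[currency] : price;
  return raw == null ? NaN : Number(raw);
}

// Compare the item the browser submitted with the JSON served at data-item-url.
function validateItem(cartItem, crawled, currency) {
  const products = Array.isArray(crawled) ? crawled : [crawled];
  const product = products.find((p) => String(p.id) === String(cartItem.id));
  if (!product) return { valid: false, reason: "id not found" };
  if (product.url !== cartItem.url) return { valid: false, reason: "url mismatch" };
  const expected = priceFor(product.price, currency);
  if (!Number.isFinite(expected)) return { valid: false, reason: "no price for currency" };
  // Compare in cents so 50 and 50.00 are equal and float noise is ignored.
  const same = Math.round(expected * 100) === Math.round(Number(cartItem.price) * 100);
  return same ? { valid: true, reason: "ok" } : { valid: false, reason: "price mismatch" };
}

// Constructed sample: the array response from this page, and a cart item whose
// price was edited in the browser from 100.00 to 1.00.
const catalog = [
  { id: "20", price: 50.0, url: "https://snipcart.com/products.json" },
  { id: "21", price: 100.0, url: "https://snipcart.com/products.json" },
];
const tampered = { id: "21", price: 1.0, url: "https://snipcart.com/products.json" };
console.log(validateItem(tampered, catalog, "usd"));
```
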

Fetching products from a JSON document

In our dashboard, you can fetch products if, for example, you need to set inventory stock. If you are using our JSON validator, you can also use your JSON documents to fetch products.

The document can be a JSON file that contains either all of your products in an array or a single product.

The following example is a single product that can be fetched. Please note that this example also sets default stock levels.

{
  "id": "JSON_PRODUCT",
  "name": "JSON Product",
  "url": "/products.json",
  "price": 20.00,
  "image": "http://placehold.it/300x300",
  "inventoryManagementMethod": "Variant",
  "variants": [
    {
      "variation": [
        {
          "name": "Color",
          "option": "Red"
        },
        {
          "name": "Size",
          "option": "Small"
        }
      ],
      "stock": 10,
      "allowOutOfStockPurchases": true
    }
  ],
  "customFields": [
    {
      "name": "Size",
      "options": "Small|Medium|Large",
      "type": "dropdown"
    },
    {
      "name": "Color",
      "options": "Red|Blue|Green",
      "type": "dropdown"
    }
  ]
}

Validating the request

Please refer to this part of the documentation to learn how to secure any endpoints that handle requests from Snipcart.