Checkout Signature Flow

Use the order signature from hosted checkout returns for safe customer-facing order actions.

After hosted checkout, Session Services redirects customers to your returnUrl:

https://yoursite.com/order/complete/{orderId}?sig={signature}

sig is an HMAC signature tied to the order ID. Use it for customer-facing actions without requiring a logged-in bearer token.

Typical Flow

  1. Create the order with a returnUrl.
  2. Customer completes hosted checkout.
  3. Parse orderId and sig on your return page.
  4. Fetch order/tickets and render confirmation.

Create Order

const { order } = await client.order.create({
  eventId: 'evt_01jps5cgsenjrazw6wswmyspa3',
  items: [{ admissionId: 'adm_01jps5cgsee0xvapbk92e8eb4g', quantity: 2 }],
  returnUrl: 'https://yoursite.com/order/complete',
});

Fetch Order and Tickets on Return

const { order } = await client.order.get({
  id: orderId,
  signature: sig, // recommended for customer-facing pages
});

const { tickets } = await client.ticket.list({
  orderId,
  orderSignature: sig,
});

Signature-Required Operations

Two customer-facing order operations require signature input:

  • order.update requires signature
  • order.reserve requires signature

await client.order.reserve({
  id: orderId,
  signature: sig,
});

Security Notes

  • Treat sig as sensitive; avoid logging it in plaintext.
  • Do not trust client-side state alone; always fetch order status from the API.
  • Use your own idempotency keys for retry-prone server actions (for example refunds).
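
The sketch below covers step 3 of the Typical Flow (parsing orderId and sig on the return page) and the first Security Note (keeping sig out of logs). It is an added example, not part of the Session Services SDK. The helper names, the order ID character set, the length cap and the sample URL are assumptions made for illustration.

```javascript
// Added example, not SDK code. Assumed values are marked as such.
const RETURN_PATH_PREFIX = '/order/complete/';
const ORDER_ID_PATTERN = /^[A-Za-z0-9_-]{1,128}$/; // assumed ID shape
const MAX_SIG_LENGTH = 512; // assumed upper bound on sig length

// Constructed sample return URL (not a real order or signature).
const SAMPLE_RETURN_URL =
  'https://yoursite.com/order/complete/order_constructed_001?sig=c2lnLWNvbnN0cnVjdGVk';

// Accepts a full URL (browser location) or a path plus query (server request).
function parseCheckoutReturn(rawUrl, base = 'https://yoursite.com') {
  let url;
  try {
    url = new URL(rawUrl, base);
  } catch {
    return { ok: false, reason: 'malformed-url' };
  }
  if (!url.pathname.startsWith(RETURN_PATH_PREFIX)) {
    return { ok: false, reason: 'unexpected-path' };
  }
  // Extra path segments or percent-encoded bytes fail the pattern below.
  const orderId = url.pathname.slice(RETURN_PATH_PREFIX.length);
  if (!ORDER_ID_PATTERN.test(orderId)) return { ok: false, reason: 'bad-order-id' };

  // Reject repeated sig parameters instead of silently picking one.
  const sigs = url.searchParams.getAll('sig');
  if (sigs.length !== 1) return { ok: false, reason: 'sig-missing-or-repeated' };
  const sig = sigs[0];
  if (sig.length === 0 || sig.length > MAX_SIG_LENGTH) {
    return { ok: false, reason: 'bad-sig-length' };
  }
  return { ok: true, orderId, sig };
}

// Log-safe copy of the return URL: the order ID stays, sig is masked.
function redactReturnUrl(rawUrl, base = 'https://yoursite.com') {
  const url = new URL(rawUrl, base);
  if (url.searchParams.has('sig')) url.searchParams.set('sig', 'REDACTED');
  return url.toString();
}
```

When the result is ok, pass orderId and sig to client.order.get and client.ticket.list as shown above, and write only the output of redactReturnUrl to request logs.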