
What is the security/verification system PayPal IPN uses called?

Çağlar Arlı      -    4 Views

In the implementation of an IPN listener: https://developer.paypal.com/api/nvp-soap/ipn/IPNImplementation/

I understand the IPN listener verifies that the message sent to it comes from PayPal by using these steps:

Your listener sends the complete message back to PayPal using HTTPS POST.

Prefix the returned message with the cmd=_notify-validate variable, but do not change the message fields, the order of the fields, or the character encoding from the original message.

Send response messages back to PayPal

PayPal sends one of the following words back to your listener:

VERIFIED (if the message matches the original)

INVALID (if the message does not match the original)

I am very interested in implementing this security feature in a webhook I want to develop, but I can't find documentation on how this actually works on the server side. What is this verification called?

I assume: PayPal saves a request's data in a database before posting it to the IPN listener. When the listener posts the data back to PayPal, the latter just checks that it is in its database. If it exists, return "VERIFIED", and if not, return "INVALID".

Is it that simple? Is it robust?
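The following is an added example, not part of the original post and not PayPal's code: it models the store-and-compare design the post assumes, with the postback done in-process instead of over HTTPS, to show why the quoted steps insist on echoing the message unchanged. The `Sender` class, both `build_postback*` helpers and the sample body are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

PREFIX = b"cmd=_notify-validate&"
# Constructed sample notification body (not a real transaction).
SAMPLE = b"txn_id=TXN-EXAMPLE-1&payment_status=Completed&item_name=Caf%E9+menu"


class Sender:
    """Stand-in for the notifying side, built on the post's assumption:
    remember what was sent, answer VERIFIED only for an exact echo."""

    def __init__(self):
        self._sent = set()  # SHA-256 digests of delivered bodies

    def notify(self, body: bytes) -> bytes:
        self._sent.add(hashlib.sha256(body).digest())
        return body  # the bytes delivered to the listener

    def validate(self, postback: bytes) -> str:
        if not postback.startswith(PREFIX):
            return "INVALID"
        digest = hashlib.sha256(postback[len(PREFIX):]).digest()
        # Constant-time comparison against each stored digest.
        ok = any(hmac.compare_digest(digest, d) for d in self._sent)
        return "VERIFIED" if ok else "INVALID"


def build_postback(raw_body: bytes) -> bytes:
    """Listener side: prefix the raw bytes exactly as received."""
    return PREFIX + raw_body


def build_postback_reencoded(raw_body: bytes) -> bytes:
    """Common mistake: parse into a dict and re-serialize, which changes
    the field order and the percent-encoding of the original message."""
    fields = dict(parse_qsl(raw_body.decode("latin-1"), keep_blank_values=True))
    return PREFIX + urlencode(sorted(fields.items())).encode("latin-1")


if __name__ == "__main__":
    sender = Sender()
    received = sender.notify(SAMPLE)
    print(sender.validate(build_postback(received)))            # byte-exact echo
    print(sender.validate(build_postback_reencoded(received)))  # re-serialized echo
    print(sender.validate(build_postback(b"txn_id=FAKE&payment_status=Completed")))
```

In this model a genuine message that is echoed twice is VERIFIED both times, so the listener still has to deduplicate on the transaction id itself.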