I'm testing my PayPal's accounts with SandBox, I read that after PayPal answer I should send a post request with my transaction id, but I don´t understand why. When PayPal send's me request with GET, mi account show operation complete, so:
1.- Why I need send a post request with confirmation if PayPal already done the transaction?
2.- Why I need a Identity token if PayPal already done the transaction?
Thanks.
I've been thinking, after read many times the process, and the reasons to use PDT instead IPN, answered both questions:
1.- I need send a post request to PayPal to verify transaction is real and was made to me.
2.- I need a identity token, because that's the way to say to PayPal "Hey, it's really me, tell me if transaction is real and was made to me"
This avoids that malicious users send me false url request or repeated request (in that case PayPal should't tell me SUCCESS". So, at the time to know than transaction is real and was made to me, I can update my stock, for example