What is proposed
When using a payment link such as https://square.link/u/XxXxXxXxXxXxXx
, allow extra parameters (e.g. client_reference_id
) to be passed in the form of https://square.link/u/XxXxXxXxXxXxXx?client_reference_id=ABC
. This could become a hidden field of the form filled in by the customer, and should be sent together with other form data in the payment event to the Webhook that a developer specifies.
Why support this feature
It allows custom data to be passed from client side to server side (webhook) without having to create new payment links for each checkout session.
At the moment, the only way to achieve the same goal needs 4 steps:
- Server calls Square API to create a new payment link for each user session.
- Server passes the newly created payment link to the client
- Client shows the payment link to user, and user clicks it and completes the payment workflow
- Server receives the payment event through webhook, and identifies user session
With this proposal, we have potentially 3 benefits:
- It simplifies to 2 steps (removing the above step 1 and 2, because client can just add extra parameter to a static payment link that is pre-generated, and show it to the user).
- It allows the the extra parameter to be client generated instead of only server generated.
- It does not require storing secrets on the server side in order to create payment links.
The last reason is that Square’s competitors (e.g. Stripe) already support this well. Square could lose customer (e.g. me) if it decides not to support this.
Possible downside
The payment link may be used to pass false data by attackers if the extra data remains hidden from the user during the checkout process. This depends on use case, and is easily fixable if the checkout process also displays the custom data as an extra field, so user sees it.
Developers may abuse this to pass way too much custom data. But this is easily avoidable by setting a limit of max data length to be passed.
Square’s implementation of this feature may require storing extra data for each transaction, but the extra cost seems worth the effort of delivering better developer experience.