IPN Guide, June 2009
2 Implementing an IPN Listener
You write your IPN listener in the scripting or programming language of your choice and host
it on your web server. You can use sample code provided by PayPal as a starting point.
The PayPal SDKs for Website Payments Standard contain sample code in various
programming languages that you can modify to create your own listener. As a good
programming practice, as well as to keep things simple, your IPN listener should listen for a
post from PayPal and dispatch it immediately to another routine or process that handles the
business logic associated with the message. If your listener is structured in this way, it will be
a simple and tight loop that listens for a message and dispatches it for processing by your
application logic.
Your listener software must:
1. Wait for an HTTP post from PayPal.
2. Create a request that contains exactly the same IPN variables and values in the same order,
   preceded with cmd=_notify-validate.
3. Post the request to paypal.com or sandbox.paypal.com, depending on whether you
   are going live or testing your listener in the Sandbox.
4. Wait for a response from PayPal, which is either VERIFIED or INVALID.
5. If the response is VERIFIED, perform the following checks:
   – Confirm that the payment status is Completed.
     PayPal sends IPN messages for pending and denied payments as well; do not ship until
     the payment has cleared.
   – Use the transaction ID to verify that the transaction has not already been processed,
     which prevents duplicate transactions from being processed.
     Typically, you store transaction IDs in a database so that you know you are only
     processing unique transactions.
   – Validate that the receiver’s email address is registered to you.
     This check provides additional protection against fraud.
   – Verify that the price, item description, and so on, match the transaction on your website.
     This check provides additional protection against fraud.
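The steps above, sketched in Python as an added example (not PayPal's SDK sample code). It assumes the standard IPN variable names payment_status, txn_id, receiver_email, mc_gross, mc_currency and item_name, which this page does not list; the endpoint URL is left to the caller, and the set of seen transaction IDs stands in for a database.

```python
import urllib.request
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed sample IPN body and matching order record (not a real transaction).
SAMPLE_IPN = (b"payment_status=Completed&txn_id=TESTTXN0001"
              b"&receiver_email=seller%40example.com&mc_gross=19.95"
              b"&mc_currency=USD&item_name=Blue+Widget")
SAMPLE_ORDER = {"amount": Decimal("19.95"), "currency": "USD",
                "item_name": "Blue Widget"}

def build_validation_body(raw_body: bytes) -> bytes:
    # Step 2: prepend the command to the untouched bytes. Re-encoding a parsed
    # dict could change variable order or escaping.
    return b"cmd=_notify-validate&" + raw_body

def post_back(endpoint: str, raw_body: bytes) -> str:
    # Steps 3-4: endpoint is the caller's live or Sandbox URL (assumption:
    # taken from configuration; the page gives only the host names).
    req = urllib.request.Request(endpoint, data=build_validation_body(raw_body))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()

def check_ipn(raw_body, verdict, order, my_email, seen_txn_ids):
    """Step 5: return (accepted, reason). `order` is what the site expects."""
    if verdict != "VERIFIED":
        return False, "not verified"
    parsed = parse_qs(raw_body.decode("ascii", "replace"), keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):
        return False, "repeated variable"  # ambiguous input, refuse to guess
    f = {k: v[0] for k, v in parsed.items()}
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    txn = f.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        return False, "missing or duplicate transaction ID"
    if f.get("receiver_email", "").lower() != my_email.lower():
        return False, "receiver is not our account"
    try:
        amount = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if (amount, f.get("mc_currency"), f.get("item_name")) != (
            order["amount"], order["currency"], order["item_name"]):
        return False, "order details do not match"
    # Record only after every check passes; a real store should enforce
    # uniqueness itself (a unique key) so concurrent posts cannot both pass.
    seen_txn_ids.add(txn)
    return True, "ok"
```

In a listener, the verdict passed to check_ipn is the string returned by post_back for the same raw body.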