16. Best Practices & Recommendations

This section outlines recommended best practices for integrating and operating SADAD Web Checkout 2.1 efficiently, securely, and in compliance with payment standards.

Following these practices will help merchants:

Improve payment success rates
Reduce customer friction
Avoid common integration issues
Minimize support escalations

1. Always Use Server-Side Integration

Generate signatures only on the server
Never expose Secret Keys in frontend code
Never generate or verify signatures in JavaScript running in the browser

caution

Exposing Secret Keys can lead to fraudulent transactions and account compromise.

2. Implement Both Callback and Webhook

Use Callback URL for customer redirection and UX
Use Webhook for reliable, server-to-server transaction updates
Treat webhook updates as the source of truth for backend systems

This ensures transaction updates are received even if:

The customer closes the browser
Network issues interrupt redirection

3. Handle Transaction Status Correctly

Use transaction_status as the final authority
Treat status 1 (In Progress) as temporary
Fulfil orders only when status is 3 (Successful)
Reconcile pending transactions after midnight

4. Use Separate Test and Live Credentials

Use Test Secret Key for sandbox testing
Use Live Secret Key only in production
Never mix Test and Live credentials

info

Using Test keys always opens the checkout in Sandbox mode.

5. Log All Requests and Responses

Maintain server-side logs for:

Outgoing payment requests
Callback payloads
Webhook payloads
Signature verification results

Logs are essential for:

Issue investigation
Dispute handling
Audit and reconciliation

6. Display User-Friendly Messages

Do not expose raw technical messages to customers
Show simple, actionable messages such as:
- “Payment failed. Please try again.”
- “Payment pending. Please wait.”

7. Validate Callback and Webhook Authenticity

Always verify checksumhash
Reject payloads that fail verification
Process only authenticated callbacks and webhooks

8. Avoid Duplicate Order Processing

Use unique Order IDs for each payment attempt
Ensure idempotent backend logic
Do not process the same transaction twice

9. Secure Your Endpoints

Use HTTPS for all callback and webhook URLs
Restrict access via firewall or IP allowlisting if possible
Protect endpoints from unauthorized requests

10. Test Edge Scenarios

Before going live, test:

Customer cancellation
Authentication failure
Network interruption
Delayed bank responses
Duplicate callbacks

Common Merchant Mistakes to Avoid

❌ Hard-coding logic based on messages
❌ Ignoring webhook updates
❌ Treating In Progress as failure
❌ Exposing Secret Keys
❌ Delivering goods before final success

Final Recommendation

Following these best practices ensures:

Stable integrations
Higher conversion rates
Faster issue resolution
Compliance with payment and security standards

If you have questions about best practices, contact SADAD Support via the support section.

1. Always Use Server-Side Integration​

2. Implement Both Callback and Webhook​

3. Handle Transaction Status Correctly​

4. Use Separate Test and Live Credentials​

5. Log All Requests and Responses​

6. Display User-Friendly Messages​

7. Validate Callback and Webhook Authenticity​

8. Avoid Duplicate Order Processing​

9. Secure Your Endpoints​

10. Test Edge Scenarios​

Common Merchant Mistakes to Avoid​

Final Recommendation​

Related Documentation​