Integration checklist

• Request signatures: Ensure your backend generates a unique requestSignature for every Establish call. Never hardcode signatures or generate them on the client side.
• Webhook validation: Verify that your webhook listener validates the signature in the header of every incoming notification to prevent spoofing.
• PII handling: Confirm that no Personally Identifiable Information (Names, Emails) is passed in the description field. PII must only be passed in the customer object.
• Script source: Verify that the Trustly SDK is loaded directly from trustly.one. Do not host the script file on your own servers.

See Generate request signatures.

• Transaction IDs: Ensure your database stores the Trustly transactionId returned in the redirect URL and webhook. This is required for all future refunds or support requests.
• Async fulfillment: Verify that your system fulfills orders based on the COMPLETED webhook event, not just the user's redirect to the success page.
• Split tokens (Trustly Pay): If using Trustly Pay, ensure you are capturing and storing the splitToken to enable one-click payments for returning users.
• Duplicate handling: Ensure your webhook listener can handle duplicate events idempotently. For example, if Trustly sends the same Success webhook twice, you don't duplicate the payment.

See Manage transactions.

• Cancel flow: If a user clicks 'Cancel' in the Trustly Lightbox, ensure they are returned to your checkout selection page, not an error page.
• Error messages: If a transaction is declined, ensure you display a friendly message asking the user to try again or choose a different bank, rather than a generic 'System Error'.
• Mobile responsiveness: Test the integration on a mobile device to ensure the Trustly Lightbox does not overlap with your site's navigation bars or headers.

See Branding requirements.