Feature request: "secure", less guessable invoice identifiers

Hi

I’m currently looking at FreeAgent as a replacement for my business’
current Freshbooks account of several years, for various reasons, including
the bank feed, attached PDF and RESTful API features.

However, our biggest issue is integrating FreeAgent with our payment
gateway. Ideally, I’d like to send a “secure” (not very easily guessed)
link to a payment form, within each invoice notification email.

We could possibly use the email template variable [reference] as a resource
within our secure link, like so:

https://secure.site/pay/[reference]

Then when the customer clicks on the link, our application listening at the
above URL initiates a call to our account at FreeAgent via the API for the
invoice with that reference.

We’d like to show the customer the details of their invoice again, before
they continue to be redirected to our payment gateway’s PCI compliant
payment page. This is where the issue of (reasonably) secure payment links
comes in. As anyone who’s built applications for the web knows, you can’t
expose potentially sensitive information via easily guessed URLs. In the
above case, the reference generated by FreeAgent is a sequential integer.
We’d of course implement blocking/throttling of clients who request too
many invalid, or already paid for links, but we’d like to have more secure
links from the outset, so that we don’t have to prompt our customers for a
login in order to be more justifiably paranoid. Once paid, then that secure
URL is disabled (marked as used) as an added precaution.

I’d like to suggest possibly adding a field to created invoices, which
stores a long enough (but not too long to be impractical) random looking,
unique string (unique to the specific FreeAgent account, of course), as a
more secure key into each invoice. This would enable the above reasonably
obfuscated method of integration with external payment gateways.

So, instead of https://secure.site/pay/2345

A less guessable URL of https://secure.site/pay/geytgmrugu3demjrgi3domjs

It needn’t be something added to the data structure necessarily - it could
possibly be implemented at run-time by encrypting the invoice number using
the API key as passphrase with a known algorithm. Then when clicked on by
the customer, our application listening at the secure link decrypts the
“pay token” from which it extracts the applicable invoice number.

Whichever method used to generate a “pay token” linked to a particular
invoice, it could be exposed via both an email template variable (say
[pay_token]) and an API invoice field pay_token.

Hopefully the above explanation is clear and motivates for this feature.
Would anyone else here find it useful? Alternatively, if I’ve missed a
better way of integrating with our payment gateway, please point me in the
right direction. Thanks.

Regards
Dale
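
The two options in the post above (a random string stored with each invoice, or a value computed at run time from a secret), sketched in Python as an added example that is not part of the original thread. The run-time variant uses an HMAC in place of the encryption the post mentions; `PayLinks`, the key and the account name are hypothetical, and the in-memory dict stands in for a database table.

```python
import base64
import hashlib
import hmac
import secrets

TOKEN_BYTES = 15  # 120 bits, which is exactly 24 Base32 characters with no padding


def b32(raw: bytes) -> str:
    """Lower-case, unpadded Base32 so the token is safe in a URL path."""
    return base64.b32encode(raw).decode("ascii").lower().rstrip("=")


def encoded_reference(reference: str) -> str:
    """Weak form: Base32 of the sequential reference. It only looks random."""
    return b32(reference.encode("ascii"))


def decode_reference(encoded: str) -> str:
    """Anyone can reverse the weak form, so it adds no secrecy."""
    pad = "=" * (-len(encoded) % 8)
    return base64.b32decode(encoded.upper() + pad).decode("ascii")


def random_pay_token() -> str:
    """Option 1: a random value from the OS CSPRNG, stored with the invoice."""
    return b32(secrets.token_bytes(TOKEN_BYTES))


def derived_pay_token(key: bytes, account: str, reference: str) -> str:
    """Option 2: computed at run time from a server-side secret key."""
    msg = f"{account}\x00{reference}".encode("utf-8")
    return b32(hmac.new(key, msg, hashlib.sha256).digest()[:TOKEN_BYTES])


def verify_derived(key: bytes, account: str, reference: str, token: str) -> bool:
    """Recompute the token and compare in constant time."""
    expected = derived_pay_token(key, account, reference).encode("ascii")
    presented = token.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, presented)


class PayLinks:
    """Maps random pay tokens to invoice references (hypothetical store)."""

    def __init__(self):
        # Only a hash of each token is kept, so a leaked table does not
        # hand out working payment links.
        self._by_digest = {}
        self._used = set()

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.strip().lower().encode("utf-8")).digest()

    def issue(self, reference: str) -> str:
        token = random_pay_token()
        self._by_digest[self._digest(token)] = reference
        return token

    def resolve(self, token: str):
        """Return the invoice reference, or None if unknown or already paid."""
        digest = self._digest(token)
        if digest in self._used:
            return None
        return self._by_digest.get(digest)

    def mark_paid(self, token: str) -> bool:
        """Disable the link once payment has completed."""
        digest = self._digest(token)
        if digest not in self._by_digest:
            return False
        self._used.add(digest)
        return True


if __name__ == "__main__":
    links = PayLinks()
    token = links.issue("2345")  # constructed sample reference
    print("https://secure.site/pay/" + token)
    print("resolves to invoice", links.resolve(token))
    links.mark_paid(token)
    print("after payment:", links.resolve(token))
```
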

Hi Dale,

I just wanted to chip in. FreeAgent has a payment portal that allows
customers to pay invoices with direct debit, credit card or through PayPal
and if you have one of these set up for an invoice we generate a reference
used by our own payment portal. The link to our payment portal is exposed
through the API so you could retrieve this link and extract the reference
from it fairly easily.

The reference is only generated for invoices that are set up to be paid
through the payment portal so you will need to set up Stripe or GoCardless
in FreeAgent or add a PayPal bank account. Invoices you create will then be
marked as payable with that payment method by default. The reference is
generated when the invoice is marked as sent and then is exposed through
the API as the ‘payment_url’ on the invoice resource and is linked to on
the sidebar.

Hopefully this might make it possible for you to get your own payment
portal working with what is already available. Olly has also added your
feature request to the list which I realise would make for an easier
solution when it is implemented.

Regards,
Harry Mills

On Mon, Feb 10, 2014 at 2:26 PM, Dale Gallagher dale.gallagher@gmail.com wrote:

Excellent, thank you.

+1 for FreeAgent vs Xero simple payment gateway integration!

Dale

On 10 February 2014 16:23, Olly Headey olly@freeagent.com wrote:

Hi Dale

Sorry, apologies for misunderstanding. I see what you mean now. I’ll
ensure this feature request is added to the list.

Olly

On Mon, Feb 10, 2014 at 2:19 PM, Dale Gallagher <dale.gallagher@gmail.com> wrote:

Hi Olly

Thanks for responding. I believe you’ve misunderstood the reason for my
request.

Please reread my original post, as the request has to do with the
generated invoice notification emails on YOUR side and how we may be able
to tie that notification into payment on our side. Using the unique
reference which YOU generate is of importance, as there’s no other way
we’re able to insert our own unique reference variable into the
notifications generated by FreeAgent, without us creating invoices via the
API (which we’d like to avoid at this stage). The idea is to use FreeAgent
for everything except for our payment integration. Does this clarify my
question?

Having access to that unique reference via the email templates and API
would be first prize!

Regards
Dale

On Monday, 10 February 2014 01:27:18 UTC+2, Olly H wrote:

Hi Dale

We do actually generate a unique reference in this way for our own
online payment portal. Unfortunately this isn’t exposed via our API at the
present time. I’ll add it as a feature request but can’t say if it will be
added any time soon I’m afraid.

Have you thought about adding a bit of code to your payment portal to
generate such a reference? A popular way to do this is using Base32
encoding. Douglas Crockford wrote a good guide (Base 32) and there are
plenty of examples available on the web.

Olly


You received this message because you are subscribed to the Google
Groups “FreeAgent API” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to freeagent_api+unsubscribe@googlegroups.com.

To post to this group, send email to freeagent_api@googlegroups.com.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/groups/opt_out.



Hi

I thought I’d posted this earlier, but don’t see it, so apologies if this
is a duplicate.

I see that xero.com have partially implemented the same feature for adding
one’s own payment URL, but only when viewing the invoice on-line:

http://bit.ly/1djAHRg

Ideally, as per my original post, one should have access to inserting this
URL at the invoice notification stage, giving one the ability to use one’s
own site for displaying the invoice and effecting payment (speaking to the
FreeAgent API behind the scenes).

Unfortunately, they haven’t implemented more secure IDs, using more easily
guessable parameters.

Thanks Harry,

Unfortunately, your suggestion won’t give us the ability to offer our
customers a link to our own payment gateway at the invoice phase, which is
where we require it. It’s unclear to me with your suggestion how we’d be
able to do this, as our customers would be sent a payment URL to another
service. If I’ve misunderstood your suggestion, please elaborate. Thanks.

Furthermore, South Africans aren’t in a position to use Stripe yet and
PayPal transaction fees for some of our invoice amounts are prohibitively
expensive (you can only receive money here via PayPal through FNB (Bank)
which charges ZAR 7 per transaction) and we’re not with FNB.

Hi Dale,

I was thinking you re-use the same payment portal reference we generate for
your own payment portal. You would still need to construct the URL for the
email yourself but you would need to do this anyway as the FreeAgent system
wouldn’t know what your payment url would be. Would this work for you? You
would need to connect up a PayPal bank account in order to get the system
to generate the reference but you don’t have to use it for taking payment
for the invoices.

Regards,
Harry MillsOn Mon, Feb 10, 2014 at 3:01 PM, Dale Gallagher dale.gallagher@gmail.comwrote:

Thanks Harry,

Unfortunately, your suggestion won’t give us the ability to offer our
customers a link to our own payment gateway at the invoice phase, which is
where we require it. It’s unclear to me with your suggestion how we’d be
able to do this, as our customers would be sent a payment URL to another
service. If I’ve misunderstood your suggestion, please elaborate. Thanks.

Furthermore, South African’s aren’t in a position to use Stripe yet and
PayPal transaction fees for some of our invoice amounts are prohibitively
expensive (you can only receive money here via PayPal through FNB (Bank)
which charges ZAR 7 per transaction) and we’re not with FNB.

On 10 February 2014 16:43, Harry Mills harry@freeagent.com wrote:

Hi Dale,

I just wanted to chip in. FreeAgent has a payment portal that allows
customers to pay invoices with direct debit, credit card or through PayPal
and if you have one of these set up for an invoice we generate a reference
used by our own payment portal. The link to our payment portal is exposed
through the API so you could retrieve this link and extract the reference
from it fairly easily.

The reference is only generated for invoices that are set up to be paid
through the payment portal so you will need to set up Stripe or GoCardless
in FreeAgent or add a PayPal bank account. Invoices you create will then be
marked as payable with that payment method by default. The reference is
generated when the invoice is marked as sent and then is exposed through
the API as the ‘payment_url’ on the invoice resource and is linked to on
the sidebar.

[image: Inline image 1]

Hopefully this might make it possible for you to get your own payment
portal working with what is already available. Olly has also added your
feature request to the list which I realise would make for an easier
solution when it is implemented.


Regards,
Harry Mills

On Mon, Feb 10, 2014 at 2:26 PM, Dale Gallagher <dale.gallagher@gmail.com wrote:

Excellent, thank you.

+1 for FreeAgent vs Xero simple payment gateway integration!

Dale

On 10 February 2014 16:23, Olly Headey olly@freeagent.com wrote:

Hi Dale

Sorry, apologies for misunderstanding. I see what you mean now. I’ll
ensure this feature request is added to the list.

Olly

On Mon, Feb 10, 2014 at 2:19 PM, Dale Gallagher < dale.gallagher@gmail.com> wrote:

Hi Olly

Thanks for responding. I believe you’ve misunderstood the reason for
my request.

Please reread my original post, as the request has to do with the
generated invoice notification emails on YOUR side and how we may be able
to tie that notification into payment on our side. Using the unique
reference which YOU generate is of importance, as there’s no other way
we’re able to insert our own unique reference variable into the
notifications generated by FreeAgent, without us creating invoices via the
API (which we’d like to avoid at this stage). The idea is to use FreeAgent
for everything except for our payment integration. Does this clarify my
question?

Having access to that unique reference via the email templates and API
would be first prize!

Regards
Dale

On Monday, 10 February 2014 01:27:18 UTC+2, Olly H wrote:

Hi Dale

We do actually generate a unique reference in this way for our own
online payment portal. Unfortunately this isn’t exposed via our API at the
present time. I’ll add it as a feature request but can’t say if it will be
added any time soon I’m afraid.

Have you thought about adding a bit of code to your payment portal to
generate such a reference? A popular way to do this is using Base32
encoding. Douglas Crockford wrote a good guide (Base 32) and there are
plenty of examples available on the web.

Olly

On Sunday, February 9, 2014 5:17:29 PM UTC, Dale Gallagher wrote:

Hi

I’m currently looking at FreeAgent as a replacement for my business’
current Freshbooks account of several years, for various reasons, including
the bank feed, attached PDF and RESTful API features.

However, our biggest issue is integrating FreeAgent with our payment
gateway. Ideally, I’d like to send a “secure” (not very easily guessed)
link to a payment form, within each invoice notification email.

We could possibly use the email template variable [reference] as a
resource within our secure link, like so:

https://secure.site/pay/[reference]

Then when the customer clicks on the link, our application listening
at the above URL initiates a call to our account at FreeAgent via the API
for the invoice with that reference.

We’d like to show the customer the details of their invoice again,
before they continue to be redirected to our payment gateway’s PCI
compliant payment page. This is where the issue of (reasonably) secure
payment links comes in. As anyone who’s built applications for the web
knows, you can’t expose potentially sensitive information via easily
guessed URLs. In the above case, the reference generated by FreeAgent is a
sequential integer. We’d of course implement blocking/throttling of clients
who request too many invalid, or already paid for links, but we’d like to
have more secure links from the outset, so that we don’t have to prompt our
customers for a login in order to be more justifiably paranoid. Once paid,
then that secure URL is disabled (marked as used) as an added precaution.

I’d like to suggest possibly adding a field to created invoices,
which stores a long enough (but not too long to be impractical) random
looking, unique string (unique to the specific FreeAgent account, of
course), as a more secure key into each invoice. This would enable the
above reasonably obfuscated method of integration with external payment
gateways.

So, instead of https://secure.site/pay/2345

A less guessable URL of https://secure.site/pay/geytgmrugu3demjrgi3domjs

It needn’t be something added to the data structure necessarily - it
could possibly be implemented at run-time by encrypting the invoice number
using the API key as passphrase with a known algorithm. Then when clicked
on by the customer, our application listening at the secure link decrypts
the “pay token” from which it extracts the applicable invoice number.

Whichever method used to generate a “pay token” linked to a
particular invoice, it could be exposed via both an email template variable
(say [pay_token]) and an API invoice field pay_token.

Hopefully the above explanation is clear and motivates for this
feature. Would anyone else here find it useful? Alternatively, if I’ve
missed a better way of integrating with our payment gateway, please point
me in the right direction. Thanks.

Regards
Dale


You received this message because you are subscribed to the Google
Groups “FreeAgent API” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to freeagent_api+unsubscribe@googlegroups.com.

To post to this group, send email to freeagent_api@googlegroups.com.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/groups/opt_out.


You received this message because you are subscribed to a topic in the
Google Groups “FreeAgent API” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/freeagent_api/WmebKLltt4U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
freeagent_api+unsubscribe@googlegroups.com.

To post to this group, send email to freeagent_api@googlegroups.com.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/groups/opt_out.
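The two pay-token schemes discussed in this thread, as an added Python example that is not FreeAgent's or any poster's code: a random token stored per invoice, and a stateless token that uses an HMAC tag in place of the encryption the original post suggests. The signing key, the `PayLinks` store and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret held only by the payment app (constructed here).
SIGNING_KEY = secrets.token_bytes(32)

def b32(data: bytes) -> str:
    """Lowercase Base32 without padding. This is an encoding, not a secret."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()

def random_pay_token(nbytes: int = 15) -> str:
    """Stored token: 120 bits from the OS CSPRNG, 24 Base32 characters."""
    return b32(secrets.token_bytes(nbytes))

def signed_pay_token(reference: str, key: bytes = SIGNING_KEY) -> str:
    """Stateless token: the invoice reference plus a 120-bit HMAC-SHA256 tag."""
    tag = hmac.new(key, reference.encode("utf-8"), hashlib.sha256).digest()[:15]
    return f"{reference}.{b32(tag)}"

def verify_pay_token(token: str, key: bytes = SIGNING_KEY):
    """Return the invoice reference if the tag is valid, else None."""
    reference, sep, _tag = token.rpartition(".")
    if not sep or not reference:
        return None
    expected = signed_pay_token(reference, key)
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))
    return reference if ok else None

class PayLinks:
    """In-memory stand-in for a table mapping random tokens to unpaid invoices."""
    def __init__(self):
        self._open = {}

    def issue(self, reference: str) -> str:
        token = random_pay_token()
        self._open[token] = reference
        return token

    def lookup(self, token: str):
        return self._open.get(token)
    def mark_paid(self, token: str) -> None:
        self._open.pop(token, None)  # the link stops resolving once paid

def decode_b32(text: str) -> bytes:
    """Base32 text is reversible by anyone, with no key involved."""
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))
```

Base32 only makes bytes URL-friendly; `decode_b32` reverses it without any key, so the unguessability has to come from the CSPRNG output or from the secret key behind the tag.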


Hi Dale

We do actually generate a unique reference in this way for our own online
payment portal. Unfortunately this isn’t exposed via our API at the present
time. I’ll add it as a feature request but can’t say if it will be added
any time soon I’m afraid.

Have you thought about adding a bit of code to your payment portal to
generate such a reference? A popular way to do this is using Base32
encoding. Douglas Crockford wrote a good guide
(Base 32) and there are plenty of
examples available on the web.

Olly

Hi Dale

Sorry, apologies for misunderstanding. I see what you mean now. I’ll ensure
this feature request is added to the list.

Olly