# Validate order

This page describes how to validate an order before completion using Kustom Checkout (KCO).

## Use cases

Kustom Checkout (KCO) provides a callback mechanism for merchants to validate orders before finalization.  This is useful for various scenarios:

* **Out of stock validation:** Verify item availability before purchase.
* **Delivery limitations:** Ensure products can ship to the provided address.
* **Order number generation:** Generate internal order IDs for tracking.
* **Blacklisted consumers:** Prevent sales to specific customers or addresses.
* **Discount coupon validation:** Validate discount codes to prevent misuse.
* **Cart validation:** Prevent fraudulent purchases by comparing the KCO order with the internal cart.


## How it’s done

![Order validation flowchart](/assets/941040b4-f2c1-49e3-b317-bb3cee95192d-order-validation-flowchart.c18043fed270f94eef4058ec3ceed51aa0ab68545082b4acfbc04a7f519116c9.f02f6a03.jpeg)

## Order configuration

Include the optional `merchant_urls.validation` property in order configuration.  Use HTTPS for the validation URI.

All communication with the validation URI is encrypted. Use HTTPS for this URI.


```json
  "merchant_urls": {
    "terms": "https://merchant.com/toc",
    "checkout": "https://merchant.com/checkout?kustom_order_id={checkout.order.id}",
    "confirmation": "https://merchant.com/confirmation?kustom_order_id={checkout.order.id}",
    "push": "https://merchant.com/push?kustom_order_id={checkout.order.id}",
    "validation": "https://merchant.com/validation?kustom_order_id={checkout.order.id}"
  }
```

## Respond to KCO’s POST request

A POST request is sent to the `merchant_urls.validation` endpoint when the user clicks "buy now."  The request body contains the order details.

You do not need to fetch the order from KCO; all information is included in the POST request body.

The system expects a response within 3 seconds.  If no response is received and `require_validate_callback_success: false`, the order is automatically approved.  If `require_validate_callback_success: true`, a 10-second timeout triggers order failure.

* **Approve:** Respond with HTTP status 200 OK.
* **Deny:** Respond with HTTP status 303 See Other, including a `Location` header to a custom page explaining the rejection reason.


The rejection page should be hosted by you and should provide clear reasons for the purchase denial.

## Cards and 3D Secure

An HTTP 200 OK response does *not* guarantee order completion if the payment involves 3D Secure authentication. Kustom retains a card reservation even if the validation callback is responded to with HTTP 303 (deny purchase) after the authentication step.  Order completion occurs only after the final authentication step.