Nabeyond ltd t/a CartDNA is a Shopify Payment App Development Partner
Use this guide to connect CartDNA to your ecommerce store, app, or backend service. The core flow is simple: authenticate, create a payment request, send security headers, redirect the customer, and listen for callbacks.
Before you start, collect your CartDNA credentials. Your setup will normally include a client ID, client secret, merchant ID, and signature key. Keep private values on the server only. Never expose them in browser code or public repositories.
CartDNA uses token-based authentication. Your server sends your client credentials to the auth endpoint and receives an access token. You then include that token as a Bearer token in every API request that requires authorisation.
Note: Refresh the token when it expires. Handle 401 responses cleanly in your backend.
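The token lifecycle described above, as an added example that is not CartDNA's own client code. The endpoint shapes (a token call returning `access_token` and `expires_in`, and a 401 on an expired token) are assumptions modelled by a constructed in-memory stand-in; the client refreshes shortly before the stated expiry and, if a request still comes back 401, refreshes once and retries once rather than looping.

```python
import time
from typing import Callable, Dict, List, Tuple


class Clock:
    """Controllable clock so the scenario below runs offline and deterministically."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class FakeCartDNA:
    """Constructed stand-in for the auth and API endpoints (not CartDNA's API).

    It issues tokens with a TTL and answers 401 once a token has expired,
    which is the behaviour the client must cope with.
    """

    def __init__(self, clock: Callable[[], float], ttl: int = 3600) -> None:
        self.clock = clock
        self.ttl = ttl
        self.issued = 0
        self.expiry: Dict[str, float] = {}

    def token(self, client_id: str, client_secret: str) -> dict:
        # A real server would check the credentials; the stand-in just issues.
        self.issued += 1
        tok = f"tok-{self.issued}"
        self.expiry[tok] = self.clock() + self.ttl
        return {"access_token": tok, "expires_in": self.ttl}

    def request(self, bearer: str) -> Tuple[int, dict]:
        if self.expiry.get(bearer, 0.0) <= self.clock():
            return 401, {"error": "token_expired"}
        return 200, {"ok": True}


class TokenClient:
    """Caches the access token server-side and refreshes it on expiry."""

    def __init__(self, client_id: str, client_secret: str, api: FakeCartDNA,
                 clock: Callable[[], float] = time.time, skew: int = 30) -> None:
        self.client_id = client_id
        self.client_secret = client_secret  # stays on the server, never in browser code
        self.api = api
        self.clock = clock
        self.skew = skew  # refresh this many seconds before the stated expiry
        self._token = None
        self._expires_at = 0.0

    def access_token(self, force: bool = False) -> str:
        if force or self._token is None or self.clock() >= self._expires_at - self.skew:
            resp = self.api.token(self.client_id, self.client_secret)
            self._token = resp["access_token"]
            self._expires_at = self.clock() + resp["expires_in"]
        return self._token

    def call(self) -> Tuple[int, dict]:
        status, body = self.api.request(self.access_token())
        if status == 401:
            # Token was rejected early (revoked, clock skew): refresh once, retry once.
            status, body = self.api.request(self.access_token(force=True))
        return status, body


def run_scenario() -> Tuple[List[int], int]:
    """Constructed walk-through: returns the status of each call and how many
    tokens the stand-in had to issue."""
    clock = Clock(0.0)
    api = FakeCartDNA(clock, ttl=3600)
    client = TokenClient("example-client-id", "example-client-secret", api, clock=clock)
    statuses = [client.call()[0]]          # first call: token 1 issued
    clock.now = 3600 - 10                  # inside the skew window: proactive refresh
    statuses.append(client.call()[0])      # token 2 issued before the 401 could happen
    api.expiry[client.access_token()] = clock.now   # server invalidates token 2 early
    statuses.append(client.call()[0])      # 401 -> forced refresh -> token 3 -> 200
    return statuses, api.issued


if __name__ == "__main__":
    print(run_scenario())
```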
Build a payment payload using your order reference, amount, currency, transaction type, payment method, customer details, return URL, cancel URL, and callback URL. Add metadata if you need to link the payment to your own internal systems.
Helpful examples:
Each payment request should include the required headers for authentication and request protection. These include the Bearer token, a UTC timestamp, an idempotency key, and a generated signature.
Note: These headers help prevent replay issues, duplicate requests, and tampered payloads.
CartDNA requires a SHA-256 signature built from key values in a strict order. The amount must be converted into its integer minor-unit format, the signature key must be MD5 hashed, and the final string must be SHA-256 hashed and the digest sent in uppercase form.
Note: Create one tested server-side utility for this. Reuse it across all payment requests.
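A server-side signing and header utility of the kind the two notes above ask for, as an added example that is not CartDNA's own code. The guide states the steps (minor-unit amount, MD5 of the signature key, SHA-256 over an ordered string, uppercase output) but not the field order, the separator or the header names; those are assumptions here and must be taken from CartDNA's API reference before signing live traffic.

```python
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

# ASSUMPTION: the fields in the signature and their order. The guide says the
# order is strict but does not list it; confirm order and separator with
# CartDNA's API reference.
SIGNATURE_FIELDS = ("merchant_id", "order_reference", "amount_minor", "currency", "timestamp")
SEPARATOR = "|"  # assumption


def to_minor_units(amount: str, exponent: int = 2) -> int:
    """Convert a decimal amount string ("12.34") to integer minor units (1234).

    Decimal, not float, so binary rounding cannot alter the amount that gets
    signed. `exponent` is the currency's minor-unit exponent (2 for GBP, USD,
    EUR; 0 for zero-decimal currencies).
    """
    step = Decimal(1).scaleb(-exponent)
    quantised = Decimal(amount).quantize(step, rounding=ROUND_HALF_UP)
    return int(quantised.scaleb(exponent))


def build_signature(fields: dict, signature_key: str) -> str:
    """SHA-256 signature as the guide describes: MD5-hash the signature key,
    join the key values in the fixed order, hash the string and return the
    hex digest in uppercase."""
    hashed_key = hashlib.md5(signature_key.encode("utf-8")).hexdigest()
    ordered = [str(fields[name]) for name in SIGNATURE_FIELDS]
    to_sign = SEPARATOR.join(ordered + [hashed_key])
    return hashlib.sha256(to_sign.encode("utf-8")).hexdigest().upper()


def verify_signature(fields: dict, signature_key: str, presented: str) -> bool:
    """Recompute and compare in constant time; handy in tests and whenever a
    signature comes back to your server."""
    if not presented.isascii():
        return False
    expected = build_signature(fields, signature_key)
    return hmac.compare_digest(expected, presented.upper())


def build_headers(access_token: str, signature: str,
                  idempotency_key: Optional[str] = None,
                  timestamp: Optional[str] = None) -> dict:
    """The per-request headers the guide lists. Header names are assumptions.
    A fresh UUID is the idempotency key for each new payment attempt; reuse it
    only when retrying that same attempt."""
    return {
        "Authorization": f"Bearer {access_token}",
        "X-Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "X-Idempotency-Key": idempotency_key or str(uuid.uuid4()),
        "X-Signature": signature,
    }


# Constructed sample values; not real credentials.
SAMPLE_KEY = "example-signature-key"
SAMPLE_FIELDS = {
    "merchant_id": "MERCHANT-0001",
    "order_reference": "ORDER-1001",
    "amount_minor": to_minor_units("12.34"),
    "currency": "GBP",
    "timestamp": "2024-01-01T00:00:00Z",
}

if __name__ == "__main__":
    sig = build_signature(SAMPLE_FIELDS, SAMPLE_KEY)
    print(build_headers("example-access-token", sig, timestamp=SAMPLE_FIELDS["timestamp"]))
```

Keep the field order in one place (the tuple above) so the request builder and any verification path cannot drift apart, and keep `signature_key` out of log output: the function only ever logs nothing, and the caller should do the same.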
A successful payment request returns a payment URL. Redirect the customer to that URL so they can complete the transaction using the selected payment method.
Customer flow:
CartDNA can notify your callback endpoint when payment events happen. Use this to update order status, payment status, support dashboards, and internal reports. Your callback handler should log events, validate requests, and be safe to retry: a repeated delivery of the same event must not change your order state a second time.
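A callback handler with the three properties just listed (logging, validation, safe retries), as an added example that is not CartDNA's own code. The event field names, the timestamp format and the ten-minute freshness window are assumptions; the sample deliveries are constructed, and the in-memory `seen` set stands in for the durable store a production service would use.

```python
import json
import logging
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple

logger = logging.getLogger("cartdna.callback")

MAX_EVENT_AGE = timedelta(minutes=10)  # assumption: reject deliveries older than this
REQUIRED = ("event_id", "event_type", "order_reference", "status", "timestamp")  # assumed fields


class CallbackProcessor:
    """Processes callback deliveries idempotently, keyed on the event id."""

    def __init__(self, now: Callable[[], datetime]) -> None:
        self.now = now
        self.seen: Set[str] = set()         # production: a durable store with a unique index
        self.orders: Dict[str, str] = {}    # order_reference -> last payment status

    def handle(self, raw_body: str) -> dict:
        """Return an HTTP-style status and a reason; never raise on bad input."""
        try:
            event = json.loads(raw_body)
        except json.JSONDecodeError:
            logger.warning("callback rejected: body is not JSON")
            return {"status": 400, "reason": "invalid_json"}

        missing = [name for name in REQUIRED if name not in event]
        if missing:
            logger.warning("callback rejected: missing fields %s", missing)
            return {"status": 400, "reason": "missing_fields"}

        try:
            sent_at = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            logger.warning("callback rejected: bad timestamp %r", event["timestamp"])
            return {"status": 400, "reason": "bad_timestamp"}
        if abs(self.now() - sent_at) > MAX_EVENT_AGE:
            logger.warning("callback rejected: stale event %s", event["event_id"])
            return {"status": 400, "reason": "stale"}

        if event["event_id"] in self.seen:
            # Retried delivery: acknowledge with 200 so the sender stops, change nothing.
            logger.info("duplicate callback %s ignored", event["event_id"])
            return {"status": 200, "reason": "duplicate"}

        # Apply the state change, then record the event id. Log identifiers and
        # status only; never the raw body, which may carry customer details.
        self.orders[event["order_reference"]] = event["status"]
        self.seen.add(event["event_id"])
        logger.info("callback %s: order %s -> %s", event["event_id"],
                    event["order_reference"], event["status"])
        return {"status": 200, "reason": "processed"}


# Constructed clock and deliveries for an offline run; not real CartDNA traffic.
FIXED_NOW = datetime(2024, 1, 1, 0, 5, 0, tzinfo=timezone.utc)

_completed = json.dumps({"event_id": "evt-1", "event_type": "payment.completed",
                         "order_reference": "ORDER-1001", "status": "PAID",
                         "timestamp": "2024-01-01T00:04:30Z"})
SAMPLE_EVENTS: List[str] = [
    _completed,
    _completed,                                   # same event delivered again (retry)
    json.dumps({"event_id": "evt-2", "event_type": "payment.completed",
                "order_reference": "ORDER-1002", "status": "PAID",
                "timestamp": "2023-12-31T23:00:00Z"}),   # too old
    '{"event_id": "evt-3"',                       # truncated body
    json.dumps({"event_id": "evt-4", "event_type": "payment.failed",
                "order_reference": "ORDER-1003", "status": "FAILED"}),  # no timestamp
]


def run_sample() -> Tuple[List[str], Dict[str, str]]:
    processor = CallbackProcessor(now=lambda: FIXED_NOW)
    reasons = [processor.handle(body)["reason"] for body in SAMPLE_EVENTS]
    return reasons, processor.orders


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(run_sample())
```

Returning 200 for a duplicate is deliberate: the sender has already been acknowledged once, and a non-200 would only cause further retries of an event you have already applied.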
Credentials stored securely
Auth token flow tested
Signature utility verified
Idempotency strategy defined
Return and cancel URLs working
Callback endpoint live and logged
Sandbox flow tested end to end
Live environment reviewed before launch
Reusing the same idempotency key
Sending unsigned or wrongly signed requests
Using browser code for secrets
Trusting redirect success without callback confirmation
Ignoring token expiry handling
Logging sensitive secrets in plain text