Idempotency Key Uniqueness

Your idempotency key uniqueness requirements are different to average API users, and have security implications.

If you're a reseller or a multi-merchant site, where all those merchants' requests are sent with your API key, then here is something to keep in mind. Idempotency keys need to be unique per Sendle customer. That is, not unique per merchant on your platform, but unique for all requests sent with your API credentials.

If two of your customers try to create an order with the exact same details (as unlikely as that may be), then you need to make sure the idempotency key for those orders is different. If you do something like hash the order details to get the key, we recommend adding the merchant and/or customer ID into the hash to add some more uniqueness.

However, the easiest way to solve this is to use a UUID instead as it's practically guaranteed to be unique. Long, randomised values are more likely to be unique. Shorter, meaningfully-generated keys won't be as secure.

We also check to make sure the request parameters are the same on any repeated idempotency key we see. This makes it harder for a malicious user on your platform to randomly spoof an idempotency key and use it as a back-channel for gaining access to order data. Because of this extra protection, a malicious user would need to know not only the idempotency key, but also all the parameters that were sent with the original request that made with that key.