Tags: security, payment, square

Square API callbacks on successful checkout payment


I am using the Square API to process user payment (using the Create Checkout Link API): POST /v2/online-checkout/payment-links.

The problem is that Square does not support out-of-the-box callback functions on payment success and payment failure; it only provides a redirect_url option to send the user to another page when they finish the payment.

The way I solved it now is to generate a random secret key for each purchase intent and pass the key as an argument in the redirect_url:

redirect_url = "https://example.com?pid=5&secret_key=abcdefgh12345"

This, however, exposes the inner workings of my system to anyone remotely skilled in IT: they can see that I pass a secret key as a GET argument.

Even though the secret key is a variation with class 25 and number of elements 64, where order of elements is important and repetition is allowed (which works out to ~2*10^84), if there is ever a leak of the database (e.g. the hosting provider is compromised), all the secret keys will be up for grabs and people can just manually hit the API to approve their purchases. I need to either make this more subtle or change the payment validation process altogether.

Any way I can improve my current system? Is there a way to somehow use Square's API to verify a purchase success via callback like the Stripe API provides?


Solution

  • You can add your key to the redirect_url but, as you pointed out, that's easily accessible to bad actors. Have you looked at adding your secret key as a reference_id in the payment link order? Once the payment is complete you can take the order_id and call RetrieveOrder to get all order details, including your unique reference_id, which wouldn't be accessible to bad actors.
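Added example (not code from the question or the answer) of wiring the reference_id approach up server-side in Python. The Square HTTP client is replaced by an injected `retrieve_order` callable so it runs offline; the field names follow the answer and Square's CreatePaymentLink/Order objects (order.reference_id, checkout_options.redirect_url, RetrieveOrder returning state and total_money), the purchase table is an in-memory dict constructed for the example, and the `pid` and `location_id` values are placeholders.

```python
import hmac
import secrets
from typing import Any, Callable, Dict

# Constructed in-memory stand-in for the merchant's purchase-intent table.
PURCHASE_INTENTS: Dict[str, Dict[str, Any]] = {}

def create_purchase_intent(pid: str, amount: int, currency: str) -> str:
    """Store a purchase intent with a random per-intent reference token."""
    reference_id = secrets.token_urlsafe(32)
    PURCHASE_INTENTS[pid] = {"reference_id": reference_id, "amount": amount,
                             "currency": currency, "paid": False}
    return reference_id

def build_payment_link_body(pid: str, location_id: str) -> Dict[str, Any]:
    """Body for POST /v2/online-checkout/payment-links: the token goes in
    order.reference_id (seen only by merchant and Square), while redirect_url
    carries nothing but the public purchase id."""
    intent = PURCHASE_INTENTS[pid]
    return {
        "idempotency_key": secrets.token_hex(16),
        "order": {
            "location_id": location_id,
            "reference_id": intent["reference_id"],
            "line_items": [{"name": f"Purchase {pid}", "quantity": "1",
                            "base_price_money": {"amount": intent["amount"],
                                                 "currency": intent["currency"]}}],
        },
        "checkout_options": {"redirect_url": f"https://example.com/return?pid={pid}"},
    }

def confirm_payment(pid: str, order_id: str,
                    retrieve_order: Callable[[str], Dict[str, Any]]) -> bool:
    """Confirm a purchase from the order Square returns. `retrieve_order` wraps
    RetrieveOrder (GET /v2/orders/{order_id}); the visitor supplies only an
    order_id, and every fact that matters is read back from Square."""
    intent = PURCHASE_INTENTS.get(pid)
    if intent is None or intent["paid"]:
        return False  # unknown intent, or a replayed confirmation
    order = retrieve_order(order_id).get("order", {})
    ref = order.get("reference_id") or ""
    if not hmac.compare_digest(ref.encode(), intent["reference_id"].encode()):
        return False  # this order was not created for this intent
    if order.get("state") != "COMPLETED":
        return False  # still open, or canceled
    money = order.get("total_money", {})
    if (money.get("amount"), money.get("currency")) != (intent["amount"], intent["currency"]):
        return False  # amount or currency differs from what was owed
    intent["paid"] = True
    return True
```

The same `confirm_payment` check can be driven from a Square webhook instead of the redirect, since it trusts nothing about the caller beyond the order_id it looks up.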