Client Integration Security

parando
New Community Member

I'm using Client Integration with checkout.js and it all works fine.

What I don't understand is how to verify that something has been paid for. It appears that all the order information, URLs, and credentials are exposed in the client JavaScript. How do I know for sure that payment has been credited and the callback, redirect, or whatever is coming after an actual payment, rather than being falsely provided by an attacker who read the JavaScript, dropped the payment page, and manually redirected to the confirmation page?

 

Basically I'm asking if it's possible to secure Client Integration to the degree that I know I've been really paid before I fulfill the order. Is Client Integration fundamentally insecure in this way -- do I have to use Server Integration, or Webhooks to achieve fulfillment security?
