Online Order

Secure Link for Order Flow

3 min read#9

Every online order is protected by a secure signed link that prevents anyone from manipulating others' orders. This article explains how it works and why it matters.

What is the secure link?

When a guest creates an order via Online Order, Vendion generates a secure signed link that is unique to that specific order and restaurant. The link also contains an expiry time – typically 24 hours.

The link is signed with a secret key that only exists on Vendion's servers. It cannot be forged or modified.

When is the link used?

The link is required for all actions that modify the order:

Add product
Remove product
Change quantity
Link customer data
Mark as paid

Without a valid link, the action is denied.

What does it protect against?

Manipulation of others' orders

Without the secure link, someone could potentially guess order IDs and manipulate others' order totals. With the link this is impossible – no one can sign their own links.

Replay attacks

Each link is valid only for 24 hours. If an old link leaks, it cannot be used after expiry.

Order hijacking

If two guests scan the same QR and each get their own order, neither can affect the other's order because the link is unique per order.

Where is the link stored?

The link is saved in:

The browser – for return to the same order later
SMS receipt link – so the guest can return via SMS

Lifetime and expiry

Default time: 24 hours from creation
No automatic renewal – after expiry, a new order is required

24 hours is deliberately long to cover:

Guests who close the browser and return
SMS receipt links clicked after a few hours
Long orders at events or large parties

What happens if the link expires?

If the guest tries to interact with an expired link:

The system shows a message: "Your session has expired. Start a new order."
The browser is cleared
Guest is redirected to the start page

There is no way to "extend" an old link – the guest must create a new order.

Security notes

Link ≠ SMS verification

The link proves the order is "the right order" but says nothing about who owns it. SMS verification is separate and handles ownership of loyalty points and customer profile.

For developers

If you want to integrate Vendion's Online Order API, contact support@vendion.com for API documentation.

This feature is part of Vendion Online Order.

Curious how it looks in practice? Read more about the product or book a short demo.

Read about Vendion Online Order Book a demo

Was this article helpful?

Security in the Guest AI Assistant

How we secure the guest AI – rate limits, spam protection, and security improvements planned.

OTP and Phone Verification for Guests

How SMS-based OTP verification works in Online Order – flow, rate limits, cost, and how to support guests with issues.

#16

Pending Orders and Payment Links

How "awaiting payment" status works – guests who abort mid-payment can return via a secure payment link.