What is the purpose of the client secret ID?

Having a unique secret ID for every client is intended to prevent them from potentially trying to see invoices that don’t belong to them.

When an invoice is sent to a client, the URL looks something like this:


There is a chance that a client who knows a little about web development and query strings might try to be sneaky and change one or more of the query string values in the URL while viewing an invoice, in an attempt to see whether they can view other invoices that don't belong to them (for example, changing invoice_ID=1000 to invoice_ID=500).

As long as each client has a unique secret ID, it will be impossible for a client to see an invoice that doesn't belong to them. Invoice Rocket checks that the invoice_ID and client_ID both belong to the client with the matching secret_ID, and only if this check passes can they view the invoice. If the check fails, they will see a 404 page.

Note: if a client managed to access another invoice after guessing a different existing invoice_ID, it would only be an invoice they had already been sent anyway.
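The check described above, written out as an added illustration (this is not Invoice Rocket's own code): the query string parameter names invoice_ID, client_ID and secret_ID, the in-memory tables, the sample records and the secret values are all assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample records standing in for the application's database.
# The table layout is an assumption, not Invoice Rocket's actual schema.
CLIENTS = {
    1: {"name": "Acme Ltd", "secret_id": "k3Jf8QpZ2mX9vL0w"},
    2: {"name": "Globex", "secret_id": "R7tB4nH1cY6sE2qU"},
}
INVOICES = {
    1000: {"client_id": 1, "total": 250.00},
    500: {"client_id": 2, "total": 980.00},
}


def new_secret_id() -> str:
    """Generate an unguessable secret ID for a new client (128 bits of randomness)."""
    return secrets.token_urlsafe(16)


def find_invoice(invoice_id: int, client_id: int, secret_id: str):
    """Return the invoice only if invoice_ID and client_ID both belong to the
    client holding secret_ID; otherwise None, which the caller renders as 404."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed secret were correct.
    if not hmac.compare_digest(client["secret_id"].encode(), secret_id.encode()):
        return None
    invoice = INVOICES.get(invoice_id)
    # Guessing another existing invoice_ID is not enough: it must be tied to
    # the same client_ID that the secret_ID authenticated.
    if invoice is None or invoice["client_id"] != client_id:
        return None
    return invoice


def view_invoice(url: str):
    """Handle a request for an invoice URL; returns (status, invoice_or_None)."""
    qs = parse_qs(urlparse(url).query)
    try:
        invoice_id = int(qs.get("invoice_ID", [""])[0])
        client_id = int(qs.get("client_ID", [""])[0])
    except ValueError:
        return 404, None  # malformed IDs get the same 404 as a failed check
    secret_id = qs.get("secret_ID", [""])[0]
    invoice = find_invoice(invoice_id, client_id, secret_id)
    return (200, invoice) if invoice is not None else (404, None)
```

A failed check and a malformed request both answer with the same 404, so the response itself does not tell the requester which of the three values was wrong.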

