Hey @lukestokes - thank you for your feedback! What I've implemented here is only a client-side library, so unless I'm missing something, I think the HMAC encryption would be done on the server-side.
I definitely agree that all links and payment-related information should be signed/encrypted as you mentioned so that all of the information can be validated. If / when I add any server-side components to this project I will definitely include that and probably use your docs for some help!
Please let me know if I'm misunderstanding what you're suggesting though!
That sounds perfect! The challenge with purely client-side tools is you can’t store any secrets. What we also do is provide a server-side signing form so links can be signed and then used on static sites. A toolset like that (along with server-side validation code) could be really helpful so the signed links secure what’s on the front end and the backend validates them as well.
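
An added example, not part of either comment above and not the project's own code: a sketch of the server-side link signing and backend validation described in the last reply, using HMAC-SHA256. The function names, the parameter names (`to`, `amount`, `memo`, `sig`), the URL and the key are all assumptions made up for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key. A real key lives only on the server, never in client code.
SECRET = b"demo-server-side-key"


def _mac(target: str, params: dict, secret: bytes) -> str:
    # Canonical form: host+path plus parameters sorted by name,
    # so reordering the query string cannot change the MAC.
    canonical = target + "?" + urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def sign_link(base_url: str, params: dict, secret: bytes = SECRET) -> str:
    """Server-side signing step: return base_url with params and a 'sig' field."""
    if "sig" in params:
        raise ValueError("'sig' is reserved for the signature")
    params = {k: str(v) for k, v in params.items()}
    parts = urlsplit(base_url)
    sig = _mac(parts.netloc + parts.path, params, secret)
    return base_url + "?" + urlencode(sorted(params.items()) + [("sig", sig)])


def verify_link(url: str, secret: bytes = SECRET):
    """Backend validation: return the params if the MAC checks out, else None."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [k for k, _ in pairs]
    # Duplicate names are ambiguous to parse; a missing sig means unsigned.
    if len(names) != len(set(names)) or "sig" not in names:
        return None
    params = dict(pairs)
    sig = params.pop("sig")
    expected = _mac(parts.netloc + parts.path, params, secret)
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    return params if hmac.compare_digest(sig.encode(), expected.encode()) else None


if __name__ == "__main__":
    link = sign_link("https://shop.example/pay",
                     {"to": "merchant", "amount": "10.000", "memo": "order-42"})
    print(link)
    print(verify_link(link))                              # original params
    print(verify_link(link.replace("10.000", "0.001")))   # None: amount was edited
```

The signed link can be pasted into a static page as-is; only the signing form and the validating backend ever see the key.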