1. The PWA client uses the setPaymentMethodOnCart mutation to set the payment method.

  2. The mutation returns a Cart object.

  3. The client runs the placeOrder mutation, which creates an order and begins the authorization process.

  4. The application requests a secure token from the PayPal gateway.

  5. The gateway response includes a secure token, a secure token ID, and the URL to use for requesting the form in step 9. This token secures the data for a one-time transaction and is valid for 30 minutes.

  6. The placeOrder mutation returns an order ID. The application does not return secure token information. The order has the status payment pending.

  7. The client runs the getPayflowLinkToken mutation to retrieve the secure token information.

  8. The application returns the token information.

  9. The client displays a payment form in an iframe rendered from the URL given in the paypal_url field of the getPayflowLinkToken mutation response. When the customer completes the form, the client sends the payment information directly to the PayPal gateway, bypassing the application server.

  10. After PayPal processes the payment, the gateway sends a silent post request to the application server. As a result, the application sets the order status to processing, and the order is ready to be invoiced.

  11. The PayPal gateway returns control of the customer's browser to the client.
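
The following added example (not part of the original documentation) shows one way a client could validate the getPayflowLinkToken response from steps 7 to 9 before using it as an iframe source, since the card form is only trustworthy if it really loads from the gateway over HTTPS. The secure_token, secure_token_id and mode field names, the SECURETOKEN, SECURETOKENID and MODE query parameters, the host allowlist, and the function name are assumptions to confirm against your gateway configuration.

```javascript
// Added example: validate the getPayflowLinkToken response before using it as an iframe src.
// Assumed (not stated on the page): the secure_token, secure_token_id and mode field names,
// the SECURETOKEN / SECURETOKENID / MODE query parameters, and the host allowlist below.
const ALLOWED_HOSTS = new Set(['payflowlink.paypal.com', 'pilot-payflowlink.paypal.com']);
const TOKEN_TTL_MS = 30 * 60 * 1000; // the page states the token is valid for 30 minutes

// tokenIssuedAtMs: when the client saw placeOrder return (hypothetical bookkeeping).
function buildPayflowIframeUrl(tokenInfo, tokenIssuedAtMs, nowMs = Date.now()) {
  const { paypal_url, secure_token, secure_token_id, mode } = tokenInfo || {};
  if (!paypal_url || !secure_token || !secure_token_id) {
    throw new Error('incomplete token response');
  }
  // Client-side freshness check only; the gateway remains the authority on expiry.
  if (nowMs - tokenIssuedAtMs >= TOKEN_TTL_MS) {
    throw new Error('secure token expired');
  }
  let url;
  try {
    url = new URL(paypal_url);
  } catch {
    throw new Error('paypal_url is not a valid URL');
  }
  // Exact-match checks: substring or suffix tests would accept look-alike hosts.
  if (url.protocol !== 'https:') throw new Error('paypal_url must use https');
  if (url.username || url.password) throw new Error('paypal_url must not embed credentials');
  if (url.port) throw new Error('paypal_url must not specify a port');
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error('unexpected gateway host');
  url.searchParams.set('SECURETOKEN', secure_token);
  url.searchParams.set('SECURETOKENID', secure_token_id);
  if (mode === 'TEST') url.searchParams.set('MODE', 'TEST');
  return url.toString();
}

// Constructed sample response (placeholder values, not real tokens).
const sampleTokenInfo = {
  paypal_url: 'https://pilot-payflowlink.paypal.com',
  secure_token: 'CONSTRUCTEDTOKEN123',
  secure_token_id: 'constructedid456',
  mode: 'TEST',
};
```

Call the function immediately before creating the iframe and treat any thrown error as a reason to stop and restart the payment step rather than rendering the form.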