Updated for latest module behavior

PunchOutHub — Overview

PunchOutHub This is a PrestaShop 9 module that enables your online store to support the cXML PunchOut protocol, a standard used by leading enterprise procurement systems such as Oracle Fusion, SAP Ariba, Coupa, and Jaggaer.

When an enterprise buyer PunchOuts into your store, they see the regular product catalog, can select products, and when they return, the cart information is sent back to the procurement system automatically.

Usage GuideLivePunchOut flow, continue shopping behavior, and return-to-buyer flowEndpoints Latestentry, oci_entry and order receiver of the latest module
✓ Production Tested
DocsReferenceFor the current commercial package, the main scope is the Single Buyer cXML PunchOut create flow, with an optional path for the OCI Add-on.

Requirements

  • PrestaShop 9.x — Supports PS9 only (not PS 1.7 or PS 8).
  • PHP 8.1+ — Depends on PS9 requirements.
  • SSL Certificate — HTTPS is required for all endpoints.
  • License Key — Provided after payment.
  • Buyer Credentials — SharedSecret and Sender ID from the buyer side
⚠ Note
We recommend using a separate subdomain for PunchOut endpoints, such as punchout.yourshop.com to make SSL and logging easier to manage.

Installation Steps

  1. Download the ZIP file

    After payment, you will receive the file punchouthub_latest.zip and the license key by email.

  2. Install through Module Manager

    In PrestaShop Admin, go to Modules → Module Manager → Upload a module, then select the ZIP file.

  3. Enter the License Key

    Go to Modules → PunchOutHub → Configure, enter the license key received by email, and click Activate License.

  4. Buyer Setupbuyerfirst

    Go to the "Buyer Setup" tab and enter the Sender ID and SharedSecret provided by the buyer side.

  5. Test in the Dashboard

    Go to the "Dashboard" tab and click "Run PunchOut Simulation" to verify that the system works correctly.

  6. Send Endpoint URLs to the buyer

    Copy URL Copy them from the Dashboard and send them to the buyer’s IT team for configuration in their procurement system.

Buyer Setup (Buyer Setup)

informationWhat you need from the buyer

  • Sender ID (From Identity) — The buyer company identifier in the procurement system
  • SharedSecret — Authentication secret that must match on both sides
  • DUNS ((if available) — The buyer organization DUNS number
Example information from Oracle Fusion
<!-- From the buyer cXML Header →
<From>
  <Credential domain="NetworkID">
    <Identity>XX_BUYER_0001</Identity> <!-- Sender ID -->
  </Credential>
</From>
<Sender>
  <SharedSecret>your-shared-secret-here</SharedSecret>
</Sender>

Endpoint URLs

After installation, PunchOutHub generates endpoint URLs automatically. You can view and copy them from the Dashboard.

Endpoint URLs
# cXML PunchOut (Oracle, Coupa, Jaggaer)
POST https://yourshop.com/module/punchout/entry

# OCI Entry (SAP Ariba)
GET/POST https://yourshop.com/module/punchout/oci_entry

# OrderMessage Receiver (PO Inbox)
POST https://yourshop.com/module/punchout/order_receiver

SECURITY

ℹ Security
PunchOutHub Uses RSA-based licensing and SHA-256 HMAC for SharedSecret authentication.

License Security

  • RSA public/private key encryption
  • Domain binding — License Bound to the store domain
  • SHA-256 integrity check Helps prevent license tampering

Request Authentication

  • SharedSecret Checks every cXML request
  • Session token One-time tokens help reduce replay attack risk
  • HTTPS required For all endpoints

Vulnerability reporting

If you discover a security issue, please contact security@getpunchouthub.com directly and avoid public disclosure.

Current Status

This section stands in place of a public changelog so buyers can understand release readiness without tracking every minor patch.

Single Buyer

  • Supports cXML PunchOut
  • Active buyer Supports 1 buyer
  • Suitable for real-world starting deployments

Single Buyer + OCI Add-on (optional)

  • Single Buyer base scope = cXML PunchOut create flow
  • Still limited to 1 buyer profile
  • OCI An add-on for customers who still want a 1 buyer / 1 company setup

Business / Custom Scope

  • Supports multiple buyers, up to 5 buyers
  • For requirements beyond the current commercial package scope
  • Suitable for more complex workflows

Documentation

  • Quick install guide
  • Buyer setup and endpoint examples
  • Usage guide for real usage and the return flow
ℹ Guidance
If you want to continue shopping in the PunchOut flow, click Back to PunchOut catalog to return to the original catalog while keeping the session and cart intact.

FAQ For Developers

Why only PrestaShop 9?
PS9 It uses Symfony 6, and the architecture differs significantly from PS 1.7/8. For example, Tools::encrypt() was removed and Db::getRow() auto-appends LIMIT 1, which required major rewrites. Supporting too many versions would reduce quality.
Upgrade version How does it work?
Upload the new ZIP through Module Manager without uninstalling the existing module. Configuration and license information remain intact, and the upgrade flow has been tested successfully.
Debug cXML request How does it work?
Use Postman to send a POST request with Content-Type: text/xml to the endpoint URL together with a sample cXML body. Review the result in Dashboard → Session Log or in the PS log under /var/log/.