I think that fetch is also problematic here, and I need to call from the sub-domain the http function that runs on the main domain. I just need to solve the session var somehow, maybe put it hidden on the Donations page. What do you think about this way?
Another alternative, which is even more secure, is to use the shared secret to encrypt the body using some standard strong algorithm, e.g. AES with the shared secret as a key → encode it using BASE64 encoding → send the request to main site.
The main site’s http function will decode BASE64 to Buffer, decrypt using the same algorithm and shared secret → and check whether the result is the expected format of the request.
An additional alternative is to use a private / public key pair. The private key is stored on the caller side, meaning the payment site, and the public key is stored on the main site.
The payment site will sign the body with the key and send it as a standard JWT token.
The main site will decode the JWT token and validate the signature using the public key.
In both of those alternatives the X-MY-AUTH header is not needed.
Just to emphasize, the payment site must call the main site from a backend web method, a backend-to-backend call.
Regards,
Genry.
I’ll start with the 1st alternative, without encoding. Then I will encode.
Thanks for your great help!
Promise to update!
Glad to be of help.
Regards,
Genry.
The backend function should be in a .js file, right? (not .jsw)
Thanks!
If you are referring to the one in the payment site, it should be a web method, meaning .jsw. You should then call it on the completed-transaction event.
Regards,
Genry.
Thank you so much for your great help!