Configuration

Punchout configuration is split into global settings, buyer profile settings, mapping profile settings, and runtime security controls.

1. Global settings (Stores > Configuration > Punchout)

Recommended baseline:

  • Punchout Enabled = Yes
  • Sandbox Mode = Yes in test environments only
  • Strict Signature Check = Yes in production
  • Allowed IP Ranges limited to your procurement platform egress IPs
  • Trace Enabled = Yes during integration and go-live
  • Trace Retention Days = 14 to 30

2. Buyer profile configuration

A buyer profile defines who can start Punchout and under which protocol identity.

Required fields:

  • Active = Yes
  • Protocol = oci or cxml
  • Buyer ID = external procurement identity
  • Store View = specific scope or All Store Views
  • Mapping Profile = selected profile for transfer behavior

Credential handling:

  • use typed credential fields in admin
  • secrets are stored encrypted internally
  • avoid sharing one buyer profile across unrelated customers

3. Mapping profile configuration

A mapping profile controls how source data becomes outbound transfer fields.

Required structure:

  • protocol and direction must match the buyer and flow
  • source entity and source field
  • target field
  • required flag
  • sort order

Recommended structure:

  • start from a template profile
  • keep partner-specific overrides in a dedicated custom profile
  • avoid editing template profiles directly for production projects

4. Runtime security behavior

Security checks are evaluated in sequence during inbound requests.

Common settings:

  • strict signature mode
  • signature secret
  • IP allowlist
  • hook URL validation behavior
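
The following is an added example, not the module's own code. It sketches how an IP allowlist check and a strict signature check can be evaluated in sequence on an inbound request. Assumptions: the setting key names, the order (IP first, then signature), a hex HMAC-SHA256 signature over the raw request body, and relaxed mode accepting unsigned requests are all hypothetical.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample settings; key names are hypothetical, not the module's.
SETTINGS = {
    "strict_signature": True,
    "signature_secret": b"constructed-test-secret",
    "allowed_ip_ranges": ["203.0.113.0/28", "2001:db8:40::/64"],
}


def sign(secret: bytes, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def ip_allowed(remote_ip: str, ranges: list) -> bool:
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # an unparsable source address fails closed
    # An empty list matches nothing, so this example fails closed.
    # An IPv4 address tested against an IPv6 network is simply False.
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def check_inbound(settings: dict, remote_ip: str, body: bytes,
                  signature: Optional[str]) -> tuple:
    """Run the checks in order and stop at the first failure."""
    if not ip_allowed(remote_ip, settings["allowed_ip_ranges"]):
        return (False, "ip_not_allowed")
    if signature is None:
        # Strict mode rejects unsigned requests; relaxed mode lets them pass.
        if settings["strict_signature"]:
            return (False, "signature_missing")
        return (True, "unsigned_accepted")
    expected = sign(settings["signature_secret"], body)
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(expected.encode(), signature.lower().encode()):
        return (False, "signature_invalid")
    return (True, "ok")
```

The "unsigned_accepted" result is the reason to enforce strict mode before production: with strict mode off, the IP allowlist is the only control applied to an unsigned request.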

5. Operational controls

Recommended runtime controls:

  • trace logging enabled in integration and go-live phases
  • retention tuned to support/debugging needs
  • sandbox mode only for non-production endpoints and tests

6. Configuration order for first rollout

  1. Configure global security and trace options.
  2. Create buyer profile with protocol and identity.
  3. Create mapping profile from template and assign it.
  4. Execute simulator and verify trace details.
  5. Enforce strict mode and narrow IP ranges before production.
