About PunchOut Tester
A self-contained PHP 8.2+ tool for testing and validating cXML PunchOut and SAP OCI round trips.
cXML PunchOut
- PunchOutSetupRequest — Initiate a PunchOut session with a supplier
- PunchOutSetupResponse — Parse the supplier's response with StartPage URL
- PunchOutOrderMessage — Receive and parse the shopping cart return
- Supports cXML 1.2.x standard
- Extrinsics, custom headers, basic auth
SAP OCI
- OCI 4.0 / 5.0 — Launch OCI catalog sessions
- HOOK_URL Return — Parse returned cart items
- Support for NEW_ITEM-* field parsing
- Custom additional parameters
- Auto-submitting form POST launch
Return Endpoints
These endpoints receive the cart data from suppliers. Share them with suppliers or use a tunnel to expose them externally.
| Protocol | Endpoint | Method |
|---|---|---|
| cXML | https://punchout.ataraxie.de/cxml/return | POST (BrowserFormPost) |
| OCI | https://punchout.ataraxie.de/oci/return | POST (HOOK_URL) |
Storage Locations
| Type | Path | Format |
|---|---|---|
| Profiles | /storage/profiles/ | JSON files (cxml-*.json, oci-*.json) |
| Logs | /storage/logs/ | JSONL files (YYYY-MM-DD.jsonl) |
Exposing Endpoints Externally
To test with real suppliers, you need to expose your return endpoints to the internet. Options include:
- ngrok — `ngrok http 8080` for quick tunneling
- Cloudflare Tunnel — For more permanent setups
- Public hosting — Deploy this tool on a public server
When using a tunnel, update the BrowserFormPost URL (cXML) or HOOK_URL (OCI) to use the public tunnel URL.
⚠️ Standard vs Non-Standard Implementations
This tool supports both standard protocols and common non-standard variations. Non-standard implementations are clearly marked.
Standard cXML Flow
- Buyer sends PunchOutSetupRequest via HTTP POST
- Supplier returns PunchOutSetupResponse with StartPage URL
- Buyer opens StartPage in browser/iframe
- Supplier POSTs PunchOutOrderMessage to BrowserFormPost URL
Standard OCI Flow
- Buyer browser POSTs form directly to supplier URL (with HOOK_URL, USERNAME, PASSWORD, etc.)
- Supplier renders shop page in browser
- User shops and clicks "transfer cart"
- Supplier POSTs NEW_ITEM-* fields to HOOK_URL
Non-Standard Supplier Behaviors (Detected & Warned)
| Behavior | What We Send | What Supplier Does | Verdict |
|---|---|---|---|
| OCI JSON Response | Standard OCI form POST | Returns JSON with punchoutUrl | ⚠️ Supplier non-standard |
| OCI Custom Fields | Standard OCI + extra fields | Requires sessionId, accountID, etc. | ⚠️ Supplier non-standard |
| cXML on OCI Endpoint | OCI HOOK_URL | Returns cXML PunchOutOrderMessage | ❌ Supplier violates spec |
Important: This tool correctly implements the OCI and cXML standards. Non-standard behaviors are supplier decisions, not our requests. If a supplier returns cXML via the OCI endpoint, that is their implementation choice; for proper cXML, use the cXML tab with XML POST.
Security Notes
- Shared secrets and passwords are masked in logs and UI displays
- CSRF protection is enabled for all POST actions
- This tool is intended for development/testing — do not expose to untrusted networks
- Session data is stored server-side; clear sessions when done testing
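The "cXML on OCI Endpoint" check from the table above and the log masking from the first security note can be sketched together as follows. This is an added example, not the tool's own code: the function names, the `***` mask and the sample payloads are assumptions, while `cxml-urlencoded` and `cxml-base64` are the standard cXML BrowserFormPost field names.

```python
import base64
import json
import re

SECRET_FIELDS = {"PASSWORD"}  # OCI launch field named on the page; extend as needed (assumption)
SECRET_XML = re.compile(r"(<SharedSecret>).*?(</SharedSecret>)", re.S)

# Constructed samples, not captured supplier traffic.
SAMPLE_OCI = {"NEW_ITEM-DESCRIPTION[1]": "Stapler", "NEW_ITEM-QUANTITY[1]": "2"}
SAMPLE_CXML = ('<cXML><Header><Sender><Credential domain="NetworkId"><Identity>supplier'
               '</Identity><SharedSecret>s3cret</SharedSecret></Credential></Sender></Header>'
               '<Message><PunchOutOrderMessage/></Message></cXML>')

def extract_cxml(fields):
    """Return the cXML document carried in a BrowserFormPost form, or None."""
    if "cxml-base64" in fields:
        try:
            return base64.b64decode(fields["cxml-base64"], validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64 from an untrusted sender
            return None
    return fields.get("cxml-urlencoded")  # already URL-decoded by the web server

def classify_return(endpoint, fields):
    """Detect the protocol of a cart-return POST and flag a mismatch with the endpoint."""
    cxml = extract_cxml(fields)
    if cxml is not None and "<PunchOutOrderMessage" in cxml:
        detected = "cxml"
    elif any(name.upper().startswith("NEW_ITEM-") for name in fields):
        detected = "oci"
    else:
        detected = "unknown"
    return {"endpoint": endpoint, "detected": detected,
            "mismatch": detected not in (endpoint, "unknown")}

def mask_for_log(fields):
    """Copy the fields with credentials replaced so secrets never reach the JSONL log."""
    masked = {}
    for name, value in fields.items():
        if name == "cxml-base64":  # log the decoded document so the secret can be masked
            value = extract_cxml(fields) or "<undecodable>"
        masked[name] = "***" if name.upper() in SECRET_FIELDS else SECRET_XML.sub(r"\1***\2", value)
    return masked

def log_line(endpoint, fields):
    """Build one JSONL record for a return POST."""
    record = classify_return(endpoint, fields)
    record["fields"] = mask_for_log(fields)
    return json.dumps(record, sort_keys=True)
```

Masking the decoded document rather than the raw `cxml-base64` value matters because a regex over the base64 text would never see the `SharedSecret` element.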
System Information
| PHP Version | 8.1.34 |
| Base URL | https://punchout.ataraxie.de |
| Session ID | sns9hasb36arl101js84chrmtc |
| cURL | Available (7.88.1) |