I've coded a callback script for premium sms features on my site which seems to work ok but, I am expanding that to work for site credits too and I need to make sure it wont get exploited (which some people will inevitably try to do)

I want to be able to encrypt a particular unique thing for a user so I can send that with the payment request, when the SMS gateway API sends a callback to my script it sends that value back so I can check that it matches what I sent.

I imagine I can do this with a wordpress function, I can't do it with a _nonce value coz the callback calls my script multiple times with part payments and finally with the success call which seems to work once but if the user makes another payment on the same screen, the nonce doesn't get accepted again which is, I think, the point of a number-used-once system.

does anyone have experience using a key type thing to do this (sorry, I don't even know what it would be called!). I expect it would involve me taking the user_id , amount of credits and possibly the date and encrypting that on server side and appending it to the link that is shown on the page. When the user clicks it and succeeds in making payment, the gateway provider sends it back along with success code and I am the only one that knows how that key was made so I can check it by making another one with the same details and if it matches, do the logic for increasing credits or activating the blog/plugin/theme etc.

is there a wordpress function other than wp_nonce to do this kind of thing? or is there a simpler way that a simpleton can understand?