diff --git a/plugins/fipfcard_plugin/php/paypal/paypal.php b/plugins/fipfcard_plugin/php/paypal/paypal.php
index 2de6b3c..403e4e3 100644
--- a/plugins/fipfcard_plugin/php/paypal/paypal.php
+++ b/plugins/fipfcard_plugin/php/paypal/paypal.php
@@ -8,7 +8,6 @@ if (!defined('ABSPATH')) {
 }
 
 
-include_once(PLGNTLS_class::get_path() . '/php/paypal/route_api_utils.php');
 include_once(PLGNTLS_class::get_path() . '/php/paypal/route_api_orders.php');
 include_once(PLGNTLS_class::get_path() . '/php/paypal/route_api_orders_capture.php');
 
diff --git a/plugins/fipfcard_plugin/php/paypal/route_api_orders.php b/plugins/fipfcard_plugin/php/paypal/route_api_orders.php
index 0ba41ba..bdb763b 100644
--- a/plugins/fipfcard_plugin/php/paypal/route_api_orders.php
+++ b/plugins/fipfcard_plugin/php/paypal/route_api_orders.php
@@ -1,5 +1,8 @@
 <?php
 
+include_once(PLGNTLS_class::get_path() . '/php/paypal/route_api_utils.php');
+include_once(PLGNTLS_class::get_path() . '/php/paypal/update_user_payment.php');
+
 /**
  * it means someone outside wp is accessing the file, in this case kill it.
  */
@@ -19,33 +22,15 @@ function handle_orders_request($request_data) {
 
 		// Process the order and get the response
 		$order_response = create_order($cart);
+		$json_response = $order_response['json_response'];
+		$http_status_code = $order_response['http_status_code'];
 
-error_log("in handle_orders_request, order_response");
-error_log(json_encode($order_response));
-
-$user_id = get_current_user_id(); // Get the ID of the current user
-$transaction_id = $order_response['json_response']->id;
-$purchase_date = current_time('mysql');
-$user_meta = get_user_meta($user_id);
-
-error_log("in handle_orders_request, user_id");
-error_log($user_id);
-error_log("in handle_orders_request, user_meta");
-error_log(json_encode($user_meta));
-error_log("in handle_orders_request, transaction_id");
-error_log($transaction_id);
-error_log("in handle_orders_request, purchase_date");
-error_log($purchase_date);
-
-
-
-// Store purchase-related information as user meta
-//add_user_meta($user_id, 'transaction_id', $transaction_id);
-//add_user_meta($user_id, 'purchase_date', $purchase_date);
-
+error_log("--- in handle_orders_request");
+		update_user_payment($json_response, 'start');
+error_log("--- out handle_orders_request");
 
 		// Return response
-		return new WP_REST_Response($order_response['json_response'], $order_response['http_status_code']);
+		return new WP_REST_Response($json_response, $http_status_code);
 	} catch (Exception $e) {
 		// Handle errors
 		error_log('Failed to create order: ' . $e->getMessage());
@@ -111,5 +96,4 @@ function create_order( $cart )
 
 
 
-
 ?>
diff --git a/plugins/fipfcard_plugin/php/paypal/route_api_orders_capture.php b/plugins/fipfcard_plugin/php/paypal/route_api_orders_capture.php
index 2546c11..313aef5 100644
--- a/plugins/fipfcard_plugin/php/paypal/route_api_orders_capture.php
+++ b/plugins/fipfcard_plugin/php/paypal/route_api_orders_capture.php
@@ -1,5 +1,8 @@
 <?php
 
+include_once(PLGNTLS_class::get_path() . '/php/paypal/route_api_utils.php');
+include_once(PLGNTLS_class::get_path() . '/php/paypal/update_user_payment.php');
+
 /**
  * it means someone outside wp is accessing the file, in this case kill it.
  */
@@ -9,8 +12,6 @@ if (!defined('ABSPATH')) {
 
 function handle_orders_capture_request($request) {
 	$order_id = $request['orderID'];
-	error_log("in handle_orders_capture_request, order_id");
-	error_log($order_id);
 
 	try {
 		// Implement captureOrder function logic here
@@ -20,6 +21,10 @@ function handle_orders_capture_request($request) {
 		$http_status_code = $response_data['http_status_code'];
 		$json_response = $response_data['json_response'];
 
+error_log("--- in handle_orders_capture_request");
+		update_user_payment($json_response, 'end');
+error_log("--- out handle_orders_capture_request");
+
 		return new WP_REST_Response($json_response, $http_status_code);
 	}
 	catch (Exception $e) {
diff --git a/plugins/fipfcard_plugin/php/paypal/update_user_payment.php b/plugins/fipfcard_plugin/php/paypal/update_user_payment.php
new file mode 100644
index 0000000..8384de2
--- /dev/null
+++ b/plugins/fipfcard_plugin/php/paypal/update_user_payment.php
@@ -0,0 +1,112 @@
+<?php
+
+
+/**
+ * it means someone outside wp is accessing the file, in this case kill it.
+ */
+if (!defined('ABSPATH')) {
+	die('You can not access this file!');
+}
+
+
+function update_user_payment($message, $step)
+{
+
+	$order_id = $message->id;
+	/*
+		"status":"CREATED"
+		"status":"COMPLETED"
+	*/
+	$status = $message->status;
+	$user_id = get_current_user_id();
+
+//error_log("status :");
+//error_log($status);
+error_log("message :");
+error_log(json_encode($message));
+//error_log("order_id :");
+//error_log($order_id);
+
+	$user_meta_order_id = get_user_meta($user_id, 'fipf_order_id');
+error_log("user_meta->fipf_order_id :");
+error_log(json_encode($user_meta_order_id));
+//	$user_meta_ordering = get_user_meta($user_id, 'fipf_ordering', true);
+//error_log("user_meta->fipf_ordering :");
+//error_log($user_meta_ordering);
+
+error_log("... update user");
+
+	// update_user_meta : update or create a user meta field
+	// https://developer.wordpress.org/reference/functions/update_user_meta/
+	/*
+			each time add_meta_user is called with key 'fipf_order_id'
+			a new value will be added in the array :
+				- ['aaaaaa']
+				- add_meta_user('user_id', 'fipf_order_id', 'bbbbbb');
+				- ['aaaaaa', 'bbbbbb']
+				- add_meta_user('user_id', 'fipf_order_id', 'bbbbbb');
+				- ['aaaaaa', 'bbbbbb', 'bbbbbb']
+			calling get_user_meta with key 'fipf_order_id' will return
+			the array of values
+				- get_meta_user('user_id', 'fipf_order_id');
+				- ['aaaaaa', 'bbbbbb', 'bbbbbb']
+			calling delete_meta_user with key-value will delete only
+			the values matching this value
+				- ['aaaaaa', 'bbbbbb', 'bbbbbb']
+				- delete_meta_user('user_id', 'fipf_order_id', 'bbbbbb');
+				- ['aaaaaa']
+			this allow to track multiple purchase :
+			if the fields fipf_order_id still have values
+			it means that purchases have started without finish,
+			maybe some will finish ?
+			in this case, what to do ? don't start a second one ?
+			or at least, don't erase the previous values,
+			so that the 2 purchase additions ?
+			-> paypal payment seems to be available for up to 3 days, or 29 days ?
+				 https://developer.paypal.com/sdk/js/reference/#link-actions
+	*/
+	if ($step === 'start')
+	{
+		//update_user_meta($user_id, 'fipf_ordering', true);
+		//update_user_meta($user_id, 'fipf_order_id', $order_id);
+		add_user_meta($user_id, 'fipf_order_id', $order_id);
+		//delete_user_meta($user_id, 'fipf_order_id', '1FA58326FE555261J');
+	}
+	else if ($step === 'end')
+	{
+		// check if purchase is from the right user
+		// TODO : what to do if not ?
+		// propose to contact diego ?
+//		$user_meta_order_id = get_user_meta($user_id, 'fipf_order_id', true);
+//		if ($user_meta_order_id !== $order_id)
+//			return ;
+		//$user_meta_ordering = get_user_meta($user_id, 'fipf_ordering', true);
+		//if ($user_meta_ordering !== true)
+		//	return ;
+
+		// when purchase is finished, success or not, reinit fipf_order* values
+		//update_user_meta($user_id, 'fipf_ordering', false);
+//		update_user_meta($user_id, 'fipf_order_id', '');
+
+		// if purchase is success, proceed to validate on user :
+
+	}
+
+	$user_meta_order_id = get_user_meta($user_id, 'fipf_order_id');
+error_log("user_meta->fipf_order_id :");
+error_log(json_encode($user_meta_order_id));
+//	$user_meta_ordering = get_user_meta($user_id, 'fipf_ordering', true);
+//error_log("user_meta->fipf_ordering :");
+//error_log($user_meta_ordering);
+	$user_meta = get_user_meta($user_id);
+error_log("user_meta :");
+error_log(json_encode($user_meta));
+
+}
+
+
+
+
+
+
+?>
diff --git a/plugins/fipfcard_plugin/utils/plugin_tools.php b/plugins/fipfcard_plugin/utils/plugin_tools.php
index 17e0b77..497cc6a 100644
--- a/plugins/fipfcard_plugin/utils/plugin_tools.php
+++ b/plugins/fipfcard_plugin/utils/plugin_tools.php
@@ -59,6 +59,9 @@ class PLGNTLS_class
 			// add ajax file at beginning of files list
 			array_unshift($scripts_arr, "utils/plugin_ajax.js");
 			$ajax_nonce = array("ajax_nonce" => wp_create_nonce('wp-pageviews-nonce'));
+			// for the custom endpoints in rest api to work
+			// they need to have a nonce named 'wp_rest'
+			// see : https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
 			$rest_nonce = array("rest_nonce" => wp_create_nonce('wp_rest'));
 			$ajax_url = array("ajax_url" => admin_url('admin-ajax.php'));
 			$vars = array_merge($vars, $ajax_nonce);
diff --git a/private b/private
index 7d4fd1f..62a6fc0 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit 7d4fd1fb654bb98aae25da2013a9c8ec24afda2e
+Subproject commit 62a6fc0c86c187835f66bd68eba847c1c6717dde