Hello Jim,
ec_update_state_to_authorized updates ec_items on a newly authorized order, so that shippable items are to_be_shipped.
At the same time, one could query the order for ec_items where shippable_p == 'f', and mark some independent lookup table that the object ID is readable for the user of the order_id for N units of time (or time_expires).
No callbacks are needed.
Callbacks are indicated when the user is waiting for a displayed response, and a procedure takes an unspecified amount of time (usually seconds or more).
ec_update_state_to_authorized is executed as a scheduled procedure, so a callback is unnecessary.
Using this proc means that the credit card has been processed for nonshippable items, so it's time to provide access via procs called from it.
A schema might be defined with these minimums:
table my_app_user_certificate_map
user_id
certificate_id
table my_app_certificates
certificate_id
object_id
time_created
time_expires
last_access
next_to_last_access
The object_id could be a subsite, a content_item etc
The particulars would be handled by your custom procs.
best wishes,
Ben