It kind of works, but it needs to be more robust and documented.

1) implement API and transactions log - so I can see what API calls you sent and received. It will be helpful in debugging and disputes.
2) implement test API endpoint - it's not a problem to send real transactions during tests, but they take an hour to get confirmed so my development is slowed down
3) document when and how often you try to call back. What happens if my server does not respond or DNS resolution fails? Are HTTP redirects followed? Is HTTPS supported? etc
4) document foreign_order_id, custom_field and transaction_timestamp, order_status
5) What happens if I want to use one address per customer, as opposed to one address per order? It seems subsequent transactions to an address still fire the callback. Is total_amount in POST /order necessary at all? What happens if customer sends less or more than total_amount?
6) Think about better/more standard cryptography. A homemade HMAC and plaintext authtoken are not good ideas, they are just temporary quick-and-dirty solutions.