# Checkout
Glomo Checkout offers a prebuilt payment form that enables businesses to securely accept payments online. With its
built-in features, you can minimize development time and streamline the payment process. Embed Checkout directly into
your website, or direct customers to a Glomo-hosted payment page to start accepting payments.
Checkout requires minimal coding because of its prebuilt functionalities and customization options. You can integrate
Checkout by creating a Checkout Session and collecting the customer’s payment details.
## End-to-End Flow in Accepting Payments
Below are the steps that are to accept payments :-
## Visual Representation of Payment Flow
A visual representation for the sequence of steps is given below :-
## Test card details
| Card Number | Gateway | OTP | Payment Result | Expiry Month | Expiry Year | CVV |
| --- | --- | --- | --- | --- | --- | --- |
| 3466 2411 1111 1111 | American Express | No | Success | any | any | any |
| 3469 1222 2222 2222 | American Express | Yes | Success | any | any | any |
| 3490 8811 1111 1112 | American Express | No | Failure | any | any | any |
| 3790 8022 2222 2223 | American Express | Yes | Failure | any | any | any |
| 4916 5311 1111 1111 | Mastercard | No | Success | any | any | any |
| 4376 7022 2222 2222 | Mastercard | Yes | Success | any | any | any |
| 4532 2711 1111 1112 | Mastercard | No | Failure | any | any | any |
| 4556 8222 2222 2223 | Mastercard | Yes | Failure | any | any | any |
| 4532 4911 1111 1111 | Visa | No | Success | any | any | any |
| 4532 4422 2222 2222 | Visa | Yes | Success | any | any | any |
| 4556 8911 1111 1112 | Visa | No | Failure | any | any | any |
| 4597 2622 2222 2223 | Visa | Yes | Failure | any | any | any |
## Steps to integrate Checkout
**Note:** We recommend using ES module imports for the Glomo Checkout SDK. While UMD format is still supported for legacy compatibility, it is not actively maintained. For optimal performance and future support, please use ES modules. If you absolutely require UMD format, please contact our support team for assistance.
details
summary
1.
b
Create an Order in Server
- You will have to create an order from your server using the secret keys.
- You can get the secret key on your glomopay [dashboard](https://app.glomopay.com/api-keys-and-webhooks/api-keys).
- You can create order by integrating our [Order APIs](/api-documentation/apis/openapi/orders/createorder).It
should be a server side api call. Refer [Authentication](/api-documentation/authentication) for details around
how to authenticate Order's API.
- The `order_id` received in the response should be passed to the checkout. This ties the order with the payment and
secures the request from being tampered.
details
summary
2.
b
Add payment button on client
* Add a buy button on your website.
* You can integrate the checkout by adding the below code snippet to your website.
* The code snippet will create a checkout instance and open the checkout form when the user clicks on the buy button.
* The `orderId` of the order created via your server in step 1 should be passed to the checkout instance.
* The `publicKey` refers to the public key of your glomo account present on your [dashboard](https://app.glomopay.com/api-keys-and-webhooks/api-keys).
* Handle the payment success and failure events, in the handlers function you will get payment object or error object based on the payment status. Collect these and send them to your server and retry accordingly in case payment failed.
* Additionally, you can also provide a `callbackUrl` to redirect the user after payment completion. If you provide a `callbackUrl`, the user will be redirected to that URL after payment completion with the payment status and other details in the query parameters.
* If `callbackUrl` is provided,failure and success events will not be triggered in the checkout instance.
HTML
```html
```
React (TS)
```jsx
import { FC, useState } from "react";
interface PurchaseButtonProps {
orderId: string;
publicKey: string;
}
const PurchaseButton: FC = ({ orderId, publicKey }) => {
const buttonRef = useRef(null);
const loadCheckout = async () => {
try {
const { GlomoCheckoutApi } = await import('https://glomopay-checkout-sdk.web.app/index.js');
// With callback URL option - user will be redirected after payment
const checkout = new GlomoCheckoutApi({
orderId,
publicKey,
callbackUrl: 'https://yourwebsite.com/payment-result', // Optional
});
// Set up the click handler on the button
if (buttonRef.current) {
buttonRef.current.addEventListener('click', checkout.open.bind(checkout));
}
// Listen for payment success
checkout.on('payment.success', function () {
// Handle payment success (e.g., update state or notify the user)
});
// Listen for payment failure
checkout.on('payment.failure', function (response: unknown) {
console.error('Payment failed:', response);
// Handle payment failure (e.g., show an error message)
});
} catch (error) {
console.error('Error loading the checkout SDK:', error);
}
};
useEffect(() => {
loadCheckout();
}, []);
return (
)
}
```
### About the Callback URL
When you provide a `callbackUrl`, the user will be automatically redirected to that URL after payment completion with the following parameters:
**For successful payments:**
```
https://yourwebsite.com/payment-result?status=success&orderId=123456&signature=abc123def456
```
**For failed payments:**
```
https://yourwebsite.com/payment-result?status=failed&orderId=123456&signature=abc123def456
```
This allows server-side handling of payment results in addition to the client-side event handlers.
details
summary
3.
b
Verify checkout response and signature in server
* In the payment success handler, you will receive the payment object which will have the payment status along with payment_id and order_id.
* Along with payment_id, order_id and status, we also return a signature. This signature is used to verify the authenticity of the payment object.
* You can verify the signature by using the secret key provided by Glomo.
Success Response
```json
{
"payment_id": "payment_679a16457aP6K",
"order_id": "order_679a16457aP6K",
"status": "success",
"signature": "701eab675aca32c14cd1e5e041842d11ee9d04e91a3aaa73c629664a336b2952"
}
```
* You have to verify the signature by using the secret key provided by Glomo. Send the above response to your server, where you can verify the signature using the secret key provided by Glomo.
* For verification, use the payment_id and status from success response and the order_id which was generated in step 1 instead of the one returned from checkout.
* Generate signature using secret key and verify the generated signature with the signature received in the response.
* In case of error response is an error object
Error Response
```json
{
"payment_id": "payment_679a16457aP6K",
"order_id": "order_679a16457aP6K",
"status": "failed",
"error": {
"code" : "INVALID_CARD",
"message" : "Card not eligible for international payments"
}
}
```
***Sample Code to verify signature***
details
summary
PHP
```php
```
details
summary
Ruby
```ruby
require 'openssl'
def generate_signature(order_id, payment_id, status, secret)
data = "#{order_id}|#{payment_id}|#{status}"
OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end
# Example Usage
order_id = "order_679a16457aP6K"
payment_id = "payment_679a16457aP6K"
status = "success"
secret = "your_secret_key"
puts generate_signature(order_id, payment_id, status, secret)
```
details
summary
Go
```go
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
)
func generateSignature(orderID, paymentID, status, secret string) string {
data := orderID + "|" + paymentID + "|" + status
h := hmac.New(sha256.New, []byte(secret))
h.Write([]byte(data))
return hex.EncodeToString(h.Sum(nil))
}
func main() {
orderID := "order_679a16457aP6K"
paymentID := "payment_679a16457aP6K"
status := "success"
secret := "your_secret_key"
fmt.Println(generateSignature(orderID, paymentID, status, secret))
}
```
details
summary
Javascript(Node.js)
```javascript
const crypto = require('crypto');
function generateSignature(orderId, paymentId, status, secret) {
const data = `${orderId}|${paymentId}|${status}`;
return crypto.createHmac('sha256', secret).update(data).digest('hex');
}
// Example Usage
const orderId = "order_679a16457aP6K";
const paymentId = "payment_679a16457aP6K";
const status = "success";
const secret = "your_secret_key";
console.log(generateSignature(orderId, paymentId, status, secret));
```
details
summary
Python
```python
import hmac
import hashlib
def generate_signature(order_id, payment_id, status, secret):
data = f"{order_id}|{payment_id}|{status}".encode()
return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()
# Example Usage
order_id = "order_679a16457aP6K"
payment_id = "payment_679a16457aP6K"
status = "success"
secret = "your_secret_key"
print(generate_signature(order_id, payment_id, status, secret))
```
details
summary
4.
b
Verify Payment status
Payment's status can be tracked via following ways
* You can track the payments linked to your order_id via dashboard
* You can also track the payment status via polling [Payment APIs](/api-documentation/apis/openapi/payment/getpaymentbyid)
* You can also track the payment status via [Webhooks](/api-documentation/webhooks) which will notify you about the payment status.
## Troubleshooting Common Issues
### Checkout Popup Blocked in Production Environment
**Symptom:** The checkout works perfectly in your local development environment, but when deployed to UAT or production, the payment page fails to open in a new tab/popup after clicking the "Pay Now" button.
**Cause:** This issue is typically caused by the `Cross-Origin-Opener-Policy` (COOP) security header on your website. If your website sends `Cross-Origin-Opener-Policy: same-origin`, it will block popups to external domains, including the Glomo payment gateway.
#### How to Detect This Issue
1. Open your browser's Developer Tools (F12 or Right-click → Inspect)
2. Go to the **Network** tab
3. Reload your page and click on the main document (usually the first entry)
4. Look at the **Response Headers** section
5. Check if you see: `Cross-Origin-Opener-Policy: same-origin`
If you see this header with the `same-origin` value, this is what's blocking the checkout popup.
#### Solution
Update your server's COOP header configuration from:
```
Cross-Origin-Opener-Policy: same-origin
```
to:
```
Cross-Origin-Opener-Policy: same-origin-allow-popups
```
**How to implement this depends on your setup:**
details
summary
Apache (.htaccess)
```apache
Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
```
details
summary
Nginx
```nginx
add_header Cross-Origin-Opener-Policy "same-origin-allow-popups";
```
details
summary
Node.js/Express
```javascript
app.use((req, res, next) => {
res.setHeader('Cross-Origin-Opener-Policy', 'same-origin-allow-popups');
next();
});
```
details
summary
Next.js (next.config.js)
```javascript
module.exports = {
async headers() {
return [
{
source: '/(.*)',
headers: [
{
key: 'Cross-Origin-Opener-Policy',
value: 'same-origin-allow-popups',
},
],
},
];
},
};
```
#### Verifying the Fix
After deploying the header change:
1. **Clear your browser cache** (or use incognito/private mode)
2. Reload your website
3. Open Developer Tools → Network tab
4. Verify the header now shows: `Cross-Origin-Opener-Policy: same-origin-allow-popups`
5. Test the checkout flow again
**Note:** The `same-origin-allow-popups` value maintains security for your website while allowing the checkout to open properly in a new window.
### CORS Error on Checkout Load (Preferences API Failure)
**Symptom:** After successfully opening the checkout, you see a CORS (Cross-Origin Resource Sharing) error in the browser console when the checkout tries to load. The error typically mentions the preferences API call failing with a message like:
```
Access to fetch at 'https://...' from origin '...' has been blocked by CORS policy
```
**Cause:** This issue is often caused by browser extensions that intercept or modify network requests. Common culprits include ad blockers, privacy extensions, VPN extensions, and other security-focused browser add-ons.
#### How to Detect This Issue
1. Open your browser's Developer Tools (F12)
2. Go to the **Console** tab
3. Load the checkout and look for CORS-related errors
4. The error will typically mention "blocked by CORS policy" or "No 'Access-Control-Allow-Origin' header"
#### Solution
**Step 1: Test in Incognito/Private Mode**
The quickest way to verify if a browser extension is causing the issue:
1. Open an incognito/private browsing window (most extensions are disabled by default)
2. Test the checkout integration again
3. If the checkout works in incognito mode, a browser extension is the culprit
**Step 2: Identify and Disable Interfering Extensions**
If the checkout works in incognito mode:
1. Go to your browser's extensions page:
- **Chrome/Edge:** `chrome://extensions` or `edge://extensions`
- **Firefox:** `about:addons`
- **Safari:** Preferences → Extensions
2. Disable extensions one by one, especially:
- Ad blockers (AdBlock, uBlock Origin, etc.)
- Privacy extensions (Privacy Badger, Ghostery, etc.)
- VPN or proxy extensions
- Security extensions
- Request interceptors or modifiers
3. Test the checkout after disabling each extension
4. Once you identify the problematic extension, keep it disabled for your domain or whitelist your website
#### For Developers: Communicating with Users
If your customers report this issue, provide them with these troubleshooting steps:
1. Try testing in incognito/private browsing mode
2. If it works there, ask them to temporarily disable browser extensions
3. Common extensions that cause issues: ad blockers, VPN extensions, privacy tools
**Note:** This is not an issue with Glomo's checkout or your integration - it's a side effect of browser extensions modifying network behavior. The checkout will work correctly once interfering extensions are identified and configured properly.