Best Practices
Follow these guidelines to build a secure, reliable, and maintainable payment integration.
Store credentials server-side only — Never embed your Client ID or Secret Key in frontend code, mobile apps, or public repositories.
Use HTTPS everywhere — All API calls and your return_url / cancel_url must use HTTPS.
Verify payments server-side — Always call the Check Payment Status endpoint from your server after a customer returns. Never trust query parameters from the browser redirect alone.
Rotate credentials if compromised — If your secret key is ever exposed, regenerate it immediately from your merchant dashboard.
Use environment variables — Store API credentials in .env files, not in source code.
Cache your access token — Do not request a new access token on every API call. Cache it and refresh only when it expires.
Handle token expiry gracefully — When you receive a 401 Unauthorized, automatically re-authenticate and retry the original request once.
Never log access tokens — Exclude Authorization header values from your application logs.
Use the custom field — Always pass your internal order ID as the custom parameter. This makes reconciliation straightforward.
Set timeouts on HTTP calls — Configure a 30-second timeout on your API requests to prevent your server from hanging.
Handle idempotency — A customer may click back and retry. Check your database before creating duplicate orders.
Log all API interactions — Log request parameters (excluding secrets) and full responses for debugging and auditing.
Test all payment flows — Simulate successful payment, cancelled payment, and network errors before going live.
Test error responses — Pass invalid tokens, wrong currencies, and missing parameters to verify your error handling works correctly.
Use Postman or cURL for manual testing — Validate each endpoint manually before writing integration code.
Monitor in production — Set up alerts for payment errors and failed verifications to catch issues early.
Credentials stored in environment variables, not in code
Access token is cached, not re-requested on every call
Payment verification called from your server (not trusted from redirect params)
return_url and cancel_url are HTTPS
All payment flows tested end-to-end
Error handling implemented — users see friendly messages, not raw API errors
Duplicate order protection in place
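
The token guidelines above (cache the access token, re-authenticate and retry once on 401 Unauthorized, keep Authorization values out of logs, 30-second timeout) combined in one client. This is an added example, not code from this page or from the payment provider. The send transport hook, the /token path, the access_token and expires_in field names, the Bearer scheme and FakeGateway are assumptions made for illustration.

```python
import time

TIMEOUT_SECONDS = 30  # timeout value from the guideline above

def redact(headers):
    """Copy of headers that is safe to log: Authorization value removed."""
    return {k: "[REDACTED]" if k.lower() == "authorization" else v
            for k, v in headers.items()}

class PaymentClient:
    # send(method, path, headers, body, timeout) -> (status, dict) is a
    # hypothetical transport hook; in production it would wrap an HTTPS library.
    def __init__(self, send, client_id, secret_key, clock=time.monotonic):
        self._send, self._clock = send, clock
        self._creds = {"client_id": client_id, "secret_key": secret_key}
        self._token, self._expires_at = None, 0.0
        self.log = []  # stands in for the application log

    def _access_token(self, force=False):
        if force or self._token is None or self._clock() >= self._expires_at:
            # "/token", "access_token" and "expires_in" are assumed names.
            status, body = self._send("POST", "/token", {}, self._creds, TIMEOUT_SECONDS)
            if status != 200:
                raise RuntimeError(f"authentication failed: HTTP {status}")
            self._token = body["access_token"]
            self._expires_at = self._clock() + body["expires_in"]
        return self._token

    def request(self, method, path, body=None):
        for attempt in (1, 2):  # at most one retry after a 401
            headers = {"Authorization": "Bearer " + self._access_token(force=attempt == 2)}
            status, resp = self._send(method, path, headers, body, TIMEOUT_SECONDS)
            self.log.append((method, path, redact(headers), status))
            if status != 401:
                break
        return status, resp

class FakeGateway:
    """Constructed stand-in for the payment API so the example runs offline."""
    def __init__(self):
        self.issued, self.valid = 0, None

    def __call__(self, method, path, headers, body, timeout):
        if path == "/token":
            self.issued += 1
            self.valid = f"tok-{self.issued}"
            return 200, {"access_token": self.valid, "expires_in": 3600}
        if headers.get("Authorization") != "Bearer " + str(self.valid):
            return 401, {"error": "Unauthorized"}
        return 200, {"status": "ok"}
```

A second consecutive 401 is returned to the caller instead of triggering another retry, so a revoked credential fails quickly rather than looping.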