Razorpay Payment Integration: OAuth-Based Secure Access
Introduction
Integrating Razorpay with your application enables seamless and secure payment processing. Razorpay supports OAuth-based authentication, allowing applications to access resources securely without exposing sensitive credentials.
In this article, we will look at how OAuth provides secure API access: generating tokens, handling expired access tokens with a refresh token, and integrating the payment gateway with third-party services.
Understanding OAuth in Razorpay Integration
OAuth is a secure method for authorizing third-party applications to access Razorpay and RazorpayX resources using token-based authentication. This removes the need for API key-based authentication, enhancing security and scalability.
OAuth Flow in Razorpay
- Authorization Code → Generated when the customer grants access.
- Access Token → Allows API access for a limited time.
- Refresh Token → Used to regenerate an access token without user intervention.
- API Requests → Use the token to create orders, check status, and manage transactions.
Flow Diagram
Auth Code → Access Token → Create Order → Validate → Get Status
The authorization code serves as the entry point for obtaining access tokens, which are used in subsequent API requests.
Steps to Implement OAuth in Razorpay Payment Gateway Integration
Step 1: Generate Authorization Code
To begin, redirect the user to the Razorpay OAuth authorization URL:
https://auth.razorpay.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI
Upon approval, Razorpay provides an authorization code.
Step 2: Exchange Authorization Code for Access Token
Once you obtain the authorization code, exchange it for an access token and refresh token using this API:
POST https://api.razorpay.com/v1/oauth/token
Content-Type: application/json
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "YOUR_REDIRECT_URI"
}
Response Example:
{
  "access_token": "xyz123",
  "expires_in": 3600,
  "refresh_token": "abc456",
  "token_type": "Bearer"
}
The access token is valid for 90 days, after which you can use the refresh token to generate a new one.
Handling Expired Access Tokens Using Refresh Token
Once the access token expires, API requests will return an authentication error. Instead of redirecting users to authorize again, you can use the refresh token to obtain a new access token.
Step 3: Generate a New Access Token Using Refresh Token
POST https://api.razorpay.com/v1/oauth/token
Content-Type: application/json
{
  "grant_type": "refresh_token",
  "refresh_token": "abc456",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}
Response Example:
{
  "access_token": "new_xyz123",
  "expires_in": 3600,
  "refresh_token": "new_abc456",
  "token_type": "Bearer"
}
💡 Important: Always store the latest refresh token, as it changes with each request.
Step 4: Make API Requests Using Access Token
Use the obtained access token to call Razorpay APIs. Example:
Create an Order
POST https://api.razorpay.com/v1/orders
Authorization: Bearer xyz123
Content-Type: application/json
{
  "amount": 50000,
  "currency": "INR",
  "receipt": "receipt#1",
  "payment_capture": 1
}
Get Order Status
GET https://api.razorpay.com/v1/orders/{order_id}
Authorization: Bearer xyz123
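Steps 2 to 4 put together as an added example that is not part of the original article and not Razorpay's SDK: a small server-side Python client that exchanges the authorization code, tracks `expires_in`, refreshes the access token before it expires or after an authentication error, keeps only the newest refresh token, and accepts the callback only when the OAuth `state` value it sent comes back unchanged. The `state` check, the `FakeRazorpay` transport and every token value are assumptions constructed for the example; the endpoint URLs and request bodies are the ones the article shows.

```python
import hmac, time

TOKEN_URL = "https://api.razorpay.com/v1/oauth/token"   # endpoints exactly as the article writes them
ORDERS_URL = "https://api.razorpay.com/v1/orders"

class RazorpayOAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, send):
        # send(method, url, headers, body) -> (status, json) is injected so the example runs offline
        self.client_id, self.client_secret, self.redirect_uri, self.send = client_id, client_secret, redirect_uri, send
        self.tokens, self.expires_at = {}, 0.0   # persist per merchant, encrypted at rest, never in frontend code
    def _token_request(self, grant):
        body = {"client_id": self.client_id, "client_secret": self.client_secret, **grant}
        status, resp = self.send("POST", TOKEN_URL, {"Content-Type": "application/json"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed: {status}")
        # Overwrite the stored pair: the refresh token rotates on every refresh and the old one stops working.
        self.tokens = {"access_token": resp["access_token"], "refresh_token": resp["refresh_token"]}
        self.expires_at = time.time() + resp["expires_in"]    # expires_in is in seconds
    def exchange_code(self, code, sent_state, returned_state):
        # Accept the callback only if the state we put on the authorize URL came back unchanged.
        if not hmac.compare_digest(sent_state, returned_state):
            raise ValueError("state mismatch: callback did not come from our authorize redirect")
        self._token_request({"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri})
    def refresh(self):
        self._token_request({"grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"]})
    def create_order(self, amount_paise, receipt):
        body = {"amount": amount_paise, "currency": "INR", "receipt": receipt, "payment_capture": 1}
        for attempt in range(2):   # pass 0: refresh proactively near expiry; pass 1: refresh and retry after a 401
            if attempt or time.time() >= self.expires_at - 60:
                self.refresh()
            headers = {"Authorization": f"Bearer {self.tokens['access_token']}", "Content-Type": "application/json"}
            status, resp = self.send("POST", ORDERS_URL, headers, body)
            if status != 401:
                break
        if status != 200:
            raise RuntimeError(f"order creation failed: {status}")
        return resp

class FakeRazorpay:   # constructed stand-in for the two endpoints, only so the client can run offline
    n, access, refresh_tok = 0, None, None
    def __call__(self, method, url, headers, body):
        if url == TOKEN_URL:
            if body["grant_type"] == "refresh_token" and body["refresh_token"] != self.refresh_tok:
                return 400, {"error": "invalid_grant"}      # stale, already-rotated refresh token
            self.n += 1
            self.access, self.refresh_tok = f"acc{self.n}", f"ref{self.n}"
            return 200, {"access_token": self.access, "refresh_token": self.refresh_tok, "expires_in": 3600, "token_type": "Bearer"}
        if headers.get("Authorization") != f"Bearer {self.access}":
            return 401, {"error": "unauthorized"}           # expired or revoked access token
        return 200, {"id": "order_constructed", "amount": body["amount"], "status": "created"}
```

To run against Razorpay itself, replace `FakeRazorpay` with a `send` that performs the HTTP request (for example with `requests`) and returns the status code and parsed JSON.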
Frontend Checkout Integration
Razorpay provides a checkout snippet that you can embed in your frontend for a seamless payment experience.
Razorpay Checkout Example:
<script src="https://checkout.razorpay.com/v1/checkout.js"></script>
<script>
  var options = {
    "key": "your_public_key",        // publishable key id only; the client secret never ships to the browser
    "amount": "50000",               // in paise, the same amount as the server-side order
    "currency": "INR",
    "order_id": "order_xyz",         // id returned by the Create Order call made from your server
    "callback_url": "https://yourdomain.com/payment-success"
  };
  var rzp1 = new Razorpay(options);
  rzp1.open();
</script>
Multi-Merchant Handling in Razorpay
Razorpay allows you to onboard multiple merchants by storing unique merchant credentials securely. Each merchant gets:
- Client ID & Secret for OAuth
- Public Token for frontend integration
- Access & Refresh Tokens for API access
This enables a single platform to manage multiple businesses, handling payments separately for each.
Conclusion
OAuth-based Razorpay integration provides a secure and scalable way to process payments while safeguarding sensitive credentials. By leveraging access tokens and refresh tokens, your application can interact with Razorpay APIs efficiently without exposing API keys.
🚀 Next Steps: Implement OAuth in your application, generate tokens, and start processing payments securely with Razorpay.