Interactive XPayr checkout widget example with secure server-side session creation and popup, redirect, and embedded checkout modes.
Status: Runnable browser integration example
Demonstrate a polished browser checkout without exposing merchant secret keys or inventing payment status client-side.
- Popup, redirect, and embedded checkout modes
- Server-side session creation
- Strict checkout-origin event handling
cp .env.example .env
npm test
npm startOpen http://127.0.0.1:3001 and switch between popup, embedded, and redirect modes. Every mode uses the same server-created XPayr session.
- The merchant secret key is read only by the Node.js server.
- Checkout URLs must use the exact
https://xpayr.com/pay/origin and path. - Embedded messages are accepted only from
https://xpayr.comand remain UX signals. - Order fulfillment waits for a verified webhook or authenticated API reconciliation.
The repository intentionally avoids pretending that closing a popup, receiving a browser message, or returning to a success URL proves payment.
Use an XPayr test key before live credentials. Never expose sk_test_*, sk_live_*, agent keys, webhook secrets, or wallet private keys in browser code or commits.
Read SECURITY.md before reporting a vulnerability. Payment completion must be based on verified XPayr webhook/API state and canonical on-chain evidence, not browser callbacks alone.
MIT. See LICENSE.