Facebook Pixel

Razorpay Summary and Complete Integration Node.js Payment Gateway Guide

A comprehensive summary of integrating Razorpay in your Node.js application setup, orders, checkout, verification, webhooks, subscriptions, refunds, and security.

Razorpay Summary and Complete Integration

This is a complete summary of integrating Razorpay payments in your Node.js application.

Complete Integration Checklist

Setup

  • Razorpay account created and KYC completed
  • API keys obtained (test and live)
  • razorpay npm package installed
  • Razorpay client configured in config file
  • API keys in .env (not in code)
  • Webhook secret in .env
  • Webhook URL set in Razorpay dashboard

One-Time Payments

  • Create order endpoint (POST /api/payment/create-order)
  • Frontend checkout with Razorpay checkout.js
  • Payment verification endpoint (POST /api/payment/verify)
  • Signature verification (HMAC-SHA256)
  • Payment model with all fields
  • Update user plan on successful payment

Subscriptions

  • Plan created in Razorpay
  • Subscription create endpoint
  • Webhook handler for subscription events
  • Subscription model in database
  • Cancel subscription endpoint
  • Renewal reminder cron job

Webhooks

  • Webhook endpoint with express.raw()
  • Signature verification on every webhook
  • Handle payment.captured event
  • Handle payment.failed event
  • Handle refund.processed event
  • Handle subscription events
  • Idempotency (prevent duplicate processing)
  • Webhook logging for audit

Security

  • Webhook signature always verified
  • Amount comes from database, not frontend
  • Payment amount verified against order
  • Refunds require admin authorization
  • API keys never exposed to frontend
  • HTTPS only for webhook URL
  • All webhooks logged

Testing

  • Test mode used during development
  • Test cards verified (4111 1111 1111 1111)
  • Webhook tested with ngrok
  • Complete flow tested (create → pay → verify)
  • Failed payment tested
  • Refund flow tested
  • Subscription flow tested

Architecture Summary

Frontend (React)
  ↓ POST /api/payment/create-order
Backend (Node.js)
  ↓ razorpay.orders.create()
Razorpay
  ↓ Returns order ID
Backend → Frontend (order ID)
  ↓ Razorpay checkout opens
Customer pays
  ↓
Razorpay → Frontend (payment ID, signature)
  ↓ POST /api/payment/verify
Backend verifies signature
  ↓ Updates database
Razorpay → Backend (webhook)
  ↓ Verifies webhook signature
  ↓ Updates database (source of truth)

Code Summary

// 1. Create order const order = await razorpay.orders.create({ amount: plan.price * 100, currency: "INR", receipt: `receipt_${Date.now()}`, notes: { userId: req.user._id.toString(), plan } }); // 2. Frontend opens checkout const rzp = new Razorpay({ key_id: keyId, amount, currency, order_id: orderId, handler: (response) => verifyPayment(response) }); // 3. Verify signature const body = orderId + "|" + paymentId; const expectedSignature = crypto .createHmac("sha256", process.env.RAZORPAY_KEY_SECRET) .update(body).digest("hex"); if (expectedSignature === signature) { payment.status = "paid"; await payment.save(); } // 4. Handle webhook router.post("/webhook", express.raw({ type: "application/json" }), (req, res) => { const expected = crypto .createHmac("sha256", process.env.RAZORPAY_WEBHOOK_SECRET) .update(req.body).digest("hex"); if (expected === req.headers["x-razorpay-signature"]) { const event = JSON.parse(req.body.toString()); // Handle event... } res.status(200).json({ status: "ok" }); });

Environment Variables

RAZORPAY_KEY_ID=rzp_test_xxxxxxxx RAZORPAY_KEY_SECRET=xxxxxxxxxxxxxxxx RAZORPAY_WEBHOOK_SECRET=xxxxxxxxxxxxxxxx

The Takeaway

Razorpay integration involves: setup (account, keys, SDK), one-time payments (create order, checkout, verify signature), subscriptions (plans, recurring billing, webhooks), webhooks (signature verification, event handling, idempotency), security (never trust frontend, verify amounts, HTTPS only), and testing (test mode, test cards, ngrok for webhooks). Always use webhooks as the source of truth for payment status, verify all signatures, and test thoroughly before going live.

Setup (account, keys, SDK), create order endpoint, frontend checkout, payment verification with signature, webhook handling (payment.captured, payment.failed, refund.processed), subscriptions (plans, recurring billing), security (verify signatures, don't trust frontend amounts), and testing (test mode, test cards, ngrok).

Backend creates order → frontend opens checkout with order ID → customer pays → Razorpay sends payment ID and signature to frontend → frontend sends to backend → backend verifies signature → backend updates database → Razorpay sends webhook → backend verifies webhook signature → backend updates database (source of truth).

RAZORPAY_KEY_ID (rzp_test_ or rzp_live_), RAZORPAY_KEY_SECRET (from dashboard), and RAZORPAY_WEBHOOK_SECRET (set when creating the webhook in the dashboard). Store in .env, never in code or frontend.

Verify webhook signatures (HMAC-SHA256), use express.raw() for webhooks, get amounts from database (not frontend), verify payment amounts match orders, require admin auth for refunds, use HTTPS only, implement idempotency, and log all webhooks for audit.

Use test mode (rzp_test_ keys), test cards (4111 1111 1111 1111 for success), test UPI (success@razorpay), ngrok for local webhook testing, test the complete flow (create → pay → verify → webhook), test failures and refunds, and test subscriptions. Switch to live mode only after full testing and KYC completion.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.