Fast Hosted Checkout
Create a payment session, redirect the customer, then verify or receive IPN updates when the transaction completes.
Merchant API Reference
DigiKash Merchant API
Accept wallet, gateway, and hosted checkout payments with environment-aware credentials, merchant-level currency control, and dashboard-managed payment gateway rules.
Production ready
POST
/api/v1/initiate-payment
GET
/api/v1/verify-payment/{trxId}
Latest Merchant Flow
Gateways are now configured after API generation from the merchant API Config page. Checkout only shows gateways that match the merchant currency and the active receiver wallet.
Wallet-aware Currency
The requested currency must be enabled for the merchant and backed by an active merchant wallet.
Configurable Gateways
Merchants can choose eligible payment gateways from API Config without regenerating API credentials.
Authentication
DigiKash API uses API keys to authenticate requests. You can obtain your credentials from your merchant dashboard.
Environment-Aware API Integration
DigiKash API supports both sandbox (testing) and production environments. Always test in sandbox first before going live.
Environment Configuration
Sandbox Mode
Use for: Development, testing, integration
X-Environment: sandbox
Credentials: Use test_* prefixed API keys
Production Mode
Use for: Live payments, real money
X-Environment: production
Credentials: Use production API keys (no prefix)
Gateway Configuration
Payment gateway selection is dashboard-managed. After generating API credentials, open Merchant -> Config -> Payment Gateway Controls to choose eligible gateways without changing your integration keys.
Signed requests
Every API call must include X-Timestamp and X-Signature unless merchant API signatures are disabled by admin configuration.
Replay protection
The timestamp must be fresh. Default tolerance is 300 seconds, configurable by admin.
Rate limit
Merchant API calls are rate limited per merchant and IP. Default limit is 120 requests per minute.
Required Credentials
| Credential | Header | Description | Location |
|---|---|---|---|
Merchant ID |
X-Merchant-Key |
Your unique merchant identifier | Dashboard → Merchant → Config |
API Key |
X-API-Key |
API authentication key | Dashboard → Merchant → Config |
Request Timestamp |
X-Timestamp |
Unix timestamp in seconds used for replay protection | Generated by your server for each API request |
API Signature |
X-Signature |
HMAC-SHA256 signature for the request | Generated using your Client Secret |
Client Secret |
- | Used for API request signing and webhook signature verification | Dashboard → Merchant → CONFIG |
| Production API Key | X-API-Key |
Production API key (no prefix) | Merchant Dashboard > API Config > Production Mode |
| Production Merchant Key | X-Merchant-Key |
Production merchant identifier (no prefix) | Merchant Dashboard > API Config > Production Mode |
Security Notice
Never expose your Client Secret in client-side code. Store all credentials securely on your server.
Signature Payload
When API signatures are required, sign this exact payload with your Client Secret:
timestamp.HTTP_METHOD.path_with_query.raw_body
Quick Start
Use this flow for a production-safe integration. Credentials identify the merchant, while currency and gateway availability are controlled from the merchant dashboard.
Generate API Keys
Open Dashboard -> Merchant -> Config and copy the Merchant Key, API Key, and Client Secret for sandbox or production.
Confirm Currencies
Make sure the merchant supports the checkout currency and the merchant owner has an active wallet for that currency.
Select Gateways
From API Config, enable the payment gateways that should appear on hosted checkout for each eligible currency.
Sign & Create Payment
POST to /api/v1/initiate-payment with X-Timestamp and X-Signature, redirect the customer to payment_url, then verify or listen for IPN.
API Config
Currency + Wallet
Gateway Filter
Hosted Checkout
Open Testing Console
Use sandbox credentials first, then switch to production when your checkout and IPN are verified.
Latest Merchant Update
API Config controls checkout after keys are generated
Merchant Setup & API Config
The merchant API is no longer a single-currency, fixed-gateway flow. A merchant can now support multiple currency rails, keep separate sandbox and production credentials, and choose eligible gateways from the API Config page without regenerating API keys.
Merchant Dashboard
One integration, dashboard-controlled checkout
Your code sends amount, currency, redirects, IPN URL, and optional gateway keywords. The dashboard decides which currency rails, wallets, and payment gateways are actually available for that merchant.
Sandbox keys
Production keys
Wallet rails
Gateway controls
Default mode
Sandbox
Live access
Requires approval
Gateway source
API Config
Merchant Review Status
Pending merchants can test in sandbox. Production API access and live checkout are available only after admin approval.
Currency Rails
Each request currency_code must exist in the merchant-supported currency list. Unsupported currencies are rejected before checkout opens.
Receiver Wallet Match
The merchant owner must have an active wallet for the requested currency, otherwise the API returns a wallet availability error.
Payment Gateway Controls
Only active automatic gateways that match the requested currency and merchant selection can appear on hosted checkout.
Runtime Decision Order
-
01
Authenticate the environment
X-Environment decides which merchant key, API key, and API secret are used.
-
02
Check merchant availability
Rejected or disabled merchants are blocked. Production also requires approved merchant status.
-
03
Validate requested currency
currency_code must match a merchant-supported rail such as USD, EUR, or BDT.
-
04
Confirm receiver wallet
The merchant owner needs an active wallet for that same currency.
-
05
Resolve configured gateways
Merchant API Config selections restrict checkout to the chosen eligible gateways. If none are selected, the safe fallback is all active automatic gateways for that currency.
-
06
Apply optional API filter
allow_payment_methods can narrow the available gateway list, but it cannot expose an unconfigured or wrong-currency gateway.
Real Cases & Results
| Case | API Result | Fix |
|---|---|---|
| Merchant supports USD and EUR, but only USD wallet exists. | 422 Receiver wallet for this currency is not available. |
Create/activate the EUR merchant wallet before accepting EUR checkout. |
| Stripe USD is selected, but the request sends currency_code EUR. | Stripe USD will not appear on checkout. | Select an active EUR gateway or send USD. |
| Merchant has not selected any gateway yet. | Checkout falls back to all active automatic gateways that match the requested currency. | Use API Config to lock checkout to preferred gateways. |
allow_payment_methods=["paypal"] but PayPal is not configured for the merchant. |
PayPal remains hidden. | Enable PayPal from Payment Gateway Controls if its currency matches. |
| Pending merchant calls production API. | 403 Merchant Pending Approval |
Use sandbox until admin approval is complete. |
No cross-currency gateways
A gateway configured for USD cannot process EUR checkout unless a separate EUR gateway exists.
Secrets stay server-side
API Secret is used only to sign server-to-server API requests and verify IPN signatures.
Signed checkout URL expires
The returned payment_url is time-limited. Create a new payment session for expired checkout links.
Verify is merchant scoped
A merchant can verify only its own transaction and only in the matching sandbox or production environment.
Currency & Gateway Rules
Merchant API checkout is controlled by three layers: merchant-supported currency, active receiver wallet, and configured payment gateways. This keeps checkout options accurate after API credentials are generated.
Gateway Match Matrix
A gateway appears on hosted checkout only when every rule below is true. If the merchant has selected gateways, those selected gateways become the allowed set for checkout.
Dashboard Source
Merchant -> Config -> Payment Gateway Controls
Currency enabled for merchant
The request currency_code must exist in the merchant-supported currency list.
Active merchant wallet exists
The merchant owner must have an active wallet for the requested currency.
Gateway currency matches
Only active automatic deposit methods for that exact currency are eligible.
Merchant gateway selection passes
When gateways are selected in API Config, checkout is restricted to those selected methods.
How allow_payment_methods Works Now
| Layer | Who controls it | Effect |
|---|---|---|
currency_code |
API request | Must match a merchant-supported currency with an active receiver wallet. |
Payment Gateway Controls |
Merchant dashboard | Defines the gateway set available to hosted checkout for each eligible currency. |
allow_payment_methods |
API request | Optional name/code keyword filter applied after merchant gateway rules. It cannot expose a gateway the merchant did not configure. |
Safe Default
If a merchant has not selected any gateways, checkout falls back to all active automatic gateways that match the requested currency. Once the merchant selects gateways, checkout uses only that configured list.
POST
Initiate Payment
Create a hosted checkout session for a merchant-supported currency. The returned payment_url should be opened by the customer.
https://digidev.coevs.com/api/v1/initiate-payment
Gateway Selection
Hosted checkout first applies merchant currency and wallet rules, then the gateways selected on Merchant API Config. allow_payment_methods is only an optional extra filter.
Request Headers
| Header | Value | Required | Description |
|---|---|---|---|
Content-Type |
application/json |
Yes | Request content type |
Accept |
application/json |
Yes | Expected response type |
X-Environment |
sandbox | production |
Yes | Use sandbox for testing and production for live payments |
X-Merchant-Key |
{merchant_key} |
Yes | Merchant identifier from the API Config page |
X-API-Key |
{api_key} |
Yes | API key for the selected environment |
X-Timestamp |
{unix_timestamp} |
Yes | Current Unix timestamp in seconds. Requests outside the allowed tolerance are rejected. |
X-Signature |
sha256={hmac} |
Yes | HMAC-SHA256 of timestamp.METHOD.path_with_query.raw_body using the API Secret for the selected environment. |
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
payment_amount |
number | Yes | Payment amount. Minimum value is 1.00. |
currency_code |
string | Yes | 3-letter currency code. Must be enabled for the merchant and backed by an active merchant wallet. |
ref_trx |
string | Yes | Your unique order or transaction reference. Max 60 characters. |
success_redirect |
url | Yes | Customer is redirected here after a successful hosted checkout. |
cancel_redirect |
url | Yes | Customer is redirected here when checkout is canceled or cannot continue. |
ipn_url |
url | Yes | Server-to-server webhook URL for payment status updates. |
description |
string | No | Payment description visible in merchant transaction context. |
customer_name |
string | No | Customer name. Max 100 characters. |
customer_email |
No | Customer email address. Max 100 characters. | |
allow_payment_methods |
string | array | No | Optional keyword filter applied after merchant gateway rules. Example: "stripe,paypal" or ["stripe","paypal"]. |
Gateway Availability Response Fields
| Field | Type | Meaning |
|---|---|---|
info.merchant_payment_methods_restricted |
boolean | true when the merchant has selected specific gateways in API Config. |
info.merchant_payment_method_ids |
array | Eligible deposit method IDs for the requested currency. |
info.merchant_payment_method_codes |
array | Eligible method codes that can appear on hosted checkout. |
Code Examples
curl -X POST "https://digidev.coevs.com/api/v1/initiate-payment" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "X-Environment: sandbox" \
-H "X-Merchant-Key: test_merchant_key" \
-H "X-API-Key: test_api_key" \
-H "X-Timestamp: 1778650000" \
-H "X-Signature: sha256=generated_hmac_signature" \
-d '{
"payment_amount": 250.00,
"currency_code": "USD",
"ref_trx": "ORDER_12345",
"description": "Premium Subscription",
"success_redirect": "https://merchant.example/payments/success",
"cancel_redirect": "https://merchant.example/payments/cancel",
"ipn_url": "https://merchant.example/webhooks/digikash",
"customer_name": "John Doe",
"customer_email": "john@example.com",
"allow_payment_methods": ["stripe", "paypal"]
}'<?php
use Illuminate\Support\Facades\Http;
$payload = [
'payment_amount' => 250.00,
'currency_code' => 'USD',
'ref_trx' => 'ORDER_12345',
'description' => 'Premium Subscription',
'success_redirect' => route('payments.success'),
'cancel_redirect' => route('payments.cancel'),
'ipn_url' => route('webhooks.digikash'),
'customer_name' => 'John Doe',
'customer_email' => 'john@example.com',
'allow_payment_methods' => ['stripe', 'paypal'],
];
$body = json_encode($payload, JSON_THROW_ON_ERROR);
$timestamp = (string) time();
$path = '/api/v1/initiate-payment';
$signature = hash_hmac(
'sha256',
$timestamp.'.POST.'.$path.'.'.$body,
config('services.digikash.api_secret')
);
$response = Http::withHeaders([
'Content-Type' => 'application/json',
'Accept' => 'application/json',
'X-Environment' => 'sandbox',
'X-Merchant-Key' => config('services.digikash.merchant_key'),
'X-API-Key' => config('services.digikash.api_key'),
'X-Timestamp' => $timestamp,
'X-Signature' => 'sha256='.$signature,
])->withBody($body, 'application/json')
->post('https://digidev.coevs.com/api/v1/initiate-payment')
->throw()
->json();
return redirect()->away($response['payment_url']);const crypto = require('crypto');
const payload = {
payment_amount: 250.00,
currency_code: 'USD',
ref_trx: 'ORDER_12345',
description: 'Premium Subscription',
success_redirect: 'https://merchant.example/payments/success',
cancel_redirect: 'https://merchant.example/payments/cancel',
ipn_url: 'https://merchant.example/webhooks/digikash',
customer_name: 'John Doe',
customer_email: 'john@example.com',
allow_payment_methods: ['stripe', 'paypal']
};
const body = JSON.stringify(payload);
const timestamp = Math.floor(Date.now() / 1000).toString();
const path = '/api/v1/initiate-payment';
const signature = crypto
.createHmac('sha256', process.env.DIGIKASH_API_SECRET)
.update(`${timestamp}.POST.${path}.${body}`)
.digest('hex');
const response = await fetch('https://digidev.coevs.com/api/v1/initiate-payment', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Accept': 'application/json',
'X-Environment': 'sandbox',
'X-Merchant-Key': process.env.DIGIKASH_MERCHANT_KEY,
'X-API-Key': process.env.DIGIKASH_API_KEY,
'X-Timestamp': timestamp,
'X-Signature': `sha256=${signature}`
},
body
});
const data = await response.json();
if (!response.ok) {
throw new Error(data.error || 'Payment initiation failed');
}
window.location.href = data.payment_url;Success Response
200 OK
Payment session created
{
"payment_url": "https://DigiKash.test/payment/checkout?token=encrypted&signature=signed",
"info": {
"ref_trx": "ORDER_12345",
"description": "Premium Subscription",
"ipn_url": "https://merchant.example/webhooks/digikash",
"cancel_redirect": "https://merchant.example/payments/cancel",
"success_redirect": "https://merchant.example/payments/success",
"customer_name": "John Doe",
"customer_email": "john@example.com",
"merchant_id": 1,
"merchant_name": "Demo Store",
"amount": 250,
"currency_code": "USD",
"environment": "sandbox",
"is_sandbox": true,
"allow_payment_methods": ["stripe", "paypal"],
"merchant_payment_methods_restricted": true,
"merchant_payment_method_ids": [7],
"merchant_payment_method_codes": ["stripe-usd"]
}
}Common Error Responses
422
Currency is not enabled for this merchant.
The requested currency_code is not in the merchant-supported currency list.
422
Receiver wallet for this currency is not available.
The merchant owner does not have an active wallet for the requested currency.
401
Invalid API credentials.
Check X-Environment, X-Merchant-Key, and X-API-Key for the same environment.
GET
Verify Payment
Fetch the latest status for a hosted checkout transaction. Always verify server-side before fulfilling an order.
https://digidev.coevs.com/api/v1/verify-payment/{trxId}
Request Headers
| Header | Value | Required | Description |
|---|---|---|---|
Accept |
application/json |
Yes | Expected response type |
X-Environment |
sandbox | production |
Yes | Must match the environment used to initiate the payment |
X-Merchant-Key |
{merchant_key} |
Yes | Merchant identifier from API Config |
X-API-Key |
{api_key} |
Yes | API key for the selected environment |
X-Timestamp |
{unix_timestamp} |
Yes | Use the same timestamp format as payment initiation. |
X-Signature |
sha256={hmac} |
Yes | Sign timestamp.GET./api/v1/verify-payment/{trxId}. using the matching API Secret. The raw body is empty for GET requests. |
Path Parameter
| Parameter | Type | Required | Description |
|---|---|---|---|
trxId |
string | Yes | DigiKash transaction ID returned by hosted checkout or IPN. |
cURL Example
curl -X GET "https://digidev.coevs.com/api/v1/verify-payment/TXNQ5V8K2L9N3XM1" \
-H "Accept: application/json" \
-H "X-Environment: sandbox" \
-H "X-Merchant-Key: test_merchant_key" \
-H "X-API-Key: test_api_key" \
-H "X-Timestamp: 1778650000" \
-H "X-Signature: sha256=generated_hmac_signature"Success Response
200 OK
Completed payment
{
"status": "success",
"trx_id": "TXNQ5V8K2L9N3XM1",
"amount": 237.5,
"fee": 12.5,
"currency": "USD",
"net_amount": 237.5,
"customer": {
"name": "John Doe",
"email": "john@example.com"
},
"description": "Premium Subscription",
"created_at": "2026-05-13T10:30:00.000000Z",
"updated_at": "2026-05-13T10:35:45.000000Z"
}Payment Status Values
| Status | Description | Recommended Action |
|---|---|---|
pending |
Payment is still processing. | Wait for IPN or verify again later. |
success |
Payment completed successfully. | Fulfill the order after idempotency checks. |
failed |
Payment failed or was canceled. | Do not fulfill; show retry or cancel state. |
Idempotency
Use your ref_trx and the returned trx_id to make fulfillment idempotent. A webhook and a verify request may arrive close together.
GET
Site Info
Fetch gateway branding, environment labels, and customer-facing checkout metadata for a merchant-authenticated integration.
https://digidev.coevs.com/api/v1/site-info
cURL Example
curl -X GET "https://digidev.coevs.com/api/v1/site-info" \
-H "Accept: application/json" \
-H "X-Environment: sandbox" \
-H "X-Merchant-Key: test_merchant_key" \
-H "X-API-Key: test_api_key" \
-H "X-Timestamp: 1778650000" \
-H "X-Signature: sha256=generated_hmac_signature"Success Response
200 OK
Gateway metadata
{
"site_name": "DigiKash",
"site_logo": "https://digidev.coevs.com/storage/images/2025-02-27_15-19-28_logo_wy6i.png",
"site_url": "https://digidev.coevs.com",
"gateway_name": "DigiKash Payment Gateway",
"gateway_description": "Secure payment powered by DigiKash",
"features": {
"ssl_secured": "SSL Secured",
"instant_processing": "Instant",
"global_support": "Global",
"mobile_ready": "Mobile Ready"
},
"environments": {
"production": "Production Mode - Live payment processing is active",
"sandbox": "Test Mode - This is a test transaction. No real money will be charged"
},
"api_version": "1.0",
"status": "active"
}Webhooks (IPN)
DigiKash sends real-time notifications to your specified IPN URL when payment status changes. This ensures you're immediately notified of payment completions, failures, and other status updates. Webhooks work identically in both sandbox and production environments.
Environment-Aware Webhooks
Use the same webhook URL for both sandbox and production. DigiKash will include environment context in webhook payloads to help you differentiate between test and live transactions.
Reliable Delivery
DigiKash retries timeout webhook deliveries up to 3 attempts. Your endpoint should return a 2xx response as soon as the payload is safely queued or processed.
Webhook Headers
| Header | Description | Example |
|---|---|---|
Content-Type |
Always application/json |
application/json |
X-Signature |
Raw HMAC-SHA256 signature for verification | a8b9c2d1e5f3... |
X-Environment |
Webhook environment context | sandbox | production |
Webhook Payload
All webhook payloads include environment information to help you differentiate between sandbox and production transactions:
Environment Context:
environment field will be sandbox for test transactions or production for live transactions. Transaction IDs are prefixed accordingly (SANDBOX_ or PRODUCTION_).
{
"data": {
"ref_trx": "TXNT4AQFESTAG4F",
"description": "Order #1234",
"ipn_url": "https://webhook.site/5711b7d5-917a-4d94-bbb3-c28f4a37bea5",
"cancel_redirect": "https://merchant.com/cancel",
"success_redirect": "https://merchant.com/success",
"customer_name": "John Doe",
"customer_email": "john@example.com",
"merchant_name": "Xanthus Wiggins",
"amount": 200,
"currency_code": "USD",
"environment": "production",
"is_sandbox": false
},
"message": "Payment Completed",
"status": "completed",
"timestamp": 1705747245
}Signature Verification
Always verify webhook signatures to ensure authenticity and prevent unauthorized requests. Use your API secret (environment-specific) to verify signatures:
Environment-Specific Secrets: Use
test_webhook_secret for sandbox and webhook_secret for production environments.
<?php
// Laravel Webhook Handler
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use App\Enums\EnvironmentMode;
class DigiKashWebhookController extends Controller
{
public function handle(Request $request)
{
// Get webhook headers
$environment = $request->header('X-Environment', 'production');
$signature = $request->header('X-Signature');
// Get appropriate secret based on environment
$secret = $this->getSecretForEnvironment($environment);
// Verify signature
if (!$this->verifySignature($request->getContent(), $signature, $secret)) {
Log::warning('DigiKash webhook signature verification failed', [
'environment' => $environment
]);
return response()->json(['error' => 'Invalid signature'], 401);
}
$payload = $request->json()->all();
// Handle based on environment
if ($environment === EnvironmentMode::SANDBOX->value) {
return $this->handleSandboxWebhook($payload);
} else {
return $this->handleProductionWebhook($payload);
}
}
private function getSecretForEnvironment(string $environment): string
{
// Return test secret for sandbox, live secret for production
return $environment === 'sandbox'
? config('digikash.test_webhook_secret')
: config('digikash.webhook_secret');
}
private function verifySignature(string $payload, string $signature, string $secret): bool
{
$expectedSignature = hash_hmac('sha256', $payload, $secret);
$providedSignature = str_starts_with($signature, 'sha256=') ? substr($signature, 7) : $signature;
return hash_equals($expectedSignature, $providedSignature);
}
private function handleSandboxWebhook(array $payload): JsonResponse
{
Log::info('Processing sandbox webhook', $payload);
// Your sandbox-specific logic here
// Don't fulfill orders, don't send emails to real customers, etc.
return response()->json(['status' => 'sandbox_processed']);
}
private function handleProductionWebhook(array $payload): JsonResponse
{
Log::info('Processing production webhook', $payload);
// Your production logic here
// Fulfill orders, send confirmation emails, etc.
return response()->json(['status' => 'processed']);
}
}const crypto = require('crypto');
const express = require('express');
const EnvironmentMode = {
SANDBOX: 'sandbox',
PRODUCTION: 'production'
};
// Webhook handler
app.post('/api/webhooks/digikash', async (req, res) => {
const environment = req.headers['x-environment'] || 'production';
const signature = req.headers['x-signature'];
# Get appropriate secret based on environment
const secret = getSecretForEnvironment(environment);
# Verify signature
if (!verifySignature(JSON.stringify(req.body), signature, secret)) {
console.warn('DigiKash webhook signature verification failed', {
environment: environment
});
return res.status(401).json({ error: 'Invalid signature' });
}
const payload = req.body;
try {
# Handle based on environment
if (environment === EnvironmentMode.SANDBOX) {
await handleSandboxWebhook(payload);
} else {
await handleProductionWebhook(payload);
}
res.json({ status: 'processed' });
} catch (error) {
console.error('Webhook processing error:', error);
res.status(500).json({ error: 'Processing failed' });
}
});
function getSecretForEnvironment(environment) {
# Return test secret for sandbox, live secret for production
return environment === 'sandbox'
? process.env.DIGIKASH_TEST_WEBHOOK_SECRET
: process.env.DIGIKASH_WEBHOOK_SECRET;
}
function verifySignature(payload, signature, secret) {
if (!signature) {
return false;
}
const expectedSignature = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
const providedSignature = signature.startsWith('sha256=') ? signature.slice(7) : signature;
return crypto.timingSafeEqual(
Buffer.from(expectedSignature),
Buffer.from(providedSignature)
);
}
async function handleSandboxWebhook(payload) {
console.log('Processing sandbox webhook:', payload);
# Your sandbox-specific logic here
# Don't fulfill orders, don't send emails to real customers, etc.
}
async function handleProductionWebhook(payload) {
console.log('Processing production webhook:', payload);
# Your production logic here
# Fulfill orders, send confirmation emails, etc.
}import hmac
import hashlib
import json
import logging
from django.http import JsonResponse
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_http_methods
logger = logging.getLogger(__name__)
ENVIRONMENT_MODE = {
'SANDBOX': 'sandbox',
'PRODUCTION': 'production'
}
@csrf_exempt
@require_http_methods(["POST"])
def digikash_webhook(request):
environment = request.headers.get('X-Environment', 'production')
signature = request.headers.get('X-Signature', '')
# Get appropriate secret based on environment
secret = get_secret_for_environment(environment)
# Verify signature
if not verify_signature(request.body, signature, secret):
logger.warning('DigiKash webhook signature verification failed', extra={
'environment': environment
})
return JsonResponse({'error': 'Invalid signature'}, status=401)
try:
payload = json.loads(request.body)
# Handle based on environment
if environment == ENVIRONMENT_MODE['SANDBOX']:
handle_sandbox_webhook(payload)
else:
handle_production_webhook(payload)
return JsonResponse({'status': 'processed'})
except Exception as e:
logger.error(f'Webhook processing error:{str(e)}')
return JsonResponse({'error': 'Processing failed'}, status=500)
def get_secret_for_environment(environment):
from django.conf import settings
# Return test secret for sandbox, live secret for production
return (settings.DIGIKASH_TEST_WEBHOOK_SECRET
if environment == 'sandbox'
else settings.DIGIKASH_WEBHOOK_SECRET)
def verify_signature(payload, signature, secret):
if not signature:
return False
expected_signature = hmac.new(
secret.encode('utf-8'),
payload,
hashlib.sha256
).hexdigest()
provided_signature = signature[7:] if signature.startswith('sha256=') else signature
return hmac.compare_digest(expected_signature, provided_signature)
def handle_sandbox_webhook(payload):
logger.info('Processing sandbox webhook', extra=payload)
# Your sandbox-specific logic here
# Don't fulfill orders, don't send emails to real customers, etc.
def handle_production_webhook(payload):
logger.info('Processing production webhook', extra=payload)
# Your production logic here
# Fulfill orders, send confirmation emails, etc.
Environment-Specific Best Practices
Sandbox Webhooks
- Use for testing webhook integration
- No real money transactions
- Don't fulfill actual orders
- Don't send emails to real customers
- Use test webhook secret for verification
Production Webhooks
- Process real customer orders
- Send confirmation emails
- Update inventory systems
- Trigger fulfillment processes
- Use production webhook secret for verification
Integration Examples
Production-oriented integration examples for popular platforms and frameworks. Keep gateway selection in Merchant API Config, then sign each API request from your server.
Environment Configuration: Replace {environment} with sandbox or production, and use corresponding credentials - test_ prefix for sandbox, no prefix for production in your configuration files.
Latest Checkout Rules
The requested currency must match the merchant setup and active wallet. Gateway visibility is controlled from Merchant API Config; allow_payment_methods only narrows the already eligible gateway list.
Signature Required
Examples should include X-Timestamp and X-Signature generated with the API Secret for the selected sandbox or production environment. See Authentication for the exact signature payload.
<?php
// Laravel Integration Service
namespace App\Services;
use Illuminate\Support\Facades\Http;
use Exception;
class DigiKashService
{
private string $baseUrl;
private string $merchantKey;
private string $apiKey;
private string $environment;
public function __construct()
{
$this->baseUrl = config('digikash.base_url');
$this->merchantKey = config('digikash.merchant_key');
$this->apiKey = config('digikash.api_key');
$this->environment = config('digikash.environment'); // 'sandbox' or 'production'
}
public function initiatePayment(array $paymentData): array
{
try {
$response = Http::withHeaders([
'Content-Type' => 'application/json',
'X-Environment' => $this->environment,
'X-Merchant-Key' => $this->merchantKey,
'X-API-Key' => $this->apiKey,
])->post("{$this->baseUrl}/api/v1/initiate-payment", $paymentData);
if ($response->successful()) {
return $response->json();
}
throw new Exception('DigiKash API Error: Payment initiation failed');
} catch (Exception $e) {
throw new Exception('DigiKash API Error: ' . $e->getMessage());
}
}
public function verifyPayment(string $transactionId): array
{
try {
$response = Http::withHeaders([
'Accept' => 'application/json',
'X-Environment' => $this->environment,
'X-Merchant-Key' => $this->merchantKey,
'X-API-Key' => $this->apiKey,
])->get("{$this->baseUrl}/api/v1/verify-payment/{$transactionId}");
if ($response->successful()) {
return $response->json();
}
throw new Exception('DigiKash API Error: Payment verification failed');
} catch (Exception $e) {
throw new Exception('DigiKash API Error: ' . $e->getMessage());
}
}
}
// Configuration (config/digikash.php)
return [
'base_url' => env('DIGIKASH_BASE_URL', 'https://digidev.coevs.com'),
'environment' => env('DIGIKASH_ENVIRONMENT', 'sandbox'), // sandbox or production
'merchant_key' => env('DIGIKASH_MERCHANT_KEY'), // Use appropriate prefix
'api_key' => env('DIGIKASH_API_KEY'), // Use appropriate prefix
];
// Usage in Controller
class PaymentController extends Controller
{
public function initiatePayment(Request $request, DigiKashService $digikash)
{
$paymentData = [
'payment_amount' => $request->amount,
'currency_code' => 'USD',
'ref_trx' => 'ORDER_' . time(),
'description' => $request->description,
'success_redirect' => route('payment.success'),
'cancel_redirect' => route('payment.cancelled'),
'ipn_url' => route('webhooks.digikash'),
'allow_payment_methods' => ['stripe', 'paypal'],
];
try {
$result = $digikash->initiatePayment($paymentData);
return redirect($result['payment_url']);
} catch (Exception $e) {
return back()->withErrors(['error' => $e->getMessage()]);
}
}
}// Node.js Integration Service
const axios = require('axios');
class DigiKashService {
constructor() {
this.baseUrl = process.env.DIGIKASH_BASE_URL || 'https://digidev.coevs.com';
this.environment = process.env.DIGIKASH_ENVIRONMENT || 'sandbox'; // sandbox or production
this.merchantKey = process.env.DIGIKASH_MERCHANT_KEY; // Use appropriate prefix
this.apiKey = process.env.DIGIKASH_API_KEY; // Use appropriate prefix
}
async initiatePayment(paymentData) {
try {
const response = await axios.post(`${this.baseUrl}/api/v1/initiate-payment`, paymentData, {
headers: {
'Content-Type': 'application/json',
'X-Environment': this.environment,
'X-Merchant-Key': this.merchantKey,
'X-API-Key': this.apiKey
}
});
return response.data;
} catch (error) {
throw new Error(`DigiKash API Error: ${error.message}`);
}
}
async verifyPayment(transactionId) {
try {
const response = await axios.get(`${this.baseUrl}/api/v1/verify-payment/${transactionId}`, {
headers: {
'Accept': 'application/json',
'X-Environment': this.environment,
'X-Merchant-Key': this.merchantKey,
'X-API-Key': this.apiKey
}
});
return response.data;
} catch (error) {
throw new Error(`DigiKash API Error: ${error.message}`);
}
}
}
// Express.js Route Example
const express = require('express');
const app = express();
const digikash = new DigiKashService();
app.post('/initiate-payment', async (req, res) => {
const paymentData = {
payment_amount: req.body.amount,
currency_code: 'USD',
ref_trx: `ORDER_${Date.now()}`,
description: req.body.description,
success_redirect: `${req.protocol}://${req.get('host')}/payment/success`,
cancel_redirect: `${req.protocol}://${req.get('host')}/payment/cancelled`,
ipn_url: `${req.protocol}://${req.get('host')}/webhooks/digikash`,
allow_payment_methods: ['stripe', 'paypal'],
};
try {
const result = await digikash.initiatePayment(paymentData);
res.redirect(result.payment_url);
} catch (error) {
res.status(500).json({ error: error.message });
}
});
module.exports = DigiKashService;# Python/Django Integration Service
import os
import requests
from django.conf import settings
class DigiKashService:
def __init__(self):
self.base_url = getattr(settings, 'DIGIKASH_BASE_URL', 'https://digidev.coevs.com')
self.environment = getattr(settings, 'DIGIKASH_ENVIRONMENT', 'sandbox') # sandbox or production
self.merchant_key = getattr(settings, 'DIGIKASH_MERCHANT_KEY') # Use appropriate prefix
self.api_key = getattr(settings, 'DIGIKASH_API_KEY') # Use appropriate prefix
def initiate_payment(self, payment_data):
try:
headers = {
'Content-Type': 'application/json',
'X-Environment': self.environment,
'X-Merchant-Key': self.merchant_key,
'X-API-Key': self.api_key
}
response = requests.post(
f"{self.base_url}/api/v1/initiate-payment",
headers=headers,
json=payment_data,
timeout=30
)
response.raise_for_status()
return response.json()
except requests.RequestException as e:
raise Exception(f'DigiKash API Error: {str(e)}')
def verify_payment(self, transaction_id):
try:
headers = {
'Accept': 'application/json',
'X-Environment': self.environment,
'X-Merchant-Key': self.merchant_key,
'X-API-Key': self.api_key
}
response = requests.get(
f"{self.base_url}/api/v1/verify-payment/{transaction_id}",
headers=headers,
timeout=30
)
response.raise_for_status()
return response.json()
except requests.RequestException as e:
raise Exception(f'DigiKash API Error: {str(e)}')
# Django Settings Configuration
DIGIKASH_BASE_URL = 'https://digidev.coevs.com'
DIGIKASH_ENVIRONMENT = 'sandbox' # Change to 'production' for live
DIGIKASH_MERCHANT_KEY = os.environ.get('DIGIKASH_MERCHANT_KEY') # Use appropriate prefix
DIGIKASH_API_KEY = os.environ.get('DIGIKASH_API_KEY') # Use appropriate prefix
# Django View Example
from django.shortcuts import redirect
from django.http import JsonResponse
from django.views.decorators.csrf import csrf_exempt
import json
digikash = DigiKashService()
@csrf_exempt
def initiate_payment(request):
if request.method == 'POST':
data = json.loads(request.body)
payment_data = {
'payment_amount': data['amount'],
'currency_code': 'USD',
'ref_trx': f'ORDER_{int(time.time())}',
'description': data['description'],
'success_redirect': request.build_absolute_uri('/payment/success/'),
'cancel_redirect': request.build_absolute_uri('/payment/cancelled/'),
'ipn_url': request.build_absolute_uri('/webhooks/digikash/'),
'allow_payment_methods': ['stripe', 'paypal'],
}
try:
result = digikash.initiate_payment(payment_data)
return redirect(result['payment_url'])
except Exception as e:
return JsonResponse({'error': str(e)}, status=500)# Environment Variables Setup
export DIGIKASH_ENVIRONMENT="sandbox" # or "production"
export DIGIKASH_MERCHANT_KEY="test_merchant_your_key" # or "merchant_your_key" for production
export DIGIKASH_API_KEY="test_your_api_key" # or "your_api_key" for production
# Initiate Payment
curl -X POST "https://digidev.coevs.com/api/v1/initiate-payment" \
-H "Content-Type: application/json" \
-H "X-Environment: $DIGIKASH_ENVIRONMENT" \
-H "X-Merchant-Key: $DIGIKASH_MERCHANT_KEY" \
-H "X-API-Key: $DIGIKASH_API_KEY" \
-d '{
"payment_amount": 250.00,
"currency_code": "USD",
"ref_trx": "ORDER_12345",
"description": "Premium Subscription",
"success_redirect": "https://yoursite.com/payment/success",
"cancel_redirect": "https://yoursite.com/payment/cancelled",
"ipn_url": "https://yoursite.com/api/webhooks/digikash",
"allow_payment_methods": ["stripe", "paypal"]
}'
# Verify Payment
curl -X GET "https://digidev.coevs.com/api/v1/verify-payment/TXNQ5V8K2L9N3XM1" \
-H "Accept: application/json" \
-H "X-Environment: $DIGIKASH_ENVIRONMENT" \
-H "X-Merchant-Key: $DIGIKASH_MERCHANT_KEY" \
-H "X-API-Key: $DIGIKASH_API_KEY"
# Environment-specific credential examples:
# Sandbox: test_merchant_xxxxx, test_api_key_xxxxx
# Production: merchant_xxxxx, api_key_xxxxxWooCommerce Integration
Advanced DigiKash payment gateway with modern WooCommerce Blocks support, dynamic branding, and enterprise-grade security features.
Advanced WooCommerce Integration
Production-ready payment gateway with WooCommerce Blocks (Gutenberg) support, dynamic branding, and secure webhook processing.
3
Minutes Setup
99.9%
Uptime
24/7
Webhook Support
Latest Plugin Download
Enterprise-grade WooCommerce payment gateway with modern Blocks support and dynamic branding.
Plugin Size: 45.2 KB
Version: 2.8.0
Last Updated: May 19, 2026
System Requirements
- WordPress 5.8+
- WooCommerce 6.0+
- PHP 8.1+ (8.2+ Recommended)
- SSL Certificate (Required)
- DigiKash Merchant Account
- WooCommerce Blocks Support
Production Ready
Advanced Features
Enterprise-grade payment processing with modern architecture
WooCommerce Blocks
Full Gutenberg checkout compatibility with React-based UI
Dynamic Branding
Auto-fetch logo, colors, and branding from DigiKash API
Secure Webhooks
HMAC-SHA256 signature verification for payment callbacks
Compact Mobile UI
Space-efficient, responsive design for all devices
Advanced Security
Multi-header authentication with environment isolation
Test/Live Mode
Seamless sandbox testing with production deployment
Quick Installation Guide
Get started with DigiKash WooCommerce integration in minutes
1
Download Latest Plugin
Download DigiKash WooCommerce Gateway v2.8.0 from the download section above. This includes all latest features and security updates.
2
Install via WordPress Admin
Navigate to Plugins → Add New → Upload Plugin and select the downloaded ZIP file. The plugin will auto-extract and install.
3
Activate & Configure
Activate the plugin and go to WooCommerce → Settings → Payments → DigiKash. Enter your API credentials and webhook secret.
4
Test Integration
Enable Test Mode, process a sandbox transaction to verify Blocks checkout, webhook delivery, and order completion.
5
Go Live
Disable test mode, ensure production API keys are configured, and start accepting real payments with full webhook processing.
API Configuration
Essential API settings for secure payment processing
API Base URL
https://digidev.coevs.com
Merchant ID & API Key
Your unique merchant credentials from DigiKash dashboard
RequiredWebhook Secret
HMAC-SHA256 signature verification for secure callbacks
RecommendedAuthentication Headers
Required headers for all DigiKash API requests:
X-Environment: sandbox|production
X-Merchant-Key: your_merchant_id
X-API-Key: your_api_key
Content-Type: application/jsonWebhook Configuration
Real-time payment status updates and order processing
Webhook Endpoint
https://yoursite.com/wc-api/digikash_webhook
Configure this URL in your DigiKash merchant dashboard for automatic order updates.
Supported Events
- Payment Success
- Payment Failed
- Payment Cancelled
- Payment Pending
- Refund Processed
- Payment Timeout
WooCommerce Blocks Integration
Modern Gutenberg checkout with React-based payment UI
Responsive Design
Compact, mobile-optimized payment interface that adapts to any screen size.
Dynamic Branding
Automatically fetches and displays your DigiKash branding and logos.
Security Indicators
Clear SSL and security badges to build customer trust during checkout.
Test Mode Support
Clear sandbox indicators for testing without affecting live transactions.
Production Deployment Checklist
Ensure everything is configured correctly before going live
Technical Requirements
API Configuration
Final Verification
Troubleshooting
Common issues and solutions for DigiKash WooCommerce integration
Payment method not showing in checkout
Solutions:
- Verify plugin is activated and enabled in WooCommerce → Settings → Payments
- Clear browser cache and WooCommerce cache
- Check if API credentials are correctly configured
- Ensure SSL certificate is properly installed
401 Unauthorized API errors
Solutions:
- Verify Merchant ID and API Key are correct
- Ensure environment (sandbox/production) matches your credentials
- Check that all required headers are being sent
- Contact DigiKash support to verify account status
Orders not updating after payment
Solutions:
- Verify webhook URL is configured in DigiKash dashboard
- Check webhook secret key matches plugin configuration
- Review WordPress error logs for webhook processing errors
- Test webhook delivery using DigiKash dashboard tools
Release Readiness
Sandbox first, production after approval
Sandbox & Go Live Checklist
Use this checklist before moving from test payments to live checkout. The same API routes work in both modes; only the environment header and credential set change.
Sandbox
Use test credentials and X-Environment: sandbox. Transactions are marked as sandbox and do not represent real money movement.
- Generate or copy test Merchant ID, API Key, and API Secret.
- Send signed API requests with the sandbox secret.
- Test success, cancel, pending, failed, webhook, and verify flows.
Production
Use live credentials and X-Environment: production only after admin approval, wallet readiness, and gateway configuration are complete.
- Merchant status must be approved.
- Every live currency must have an active merchant wallet.
- Payment Gateway Controls should contain only gateways you want customers to see.
Production Launch Checks
Required before live traffic
Review Config
Approved merchant
Production API returns 403 until admin approval is complete.
Server-side signing
Each request includes X-Timestamp and X-Signature generated with the matching API secret.
Wallet coverage
Each merchant currency has an active receiver wallet.
Gateway coverage
Selected gateways match the currencies customers will use.
Redirect URLs
success_redirect and cancel_redirect are HTTPS and handle repeated visits safely.
IPN verification
Webhook signature is verified before fulfillment or wallet-side order updates.
Important
Never switch only the X-Environment header. Always switch the Merchant ID, API Key, and API Secret together so the environment and credential set match.
Interactive API Testing
Test DigiKash API endpoints directly from this documentation. Use the demo credentials below for sandbox testing.
Demo Payment Information SANDBOX MODE
Use these demo credentials to test all payment methods in sandbox environment:
Demo Wallet
Wallet ID:
Auto-approved in sandbox
123456789
Wallet PIN:
123456
Demo Voucher
Voucher Code:
Instant redemption
TESTVOUCHER
Gateway Payment
Behavior:
No external redirection
Auto Success
Testing Guidelines
- Environment Header: Always include
X-ENVIRONMENT: sandboxin your API requests - Demo Credentials: Use the provided demo wallet/voucher codes for testing payment flows
- Sandbox Behavior: All payments auto-complete successfully without real money processing
- Gateway Controls: Hosted checkout respects the gateways configured from Merchant API Config for the selected currency.
- Transaction Status: Sandbox transactions are marked with "SANDBOX_TRANSACTION" in remarks
- IPN Notifications: Webhook notifications work normally in sandbox mode
Environment Setup: Use
sandbox for testing and production for live transactions. Only sandbox credentials use test_ prefix, production credentials have no prefix.
API Testing Console
Authentication Headers
Sandbox: test_*, Production: no prefix
Sandbox: test_*, Production: no prefix
Used locally to generate X-Signature. Prefer sandbox secrets in the browser console.
Request Parameters
Currency code must be uppercase (e.g. USD, EUR, BDT). You must use the currency that matches your merchant shop setup.
Limit checkout methods by name. Accepts CSV string or JSON array. Case-insensitive.
Sandbox Environment
Base URL: https://digidev.coevs.com
Environment Header: X-Environment: sandbox
Credentials: Use test_ prefixed keys
Purpose: Safe testing without real money
Production Environment
Base URL: https://digidev.coevs.com
Environment Header: X-Environment: production
Credentials: No prefix for production keys
Purpose: Live transactions with real money
Error Codes
DigiKash API uses conventional HTTP response codes to indicate the success or failure of API requests.
HTTP Status Codes
| Code | Status | Description |
|---|---|---|
| 200 | OK | Request succeeded |
| 400 | Bad Request | Invalid request parameters |
| 401 | Unauthorized | Invalid or missing API credentials |
| 403 | Forbidden | Insufficient permissions |
| 404 | Not Found | Resource not found |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Server error occurred |
API Error Codes
| Error Code | Description | Solution |
|---|---|---|
INVALID_CREDENTIALS |
Invalid API credentials provided | Check your Merchant ID and API Key |
INSUFFICIENT_FUNDS |
Customer has insufficient funds | Customer needs to add funds to their wallet |
PAYMENT_DECLINED |
Payment was declined by payment processor | Customer should try a different payment method |
INVALID_AMOUNT |
Payment amount is invalid | Check minimum and maximum amount limits |
INVALID_CURRENCY |
Unsupported currency code | Use a supported currency code (USD, EUR, etc.) |
DUPLICATE_REFERENCE |
Transaction reference already exists | Use a unique transaction reference |
EXPIRED_SESSION |
Payment session has expired | Create a new payment request |
MERCHANT_SUSPENDED |
Merchant account is suspended | Contact DigiKash support |
Error Response Format
{
"success": false,
"message": "Validation failed",
"error_code": "INVALID_AMOUNT",
"errors": {
"payment_amount": [
"The payment amount must be at least 1.00"
]
},
"timestamp": "2024-01-20T10:30:00Z"
}
Error Handling
Always check the success field in API responses and handle errors appropriately in your application.
Support
Technical Support
Need assistance with DigiKash API integration? Our technical team provides comprehensive support.
Support Hours: 24/7 for critical issues