Skip to main content
This guide walks through a complete payment flow — from your server creating the intent to your frontend collecting the OTP and confirming the payment.

Overview


Step 1 — Create the intent (server)

Always create the payment intent on your server, not in the browser. This keeps your secret key safe and lets you attach order metadata before the customer touches anything.

Step 2 — Drive the checkout (browser)

Your frontend receives the sessionToken and uses it to guide the user through the OTP flow.

Step 3 — Listen for the result (server webhook)

Don’t rely on the frontend to confirm a payment. Use webhooks to fulfill orders server-side.

Handling edge cases

Intent expired

Payment intents expire after a set period. If a user takes too long:

OTP not received

Add a “Resend code” button that calls initOtp again:

Failed payment

The webhook will fire with payment.failed. Log the event and notify the user:

Checklist

  • Create payment intents server-side (never in the browser)
  • Pass only sessionToken and intentId to the frontend
  • Validate the OTP on the Lyel Pay API, not yourself
  • Fulfill orders from webhook events, not from the frontend redirect
  • Handle EXPIRED and FAILED statuses gracefully
  • Store intentId in your database to match webhook events to orders