Overview
Step 1 — Create the intent (server)
Always create the payment intent on your server, not in the browser. This keeps your secret key safe and lets you attach order metadata before the customer touches anything.Step 2 — Drive the checkout (browser)
Your frontend receives thesessionToken and uses it to guide the user through the OTP flow.
Step 3 — Listen for the result (server webhook)
Don’t rely on the frontend to confirm a payment. Use webhooks to fulfill orders server-side.Handling edge cases
Intent expired
Payment intents expire after a set period. If a user takes too long:OTP not received
Add a “Resend code” button that callsinitOtp again:
Failed payment
The webhook will fire withpayment.failed. Log the event and notify the user:
Checklist
- Create payment intents server-side (never in the browser)
- Pass only
sessionTokenandintentIdto the frontend - Validate the OTP on the Lyel Pay API, not yourself
- Fulfill orders from webhook events, not from the frontend redirect
- Handle
EXPIREDandFAILEDstatuses gracefully - Store
intentIdin your database to match webhook events to orders