KadevPay

create_checkout_session

• ⚠Use the PUBLIC key (kdvp_*) in KadevPay.checkout(), not the secret key — the secret key is only for server-side verify_payment calls.
• ⚠amount is a number in XOF (FCFA), not a string — e.g. 5000 for 5000 FCFA.
• ⚠Save the transaction reference returned via the onSuccess callback — you need it to call verify_payment before fulfilling the order.
• ⚠For method: 'card', KadevPay processes payments via Paystack internally — no additional Paystack integration is needed.
• ⚠Always call verify_payment server-side after checkout — the onSuccess callback can be spoofed.

verify_payment

• ⚠Use the SECRET key (kdvs_*), not the public key — using the wrong key returns 401.
• ⚠reference is passed as a path parameter: GET /api/v1/transactions/verify/{reference}, not in the request body.
• ⚠Check both conditions before fulfilling: top-level status === 'success' AND data.status === 'paid'. Checking only data.status is not sufficient — an invalid reference can return a non-success top-level status.
• ⚠Pass the reference directly as a path segment — do not URL-encode it. The format KDV-* contains only safe characters.
• ⚠mode: 'test' appears in sandbox responses — check this field to distinguish test vs live transactions.

webhook_payment_success

• ⚠Verify the signature: compute HMAC-SHA512(JSON.stringify(req.body), KADEVPAY_WEBHOOK_SECRET) and compare with the x-kadevpay-signature header — hash the re-serialized parsed body, not the raw request string. Use SHA-512, not SHA-256.
• ⚠Only act on event === 'payment.success' — other event types may be added by KadevPay in the future.
• ⚠net_amount is the actual revenue after KadevPay's 3% fee — use it for accounting, not amount.
• ⚠Always call verify_payment server-side after receiving the webhook — never fulfill based on the webhook payload alone.
• ⚠Return HTTP 200 immediately; process the event asynchronously. The webhook URL must be HTTPS and configured in the KadevPay dashboard.