Authorization is enabled via a webpage hosted by Razorpay. When the application
needs to connect to a merchant's Razorpay account, it redirects the user to this
webpage where the user can approve or deny the authorization request.
Note:
Razorpay OAuth supports the standard authorization code grant.
You have to implement the flow described below to obtain an authorization code and then exchange it for an access token. The implicit grant is not currently supported.
To initiate authorization, redirect the user to Razorpay's authorization service at the URL given below:
https://auth.razorpay.com/authorize
You must define the following query parameters in the URL. All parameters are mandatory unless specified as optional:
client_id
Unique client identifier.
response_type
The only supported value is code. This specifies that the application is requesting an authorization code grant.
redirect_uri
Callback URL used by Razorpay to redirect after the user approves or denies the authorization request. The redirect_uri must be whitelisted by the client first.
scope
Defines what access your application is requesting from the user. Multiple scopes can be requested by separating each scope with a space. Refer to the Scopes section for further details.
state
A random string generated by your service. This parameter is forwarded to the redirect URL. It helps prevent CSRF attacks and is explained under Validating States.
An example of a complete authorization URL is shown below:
If the user approved the request, the following query parameters are sent to your redirect_uri:
code
URL-encoded authorization code. You can exchange this code for an access token in the next step.
state
The value of the state parameter that was sent in the authorization request. Refer to Validating States for details on how to validate this parameter.
The access_token received above can be stored on your server. Using this token, you can access the merchant's data on Razorpay APIs according to the level of access granted. Refer to the Accessing Resources section for more details.
Using the public_token for authorization can secure a public-facing implementation such as Razorpay Checkout or Payments. In such cases, the public_token can replace the key_id field as shown below:
<button id="rzp-button1">Pay</button>
<script src="https://checkout.razorpay.com/v1/checkout.js"></script>
<script>
  var options = {
    "key": "rzp_test_oauth_32hsbEKriO6ai4", // Public token, used in place of key_id
    "amount": "29900",
    "name": "Acme Corp",
    "description": "A Wild Sheep Chase is the third novel by Japanese author Haruki Murakami",
    "image": "https://example.com/your_logo",
    "handler": function (response) {
      alert(response.razorpay_payment_id);
    },
    "prefill": {
      "name": "Gaurav Kumar",
      "email": "gaurav.kumar@example.com"
    },
    "notes": {
      "address": "note value"
    },
    "theme": {
      "color": "#F37254"
    }
  };
  var rzp1 = new Razorpay(options);
  document.getElementById('rzp-button1').onclick = function (e) {
    rzp1.open();
    e.preventDefault();
  };
</script>
The state parameter helps in preventing cross-site request forgery (CSRF) attacks. State validation has to be implemented by your application and should work as described below:
Your application should generate a random, unique string and save it in the database.
The random string should be sent to Razorpay in the authorization request in the state parameter.
Razorpay will send back the same state value as a query parameter on your redirect URI.
In your backend, validate that the state value stored in your database matches the one you received for the client_id and user that initiated the authorization.
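The following is an added example, not Razorpay's own code, that ties the two backend steps above together: it generates the state, builds the authorization URL with the documented query parameters, stores the state against the client_id and user who started the flow, and validates the state on the callback before the code is accepted. The client_id, redirect URI, scope name ("read_only") and the in-memory StateStore are assumptions standing in for your real configuration and database; the code also consumes the stored state on first use so a replayed callback is rejected.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint documented above.
AUTHORIZE_URL = "https://auth.razorpay.com/authorize"


class StateStore:
    """In-memory stand-in (constructed for this example) for the database
    row holding the pending state. Keyed by (client_id, user_id) so the
    check is tied to the user who initiated the authorization."""

    def __init__(self):
        self._pending = {}

    def put(self, client_id, user_id, state):
        self._pending[(client_id, user_id)] = state

    def pop(self, client_id, user_id):
        # Removing the entry makes each state single-use.
        return self._pending.pop((client_id, user_id), None)


def generate_state():
    # 32 bytes from the OS CSPRNG, URL-safe so it survives the redirect round trip.
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state):
    params = {
        "client_id": client_id,
        "response_type": "code",        # only supported value
        "redirect_uri": redirect_uri,   # must already be whitelisted
        "scope": " ".join(scopes),      # multiple scopes are space separated
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def query_params(url):
    """Return the query string of url as a dict of single values (URL-decoded)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_authorization(store, client_id, user_id, redirect_uri, scopes):
    """Step 1-2: create and persist the state, then build the redirect URL."""
    state = generate_state()
    store.put(client_id, user_id, state)
    return build_authorize_url(client_id, redirect_uri, scopes, state)


def handle_callback(store, client_id, user_id, callback_url):
    """Step 3-4: compare the returned state with the stored one; return the
    authorization code only when they match. Raises ValueError otherwise."""
    params = query_params(callback_url)
    received_state = params.get("state")
    expected_state = store.pop(client_id, user_id)
    if expected_state is None or received_state is None:
        raise ValueError("no pending authorization for this client_id/user")
    # Constant-time comparison; encode because compare_digest needs ASCII str or bytes.
    if not hmac.compare_digest(expected_state.encode(), received_state.encode()):
        raise ValueError("state mismatch: discarding callback (possible CSRF)")
    code = params.get("code")
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    store = StateStore()
    url = start_authorization(
        store,
        "CLIENT_ID_PLACEHOLDER",                  # placeholder, not a real client_id
        "user-42",                                # your own user identifier
        "https://example.com/razorpay/callback",  # assumed whitelisted redirect_uri
        ["read_only"],                            # assumed scope name; see Scopes
    )
    print("Redirect the user to:", url)
```

In a real deployment the StateStore is a database row (or a server-side session entry) written before the redirect, and the lookup in handle_callback must use the authenticated user of the callback request, not anything supplied in the query string.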