Guide
How to accept payments in your app with Razorpay
If you are building an app in India, at some point money has to change hands. Razorpay is the default choice for most Indian founders because it supports UPI, cards, netbanking and wallets out of one integration, settles to your bank account, and handles the compliance most startups do not want to build themselves. This guide walks through the whole path: opening and verifying an account, understanding how the payment flow actually works, adding a real checkout to your app, verifying payments securely with webhooks, handling refunds, and the specific things you must get right before you go live. It is written for someone shipping a product, not a payments engineer.
How online payments actually work
Before touching code, it helps to have the mental model right, because most integration bugs come from misunderstanding the flow. When a customer pays, four parties are involved: your app, Razorpay, the customer's bank, and your bank. Razorpay sits in the middle as the payment gateway and aggregator. It collects the money via UPI or card, holds it briefly, and then settles it to your bank account on a schedule (typically T+2 working days for a standard account).
The single most important rule: never trust the customer's browser or phone to tell you a payment succeeded. The client can be manipulated. The real confirmation comes from your server verifying a cryptographic signature and, ideally, from a server-to-server webhook that Razorpay sends you. Everything below is built around that rule.
Step 1: Open and verify your Razorpay account
Sign up at razorpay.com and you immediately get access to Test Mode, where you can build and try the entire flow with fake cards and test UPI IDs without moving real money. You do not need to wait for approval to start integrating. To accept real payments you must complete KYC, and that requires a few documents kept ready in advance.
- PAN of the business or proprietor
- Bank account details where settlements will land (account number and IFSC)
- Business proof: GST certificate, Udyam/MSME registration, incorporation certificate, or shop licence depending on business type
- A working website or app description, and your business category, since some categories need extra review
You can register as an Individual, Proprietorship, Partnership, LLP or Private Limited company. A registered entity gets smoother activation and access to more features, but individuals and proprietors can also accept payments. Activation usually takes one to four working days once documents are correct.
Step 2: Get your API keys
In the Razorpay Dashboard under Settings, generate API keys. You get a Key ID and a Key Secret, and there are separate pairs for Test Mode and Live Mode. The Key ID is used on the client to open checkout. The Key Secret must live only on your server and never appear in frontend code, a mobile app bundle, or a public git repository. Treat the secret like a password.
A leaked Key Secret lets someone create orders and issue refunds on your account. If you ever paste it into client code or commit it, rotate the key in the dashboard immediately.
Step 3: The three-part payment flow
A correct Razorpay integration always has three distinct pieces. Skipping any of them is where founders get burned.
| Stage | Where it runs | What happens |
|---|---|---|
| Create order | Your server | You call Razorpay's Orders API with the amount in paise and a currency. Razorpay returns an order_id you pass to the client. |
| Collect payment | Customer's device | The Razorpay Checkout opens with your Key ID and the order_id. The customer pays via UPI, card or netbanking. |
| Verify payment | Your server | You verify the returned signature, and confirm via webhook, before you mark the order paid or unlock anything. |
Notice that amounts are in paise: 499 rupees is 49900. Always compute the amount on your server from your own prices, never from a number sent by the client, otherwise a user can edit the amount and pay one rupee for a premium plan.
Step 4: Create the order on your server
When the customer clicks Pay, your frontend calls your own backend endpoint. That endpoint looks up the real price, calls the Razorpay Orders API with your Key ID and Secret, and returns the order_id to the frontend. In a Node backend it is roughly this: create a Razorpay client with your keys, then razorpay.orders.create with amount, currency 'INR', and a receipt string you can trace back to the cart or subscription. Store that order in your own database with a status of 'created' so you have a record independent of Razorpay.
Step 5: Open checkout in your app
For a web app you load Razorpay's checkout script and open it with the order_id, your Key ID, and prefill fields like the customer's name, email and phone. UPI, cards, netbanking and wallets all appear automatically based on what you have enabled. For a React Native mobile app you use the official react-native-razorpay package, which opens the same native checkout inside your Android and iOS app. Either way, when payment completes the checkout hands your client three values: razorpay_payment_id, razorpay_order_id and razorpay_signature.
Step 6: Verify the payment properly
This is the step people cut corners on and it is the one that matters most. Send those three values back to your server. On the server, compute an HMAC SHA256 of order_id + '|' + payment_id using your Key Secret, and compare it to the razorpay_signature you received. If they match, the payment is genuine. If they do not, reject it. Only after a matching signature do you mark the order paid and deliver the goods.
For real reliability, add a webhook. In the dashboard, register a webhook URL on your server for events like payment.captured and payment.failed, with a webhook secret. Razorpay then calls your server directly, signed with that secret, so even if the customer closes the app right after paying, your backend still learns the payment happened. Use the payment_id to make webhook handling idempotent, so a repeated delivery does not unlock the same order twice.
Rule of thumb: unlock value on the webhook, not on the client callback. The client callback is for showing a nice success screen; the webhook is the source of truth.
Step 7: Refunds, receipts and reconciliation
Refunds are a server call to the Refunds API with a payment_id and an optional amount for partial refunds. Log every refund against your order record. For accounting, download the settlement reports from the dashboard, which show how gross payments, fees and GST on those fees roll up into each bank settlement. Razorpay charges a percentage fee per successful transaction (commonly around 2 percent plus GST for standard plans, with UPI often at lower or promotional rates), so build that into your pricing rather than being surprised at settlement.
Step 8: Going live
- Switch from Test keys to Live keys, and confirm no test key is left in production config
- Confirm your webhook URL is publicly reachable over HTTPS and its secret is set
- Do one real low-value transaction end to end and then refund it
- Handle the failure and pending states, not just success, since UPI can sit in a pending state before confirming
- Show clear pricing, a refund policy, and contact details, which are also activation requirements
Doing this without wiring it all by hand
Everything above is real work: a server endpoint to create orders, secure key storage, signature verification, a webhook handler, a database table for orders, and a checkout in both your web and mobile builds. Kashvi is built for exactly this. You describe the app in plain English, and it generates a real backend with a Postgres database, real user sign-up and login, and payment flows that follow the server-verification pattern described here rather than trusting the client. Because Razorpay and UPI are first-class for Indian founders, you are not bolting payments onto a foreign-first stack. And since you can export and own the full code, the order creation, verification and webhook logic are yours to read and change. You still add your own Razorpay keys and complete KYC, because that is your business account, but the plumbing is done for you.
Questions
Frequently asked
- Do I need a registered company to use Razorpay?
- No. You can activate as an individual or proprietor with your PAN and bank details, though a registered entity (LLP or Private Limited) usually gets smoother activation and access to more features. Keep your PAN, bank account, and a business proof like GST or Udyam ready to speed up KYC.
- Can I test payments before completing KYC?
- Yes. Test Mode is available the moment you sign up, with test cards and test UPI IDs, so you can build and verify the entire flow without moving real money. You only need KYC and Live keys to accept actual payments.
- Why should I verify payments on the server instead of trusting the app?
- Because the customer's device can be manipulated to claim a payment succeeded when it did not. The trustworthy confirmation is a server-side HMAC SHA256 signature check plus a webhook from Razorpay. Only unlock paid features after that server verification.
- Does Razorpay support UPI inside my app?
- Yes. UPI, cards, netbanking and wallets all come through a single integration and appear automatically in the checkout based on what you enable. For mobile apps, the native checkout via react-native-razorpay shows UPI apps directly on the phone.
- What does Razorpay charge per transaction?
- Standard plans commonly charge around 2 percent plus GST per successful transaction, with UPI often lower or promotional. Rates vary by plan and business category, so check your dashboard pricing and build the fee into your margins rather than absorbing it at settlement.
- How long until money reaches my bank account?
- Settlement is typically T+2 working days for a standard account, meaning a payment collected today reaches your bank about two working days later. You can see exact schedules and settlement reports, including fees and GST, in the dashboard.
Keep exploring
Add real Razorpay payments to your app
Describe your product and get a working app with a real database, login, and server-verified UPI and card payments you fully own.
Open the studioFree to start · no credit card