Payment provider abstraction for StoneScriptPHP. Razorpay is the first driver; the interface is designed for Paddle, Square, Apple Pay, and others as future drivers.
```bash
composer require progalaxyelabs/stonescriptphp-pay
```

```php
use StoneScriptPay\Drivers\RazorpayDriver;
use StoneScriptPay\DTO\CreateOrderRequest;
use StoneScriptPay\DTO\VerifyRequest;
use StoneScriptPay\DTO\WebhookRequest;

// Instantiate — credentials are runtime-injected from env, never hardcoded
$provider = new RazorpayDriver(
    keyId: $_ENV['RAZORPAY_KEY_ID'],
    keySecret: $_ENV['RAZORPAY_KEY_SECRET'],
    webhookSecret: $_ENV['RAZORPAY_WEBHOOK_SECRET'],
);

// 1. Create an order (server-set amount — never trust client)
$order = $provider->createOrder(new CreateOrderRequest(
    amountMinorUnits: 49900, // paise for INR
    currency: 'INR',
    receipt: 'order_ref_001',
    notes: ['tenant_id' => $tenantId],
));
// Pass $order->orderId and $order->publishableKeyId to the frontend

// 2. Verify the checkout response from the frontend
$result = $provider->verifySignature(new VerifyRequest(
    paymentId: $request->razorpay_payment_id,
    orderId: $request->razorpay_order_id,
    signature: $request->razorpay_signature,
));
// $result->verified === true → safe to fulfil the order

// 3. Handle webhooks
$event = $provider->handleWebhook(new WebhookRequest(
    rawBody: file_get_contents('php://input'),
    signature: $_SERVER['HTTP_X_RAZORPAY_SIGNATURE'] ?? '',
));
if ($event->isPaymentCaptured()) {
    // Activate subscription / fulfil order
}
```

- Backend is the verification authority — amount is set server-side; the frontend only receives `order_id` and the publishable `key_id`.
- Secrets are runtime-injected — `key_secret` and `webhookSecret` are never in source.
- Hosted checkout only — card details never pass through your app (Razorpay's hosted surface).
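
The `verifySignature` and `handleWebhook` steps above rest on two HMAC checks. The sketch below is an added example, not code from this package: it follows Razorpay's documented signature scheme, and it is an assumption that the driver performs the equivalent checks internally. Function names and all sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: function names are hypothetical, not StoneScriptPay's API.

// Checkout: HMAC-SHA256 over "order_id|payment_id", keyed with key_secret.
// Razorpay's docs advise using the order id stored server-side for this purchase,
// so a signature issued for one order cannot be presented for another.
function checkoutSignatureValid(string $storedOrderId, string $paymentId, string $signature, string $keySecret): bool
{
    $expected = hash_hmac('sha256', $storedOrderId . '|' . $paymentId, $keySecret);
    return hash_equals($expected, $signature); // constant-time comparison
}

// Webhook: HMAC-SHA256 over the exact raw request body, keyed with the webhook secret.
function webhookSignatureValid(string $rawBody, string $signature, string $webhookSecret): bool
{
    if ($signature === '') {
        return false; // a missing header is a rejection
    }
    return hash_equals(hash_hmac('sha256', $rawBody, $webhookSecret), $signature);
}

// Constructed sample values (not real credentials or ids).
$keySecret = 'example_key_secret';
$webhookSecret = 'example_webhook_secret';
$orderId = 'order_EXAMPLE001';
$paymentId = 'pay_EXAMPLE001';

$sig = hash_hmac('sha256', $orderId . '|' . $paymentId, $keySecret);
var_dump(checkoutSignatureValid($orderId, $paymentId, $sig, $keySecret));
// Same signature presented against a different stored order.
var_dump(checkoutSignatureValid('order_EXAMPLE002', $paymentId, $sig, $keySecret));

$rawBody = '{"event": "payment.captured", "amount": 49900}';
$hookSig = hash_hmac('sha256', $rawBody, $webhookSecret);
var_dump(webhookSignatureValid($rawBody, $hookSig, $webhookSecret));
// Decoding and re-encoding changes the bytes, so verify before parsing.
$reencoded = json_encode(json_decode($rawBody, true));
var_dump(webhookSignatureValid($reencoded, $hookSig, $webhookSecret));
// Empty signature, as produced by the `?? ''` fallback when the header is absent.
var_dump(webhookSignatureValid($rawBody, '', $webhookSecret));
```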

Run the tests:

```bash
composer test
```

License: MIT