.gif)
We build custom applications 5x faster and cheaper 🚀
Book a Free Consultation
Stuck on an error? Book a 30-minute call with an engineer and get a direct fix + next steps. No pressure, no commitment.
To integrate Replit with Worldpay, you’ll connect your Repl (as your server backend) to Worldpay’s payment API or hosted payment pages. In Replit, you’ll typically use Node.js with Express or Python with Flask to create routes that accept checkout requests, verify webhooks from Worldpay, and securely handle API keys via Replit’s Secrets. Worldpay sends payment confirmation webhooks to your Repl’s public URL, so your Repl must be running and listen on 0.0.0.0 with an exposed port (like 3000). You securely store your Worldpay credentials (Service Key, Client Key, maybe installation ID if you’re using older setups) in Replit Secrets, and call Worldpay’s REST API from your application for transactions or token creation. The workflow is explicit — your Repl doesn’t magically “connect,” you use HTTPS requests (REST) or redirect users to Worldpay’s hosted checkout page, and handle success/failure data via webhooks or redirects.
.png)
.png)
/worldpay/webhook) that receives payment status updates from Worldpay. This has to be accessible from outside — meaning your Repl must be running, and port exposed.
// Example: basic Node.js + Express server for Worldpay integration
import express from "express"
import fetch from "node-fetch" // For REST API calls
const app = express()
app.use(express.json())
// Create a payment order route
app.post("/create-order", async (req, res) => {
try {
const response = await fetch("https://api.worldpay.com/v1/orders", {
method: "POST",
headers: {
"Authorization": `Bearer ${process.env.WORLDPAY_SERVICE_KEY}`, // Secure key from Secrets
"Content-Type": "application/json"
},
body: JSON.stringify({
amount: 1000, // Value in minor currency units (e.g., pence if GBP)
currencyCode: "GBP",
name: "Example Order",
orderDescription: "Test purchase",
customerOrderCode: "order123"
})
})
const data = await response.json()
res.send(data)
} catch (err) {
console.error(err)
res.status(500).send({ error: "Payment creation failed" })
}
})
// Webhook endpoint that receives payment updates from Worldpay
app.post("/worldpay/webhook", (req, res) => {
// Verify the signature per Worldpay docs
console.log("Webhook received:", req.body)
res.sendStatus(200)
})
// Replit needs binding to 0.0.0.0
app.listen(3000, "0.0.0.0", () => {
console.log("Server running on port 3000")
})
process.env.
This integration is realistic, transparent, and aligned with how Replit actually runs full-stack web apps — through explicit HTTP routes, secret management, and exposed ports, connecting directly via Worldpay’s documented REST APIs.
1
Connect your Replit-hosted Node.js or Python app to Worldpay’s REST API for secure online payments. The app runs inside a Repl, serves via a port bound to 0.0.0.0, and handles checkout forms that send payment data to your back-end. You store sensitive keys like WORLDpay_SERVICE_KEY and WORLDpay_CLIENT_KEY in Replit Secrets, avoiding hardcoding credentials. Your backend creates payment orders, passes transaction details (amount, currency, description), and redirects the user once a valid payment response is received. The flow uses real-time API requests to start and confirm a transaction, allowing you to test payments directly within the Repl using Worldpay’s Sandbox environment.
// Node.js example handling payment session creation
import express from "express";
import fetch from "node-fetch";
const app = express();
app.post("/create-session", async (req, res) => {
const response = await fetch("https://try.access.worldpay.com/sessions", {
method: "POST",
headers: {
"Authorization": `Bearer ${process.env.WORLDPAY_SERVICE_KEY}`,
"Content-Type": "application/json"
},
body: JSON.stringify({
amount: 5000,
currencyCode: "USD",
orderType: "ECOM"
})
});
const data = await response.json();
res.json(data);
});
app.listen(3000, "0.0.0.0", () => console.log("Server running"));
2
In Replit, use Workflows and server routes to handle Worldpay webhooks. When a payment completes or fails, Worldpay sends a signed POST request to your webhook endpoint. You verify its authenticity by using HMAC hashing or JWT validation (per Worldpay docs). The Repl must be actively running for Worldpay to reach it — in development, use the Replit webview URL for webhook receiver tests. Store verification secrets as environment vars and log events in your console or database. Use this flow to keep order statuses in sync with your application automatically.
// Express webhook endpoint verifying incoming payload
import crypto from "crypto";
app.post("/webhook", express.json(), (req, res) => {
const signature = req.headers["x-worldpay-signature"];
const expected = crypto
.createHmac("sha256", process.env.WORLDPAY_WEBHOOK_SECRET)
.update(JSON.stringify(req.body))
.digest("hex");
if (signature !== expected) return res.status(401).send("Invalid signature");
console.log("Payment update received:", req.body);
res.sendStatus(200);
});
3
Use Replit’s runtime to prototype a subscription management system connected to Worldpay’s recurring payments API. The app periodically creates, cancels, or retrieves existing subscriptions via HTTPS requests. Setup is simple: add Worldpay keys as Secrets, deploy with Workflows, and store customer references in a small hosted DB (for persistence, use external service). This integration enables safe recurring billing demos where subscription changes trigger Worldpay API calls and confirmation webhooks, which help simulate real SaaS billing flows for testing or onboarding prototypes.
# Simple Python example for creating a recurring agreement
import os, requests
url = "https://try.access.worldpay.com/recurring/orders"
headers = {
"Authorization": f"Bearer {os.environ['WORLDPAY_SERVICE_KEY']}",
"Content-Type": "application/json"
}
payload = {
"recurring": {"agreementType": "RECURRING"},
"amount": 1000,
"currencyCode": "USD",
"orderType": "RECURRING"
}
r = requests.post(url, json=payload, headers=headers)
print(r.json())
Speak one‑on‑one with a senior engineer about your no‑code app, migration goals, and budget. In just half an hour you’ll leave with clear, actionable next steps—no strings attached.
1
The Worldpay API key usually fails to load from Replit Secrets because the secret name or reference in your code doesn't exactly match what was defined, or the environment wasn’t refreshed after setting the secret. Always ensure the spelling and casing of the secret key name are identical, the Repl is restarted after adding new secrets, and you’re not trying to access it from the wrong context (like a stopped or inactive Deployment).
// Correct example for reading secret inside index.js
const worldpayKey = process.env.WORLDPAY_API_KEY;
if (!worldpayKey) {
console.error("Worldpay API key not loaded. Check Replit Secrets and restart the Repl.");
} else {
console.log("Worldpay key loaded successfully.");
}
The key principle: Replit injects secrets as environment variables at start. Any typo, missing restart, or mismatch between secret name and variable reference prevents them from loading.
2
The mismatch happens when the callback (redirect or webhook) URL configured in your Worldpay dashboard doesn’t exactly match the live URL of your Replit server. To fix this, copy your current running Repl’s public URL (the one that looks like https://your-repl-name.username.repl.co) and paste it as the callback URL in Worldpay’s settings, making sure the path also matches (for example /webhook/worldpay). Any protocol, trailing slash, or path mismatch will cause an error.
// Example Express server handling Worldpay callback
import express from "express";
const app = express();
app.use(express.json());
app.post("/webhook/worldpay", (req, res) => {
console.log(req.body); // Inspect payload
res.sendStatus(200); // Acknowledge receipt
});
app.listen(3000, "0.0.0.0", () => console.log("Server ready"));
Remember: if you fork or stop/start your Repl, the public URL may change; in that case, repeat updating it in Worldpay.
3
The Replit Flask server times out after redirect from the Worldpay payment page because Replit projects (Repls) go to sleep or restart when idle or after short inactivity. When Worldpay sends the customer back to your callback URL, the Repl often isn’t running, so the request hits a cold container start, adding 5–10 seconds delay. Combined with payment gateway timeout limits, this causes a connection failure before Flask can respond.
app.run(host="0.0.0.0", port=8000) and port 8000 mapped in the “Expose” section for Workflows.
from flask import Flask, request
app = Flask(__name__)
@app.route("/payment-return")
def payment_return():
print("Worldpay redirect:", request.args)
return "Received", 200
app.run(host="0.0.0.0", port=8000) # required for Replit
For production, host the payment callback endpoint on an always-on service (like a small VPS or serverless function) and forward results back to Replit via API.
Worldpay sends event notifications (like payment approvals) through webhooks. On Replit, developers often forget to verify these incoming payloads using Worldpay's HMAC signature. Without that check, anyone could trigger fake payment events. Always capture the Authorization header from Worldpay, compute your own HMAC with the shared secret key saved inside Replit Secrets, and compare values before processing.
0.0.0.0 and expose a port.import express from "express";
import crypto from "crypto";
const app = express();
app.use(express.raw({ type: "application/json" }));
app.post("/webhook", (req, res) => {
const signature = req.get("Authorization");
const computed = crypto
.createHmac("sha256", process.env.WORLDPAY_WEBHOOK_SECRET)
.update(req.body)
.digest("hex");
if (signature !== computed) return res.status(401).end();
res.sendStatus(200);
});
app.listen(3000, "0.0.0.0");
Replit preview URLs use HTTPS, but local port URLs (like http://localhost:3000) don’t. Worldpay’s API requires secure endpoints for redirects, tokens, and callbacks. Testing insecure endpoints in Replit leads to invalid redirect URI errors. Always use the Replit-provided HTTPS URL when registering callbacks in the Worldpay dashboard, and confirm it matches your Repl domain exactly.
http://localhost in production-like tests on Replit.https://) to register at Worldpay.A frequent mistake is putting Worldpay keys directly into the frontend JavaScript. In Replit, code in script.js or public files is visible to anyone. Only backend (Node.js or Python) can safely read secrets from process.env through Replit Secrets. The client should talk to your Replit backend, which then communicates with Worldpay’s API using those hidden keys.
WORLDPAY_SERVICE_KEY and WORLDPAY_CLIENT_KEY.// server.js
app.post("/payment", async (req, res) => {
const response = await fetch("https://try.access.worldpay.com/payments", {
method: "POST",
headers: {
"Authorization": "Bearer " + process.env.WORLDPAY_SERVICE_KEY,
"Content-Type": "application/json"
},
body: JSON.stringify(req.body)
});
res.send(await response.json());
});
Replit Repls idle and restart — in-memory sessions disappear. Developers sometimes keep payment session IDs or order statuses only in memory. When Replit restarts, those pending states vanish, breaking reconciliation with Worldpay. Always persist key data externally: lightweight database (like SQLite file in Replit filesystem) or external DB service. Store minimal reference data locally and periodically sync with Worldpay API.
import fs from "fs";
// Simple persistence example
function saveOrder(order) {
const current = JSON.parse(fs.readFileSync("orders.json", "utf8") || "[]");
current.push(order);
fs.writeFileSync("orders.json", JSON.stringify(current, null, 2));
}
This prompt helps an AI assistant understand your setup and guide you through the fix step by step, without assuming technical knowledge.
From startups to enterprises and everything in between, see for yourself our incredible impact.
They do complex work on extremely fast timelines and effectively manage the testing and pre-launch process to deliver the best possible product. I'm extremely impressed with their execution ability.
