# Go-Live Checklist

Before going live with your Zoho Payments integration, walk through each section below.

**Note:** Use the sandbox environment for testing and switch to production only when you’re ready. To enable sandbox access, [contact us](https://www.zoho.com/in/payments/contact-us/ "Contact us").

* [Set Up and Configure Your Account](#set-up)
* [Generate API Keys and OAuth Tokens](#Generate-api)
* [Configure Connectivity](#connectivity)
* [Configure Webhooks](#webhooks)
* [Web Integration](#web)
* [Mobile Integration](#mobile)
* [Setup and Execute Mandates](#mandates)
* [Verify and Confirm Payments](#verify)
* [Configure Notifications](#notification)
* [Review API Error Handling](#error)
* [Manage Authentication Keys](#manage)

## Set Up and Configure Your Account

Before integrating Zoho Payments, ensure your account is created, verified, and properly configured.

* Create a [Zoho Payments account](https://www.zoho.com/in/payments/signup/) and complete the account verification process.
* Enable [Multi-Factor Authentication (MFA)](https://www.zoho.com/in/payments/faq/general/multi-factor-authentication/) on your account. MFA is mandatory. Set up OTP or an authenticator app via account security settings.
* **Complete Video KYC:** Available Mon–Fri, 9 AM – 9 PM IST only. Requires Aadhaar, PAN, and an Aadhaar-registered mobile number for OTP and verification via DigiLocker. Learn more about [Video KYC](https://www.zoho.com/in/payments/help/getting-started/verification/ "Video KYC").
* **Complete bank account verification:** Submit an active bank account owned and controlled by the registered business. Status must show Active in the Zoho Payments homepage banner and on the Online Payments page of your Zoho Finance application after penny drop verification. Learn more about [bank account verification](https://www.zoho.com/in/payments/help/getting-started/verification/#Bank-Account-Verification "Bank Verification").
* **Complete business details verification:** Submit documents based on your business type (e.g., Company: Certificate of Incorporation, Board Resolution, GST Certificate; Sole Proprietorship: Udyam Registration, etc.). Check out the [required documents](https://www.zoho.com/in/payments/help/getting-started/acceptable-documents/ "Required Documents").
* Confirm your Zoho Payments account is active.
* Ensure settlement bank account details are verified and active.
* Verify that the integration is managed by a user with the Account Owner or Admin role.
* Provide role-based access to a developer to configure and manage the integration.

**Note:** Only users with the Account Owner or Admin role in Zoho Payments can generate OAuth tokens and API keys.

* Enable the required payment methods (UPI, Cards, Net Banking) and notification preferences. To enable, go to Settings > Payment Methods.
* Test all enabled methods in your sandbox environment before going live.

## Generate API Keys and OAuth Tokens

To start interacting with Zoho Payments, you need to generate secure API credentials. The API key allows embedding the payment widget, while the OAuth token ensures your app has authorized access.

* Generate an API key from Settings > Developer Space > Authentication Keys.
* Generate OAuth tokens to authenticate your API calls with Zoho Payments.
* Register your application in the [Zoho Developer Console](https://api-console.zoho.in/) and generate client credentials.
* Generate the authorization code with the required scopes to obtain access and refresh tokens. Refer to the [OAuth guide](https://www.zoho.com/in/payments/developerdocs/web-integration/org-oauth/).
* Exchange the authorization code for access and refresh tokens within 1 minute to initiate API calls.
* Generate and store Signing Keys from Settings > Developer Space. These are used to verify payment widget responses and payment link return URLs.
* Store all credentials (client ID, client secret, API key, signing key, tokens) securely, never in source code or version control.
* Refresh access tokens before they expire in 1 hour. Refer to the [OAuth Doc (Step 5)](https://www.zoho.com/in/payments/developerdocs/web-integration/org-oauth/#generate-access-tokens-from-refresh-tokens) to regenerate access tokens.

**Note:** The authorization code is valid for 1 minute only. Access tokens expire in 1 hour.

## Configure Connectivity

To communicate with our APIs and webhooks, you must first establish connectivity.

* Verify that you're using live API credentials and not test or placeholder credentials.
* Ensure that sandbox or test URLs are not referenced anywhere.
* Whitelist Zoho Payments domains and IP addresses if firewall restrictions are in place. [Contact support](https://www.zoho.com/in/payments/contact-us/) for the latest IP list.
* Ensure all endpoints (payment, webhook, redirect) use HTTPS with TLS 1.3. All Zoho Payments communications require HTTPS.
* Ensure SSL certificates are valid and avoid mixed-content warnings.
* Verify return and redirect URLs are publicly accessible and configured for both success and cancellation flows.

## Configure Webhooks

Webhooks notify your system in real time when events like payment or refund successes and failures occur. You can configure event types and your endpoint URL to receive notifications.

* [Set up and register webhook endpoint URL](https://www.zoho.com/us/payments/help/settings/webhooks/#configure-webhooks) in Settings > Developer Space > Webhooks.
* Subscribe to required webhook events (payments and refunds).
* Copy and store the webhook signing key securely after registration. Learn more about [managing webhooks](https://www.zoho.com/in/payments/developerdocs/webhooks/management/).
* Implement [signature verification using X-Zoho-Webhook-Signature header](https://www.zoho.com/in/payments/developerdocs/webhooks/verification/).
* Acknowledge webhook events with HTTP 2xx within 15 seconds to avoid retries.
* Verify that webhook notifications are received and processed correctly for all required integration events, including handling delayed and duplicate notifications.

**Note:** Zoho Payments retries failed webhooks for up to 2 days, hourly on the first day and every 2 hours on the second day. If failures continue, the endpoint is disabled and an email notification is sent. You can have up to 5 webhook endpoints per account.

## Web Integration

* [Integrate and embed the payment widget](https://www.zoho.com/in/payments/developerdocs/web-integration/integrate-widget/) into your website or app.
* Create payment sessions from your backend before initiating payments.
* Confirm the business name displayed in the widget matches your brand.
* Verify success and failure messages during checkout across supported browsers and devices.
* Test payment checkout on both mobile and desktop browsers.
* Ensure payment statuses are recorded accurately in your system.
* Implement payment response [signature verification](https://www.zoho.com/in/payments/developerdocs/signature-verification/#widget-response) before processing any outcome.

## Mobile Integration (iOS & Android)

Integrate Zoho Payments into your mobile app to accept payments securely on iOS and Android devices.

* Integrate the [Zoho Payments SDK](https://www.zoho.com/in/payments/developerdocs/mobile-integration/) into your iOS or Android app.
* Initialize and create payment sessions from your backend before starting mobile payments.
* Confirm the business name displayed in the mobile interface matches your brand.
* Verify success and failure messaging across supported devices and OS versions.
* Test the complete payment flow on both iOS and Android devices.

## Setup and Execute Mandates

### Mandate Creation

* Create a [payment session for mandate enrollment](https://www.zoho.com/in/payments/developerdocs/mandates/create-execute-mandates/#create-mandates) by passing the correct payment session type.
* Validate minimum amount (₹1 for future-dated mandates, ₹6 for same-day mandates) and ensure the correct currency is passed.
* Record payment status on your server using webhooks for payment events (including mandate details) or the [Payment Session Retrieve API](https://www.zoho.com/in/payments/api/v1/payment-session/#retrieve-payment-session) to confirm completion, even if the customer closes the browser, encounters network issues, or the client-side response is not received.

### Mandate Execution

* Send the [mandate notification](https://www.zoho.com/in/payments/developerdocs/mandates/create-execute-mandates/#send-mandate-notification) at least 24 hours before execution if you are handling notifications manually. For direct executions, the payment is processed only after the mandatory 24-hour notification window.
* Create a [payment session for mandate execution](https://www.zoho.com/in/payments/developerdocs/mandates/create-execute-mandates/#create-payment-session) with the correct session type, and pass the session ID when triggering mandate executions.
* Validate that the execution amount does not exceed the mandate’s maximum amount (if defined).
* Record payment status on your server using webhooks for payment events (including mandate details) or the [Payment Session Retrieve API](https://www.zoho.com/in/payments/api/v1/payment-session/#retrieve-payment-session) to confirm completion or [handle execution failures](https://www.zoho.com/in/payments/developerdocs/mandates/create-execute-mandates/#handle-failures) accordingly.
* Verify whether the mandate execution payment statuses are accurately recorded in your system.
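
The webhook items in this checklist (signature verification, duplicate and delayed notifications, a fast 2xx), which the mandate steps above also depend on for recording payment status, can be exercised with the following added example; it is not Zoho Payments code. The signature scheme (hex HMAC-SHA256 over the raw body) and the event fields `event_id`, `payment_id`, `event_time` and `status` are assumptions for illustration, so take the real scheme and payload from the linked verification guide.

```python
import hashlib
import hmac
import json

def expected_signature(signing_key, raw_body):
    # ASSUMPTION: hex HMAC-SHA256 over the raw request body. Swap in the scheme
    # from the provider's signature verification guide; the rest is unchanged.
    return hmac.new(signing_key, raw_body, hashlib.sha256).hexdigest()

class WebhookProcessor:
    def __init__(self, signing_key):
        self.signing_key = signing_key
        self.seen_events = set()  # handled event ids (a durable store in production)
        self.payments = {}        # payment_id -> (event_time, status)

    def handle(self, raw_body, signature_header):
        """Return (http_status, outcome) for one delivery; keep it fast so the
        2xx goes out well inside the 15-second window."""
        # Verify the raw bytes before parsing, with a constant-time comparison.
        good = expected_signature(self.signing_key, raw_body).encode()
        if not hmac.compare_digest(good, (signature_header or "").encode()):
            return 401, "bad-signature"
        event = json.loads(raw_body)  # field names here are hypothetical
        if event["event_id"] in self.seen_events:
            return 200, "duplicate"   # a retry of something already applied
        self.seen_events.add(event["event_id"])
        current = self.payments.get(event["payment_id"])
        if current and current[0] >= event["event_time"]:
            return 200, "stale"       # delayed delivery; newer state is stored
        self.payments[event["payment_id"]] = (event["event_time"], event["status"])
        return 200, "applied"

def demo():
    key = b"constructed-test-key"     # constructed sample key and events
    proc = WebhookProcessor(key)
    def delivery(event_id, when, status):
        body = json.dumps({"event_id": event_id, "payment_id": "pay_1",
                           "event_time": when, "status": status}).encode()
        return body, expected_signature(key, body)
    paid = delivery("evt_2", 200, "succeeded")
    late = delivery("evt_1", 100, "pending")
    return [proc.handle(*paid)[1], proc.handle(*paid)[1], proc.handle(*late)[1],
            proc.handle(paid[0] + b" ", paid[1])[1], proc.payments["pay_1"][1]]

if __name__ == "__main__":
    print(demo())
```

Duplicates and stale events are answered with 2xx on purpose: a non-2xx would trigger the retry schedule for an event that needs no further work.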
## Verify and Confirm Payments

Ensure payments are validated and captured correctly before completing orders.

* Test the complete payment flow across all [enabled payment methods](https://www.zoho.com/in/payments/help/settings/methods/), including both successful and failed transactions.
* Do not rely solely on client-side status. Verify payments from your server using the Payment ID.
* Ensure the payment status is correctly recorded on your server, using [webhooks](https://www.zoho.com/in/payments/api/v1/webhooks/#overview) or the [Payment Session Retrieve API](https://www.zoho.com/in/payments/api/v1/payment-session/#retrieve-payment-session), to confirm completion even if the customer closes the browser, experiences network interruptions, or the client-side response is not received.
* Verify refunds (full and partial) are processed and recorded accurately.
* Test with invalid, incomplete, or duplicate data to ensure errors are handled correctly and duplicate processing is prevented.
* Validate that payment amount, currency, and order reference match your records before fulfilling orders.

## Configure Notifications

* Enable account and customer email notifications for Payments, Payouts, and Refunds from Settings > Notification Preferences.
* Verify webhook failure monitoring is in place. You will receive an email if your endpoint is disabled due to repeated failures.

## Review API Error Handling

Verify your integration against the [error codes](https://www.zoho.com/in/payments/api/v1/errors/#error-codes "Errors") available in our API docs before going live.

* Test handling of unexpected or low-probability scenarios.
* Check that API error messages are logged clearly and handled properly.
* Validate that a failure in the system does not impact other processes or users.
* Implement exponential backoff and retry logic for 429 (rate limit) and 5xx (server error) responses.
* Implement and test authentication failure handling (expired tokens, invalid credentials).
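
The retry and authentication items above, together with the earlier item about refreshing access tokens before their 1-hour expiry, fit in one client wrapper. This is an added example, not Zoho Payments code: `send` and `refresh` are hypothetical callables standing in for your HTTP request and your refresh-token call, and honoring a standard `Retry-After` header is an assumption about the response.

```python
import random
import time

class TokenCache:
    """Caches an access token and renews it before the 1-hour expiry."""
    def __init__(self, refresh, lifetime=3600, margin=300, clock=time.time):
        self.refresh, self.lifetime, self.margin = refresh, lifetime, margin
        self.clock = clock
        self.token, self.expires_at = None, 0.0

    def get(self, force=False):
        if force or self.token is None or self.clock() >= self.expires_at - self.margin:
            self.token = self.refresh()  # hypothetical: your refresh-token request
            self.expires_at = self.clock() + self.lifetime
        return self.token

def call_with_retry(send, tokens, max_attempts=5, base=0.5, cap=30.0, sleep=time.sleep):
    """send(token) -> (status, headers, body); returns the final (status, body).
    Use only for requests that are safe to repeat, so a retry cannot create a
    second payment or refund."""
    reauthed = False
    for attempt in range(max_attempts):
        status, headers, body = send(tokens.get())
        if status == 401 and not reauthed:
            tokens.get(force=True)       # expired or revoked token: renew once
            reauthed = True
            continue
        if status == 429 or 500 <= status < 600:
            if attempt == max_attempts - 1:
                break                    # out of attempts: surface the error
            # Exponential backoff with full jitter, capped.
            delay = random.uniform(0, min(cap, base * 2 ** attempt))
            retry_after = headers.get("Retry-After", "")
            if retry_after.isdigit():    # ASSUMPTION: standard header, if sent
                delay = max(delay, float(retry_after))
            sleep(delay)
            continue
        return status, body              # 2xx, or a 4xx that retrying cannot fix
    return status, body
```

A second 401 after the forced refresh is returned to the caller rather than retried, since it points at invalid credentials rather than an expired token.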
## Manage Authentication Keys

* Ensure only an authorized person handles and accesses the keys to maintain strict access control.
* Store all OAuth credentials (client ID, client secret, tokens) securely and ensure they are never exposed.