Core principle: everything goes through the backend
Your LigdiCash credentials (Apikey and Auth Token) must never appear in your frontend, mobile app, or public source code. All requests to the LigdiCash API leave from your server.Transactions table structure
Your database must hold enough information to trace every transaction, handle the callback idempotently, and run a fallback poll.The
ligdicash_token field must be stored as soon as the invoice is created. This is the token you’ll use to call the confirm endpoint, both in the callback and in the fallback poll. Do not rely on the token received in the callback — it’s a different token.Endpoints to expose on the backend
Your backend acts as a proxy between your frontend and the LigdiCash API. At a minimum, expose these three routes:| Route | Method | Role |
|---|---|---|
/api/payment/initiate | POST | Creates the LigdiCash invoice, stores the token, returns the payment URL |
/api/payment/:id/status | GET | Returns the transaction status (polls LigdiCash if still pending) |
/api/ligdicash/callback | POST | Receives LigdiCash notifications, re-verifies, updates the database |
Initiation route
Node.js (Express)
Callback route
Node.js (Express)
Polling fallback
LigdiCash does not enforce a retry policy for callbacks. If your endpoint was unavailable or a callback was missed, a transaction can staypending indefinitely. Set up periodic polling on the backend.
Polling fallback (cron)
LigdiCash never automatically flips a transaction to
notcompleted. A transaction stays pending indefinitely if the customer never finalizes the payment. After 24h, you can consider the transaction expired and close it yourself.Logging and audit
Keep a trace of every interaction with LigdiCash to make troubleshooting easier in case of a dispute.Environment variables
.env
Summary diagram
Related pages
- Callback security — why you must always re-verify
- Callback idempotency — handle the LigdiCash double send
- transaction_id pattern — identify transactions reliably
- Production checklist — go-live verifications
