Click to Pay is the better way to pay online – featuring advanced payment technology built on secure remote commerce industry standards.

Merchant setup

In order to process Click to Pay payments you will need to register as a Digital Payments Application (DPA). You can set up Click to Pay in the dashboard which will automatically register and configure your DPA with Mastercard.

Click to Pay Setup

Prepare the server

Before you can load Click to Pay with Secure Fields into your checkout, you will need to generate a checkout session via the API. This is made easy with our server-side SDKs.

Install a server-side SDK

Use the package manager in your preferred programming language to install our server-side SDK. Generating a checkout session can only be done server side and we do not recommend doing this client side as it will expose your API key to your customers.

npm install @gr4vy/node --save
# or: yarn add @gr4vy/node

Please install the latest release of your preferred SDK.

Initialize the SDK client

Next, initialize the SDK with the ID of your instance and the private key.

const fs = require("fs");
const { Client } = require("@gr4vy/node");
// or: import { Client } from "@gr4vy/node";

const key = String(fs.readFileSync("./private_key.pem"));

const client = new Client({
  gr4vyId: "[GR4VY_ID]",
  privateKey: key,

This SDK needs to be initialized on your server-side. Please do not expose your private key to your client-side code.

This assumes the key you created in the previous step is kept in a file called private_key.pem that is kept in the same folder next to the code. You could store this key in an environment variable or a secure vault.

To learn more about our API authentication, and how to generate a bearer token for use without our SDKs, please see our more extensive authentication guide.

Create a checkout session

With the SDK installed, you can use it to create a checkout session for use with Click to Pay.

const response = await this.newCheckoutSession();

Please refer to the API reference to learn more about our Checkout Sessions and the additional options that can be passed when creating them.

Create your checkout

With your checkout session ready, it’s time to start creating a card form that can support Click to Pay.

Our frontend integration is called Secure Fields and it essentially wraps each of your credit card input fields in a secure element, keeping you PCI-compliant and allowing for seamless integration with Click to Pay.

For more information on Secure Fields, please see our detailed guide which will cover all the available options, events, and theming customizations available.

Install Secure Fields

There are three ways to install Secure Fields for use with Click to Pay: either as a React library, a Node library or straight off our CDN.

npm install @gr4vy/secure-fields-react --save
# or: yarn add @gr4vy/secure-fields-react

Initializing secure fields

With Secure Fields installed it’s now possible to initialize the connection to your instance. It expects a checkout session ID you created earlier.

import { SecureFields } from "@gr4vy/secure-fields-react";

  environment="sandbox" // or "production"
  // enable debugging
  <Form />

When SecureFields is loaded without a valid sessionId it will error. We recommend only loading the component if the session ID is set.

{sessionId && (
  <SecureFields ...>

Create a card form

Next, you can add any of the 3 individual card fields to your form. You can mix and match these with your own forms, and you can add your own labels.

Let’s start by adding your form with 4 fields: the cardholder’s name, the card number, card expiration date, and the security code for the card.

import { 
} from '@gr4vy/secure-fields-react'

const secureFields = useSecureFields()

{/* This card form will automatically hide  */}
  onVisibilityChange={(visible: boolean) => {
    console.log('Card form visibility changed. Visible', visible)
  <div id="card-form" className="max-w-xs">
    {/* You can add your own fields as well as secure fields */}
    <label for="cc-holder-name">Name</label>
    <input id="cc-holder-name" placeholder="Name on the card" />
    {/* These are fields that will become secure fields */}
    <label htmlFor="cc-number">Card number</label>
    <CardNumber styles={styles} />

    <label htmlFor="cc-expiry-date">Expiry date</label>
    <ExpiryDate styles={styles} />

    <label htmlFor="cc-security-code">Security code</label>
    <SecurityCode styles={styles} />

    <button onClick={() => secureFields.submit()}>Pay</button>

You should now see each secure field loaded on your page. Please see our more extensive guides on how to add event listeners and your own styles to Secure Fields.

Add Click to Pay

Next, add the Click to Pay components to show and hide their UI on demand.

import { 
} from '@gr4vy/secure-fields-react'

 {/* The main Click to Pay component */}
  cardBrands={['mastercard', 'visa', 'amex']}
  // email='' // optional: define a Click to Pay user e-mail instead of capturing it with the sign-in form
  /* mobileNumber={{
    countryCode: "61",
    phoneNumber: "491570159"
  }} */ // optional: define a Click to Pay user phone instead of capturing it with the sign-in form

 {/* An optional sign-in with email or phone for Click to Pay would go here */}
<ClickToPaySignIn data-testid="sign-in">
  <label>Access your Click to Pay stored cards</label>
  <input type="text" className="email" ref={ref} />
  {/* This shows how to sign in with email. For the mobile number use the `mobileNumber` with a `countryCode` and `number` */}
  <button onClick={() => secureFields.clickToPay.signIn({ email: ref.current.value })}>
    Sign in

  {/* ... */}

  <input type="checkbox" id="click-to-pay-consent-checkbox" />
  <label htmlFor="click-to-pay-consent-checkbox">
    Store my card with Click to Pay <a href="javascript:void(0)" id="click-to-pay-learn-more-link">Learn more</a>

  {/* ... */}

Secure Fields will automatically display and hide the Click to Pay Component, the sign in form, and your card form, based on the status of Click to Pay.

Handle form submission

Once the data has been submitted, you can use the onCardVaultSuccess property on the SecureFields component to create a transaction.

<SecureFields onCardVaultSuccess={async () => {
    // call your API

For more information on Secure Fields, please see our detailed guide which will cover all the available options, events, and theming customizations available.

Create a payment

With the card data stored in the vault, you are now ready to create a transaction on the server-side. To create a transaction you can pass the amount, currency, as well as the payment method, in this case a checkout session.

const request = new TransactionRequest();
request.amount = 1299;
request.currency = "AUD";

request.paymentMethod = new TransactionPaymentMethodRequest();
request.paymentMethod.method = "checkout-session"; = "[CHECKOUT_SESSION.ID]";

const transaction = await client.authorizeNewTransaction(request);

Client-side vs server-side

A transaction should be created server-side instead of client-side, as there are many reasons why a success message may never reach your server, leaving you in a state where it’s unclear if your transaction has succeeded.

Error handling

A few more errors can be caught that are related to Click to Pay.

  onClickToPayError={(error) => console.error(error)}

The available error codes for Click to Pay are as follows.

  • RETRIES_EXCEEDED - The user has exceeded the maximum number of retries filling in their one-time password (OTP) and their profile is locked. An error message is also displayed on the OTP component. It is recommended to hide the Click to Pay component for the user at this point.
  • CODE_INVALID - The user entered an incorrect OTP. An error message is also displayed on the OTP component.
  • INVALID_CARD - The user entered incorrect card details, or the details of a card that is not one of the supported schemes.
  • SIGN_OUT_FAILED - When attempting to sign out via the “Not you?” link it is possible that Click to Pay is not able to sign out the user. It is recommended to hide the Click to Pay component for the user at this point.
  • ACCT_INACCESSIBLE - The user’s account is temporarily not accessible.
  • USER_NOT_RECOGNIZED - The user is not recognized by Click to Pay (typically when a user hasn’t signed in yet).
  • UNKNOWN - An unknown error occurred. These are usually unrecoverable. For example, the Click to Pay library was not initialized due to an invalid parameter.


The following props can be used on the SecureFields component to listen to specific Click to Pay events.

onMethodChangeMETHOD_CHANGETriggered when a user switches between the card and the Click to Pay payment methods.
onClickToPayInitializedCLICK_TO_PAY_INITIALIZEDTriggered when Click to Pay is loaded and its init method called successfully.
onClickToPayReadyCLICK_TO_PAY_READYTriggered when a Click to Pay user is identified correctly and can start using Click to Pay.
onClickToPaySignOutCLICK_TO_PAY_SIGN_OUTTriggered when a Click to Pay user signs out using the “Not me” / “Not my cards” functionality.
onClickToPayErrorCLICK_TO_PAY_ERRORSee Error Handling
onClickToPayCancelCLICK_TO_PAY_CANCELTriggered when a Click to Pay user cancels the checkout process from within the UI.
onClickToPayCheckoutWithNewCardCLICK_TO_PAY_CHECKOUT_WITH_NEW_CARDTriggered when a Click to Pay user starts the process of checking out with a new (not enrolled) card.
onClickToPayUnableToLoadDpaCLICK_TO_PAY_UNABLE_TO_LOAD_DPATriggered when the provided Click to Pay DPA cannot be loaded.

Additionally, you can add the prop onVisibilityChange to the ClickToPay, ClickToPaySignIn and CardForm components to listen to visibility change events (CLICK_TO_PAY_VISIBILITY_CHANGE, CLICK_TO_PAY_CARD_FORM_VISIBILITY_CHANGE, CLICK_TO_PAY_SIGN_IN_VISIBILITY_CHANGE).

<CardForm onVisibilityChange={(visible) => console.log('Card form visible', visible)} />