Skip to content

Email and MobilePay gateways

Production deliberately keeps provider credentials outside the main application. Configure HTTPS gateway endpoints and a shared bearer token.

Email gateway

Set EMAIL_ADAPTER=webhook and EMAIL_WEBHOOK_URL. The application posts:

json
{
  "type": "magic-link",
  "email": "person@example.com",
  "token": "single-use-token",
  "url": "/admin/login?token=single-use-token"
}

The gateway must turn the relative URL into the canonical public origin, deliver it securely, avoid logging the token, and return a successful HTTP status only after accepting responsibility for delivery.

Payment gateway

Set PAYMENT_ADAPTER=webhook and MOBILEPAY_WEBHOOK_URL. Charge requests include action, amount, currency, and merchant reference. Refund requests include action, provider reference, amount, and currency. Responses use:

json
{ "status": "paid", "reference": "provider-reference" }

Before production, add provider signature validation, idempotency, retry/backoff, reconciliation, durable webhook processing, and audit logging without credentials or sensitive payloads.

Booking SaaS implementation documentation