
Add Fastaar to your website

The full flow has three parts: your server creates a payment, the customer pays on the hosted checkout page, and your server confirms the order from a webhook. Start with a test-mode key so you can integrate without real money.

The flow

  1. Customer clicks "Pay with bKash/Nagad" on your site.
  2. Your server calls POST /api/v1/payments and redirects the customer to the returned checkout_url.
  3. The customer sends the money and submits their TrxID; Fastaar verifies the SMS.
  4. Fastaar POSTs payment.completed to your webhook — you mark the order paid.

Plain PHP

With the PHP SDK (or see the raw cURL below):

// pay.php — create the payment and redirect
// $orderId is your own order reference, set by your application before this point.
require 'vendor/autoload.php';

$fastaar = new \Fastaar\FastaarClient(getenv('FASTAAR_API_KEY'), 'https://fastaar.com');

$payment = $fastaar->createPayment([
    'amount' => 1250,
    'invoice_id' => $orderId,
    'success_url' => 'https://shop.example.com/orders/'.$orderId,
]);

header('Location: '.$payment['checkout_url']);
exit;

// webhook.php — confirm the order
$rawBody = file_get_contents('php://input');

$valid = \Fastaar\WebhookSignature::verify(
    getenv('FASTAAR_WEBHOOK_SECRET'),
    $rawBody,
    $_SERVER['HTTP_X_FASTAAR_SIGNATURE'] ?? '',
);

if (! $valid) {
    http_response_code(400);
    exit;
}

$event = json_decode($rawBody, true);

if ($event['event'] === 'payment.completed') {
    markOrderPaid($event['data']['invoice_id'], $event['data']['id']);
}

http_response_code(200);

Laravel

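// routes/web.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;

Route::post('/pay', function (Request $request) {
    // 'order_id' is a placeholder field name; resolve the order however your app does.
    $orderId = $request->input('order_id');

    $response = Http::withToken(config('services.fastaar.key'))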
        ->post(config('services.fastaar.url').'/api/v1/payments', [
            'amount' => 1250,
            'invoice_id' => $orderId,
            'success_url' => route('orders.show', $orderId),
        ])->throw()->json('data');

    return redirect($response['checkout_url']);
});

// routes/api.php — exclude from CSRF, verify, then confirm
Route::post('/webhooks/fastaar', function (Request $request) {
    $valid = \Fastaar\WebhookSignature::verify(
        config('services.fastaar.webhook_secret'),
        $request->getContent(),
        $request->header('X-Fastaar-Signature', ''),
    );

    abort_unless($valid, 400);

    $event = $request->json()->all();

    if ($event['event'] === 'payment.completed') {
        // mark order paid (idempotent on $event['data']['id'])
    }

    return response()->noContent();
});

Node.js (Express)

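import express from 'express';
import { FastaarClient, verifyWebhookSignature } from '@fastaar/sdk';

const app = express();
const fastaar = new FastaarClient(process.env.FASTAAR_API_KEY, { baseUrl: 'https://fastaar.com' });

// express.json() is applied to this route only (assuming the client posts JSON),
// so the webhook route below still receives the raw body.
app.post('/pay', express.json(), async (req, res) => {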
    const payment = await fastaar.createPayment({
        amount: 1250,
        invoice_id: req.body.orderId,
        success_url: `https://shop.example.com/orders/${req.body.orderId}`,
    });

    res.redirect(payment.checkout_url);
});

app.post('/webhooks/fastaar', express.raw({ type: 'application/json' }), (req, res) => {
    if (! verifyWebhookSignature(process.env.FASTAAR_WEBHOOK_SECRET, req.body, req.header('X-Fastaar-Signature'))) {
        return res.sendStatus(400);
    }

    const event = JSON.parse(req.body);

    if (event.event === 'payment.completed') {
        // mark order paid (idempotent on event.data.id)
    }

    res.sendStatus(200);
});
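
The handlers above leave "mark order paid (idempotent on event.data.id)" as a comment. One way to fill it in, as an added example that is not Fastaar's or the SDK's code: the in-memory Maps stand in for your database, and createStore, applyFastaarEvent and the outcome strings are names chosen here. The event fields are the ones the handlers above read (event, data.id, data.invoice_id).

```javascript
// Added example, not Fastaar SDK code. The Maps stand in for database tables;
// in production, put a unique constraint on the payment id so two concurrent
// deliveries cannot both pass the duplicate check.
function createStore(invoiceIds) {
  return {
    orders: new Map(invoiceIds.map((id) => [id, { status: 'pending', paymentId: null }])),
    processedPayments: new Map(), // payment id -> invoice id
  };
}

// Call only after the signature check has passed. Returns the outcome so the
// route can log it.
function applyFastaarEvent(store, event) {
  if (!event || event.event !== 'payment.completed') return 'ignored';

  const data = event.data || {};
  if (data.id == null || data.invoice_id == null) return 'malformed';
  const paymentId = String(data.id);
  const invoiceId = String(data.invoice_id);

  // Redelivery of an event already applied: acknowledge, change nothing.
  if (store.processedPayments.has(paymentId)) return 'duplicate';

  const order = store.orders.get(invoiceId);
  if (!order) return 'unknown_order';

  // A different payment id for an order that is already paid is not a retry;
  // leave the order untouched and flag it for manual review.
  if (order.status === 'paid') return 'conflict';

  order.status = 'paid';
  order.paymentId = paymentId;
  store.processedPayments.set(paymentId, invoiceId);
  return 'paid';
}

// Constructed sample deliveries.
const store = createStore(['ORDER-42']);
const delivery = { event: 'payment.completed', data: { id: 'pay_001', invoice_id: 'ORDER-42' } };
const other = { event: 'payment.completed', data: { id: 'pay_002', invoice_id: 'ORDER-42' } };
console.log(applyFastaarEvent(store, delivery), applyFastaarEvent(store, delivery), applyFastaarEvent(store, other));
```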

Raw cURL (any language)

curl -X POST https://fastaar.com/api/v1/payments \
  -H "Authorization: Bearer $FASTAAR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"amount": 1250, "invoice_id": "ORDER-42", "success_url": "https://shop.example.com/thanks"}'

Allowed domains

Under Developer → Allowed domains in the merchant panel you can restrict which websites may call the API from the browser. Add the domains your checkout runs on — e.g. shop.example.com. The scheme and a leading www. are ignored, so https://www.shop.example.com and shop.example.com are treated the same. How many domains you can register depends on your plan's domain limit.

The check looks at the request's Origin (then Referer) header. Two things follow from that:

Checklist before going live