DuroCheckout.open() — a drop-in script that opens a payment sheet over the merchant’s own page, in an iframe, so card data never touches the merchant’s DOM. Mechanically it’s the hosted checkout flow rendered as a popup. What makes it different is the identity bar.
The popup flow
Integrate in six steps
The sheet renders the same flow as hosted checkout, in a popup over your page. You still create the session server-side with your secret key, then hand the browser only the session token — so the amount can never be tampered with client-side.
Create a session (server)
Identical to hosted checkout — your server calls POST /v1/checkout/sessions and returns just the token and id to the page. The secret key stays on the server.
Open the sheet (client)
Fetch a token from your server, then call DuroCheckout.open() with your publishable key. Card entry happens inside the iframe — it never touches your DOM.
Verify on success (server)
onSuccess fires in the browser, so confirm it server-side with the session id before acting. Source of truth, every time.
Receive the webhook
The popup can be closed before onSuccess ever runs — so the webhook is your reliable trigger. Subscribe to subscription_payment_success in Developers → Webhooks and verify the signature against the raw body. (Full handler and signature check in Webhook Events.)
The “save to my phone” moment is the whole strategy
When a guest pays and ticks save to my phone, the sheet:
- Sends a one-time code to their phone over the WhatsApp Cloud API.
- Verifies the code.
- Creates (or finds) the customer’s universal identity keyed to that phone.
- Links the tokenised payment method to the identity — not to the merchant.
Rails, inline
The same rail set as hosted checkout — card, direct debit, one-time bank transfer, USSD, virtual account — and the same instant rail-switch on failure (“Card didn’t go through — pay with transfer?”). For transfers, the sheet polls for confirmation; the merchant page just waits on the onSuccess callback.
Building blocks the frontend needs
The SDK is an iframe + a thin host script. The pieces:
The sheet
Overlay + responsive sheet (bottom-sheet on mobile, centred card on desktop), themed from the merchant’s appearance tokens.
OTP input
Six-box code field with paste support, a resend timer, and an “open WhatsApp” deep link.
Saved-methods carousel
The identity’s cards/mandates after OTP, with last-4 and brand — never the raw token.
Callback bridge
postMessage to the host page: onSuccess, onClose, onError.
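The host side of that callback bridge, written here as an added example rather than the DuroCheckout SDK’s own code. It assumes the sheet is served from one known origin (SHEET_ORIGIN, a placeholder) and posts objects shaped { type, sessionId?, error? }; neither detail is stated on this page. The point it shows: the host page accepts messages only from the sheet’s origin and only for the three named events, and treats onSuccess as a session id to confirm server-side, not as proof of payment.

```javascript
// Added example (not the DuroCheckout SDK's own code): the host-page side of
// the callback bridge that receives postMessage events from the sheet iframe.
// Assumptions not stated on the page: the sheet is served from a single known
// origin (SHEET_ORIGIN, a placeholder) and posts objects shaped
// { type: 'onSuccess' | 'onClose' | 'onError', sessionId?, error? }.
const SHEET_ORIGIN = 'https://sheet.example.invalid'; // placeholder origin
const BRIDGE_EVENTS = new Set(['onSuccess', 'onClose', 'onError']);

// Builds a window 'message' handler bound to the merchant's callbacks.
// Messages from any other origin, or with an unexpected shape, are dropped
// and counted so the page can log them. handleMessage returns true only when
// the message was accepted as one of the three bridge events.
function createCallbackBridge({ sheetOrigin = SHEET_ORIGIN, onSuccess, onClose, onError }) {
  const stats = { dispatched: 0, rejectedOrigin: 0, rejectedShape: 0 };

  function handleMessage(event) {
    if (event.origin !== sheetOrigin) {
      stats.rejectedOrigin += 1;
      return false;
    }
    const data = event.data;
    if (!data || typeof data !== 'object' || !BRIDGE_EVENTS.has(data.type)) {
      stats.rejectedShape += 1;
      return false;
    }
    if (data.type === 'onSuccess' && typeof data.sessionId !== 'string') {
      stats.rejectedShape += 1;
      return false;
    }
    stats.dispatched += 1;
    if (data.type === 'onSuccess' && onSuccess) {
      // The session id is only a pointer: the merchant's onSuccess should hand
      // it to the merchant backend, which confirms the session before anything
      // is fulfilled. The browser-side event on its own proves nothing.
      onSuccess(data.sessionId);
    } else if (data.type === 'onClose' && onClose) {
      onClose();
    } else if (data.type === 'onError' && onError) {
      onError(typeof data.error === 'string' ? data.error : 'unknown_error');
    }
    return true;
  }
  return { handleMessage, stats };
}

// In a browser the handler is attached to the window (confirmWithServer is a
// hypothetical merchant function that POSTs the session id to the backend):
//   const bridge = createCallbackBridge({ onSuccess: (id) => confirmWithServer(id) });
//   window.addEventListener('message', bridge.handleMessage);
```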