Create a Razorpay order, capture the payment, and verify the signature

Verified steps

1. Create an order server-side: POST /v1/orders with 'amount' in paise (1 INR = 100 paise), 'currency' as 'INR' (or supported foreign currency), and 'receipt' as your internal order reference; authenticate with HTTP Basic using your key_id and key_secret.
2. Pass the returned 'order_id' to the Razorpay checkout.js or mobile SDK on the client along with 'key' (your public key_id), 'amount', and 'currency'; the SDK handles UPI, netbanking, cards, and wallets.
3. On successful payment, Razorpay invokes your handler callback with 'razorpay_payment_id', 'razorpay_order_id', and 'razorpay_signature'.
4. Verify the signature server-side: construct the message as '{razorpay_order_id}|{razorpay_payment_id}', compute HMAC-SHA256 using your key_secret, hex-encode it, and compare to 'razorpay_signature' with a constant-time comparison.
5. If the signature is valid, capture the payment if your account is not set to auto-capture: POST /v1/payments/{payment_id}/capture with 'amount' and 'currency'.
6. Subscribe to Razorpay webhooks in the dashboard for 'payment.captured' and 'payment.failed' events as the authoritative source of truth, since client callbacks can be tampered with or interrupted.