PayShare · Mode 2
Stack-specific patterns for create session, webhook receiver + HMAC, and calling record-payment after your PSP succeeds. PayShare never runs card capture; templates stay server-side only (NEXT_PUBLIC_* must never hold API keys or webhook secrets).
Before wiring templates, run scripts/mode2-self-test.sh against staging — shell exports are documented in docs/15-INTEGRATION-SELF-TEST.md (see environment reference and commented hints in .env.example).
Deploying to production (e.g. Vercel): configure PayShare's server env before traffic — Vercel / production checklist on the Integrate hub (dashboard cookies, cron, health). Keep API keys and webhook secrets server-side only.
| Variable | Use |
|---|---|
| PAYSHARE_API_BASE | Origin for all server calls |
| PAYSHARE_INTEGRATION_ID | Create-session body |
| PAYSHARE_API_KEY | Header X-PayShare-API-Key — never expose |
| PAYSHARE_WEBHOOK_SIGNING_SECRET | Verify X-PayShare-Signature — never expose (legacy alias: PAYSHARE_WEBHOOK_SECRET) |
Webhook HMAC uses sorted JSON keys like lib/webhook/canonical-json-sorted.ts / canonicalCompletionString — see Integrate hub for contract links and self-test. Live creates (?mode=live) need the Partner Settings live-session toggle on; optional env go-live gating is in docs/14.
Where: `app/api/payshare/create-session/route.ts`, webhook route, and your domain hook that calls `record-payment` after your PSP succeeds.
Where: `routes/payshare.js` — register webhook with **raw body** before `express.json()` on that path, or use a verify callback.
Where: `routes/api.php` + `App\Http\Controllers\PayShareController.php`; use **`Request::getContent()`** when re-verifying the webhook.
Where: `payshare_routes.py` — confirm canonical JSON matches Node **`JSON.stringify`** (spacing); golden-test against staging.
Doc `16` calls out PHP/Python serialization pitfalls; prefer contract tests from doc `15`.
Where: Shell examples for **`POST …/sessions`** and **`record-payment`** — good for smoke tests and non-Node stacks.
docs/16-TEMPLATE-PACKS.md. The zip downloads are a convenience starter — validate the contract against docs/14-INTEGRATION-CONTRACT.md.