This implementation demonstrates complete card payment processing using Python/Flask with Global Payments hosted fields tokenization and JWT authentication.
- Python 3.7 or later
- pip (Python Package Installer)
- Global Payments account with JWT authentication enabled
- `server.py` - Flask server with JWT creation and payment processing
- `requirements.txt` - Project dependencies (Flask, python-dotenv, PyJWT, requests)
- `.env.sample` - Environment variable template
- `run.sh` - Startup script with virtual environment creation
- `../index.html` - Shared client-side payment form (parent directory)
- Copy `.env.sample` to `.env`
- Update `.env` with your Global Payments credentials:

```
HOSTED_FIELDS_API_KEY=your_hosted_fields_api_key
TRANSACTIONS_API_KEY=your_transactions_api_key
AUTHTOKEN_JWT_SECRET=your_jwt_secret
ACCOUNT_CREDENTIAL=your_account_credential
PORT=8000
```
- Create and activate a virtual environment (recommended):

```bash
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
```

- Install dependencies:

```bash
pip install -r requirements.txt
```

- Run the application:

```bash
./run.sh
```

Or manually:

```bash
python server.py
```
- Open http://localhost:8000 in your browser
The server generates JWT tokens for hosted fields authentication:
- Creates JWT payload with account credential and region
- Signs token using HS256 algorithm with `AUTHTOKEN_JWT_SECRET`
- Token includes timestamp (milliseconds since epoch) for validation
- Configures token for AuthTokenV2 type
Flask server setup:
- Serves static files from current directory
- Parses JSON request bodies
- Returns JSON responses with appropriate status codes
- Listens on configurable port (default: 8000)
- Client requests configuration via the `/config` endpoint (receives `HOSTED_FIELDS_API_KEY`)
- Hosted fields library initializes with API key
- User enters card details in secure iframes
- Hosted fields tokenize card data client-side
- Client submits payment token, amount, and billing zip to `/process-payment`
- Server constructs JWT token for API authentication
- Server makes direct API call to Global Payments endpoint using `TRANSACTIONS_API_KEY`
- Payment is processed and transaction ID is returned
- Results are displayed to the client
Implements robust input validation:
- Postal codes: Removes non-alphanumeric characters (except hyphens), limits to 10 characters
- Amounts: Parses and validates as decimal, ensures positive value
- Tokens: Validates presence and format
- Prevents injection attacks and malformed data
Server-to-server payment processing:
- Constructs REST API request with transaction details
- Includes JWT authentication header (`Authorization: AuthToken <jwt>`)
- Includes API key header (`X-GP-Api-Key`)
- Sends JSON payload with payment token and billing data
- Handles API responses and errors with proper status codes
- Extracts transaction IDs from successful payments
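As an added example (not the project's `server.py`), the token side of the flow above in Python, using only the standard library rather than the PyJWT dependency the project lists: an HS256 JWT builder carrying the claims the README describes (account credential, region, AuthTokenV2 type, millisecond timestamp), a verifier that checks the signature before trusting any claim and rejects stale timestamps, and the `AuthToken` / `X-GP-Api-Key` header construction for the server-to-server call. The claim names and the five-minute freshness window are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_auth_token(account_credential, secret, region="US", now_ms=None):
    # Claim names below are assumptions for illustration, not the
    # processor's documented schema; the README only lists what they carry.
    if now_ms is None:
        now_ms = int(time.time() * 1000)  # milliseconds since epoch
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"account_credential": account_credential, "region": region,
               "type": "AuthTokenV2", "timestamp": now_ms}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_auth_token(token, secret, max_age_ms=5 * 60 * 1000, now_ms=None):
    # Check the signature (constant-time compare) before reading any claim, then freshness.
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if abs(now_ms - int(payload["timestamp"])) > max_age_ms:
        raise ValueError("token too old")
    return payload


def gp_headers(token, transactions_api_key):
    # Header names as given in the README: AuthToken scheme plus X-GP-Api-Key.
    return {"Authorization": f"AuthToken {token}",
            "X-GP-Api-Key": transactions_api_key,
            "Content-Type": "application/json"}
```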
`/config` - Returns hosted fields API key for client-side initialization.

Response:

```json
{
  "success": true,
  "data": {
    "apiKey": "your_hosted_fields_api_key"
  }
}
```

`/process-payment` - Processes a card payment using tokenized card data.

Request:

```json
{
  "payment_token": "PMT_xxxxx",
  "billing_zip": "12345",
  "amount": "10.00"
}
```

Response (Success):

```json
{
  "success": true,
  "message": "Payment successful! Transaction ID: TRN_xxxxx"
}
```

Response (Error):

```json
{
  "success": false,
  "message": "Payment processing error: [error details]"
}
```

| Variable | Description | Required |
|---|---|---|
| `HOSTED_FIELDS_API_KEY` | API key for hosted fields client-side | Yes |
| `TRANSACTIONS_API_KEY` | API key for server-side transactions | Yes |
| `AUTHTOKEN_JWT_SECRET` | Secret key for JWT signing | Yes |
| `ACCOUNT_CREDENTIAL` | Global Payments account credential | Yes |
| `PORT` | Server port (default: 8000) | No |
This implementation includes production-ready security:
- PCI Compliance - Card data never touches your server (hosted fields handle tokenization)
- JWT Authentication - Secure, time-limited tokens for API access
- Input Sanitization - All user inputs are validated and sanitized
- Environment Variables - Credentials stored securely outside source code
- Error Handling - Generic error messages prevent information disclosure
- JSON Responses - Consistent API response format
Before deploying to production:
- Use a production-grade WSGI server (Gunicorn, uWSGI)
- Enable HTTPS (required for PCI compliance)
- Configure rate limiting to prevent abuse
- Add comprehensive logging and monitoring
- Implement CSRF protection
- Implement idempotency keys for payment retries
- Set up webhook handling for async payment notifications
- Add request timeout handling
- Implement proper error tracking
| Issue | Solution |
|---|---|
| `pip install` fails | Ensure Python 3.7+ is installed. Run `python3 --version` to check |
| Port already in use | Change port: `python server.py --port 8001` or edit `server.py` |
| `.env` not loading | Verify the `.env` file exists in the language directory (not the project root) |
| Module not found errors | Activate the virtual environment and run `pip install -r requirements.txt` |