Hosted Checkout Overview
MMG Hosted Checkout
The MMG Hosted Checkout allows you to redirect customers to a secure, MMG-hosted payment page. Customers authenticate and authorize the payment directly with MMG, reducing your PCI compliance burden.
Because the checkout relies on local RSA encryption and decryption, the SDK provides specialized utility functions to generate the redirect URLs and decrypt the incoming webhooks safely.
The Checkout Lifecycle
- Initiate: Your customer clicks “Pay with MMG” on your application.
- Generate URL: Your backend uses the SDK to encrypt the checkout details and generates a secure MMG redirect URL.
- Redirect: You redirect the customer to the generated URL.
- Authorize: The customer logs into MMG, verifies the OTP, and confirms the payment.
- Callback: MMG securely
POSTs the encrypted transaction result to your server’s Webhook URL. - Decrypt & Fulfill: Your server uses the SDK to decrypt the webhook payload and fulfills the customer’s order.
Prerequisites
Before building the checkout flow, ensure you have received the following credentials from your MMG onboarding representative:
- Merchant Client ID (
X-CLIENT-ID) - Merchant Mobile Number (7-digit Merchant ID)
- Secret Key
- PEM Public Key (Used to encrypt the outgoing payload)
- PEM Private Key (Used to decrypt the incoming webhook)
Important Security Note: Because this flow requires the use of a Private PEM Key, the checkout utility must only be used on your backend server. Never expose your keys or run these SDK methods in a frontend browser environment (like React, Vue, or plain HTML).

