DOKU DocsChangelogDOKU Github

DOKU JS Integration Guide

What is DOKU JS ?

The DOKU JS Integration feature enables non-PCI DSS certified merchants to securely collect customer card details for online transactions by embedding a Javascript into their HTML files while still having the freedom to manages how their checkoutpage will looks like. PCI DSS compliance is needed before activating this feature please contact DOKU team first.

Integration steps

Understanding the complete payment flow from merchant perspective:

Prerequisites:

  • Create session_id from your backend: Call POST /request-payment-page to get payment URL and get session ID

  • A valid DOKU payment session ID from your backend

  • Basic HTML/JavaScript knowledge

  • Web server or local development environment

DOKU JS Transaction Flow

Example HTML Files

Step 1: Include the SDK

Add the SDK script to your HTML page according to your environment:

⚠️ Important:

  1. Each SDK URL is environment-specific. Always use sandbox URL for testing and production URL for live payments. Never use sandbox SDK in production!

  2. HTML ID must be the same as stated in this documentation

  3. Note: Place this in your <head> section or before the closing </body> tag.

Step 2: Create Your Payment Form

Create a form with the required input fields:

ID must be the same as stated in this documentation

Step 3: Initialize the SDK

Add this script to initialize the SDK:

Place this after the SDK script is loaded, preferably in a tag at the bottom of your page.

Step 4: Handle Form Submission

Capture the form submission and send the payment data to DOKU:

API References

PG.init()

Initialize the Payment Gateway SDK. Call this once when the page loads.

Parameters: None

Returns: void

PG.payment.collectCardData(cardData, callback)

Submit card data for payment processing.

Required Parameters (cardData object):

Field
Type
Description
Example

session_id REQUIRED

string

Payment session ID from backend

"ps_sandbox_1762256259630_lRDnbpJT3c"

card_number REQUIRED

string

Card number (no spaces)

"4512490000000907"

expiry_month REQUIRED

string

Card expiry month (MM)

"12"

expiry_year REQUIRED

string

Card expiry year (YY or YYYY)

"27" or "2027"

cvv REQUIRED

string

Card CVV/CVV2 code

"123"

card_holder_first_name REQUIRED

string

Cardholder first name

"John"

card_holder_last_name REQUIRED

string

Cardholder last name

"Doe"

Callback Function:

Callback Parameters:

  • error: Error object if payment fails (null on success)

    • error.message: Error message string

  • response: Response object if payment succeeds (null on error)

    • Contains payment result data

Troubleshooting

Common Issues

1. SDK Not Loaded

Error: PG is not defined

Solution: Make sure the SDK script is loaded before your code:

2. Invalid Session ID

Error: Invalid session ID

Solution: Ensure you're getting a valid payment session ID from your backend API.

3. Card Validation Errors

Error: Invalid card number

Solution:

  • Remove all spaces from card number

  • Verify the card number is valid

  • Use test cards in sandbox environment

4. Network Errors

Error: Network request failed

Solution:

  • Check your internet connection

  • Verify the SDK URL is correct for your environment

  • Check browser console for CORS errors

5. Form Not Submitting

Issue: Clicking submit button does nothing

Solution:

  • Ensure e.preventDefault() is called in the submit handler

  • Check browser console for JavaScript errors

  • Verify all required fields have values

Debug Mode

Enable console logging to debug issues:

Security Best Practices

1. Never Store Card Data

Never save card numbers, CVV, or sensitive data in your database or logs. The SDK handles secure transmission of card data to DOKU's servers.

2. Use HTTPS

Always serve your payment page over HTTPS to ensure encrypted communication between the user's browser and your server.

3. Validate Input

Validate user input on both client and server side to prevent malicious data submission and improve user experience.

4. Session Management

Generate payment session IDs server-side with proper authentication. Never expose your API credentials on the client side.

5. Anti-Clickjacking Protection

What is Clickjacking? Clickjacking is an attack where a malicious actor tricks users into clicking on hidden elements by overlaying transparent layers on your payment page.

Protect your payment integration by implementing these defense mechanisms:

JavaScript Frame-Breaker

Add this script to prevent your payment page from being loaded in unauthorized iframes:

Add this style in your page <head> to hide content until the frame-breaker runs:

X-Frame-Options HTTP Header

Configure your web server to send the X-Frame-Options header to prevent framing:

Apache (.htaccess or httpd.conf):

Nginx:

Node.js/Express:

Content-Security-Policy Header

Implement CSP with frame-ancestors directive for more granular control:

Apache:

Nginx:

Node.js/Express:

Best Practice: Defense in Depth

Implement multiple layers of clickjacking protection for maximum security:

  • JavaScript frame-breaker (client-side)

  • X-Frame-Options header (HTTP-level)

  • Content-Security-Policy header (modern standard)

Reference: OWASP Clickjacking Defense Cheat Sheet

6. PCI Compliance

The SDK handles card data securely, but ensure your implementation follows PCI DSS guidelines. This includes:

  • Never logging sensitive card data

  • Implementing proper access controls

  • Regular security assessments

  • Secure coding practices

Next Steps

  1. Test the integration in sandbox environment

  2. Implement proper error handling

  3. Add form validation

  4. Style your payment form

  5. Set up production environment

  6. Implement server-side payment verification

PreviousHost-To-Host Integration GuideNextRefund

Last updated

Was this helpful?