Integrate Sage Pay (now Opayo by Elavon) with Bolt.new using the Server Integration method: your API route calls Opayo to register a transaction and receives a NextURL pointing to Opayo's hosted payment page. Redirect the customer there — the redirect works from the WebContainer preview. After payment, Opayo calls your notification URL with the result, which requires a deployed public URL. Opayo is the leading UK and Ireland payment gateway for SMBs.
Accept UK Payments in Your Bolt.new App with Sage Pay (Opayo)
Sage Pay — rebranded to Opayo and now operated by Elavon — is the most widely used payment gateway among UK and Irish SMBs. If your Bolt.new app targets British or Irish customers, Opayo is often the preferred gateway due to its strong brand recognition, competitive pricing, and deep integration with Sage accounting software. Merchants familiar with Sage's business software naturally gravitate toward Opayo for payment processing, and many UK-focused e-commerce platforms have an Opayo integration requirement.
Opayo offers two main integration styles: the Server Integration (hosted payment page) and the Direct Integration (API-based card processing that requires PCI DSS SAQ D compliance). For Bolt.new, the Server Integration is the clear choice. Your API route registers a transaction with Opayo and receives a NextURL — a redirect URL to Opayo's hosted payment page where the customer enters their card details. Opayo handles card data security, 3D Secure authentication, and PCI compliance entirely on their infrastructure. You simply redirect the customer to the NextURL and wait for the notification.
The architectural flow has two halves that behave differently in Bolt's WebContainer environment. The outbound part — your API route calling Opayo to register a transaction and the browser redirect to Opayo's hosted page — works perfectly from the WebContainer preview. The inbound part — Opayo's server calling your notification URL with the payment result — cannot reach the WebContainer's browser-local environment. Deploy to Netlify or Bolt Cloud first, then configure your notification URL in Opayo's Virtual Terminal settings to point to your deployed endpoint. This two-stage testing approach (preview for the registration and redirect, deployed URL for the notification) lets you build and validate the complete integration.
Integration method
Opayo (Sage Pay) integrates with Bolt.new through the Server Integration method: an API route authenticates with Opayo using Basic Auth and registers a transaction, receiving back a NextURL for Opayo's hosted payment page. The browser redirect to this page works from the WebContainer preview. Opayo sends the payment result to your notification URL via server-to-server HTTP POST, which requires a deployed public URL. The hosted page approach avoids PCI compliance for card data handling entirely.
Prerequisites
- An Opayo (Sage Pay) sandbox account at sandbox.opayo.eu/oltp/register (free registration)
- Opayo sandbox Vendor Name, Integration Key, and Integration Password from the sandbox Virtual Terminal
- A Bolt.new project with Next.js API routes for server-side Opayo calls
- A deployed URL on Netlify or Bolt Cloud for receiving Opayo transaction notification callbacks
- SSL/HTTPS on your deployed URL — Opayo requires HTTPS for all notification callbacks
Step-by-step guide
Register for Opayo Sandbox and Get Credentials
Register for Opayo Sandbox and Get Credentials
Opayo provides a sandbox environment for testing without processing real payments. Register a sandbox account at sandbox.opayo.eu/oltp/register — the registration is free and straightforward, requiring basic business information. Once registered, access the sandbox Virtual Terminal (the merchant management interface) and navigate to Settings → Merchant Auth. Here you'll find the three credentials needed for API authentication: Vendor Name (your merchant identifier on Opayo's system — a short alphanumeric string), Integration Key (equivalent to a public API key), and Integration Password (equivalent to a private API key). These credentials authenticate using HTTP Basic Auth to Opayo's API — the Integration Key is the Basic Auth username and the Integration Password is the password. The sandbox base URL is `https://pi-test.sagepay.com/api/v1/` and the production URL is `https://pi.sagepay.com/api/v1/`. Store all three credentials plus the base URL in your Bolt `.env` file. For the notification URL (where Opayo sends payment results), you'll configure this in the Virtual Terminal settings once you have your deployed URL. During development, you can use a placeholder URL for this setting and test the transaction registration and redirect flow from the WebContainer. The full end-to-end test including notifications requires a deployed URL.
1# .env — Opayo (Sage Pay) sandbox credentials2# Found in sandbox Virtual Terminal → Settings → Merchant Auth3OPAYO_VENDOR_NAME=your-vendor-name4OPAYO_INTEGRATION_KEY=your-integration-key5OPAYO_INTEGRATION_PASSWORD=your-integration-password67# Sandbox base URL (change to pi.sagepay.com for production)8OPAYO_BASE_URL=https://pi-test.sagepay.com/api/v1910# Notification URL (update after deploying)11OPAYO_NOTIFICATION_URL=https://your-app.netlify.app/api/opayo/notification12OPAYO_SUCCESS_URL=https://your-app.netlify.app/payment/success13OPAYO_FAILURE_URL=https://your-app.netlify.app/payment/failure1415# Opayo test card: 4929000000006 (Visa, success), any future expiry, CVV 123Pro tip: Opayo sandbox test cards: 4929000000006 (Visa Debit, success), 4929000005559 (Visa, 3D Secure required), 4111111111111111 (Visa, decline). Use any valid future expiry date and CVV 123.
Expected result: You have Opayo sandbox credentials in your .env file. Access the sandbox Virtual Terminal to verify your Vendor Name matches what's stored.
Register a Transaction and Get the Payment Page URL
Register a Transaction and Get the Payment Page URL
The first step in Opayo's Server Integration flow is registering a transaction: your API route sends the payment details to Opayo and receives back a session token (VPSTxId) and a NextURL pointing to Opayo's hosted payment page. This API call is an outbound HTTPS request that works perfectly from Bolt's WebContainer during development. The request to `POST /transactions` on Opayo's API includes the transaction type (Payment), your Vendor Name, a unique VendorTxCode (your internal order reference), the amount in pence, the currency, a description, and the Notification URL where Opayo will send the payment result. The Notification URL must be a publicly accessible HTTPS URL — during development you can set a placeholder here; Opayo will attempt to call it after the test payment but it won't affect whether you receive the NextURL for testing the redirect. Authentication uses HTTP Basic Auth with your Integration Key as the username and Integration Password as the password. Opayo responds with a Status (0000 for success), a VPSTxId (Opayo's transaction reference), a SecurityKey (for verifying notifications), and the NextURL for the hosted payment page. Your API route returns the NextURL to the frontend, which then performs a `window.location.href = nextUrl` redirect.
Create an Opayo transaction registration API route at app/api/opayo/register-transaction/route.ts. Accept POST requests with: amount (number, in pence), description (string), and vendorTxCode (string, your unique order reference). Authenticate with Opayo using Basic Auth from OPAYO_INTEGRATION_KEY and OPAYO_INTEGRATION_PASSWORD. POST to ${OPAYO_BASE_URL}/transactions with the transaction details. Return the nextUrl and vpsTxId from Opayo's response. Store the vpsTxId and securityKey in Supabase against the order record.
Paste this in Bolt.new chat
1// app/api/opayo/register-transaction/route.ts2import { NextResponse } from 'next/server';3import { createClient } from '@supabase/supabase-js';45function getOpayoAuth() {6 const key = process.env.OPAYO_INTEGRATION_KEY!;7 const password = process.env.OPAYO_INTEGRATION_PASSWORD!;8 return `Basic ${Buffer.from(`${key}:${password}`).toString('base64')}`;9}1011export async function POST(request: Request) {12 const { amount, description, vendorTxCode, orderId } = await request.json();1314 const payload = {15 transactionType: 'Payment',16 paymentMethod: {17 card: {18 merchantSessionKey: '', // Not used in Server Integration19 },20 },21 vendorTxCode,22 amount,23 currency: 'GBP',24 description,25 notificationURL: process.env.OPAYO_NOTIFICATION_URL,26 customerFirstName: '',27 customerLastName: '',28 billingAddress: {29 address1: '',30 city: '',31 postalCode: '',32 country: 'GB',33 },34 apply3DSecure: 'UseMSPSetting',35 applyAVSCVV: 'UseMSPSetting',36 };3738 const response = await fetch(`${process.env.OPAYO_BASE_URL}/transactions`, {39 method: 'POST',40 headers: {41 'Authorization': getOpayoAuth(),42 'Content-Type': 'application/json',43 },44 body: JSON.stringify(payload),45 });4647 const data = await response.json();4849 if (data.statusCode !== '0000') {50 return NextResponse.json(51 { error: data.statusDetail ?? 'Opayo registration failed', code: data.statusCode },52 { status: 400 }53 );54 }5556 // Store transaction reference for notification verification57 const supabase = createClient(58 process.env.NEXT_PUBLIC_SUPABASE_URL!,59 process.env.SUPABASE_SERVICE_ROLE_KEY!60 );6162 await supabase63 .from('orders')64 .update({65 opayo_vps_tx_id: data.transactionId,66 opayo_security_key: data.merchantSessionKey ?? '',67 payment_status: 'pending',68 })69 .eq('id', orderId);7071 return NextResponse.json({72 nextUrl: data.nextURL,73 vpsTxId: data.transactionId,74 });75}Pro tip: The VendorTxCode must be unique for each transaction attempt — if you retry a failed registration, generate a new VendorTxCode. A good pattern is to use your order UUID plus a retry counter (e.g., 'order-uuid-1', 'order-uuid-2').
Expected result: Calling POST /api/opayo/register-transaction returns a nextUrl pointing to Opayo's hosted payment page and a vpsTxId transaction reference. The order record in Supabase is updated with the Opayo transaction ID.
Redirect to Opayo's Hosted Payment Page
Redirect to Opayo's Hosted Payment Page
With the NextURL from the transaction registration, your frontend component performs a browser redirect to Opayo's hosted payment page. This is the simplest step in the integration but the most visible to the user — it navigates them away from your app to Opayo's branded checkout interface where they enter card details. Since this is a standard browser navigation (window.location.href redirect), it works perfectly from Bolt's WebContainer preview. You'll see Opayo's sandbox hosted payment page load in the same browser tab. The hosted page handles everything: card entry, real-time validation, 3D Secure challenges (showing the card issuer's authentication screen if required), and payment processing. After the payment attempt, Opayo redirects the browser back to your configured URLs based on the outcome. Build a simple PayWithOpayo component that calls your registration API route, handles the loading state, and performs the redirect. Add clear loading feedback since the registration API call may take 1-2 seconds and users should not click the button again during this time.
Create a PayWithOpayo React component. On clicking 'Pay Now', call /api/opayo/register-transaction with the order amount in pence, a description, and a unique VendorTxCode using the order ID. Show a spinner while waiting for the registration. On success, redirect to the nextUrl using window.location.href. On failure, show an error message with the error details. Also create simple success and failure pages at /payment/success and /payment/failure that display the appropriate message.
Paste this in Bolt.new chat
1// components/PayWithOpayo.tsx2'use client';3import { useState } from 'react';45interface PayWithOpayoProps {6 amountInPence: number;7 description: string;8 orderId: string;9}1011export function PayWithOpayo({ amountInPence, description, orderId }: PayWithOpayoProps) {12 const [loading, setLoading] = useState(false);13 const [error, setError] = useState<string | null>(null);1415 async function handlePayment() {16 setLoading(true);17 setError(null);1819 const vendorTxCode = `${orderId}-${Date.now()}`;2021 const response = await fetch('/api/opayo/register-transaction', {22 method: 'POST',23 headers: { 'Content-Type': 'application/json' },24 body: JSON.stringify({25 amount: amountInPence,26 description,27 vendorTxCode,28 orderId,29 }),30 });3132 const data = await response.json();3334 if (!response.ok || !data.nextUrl) {35 setError(data.error ?? 'Failed to initialize payment');36 setLoading(false);37 return;38 }3940 // Redirect to Opayo's hosted payment page41 window.location.href = data.nextUrl;42 }4344 return (45 <div>46 {error && (47 <p className="text-red-600 text-sm mb-3 p-3 bg-red-50 rounded-lg">{error}</p>48 )}49 <button50 onClick={handlePayment}51 disabled={loading}52 className="w-full bg-green-600 text-white py-3 px-6 rounded-lg font-medium hover:bg-green-700 disabled:opacity-50 flex items-center justify-center gap-2"53 >54 {loading ? (55 <><span className="animate-spin h-4 w-4 border-2 border-white border-t-transparent rounded-full" />Preparing payment...</>56 ) : (57 `Pay £${(amountInPence / 100).toFixed(2)} securely with Opayo`58 )}59 </button>60 </div>61 );62}Pro tip: Opayo's hosted page automatically handles 3D Secure (3DS2) authentication for eligible cards. You don't need to implement 3DS flows — the hosted page handles the card issuer challenge and returns to your notification URL with the final payment status.
Expected result: Clicking the Pay button shows a loading spinner, then redirects to Opayo's sandbox hosted payment page where test card details can be entered.
Handle Transaction Notifications After Deploying
Handle Transaction Notifications After Deploying
After a customer completes or abandons payment on Opayo's hosted page, Opayo sends a server-to-server POST notification to your Notification URL with the payment result before redirecting the browser. This server notification is separate from the browser redirect — it's Opayo's systems calling your app directly, not the customer's browser. Your notification handler receives the payment details, verifies their authenticity, updates your order record in Supabase, and returns a response telling Opayo where to redirect the customer next. This server-to-server call is what makes testing the full flow require a deployed URL — the WebContainer's browser-local environment is not accessible from Opayo's servers. Deploy to Netlify or Bolt Cloud first, then update the OPAYO_NOTIFICATION_URL environment variable in your deployment settings. In the Opayo sandbox Virtual Terminal, update the Default Notification URL to your deployed endpoint. The notification payload includes VPSProtocol, TxType, VendorTxCode, VPSTxId, Status (OK for success, NOTAUTHED for failed), Amount, and a VPSSignature for verification. Your handler must return a specific redirect instruction response telling Opayo where to send the customer.
Create an Opayo transaction notification handler at app/api/opayo/notification/route.ts. Accept POST requests with Opayo's notification payload (URL-encoded form data). Parse the VendorTxCode, VPSTxId, Status, and Amount fields. If Status is 'OK', update the order in Supabase to 'paid'. If Status is 'NOTAUTHED' or 'REJECTED', update to 'payment_failed'. Return the required Opayo notification response format that redirects the customer to the success or failure page based on status.
Paste this in Bolt.new chat
1// app/api/opayo/notification/route.ts2import { NextRequest, NextResponse } from 'next/server';3import { createClient } from '@supabase/supabase-js';45export async function POST(request: NextRequest) {6 const body = await request.text();7 const params = new URLSearchParams(body);89 const status = params.get('Status') ?? '';10 const vendorTxCode = params.get('VendorTxCode') ?? '';11 const vpsTxId = params.get('VPSTxId') ?? '';12 const statusDetail = params.get('StatusDetail') ?? '';1314 const supabase = createClient(15 process.env.NEXT_PUBLIC_SUPABASE_URL!,16 process.env.SUPABASE_SERVICE_ROLE_KEY!17 );1819 const isPaid = status === 'OK';20 // Extract order ID from VendorTxCode (format: orderId-timestamp)21 const orderId = vendorTxCode.split('-').slice(0, -1).join('-');2223 await supabase24 .from('orders')25 .update({26 payment_status: isPaid ? 'paid' : 'failed',27 opayo_status: status,28 opayo_status_detail: statusDetail,29 paid_at: isPaid ? new Date().toISOString() : null,30 })31 .eq('id', orderId);3233 // Opayo requires this specific response format34 const redirectUrl = isPaid35 ? `${process.env.OPAYO_SUCCESS_URL}?order=${orderId}`36 : `${process.env.OPAYO_FAILURE_URL}?order=${orderId}`;3738 // Opayo reads this response to know where to redirect the browser39 const notificationResponse = [40 'Status=OK',41 `RedirectURL=${redirectUrl}`,42 'StatusDetail=Transaction processed',43 ].join('\r\n');4445 return new Response(notificationResponse, {46 status: 200,47 headers: { 'Content-Type': 'text/plain' },48 });49}Pro tip: Opayo's notification response must be plain text in key=value format separated by CRLF (\r\n), not JSON. The Status field in your response must be 'OK' (not the payment status) — it tells Opayo your notification was received successfully. The RedirectURL tells Opayo where to send the customer's browser next.
Expected result: After deploying and configuring the notification URL, completing a test payment triggers Opayo's server to POST to your notification handler, which updates the order status in Supabase and tells Opayo where to redirect the customer.
Common use cases
UK E-Commerce Checkout with Hosted Payment Page
Build a checkout for a UK-based online store where customers pay via Opayo's hosted page. The integration handles Visa, Mastercard, Amex, and all major UK debit cards. 3D Secure authentication is handled automatically by Opayo for eligible cards.
Add an Opayo (Sage Pay) checkout to my e-commerce app. When the user clicks 'Checkout', call /api/opayo/register-transaction with the cart total in pence. Redirect to the NextURL from Opayo's response. After payment, redirect to /order-confirmation with the order details. Store the VPSTxId from Opayo in Supabase alongside the order. Use the OPAYO_VENDOR_NAME and OPAYO_INTEGRATION_KEY from .env.
Copy this prompt to try it in Bolt.new
Recurring Membership Billing with Opayo Tokens
Store customer card tokens in Opayo's secure vault (Opayo Repeat Transactions) to charge members monthly without requiring card re-entry. The first transaction stores the token; subsequent charges use it server-side.
Build a membership subscription system using Opayo. For the first payment, use the standard Server Integration and store the returned token in Supabase. For monthly renewal, create an API route that uses Opayo's Repeat Transaction feature to charge the stored token without redirecting the user. Update the member's renewal date in Supabase after each successful charge.
Copy this prompt to try it in Bolt.new
Invoice Payment Portal for UK Clients
Build a B2B invoice payment portal where UK business clients pay outstanding invoices using their company credit or debit cards. Opayo's hosted page handles the full payment UI; your portal shows invoice details and payment status.
Create an invoice payment page at /invoices/[id]/pay. Fetch invoice details from Supabase. Show invoice number, amount, and due date. Add a 'Pay Invoice' button that registers an Opayo transaction for the invoice amount, with the invoice ID as the VendorTxCode. Redirect to Opayo's hosted page. After payment confirmation, update the invoice status in Supabase to 'paid' and send a payment receipt email.
Copy this prompt to try it in Bolt.new
Troubleshooting
Transaction registration returns statusCode '3003' or '4001' — authentication failed
Cause: The Integration Key or Integration Password is incorrect, or Basic Auth encoding is wrong. Opayo uses the Integration Key as the username and Integration Password as the password for Basic Auth.
Solution: Verify OPAYO_INTEGRATION_KEY and OPAYO_INTEGRATION_PASSWORD in your .env match exactly what's in the Opayo Virtual Terminal under Settings → Merchant Auth. Ensure the Base64 encoding uses 'IntegrationKey:IntegrationPassword' format (key first, password second). Check OPAYO_BASE_URL uses the sandbox URL (pi-test.sagepay.com) for test credentials.
1// Correct Basic Auth for Opayo2const auth = Buffer.from(`${process.env.OPAYO_INTEGRATION_KEY}:${process.env.OPAYO_INTEGRATION_PASSWORD}`).toString('base64');3// Header: 'Authorization': `Basic ${auth}`Transaction notification is not being received after deploying
Cause: The notification URL is misconfigured, points to the WebContainer preview URL (which Opayo cannot reach), or the deployed app is returning a non-200 response to Opayo's notification POST.
Solution: Deploy your app first — Opayo cannot reach the WebContainer's browser-local environment. Update OPAYO_NOTIFICATION_URL in your Netlify environment variables to your deployed endpoint (https://your-app.netlify.app/api/opayo/notification). In the Opayo Virtual Terminal, update the Default Notification URL to match. Ensure your notification handler returns 200 with the Status=OK response format.
Customer is redirected to /payment/failure even though test payment succeeded
Cause: The notification handler returned an error response or couldn't parse the notification body, causing Opayo to use its fallback failure redirect URL.
Solution: Check your notification handler logs in Netlify for errors. Ensure you're parsing the notification as URL-encoded form data (new URLSearchParams(body)) not JSON — Opayo sends form-encoded data. Verify the response format is plain text Status=OK\r\nRedirectURL=...\r\n with correct CRLF line endings.
1// Parse Opayo notification correctly — it's URL-encoded, not JSON2const body = await request.text();3const params = new URLSearchParams(body);4const status = params.get('Status'); // 'OK', 'NOTAUTHED', 'REJECTED'Best practices
- Use the Server Integration (hosted payment page) rather than Direct Integration — it removes PCI DSS scope for card data handling and works with the WebContainer redirect pattern
- Generate unique VendorTxCodes for each transaction attempt using a combination of your order ID and a timestamp to avoid 'duplicate transaction' errors on retries
- Store the Opayo VPSTxId and SecurityKey against each order record for notification verification and dispute resolution
- Return 'Status=OK' (plain text, CRLF separated) from your notification handler — any other response causes Opayo to consider the notification unacknowledged
- Test all payment scenarios in the Opayo sandbox before going live: successful payment, 3D Secure challenge, card declined, and user abandonment
- Deploy before testing the notification flow — Opayo's servers cannot reach the WebContainer's browser-local environment
- Configure both a RedirectURL for success and failure cases in your notification response — users should always land on an appropriate page regardless of payment outcome
- Use Opayo's test card 4929000005559 to test 3D Secure flows — it triggers the card issuer authentication screen which is important to validate in sandbox
Alternatives
Worldpay is larger and more enterprise/global — better for high-volume merchants or organizations needing international payment processing beyond UK and Ireland.
Stripe has native Bolt.new integration, instant developer access, and better documentation — the first choice for new projects that don't have existing Opayo merchant contracts.
Adyen offers enterprise-level payment infrastructure with global acquiring and advanced fraud tools — suited for large-scale platforms that have outgrown gateway-only solutions.
Authorize.net is a Visa-owned gateway with a similar hosted payment page model to Opayo but focused on US merchants rather than UK and Ireland.
Frequently asked questions
Is Sage Pay and Opayo the same thing?
Yes. Sage Pay was rebranded to Opayo in 2020 when it was acquired by Elavon (a US Bancorp subsidiary). The underlying payment gateway technology, merchant accounts, and API are the same. Some documentation and integrations still use the Sage Pay name. The current branding is Opayo, but many UK merchants still refer to it as Sage Pay.
Can I test Opayo payments in Bolt's WebContainer preview?
Partially. The transaction registration API call (getting the NextURL) and the browser redirect to Opayo's hosted payment page both work in the WebContainer preview since they're outbound operations. After completing the test payment, Opayo sends a server-to-server notification to your Notification URL — this cannot reach the WebContainer's browser-local environment. Deploy to Netlify or Bolt Cloud first to test the complete notification-driven flow.
Do I need PCI DSS compliance to use Opayo with Bolt.new?
Using Opayo's Server Integration (hosted payment page), you qualify for SAQ A — the simplest PCI DSS self-assessment questionnaire for merchants who redirect to a hosted payment page. Opayo handles all card data on their infrastructure. You're not in scope for the complex SAQ D requirements that apply to merchants handling raw card data directly.
What response format does Opayo expect from my notification handler?
Opayo expects a plain text response (not JSON) with key=value pairs separated by CRLF (\r\n): 'Status=OK\r\nRedirectURL=https://yourapp.com/success\r\nStatusDetail=Transaction processed'. The Status in your response means your notification handler received it successfully (always send OK unless you want Opayo to retry). The RedirectURL tells Opayo where to send the customer's browser after the payment.
How do I move from Opayo sandbox to production?
Update OPAYO_BASE_URL from pi-test.sagepay.com to pi.sagepay.com in your deployment environment variables. Replace OPAYO_VENDOR_NAME, OPAYO_INTEGRATION_KEY, and OPAYO_INTEGRATION_PASSWORD with your production merchant credentials from the live Opayo Virtual Terminal. Update your notification URL to your production endpoint and configure it in the live Opayo Virtual Terminal settings. All credential values differ between sandbox and production environments.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation