Payment Integration with checkout.gfavip.com

Status: ✅ Fully integrated and production-ready

Payment Flow Overview

  1. Student clicks "Enroll" on a paid course
  2. System checks membership eligibility (chapters/tickets/wallet)
  3. System calculates price based on user's tier
  4. Invoice created via checkout.gfavip.com API
  5. Student redirected to payment page
  6. Student pays with GFAVIP wallet balance
  7. checkout.gfavip.com sends webhook to learning platform
  8. Platform auto-enrolls student

Invoice Creation

POST https://checkout.gfavip.com/api/admin/invoices
Headers:
Authorization: Bearer {SSO_TOKEN}
Content-Type: application/json
Request Body:
{
  "recipient": "user@email.com",
  "amount": 25.00,
  "description": "Course Enrollment - Course Title",
  "dueInDays": 7,
  "currency": "USD",
  "metadata": {
    "course_id": 1,
    "user_id": "sso-user-id",
    "source": "learning.gfavip.com",
    "redirect_url": "https://learning.gfavip.com/student",
    "webhook_url": "https://learning.gfavip.com/webhooks/payment"
  }
}
Response:
{
  "success": true,
  "invoice": {
    "id": "uuid-here",
    "gfaInvoiceId": "GFA-INV123",
    "paymentUrl": "https://checkout.gfavip.com/pay/{uuid}",
    ...
  }
}

Webhook Integration

Security: All webhooks are verified using HMAC-SHA256 signatures keyed with WEBHOOK_SECRET.
POST /webhooks/payment
Headers:
X-Webhook-Signature: {HMAC_SHA256_SIGNATURE}
Content-Type: application/json
Payload Structure:
{
  "event": "invoice.paid",
  "invoice": {
    "id": "uuid",
    "amount": 25.00,
    "metadata": {
      "course_id": 1,
      "user_id": "sso-user-id",
      "source": "learning.gfavip.com"
    }
  }
}
Supported Events:
  • invoice.paid → Auto-enrolls student in course
  • invoice.failed → Cancels enrollment
  • invoice.expired → Cancels enrollment
  • invoice.cancelled → Cancels enrollment

Pricing Tiers

Membership Type | Check Via               | Price Multiplier   | Example (Base $100)
Chapter Member  | chapters.gfavip.com API | 0.5x (50% off)     | $50.00
Ticket Holder   | tickets.gfavip.com API  | 0.7x (30% off)     | $70.00
Global Member   | wallet.gfavip.com API   | 0.8x (20% off)     | $80.00
Standard        | -                       | 1.0x (No discount) | $100.00

Security Features

Webhook Verification
  • HMAC-SHA256 signature validation
  • Timing-safe comparison
  • Requires WEBHOOK_SECRET env var
  • Rejects unsigned webhooks (401)
SSO ID Handling
  • All external APIs use SSO IDs
  • Webhook converts SSO → internal ID
  • Prevents enrollment mismatches
  • Returns 404 if user not found
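
One way the webhook verification and SSO ID handling listed above fit together, as an added example that is not the platform's own code. It assumes X-Webhook-Signature carries the hex HMAC-SHA256 of the raw request body; handle_webhook, sign, the in-memory user map and the 400/500 status codes are hypothetical choices for illustration.

```python
import hashlib
import hmac
import json

CANCEL_EVENTS = {"invoice.failed", "invoice.expired", "invoice.cancelled"}

def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumption: signature = hex HMAC-SHA256 over the raw request body.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def handle_webhook(raw_body, signature, secret, sso_to_internal, enrollments):
    """Process one delivery and return the HTTP status to send back."""
    if not secret:
        return 500  # WEBHOOK_SECRET unset: fail closed (status is an assumption)
    if not signature:
        return 401  # unsigned webhook
    expected = sign(secret, raw_body).encode()
    # compare_digest does not stop at the first differing byte.
    if not hmac.compare_digest(expected, signature.encode()):
        return 401
    # Parse only after the exact bytes received have been authenticated.
    try:
        payload = json.loads(raw_body)
        event = payload["event"]
        meta = payload["invoice"]["metadata"]
        course_id = int(meta["course_id"])
        user_id = sso_to_internal.get(meta["user_id"])  # SSO ID -> internal ID
    except (ValueError, KeyError, TypeError):
        return 400  # malformed payload (status is an assumption)
    if user_id is None:
        return 404
    if event == "invoice.paid":
        enrollments.add((user_id, course_id))
    elif event in CANCEL_EVENTS:
        enrollments.discard((user_id, course_id))
    else:
        return 400  # unsupported event (status is an assumption)
    return 200

if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed, not a real key
    body = (b'{"event":"invoice.paid","invoice":{"id":"uuid","amount":25.00,'
            b'"metadata":{"course_id":1,"user_id":"sso-user-id"}}}')  # constructed
    users, enrolled = {"sso-user-id": 7}, set()
    print(handle_webhook(body, sign(secret, body), secret, users, enrolled), enrolled)
    print(handle_webhook(body, "00" * 32, secret, users, enrolled))  # bad signature
```

The signature is checked against the bytes as received, before any JSON parsing, so a re-serialized or modified body fails verification.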

Testing

How to Test Payment Flow:
  1. Ensure WEBHOOK_SECRET is configured in environment
  2. Create a test course with pricing tiers set
  3. Login as a test student
  4. Click "Enroll" on paid course
  5. Verify redirect to checkout.gfavip.com
  6. Complete payment (or simulate webhook)
  7. Check student is auto-enrolled
  8. Review server logs for debug output

Environment Variables

Required for Production:
  • WEBHOOK_SECRET - HMAC signature key (REQUIRED)
  • SESSION_SECRET - Flask session encryption
  • DATABASE_URL - PostgreSQL connection