C
Comgate v2
Comgate payment provider for Medusa v2
medusa-payment-comgate-v2
Comgate payment provider for Medusa v2. Comgate is a Czech payment gateway (cards, Apple Pay / Google Pay, Czech & Slovak bank buttons, Twisto, etc).
Disclaimer: This is an unofficial, community-built integration. It is not affiliated with, endorsed by, or maintained by Comgate Payments, a.s. "Comgate" and the Comgate logo are trademarks of their respective owner, used here only to identify the payment gateway this plugin integrates with.
Comgate API docs | Medusa Payment Module
Features
- Redirect (background / ) checkout flow.
- Optional pre-authorization mode (reserve now, capture later).
- Capture, cancel, refund from the admin dashboard.
- Background notification (webhook) handling via Medusa's endpoint.
Install
Configure
Add the provider to the Payment Module in :
Options
| Option | Required | Default | Description |
|---|---|---|---|
| yes | — | Comgate e-shop identifier. | |
| yes | — | Password for background communication. | |
| no | Test mode. | ||
| no | Create pre-authorizations; capture later. | ||
| no | Gateway / e-mail language (ISO 639-1). | ||
| no | Payer country (ISO 3166-1). | ||
| no | Statement label, 1–16 chars. | ||
| no | Payment method, or to let the payer choose. | ||
| / / | no | — | Return URLs. See note below — bake your own order id into them. |
| no | API base url (the version prefix is part of each path). |
Pre-authorization
To run both a direct-capture and a pre-auth provider, register the module twice with different s and :
The provider id used in the storefront / API is (and ).
How it works
Uses the Comgate REST v2.0 JSON API (, HTTP Basic auth).
- → . Returns — send the payer there. The Medusa payment session id is passed as Comgate .
- The payer pays on the Comgate gateway.
- Webhook → Comgate POSTs a JSON background notification to . constant-time-verifies the echoed , resolves the session by , and maps , , .
- → no-op for direct capture (already ); in pre-auth mode.
- → . → (storno, PENDING only) or in pre-auth mode.
Per Comgate's spec, order fulfillment must be driven by the background notification, not the payer's browser redirect, since redirect params are user-controlled. Comgate retries the PUSH up to 1000× until it gets a 2xx — Medusa's webhook handling is idempotent.
Comgate authenticates the PUSH by echoing the merchant in the body (no HMAC header). Restrict the webhook to Comgate's IP ranges () as a first layer; the secret check is the second.
Comgate Client Portal setup
In the Client Portal → Integrace → Nastavení obchodů → Přidat propojení obchodu:
| Field (CS) | Field (EN) | Value |
|---|---|---|
| Heslo | Password | → your |
| Povolený způsob založení platby | Payment creation method | HTTP POST protokol - backend (recommended) |
| Url pro předání výsledku platby | Background result URL (PUSH) | |
| Url zaplacený | Paid redirect | storefront order-confirmation page |
| Url zrušený | Cancelled redirect | storefront cart / retry page |
| Url nevyřízený | Pending redirect | storefront "payment processing" page |
| Povolené IP adresy / Povolit všechny IP | Allowed IPs | your backend's egress IP, or allow-all |
The PUSH URL is mandatory — without it payments never confirm in Medusa. The three redirect URLs are browser-facing only and non-authoritative (the payer can forge their params); never mark an order paid from them. Order state is driven solely by the PUSH webhook.
Storefront redirect URLs (Medusa Next.js starter)
The return page must know which order it is. Comgate supports (Comgate transId) and (your reference) placeholders, case-sensitive — but only in the Comgate client-portal return-URL fields, where Comgate substitutes them at redirect time. The API / / request fields are used verbatim (no substitution, no params appended), so if you set the URLs via the API you must bake the identifier in yourself.
Portal (recommended — Comgate substitutes the placeholders):
API options (verbatim — bake in your own id):
is the Medusa payment session id. The return page reads it and looks the order up. The redirect is non-authoritative regardless — the storefront must re-query order/payment status server-side before showing "paid".
Web/Mobile Checkout SDK checkboxes: leave off. This provider uses Comgate's hosted redirect flow, not the embedded checkout SDKs.
Configure the webhook
In the Comgate portal set the background-notification URL ("Url pro předání výsledku platby") to:
Development
Live smoke test against the Comgate v2.0 test API (no Medusa backend needed):
It creates a test payment and prints the URL — open it and pay with a Comgate test card to see the status flip to . Your IP must be allowed on the shop link (portal → Povolené IP adresy / Povolit všechny IP).
Publishing to npm / Medusa integrations page
This is packaged as a Medusa v2 plugin. To list it for free on the Medusa integrations page, the already includes the required keywords (, , ).
Once published with those keywords, the plugin is picked up automatically by the Medusa integrations listing.
License
MIT
This project is an independent, unofficial integration and is not affiliated with or endorsed by Comgate Payments, a.s. All Comgate trademarks and logos are the property of their respective owner.