R
Redsys
Redsys / Sermepa TPV Virtual payment provider plugin for MedusaJS v2
@jsm406/medusa-plugin-redsys
Redsys / Sermepa TPV Virtual payment provider plugin for MedusaJS v2.
This plugin enables payment processing through Redsys' hosted payment page (TPV Virtual) via redirect flow. Customers are redirected to the Redsys secure payment page to complete their transaction.
Production-proven: This plugin is derived from a live production Medusa store processing real Redsys payments.
Features
- Redsys hosted payment page / TPV Virtual redirect flow
- Bizum mobile payment support via Redsys TPV
- Sandbox and production environments
- One-step payment (immediate capture) and two-step payment (pre-authorization + capture)
- Full and partial refunds via Redsys API
- Payment cancellation
- Webhook handling with HMAC-SHA256 signature verification
- Spanish error messages for Redsys response codes
- Zero PCI scope — card data is handled by Redsys' secure page
Prerequisites
- MedusaJS v2.13.0 or later
- Node.js v20 or later
- A Redsys merchant account (or sandbox test credentials)
- v5.3.0+ (installed automatically as a dependency)
Installation
Configuration
Environment Variables
Add the following to your file:
For sandbox testing, use the following test credentials from Redsys:
Medusa Configuration
In your :
Enable in Region
Enable the Redsys provider(s) in your Medusa admin panel under Settings > Regions:
- Credit/Debit Card: Select Redsys as a payment provider
- Provider ID:
- Bizum: Select Redsys Bizum as a payment provider
- Provider ID:
You can enable one or both providers depending on which payment methods you want to offer.
Options
| Option | Type | Required | Default | Description |
|---|---|---|---|---|
| string | Yes | — | Redsys HMAC-SHA256 secret key | |
| string | Yes | — | Redsys merchant code (FUC) | |
| string | No | Terminal number | ||
| string | No | or | ||
| string | No | — | Webhook URL for Redsys to POST transaction results | |
| string | No | — | URL to redirect after successful payment (URLOK) | |
| string | No | — | URL to redirect after failed payment (URLKO) | |
| string | No | = immediate capture, = pre-authorization |
Payment Flow
- Customer selects Redsys as payment method
- creates a signed redirect form with Redsys merchant parameters
- Customer clicks "Place Order" → storefront calls to create the order, stores a cookie mapping the Redsys internal order ID to the Medusa order ID, then auto-submits the redirect form to Redsys TPV
- Customer completes payment on the Redsys hosted payment page
- Redsys sends a webhook notification to
- validates the HMAC-SHA256 signature and updates the payment status
- Redsys redirects the customer's browser to or with the Redsys order ID as a query parameter
- Storefront callback page reads the sessionStorage to resolve the Medusa order ID and redirects to the order confirmation page
Important: authorizePayment Behavior
This plugin's returns for sessions with status and . This is intentional for the redirect flow: the real authorization happens on Redsys TPV and is confirmed via webhook. Without this, would fail with a 400 error because Medusa requires the payment session to be authorized before completing the cart.
ID Mapping (Redsys → Medusa)
The plugin generates a 12-character alphanumeric (e.g. ) used as Redsys' merchant order reference. When the order is completed via , Medusa generates its own order ID (e.g. ). These are different IDs.
The callback URL from Redsys only contains the Redsys order ID, not the Medusa order ID. To bridge this gap, the storefront stores the mapping → in before redirecting to the TPV. The callback page reads this value to redirect to the correct order confirmation page.
Storefront Integration
Redsys is a redirect-based payment method (no card input in your storefront — the customer enters card data on Redsys' secure TPV). You must adapt your Medusa Next.js storefront with the changes below.
1. — Register the payment methods
Add Redsys and Bizum to the payment info map and add helper functions:
2. — Add order completion without redirect
Add a function. The standard does a (server-side), but Redsys needs to redirect the browser to the TPV instead. This function completes the cart, creates the order, but returns the result so the client can handle the TPV redirect:
3. — Payment buttons
Add payment button components for both Redsys (card) and Bizum. Both use the same redirect flow but with different provider IDs.
4. — Callback page (new file)
Create a client component page that Redsys redirects to after payment. It reads the query param (Redsys internal ID), looks up the real Medusa order ID from , and redirects to the order confirmation page:
5. — Bypass region redirect
If your storefront uses middleware to enforce region/country code prefixes in URLs (as the default Medusa Next.js storefront does), add a bypass so is not redirected. Add this early in the function:
6. — CORS
Ensure your storefront domain is allowed in CORS:
Session Data Reference
The payment session field returned by :
Note: The identifier in the URL callback is the value returned by the library and is normal. This does not indicate a problem - the actual signature computation follows the Redsys v4.1 specification. The value is informational in the callback URL.
These fields are used in step 3 to build the auto-submitting redirect form.
Webhook
Medusa automatically exposes webhook endpoints for the Redsys providers at:
For local development with sandbox, you must expose your backend to the internet (e.g., via ngrok) so Redsys can reach the webhook. Set to the ngrok URL.
Important: Redsys sends the notification to but the signature verification and payment status update happens through the Medusa webhook handler — make sure points to the same endpoint or forward notifications accordingly.
Test Cards (Sandbox)
Card Payments
| Card Number | Brand | Behavior |
|---|---|---|
| 4548810000000003 | VISA | 3DS v2 approved |
| 5576441563045037 | Mastercard | 3DS v2 approved |
| 4548814479727229 | VISA | 3DS frictionless |
| 4548817212493017 | VISA | 3DS challenge |
| Any + CVV 999 | Any | Payment declined |
Bizum (Sandbox)
Important: In sandbox, Bizum transactions cannot exceed 10€. Use a discount coupon or low-price test product.
| Field | Value |
|---|---|
| Phone number | |
| PIN | |
| SMS code |
Test scenarios by amount:
| Amount | Result |
|---|---|
| < 5€ | Payment approved |
| 5€ - 10€ | Payment approved |
| 10€ - 15€ | Payment declined (exceeds sandbox limit) |
| > 15€ | Payment declined (no Bizum user) |
Transaction Types
| Code | Type | Description |
|---|---|---|
| Payment | Authorization + immediate capture (default) | |
| Pre-authorization | Reserve funds only | |
| Confirmation | Capture pre-authorized funds | |
| Refund | Full or partial refund | |
| Cancellation | Cancel/void a transaction |
Security
- Never log PAN, CVV, or the secret key. The provider strips sensitive fields from log output.
- Always validate signatures server-side. uses 's for HMAC-SHA256 verification.
- Use HTTPS for all communication with Redsys.
- Do not trust client-side payment data. The webhook with signature verification is the source of truth.
- The redirect flow keeps you out of PCI scope — card data is handled by Redsys' secure page.
Currency Support
The plugin includes built-in numeric currency codes for all major currencies. If your currency is not listed, it defaults to EUR (). See for the full list.
Development
Local Testing with a Medusa Project
License
MIT — see LICENSE file for details.
Version History
v1.1.0 (2026-06-16)
- Added: Bizum payment method support via Redsys TPV
- New provider with parameter
- Full lifecycle support: initiate, authorize, capture, cancel, refund, webhook
- Same configuration as card provider (can share credentials)
- Separate webhook endpoint at
v1.0.12 (2026-05-13)
- Fixed: Response code validation for payment authorization (codes 0-99), refunds/confirmations (code 900), cancellations (code 400)
- Note: The in the callback URL is normal - it's the identifier returned by the redsys-es library. The actual HMAC computation follows Redsys v4.1 specification.
v1.0.0 (2025-05-05)
- Initial release
Support
For issues and questions, please open an issue on GitHub.