orcaqubits/medusa-payments
dist/codex/medusa-commerce/skills/medusa-payments/SKILL.md
Implement Medusa v2 payment processing — payment module, provider abstraction, payment sessions, authorization/capture/refund lifecycle, and Stripe/PayPal integration. Use when adding payment providers.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins medusa-paymentsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 7:02 AM148.1s1 file scanned
SKILL.md
- name:
- medusa-payments
- description:
- >
Medusa v2 Payment Processing
Before writing code
Fetch live docs:
- Web-search
site:docs.medusajs.com payment modulefor payment data model and service methods - Web-search
site:docs.medusajs.com payment providerfor the provider abstraction layer - Web-search
site:docs.medusajs.com stripe paymentfor Stripe integration setup - Fetch
https://docs.medusajs.com/resources/references/paymentand review theIPaymentModuleServiceinterface - Web-search
medusajs v2 AbstractPaymentProvider 2026for latest provider interface
Payment Module Architecture
Entity Relationships
| Entity | Contains | Key Fields | |--------|----------|------------| | PaymentCollection | Sessions, Payments | status, amount, currency_code | | PaymentSession | Provider data | provider_id, status, amount, data (JSON) | | Payment | Captures, Refunds | provider_id, amount, captured_at |
Module Links
Cart Module ──link──> Payment Module (payment collection)
Order Module ──link──> Payment Module (payment collection)
Region Module ──link──> Payment Module (available providers)
Fetch live docs for exact link definitions and how payment collections bridge carts and orders.
Payment Lifecycle
PaymentSession Statuses
| Status | Meaning |
|--------|---------|
| pending | Session initialized, awaiting customer action |
| requires_more | Additional steps needed (e.g., 3DS) |
| authorized | Payment authorized, funds reserved |
| canceled | Payment voided/canceled |
| error | Payment failed |
Payment Statuses
After authorization, a Payment entity is created from the session:
| Status | Meaning |
|--------|---------|
| captured | Funds captured to merchant |
| partially_refunded | Partial refund issued |
| refunded | Full refund issued |
Payment Provider Abstraction
All payment providers extend AbstractPaymentProvider:
// Skeleton: custom payment provider
// Fetch live docs for AbstractPaymentProvider interface
class MyPaymentProvider extends AbstractPaymentProvider {
// Implement: initiatePayment, authorizePayment,
// capturePayment, refundPayment, cancelPayment
// Fetch live docs for exact method signatures
}
Key Provider Methods
| Method | Purpose |
|--------|---------|
| initiatePayment | Create payment session with provider |
| authorizePayment | Authorize payment (reserve funds) |
| capturePayment | Capture authorized payment |
| refundPayment | Refund captured payment |
| cancelPayment | Cancel/void payment |
| deletePayment | Clean up provider-side session |
| getPaymentStatus | Query current status from provider |
| updatePayment | Update an existing payment session |
| retrievePayment | Retrieve payment data from provider |
| getWebhookActionAndData | Parse incoming webhook events |
Fetch live docs for the full method list — the provider interface has additional methods beyond those listed above (e.g.,
createAccountHolder,listPaymentMethods,savePaymentMethod). Always verify the currentAbstractPaymentProviderinterface.
Stripe Integration
| Configuration | Description |
|---------------|-------------|
| apiKey | Stripe secret key |
| webhookSecret | Stripe webhook signing secret |
| capture | Auto-capture or manual (true/false) |
Stripe Webhook Events
| Event | Medusa Action |
|-------|---------------|
| payment_intent.succeeded | Mark session authorized/captured |
| payment_intent.payment_failed | Mark session errored |
| charge.refunded | Mark refund completed |
Fetch live docs for Stripe provider configuration options and webhook endpoint setup.
PayPal Integration
| Configuration | Description |
|---------------|-------------|
| clientId | PayPal client ID |
| clientSecret | PayPal client secret |
| sandbox | Use sandbox environment (true/false) |
Fetch live docs for PayPal provider options, redirect handling, and webhook configuration.
Payment Workflows
| Workflow | Purpose |
|----------|---------|
| createPaymentCollectionForCartWorkflow | Create collection linked to cart |
| initializePaymentSessionWorkflow | Start session with specific provider |
| authorizePaymentSessionWorkflow | Authorize a pending session |
| capturePaymentWorkflow | Capture an authorized payment |
| refundPaymentWorkflow | Refund a captured payment |
| cancelPaymentWorkflow | Cancel/void a payment |
Key Service Methods
| Operation | Method |
|-----------|--------|
| Create collection | paymentModuleService.createPaymentCollections() |
| Create session | paymentModuleService.createPaymentSession() |
| Authorize session | paymentModuleService.authorizePaymentSession() |
| Capture payment | paymentModuleService.capturePayment() |
| Refund payment | paymentModuleService.refundPayment() |
Fetch live docs for workflow input shapes and provider-specific data requirements.
Admin API Routes
| Route Pattern | Method | Purpose |
|---------------|--------|---------|
| /admin/payments | GET | List payments |
| /admin/payments/:id | GET | Retrieve payment |
| /admin/payments/:id/capture | POST | Capture payment |
| /admin/payments/:id/refund | POST | Refund payment |
Best Practices
Provider Implementation
- Always extend
AbstractPaymentProvider— do not implement from scratch - Store provider-specific data in the session
datafield (not in metadata) - Handle
requires_morestatus for providers with multi-step flows (3DS, redirect) - Implement idempotent operations — captures and refunds may be retried
Webhook Handling
- Validate webhook signatures before processing events
- Use idempotency keys to prevent duplicate payment processing
- Log all webhook events for audit trails and debugging
- Handle out-of-order webhook delivery gracefully
Security
- Never store raw API keys in code — use environment variables
- Never expose payment session secrets to the client
- Use HTTPS-only webhook endpoints
- Implement amount validation — verify captured amount matches the order total
Testing
- Use provider sandbox/test modes during development
- Test the full lifecycle: initiate -> authorize -> capture -> refund
- Test error scenarios: declined cards, insufficient funds, network timeouts
Fetch the Medusa v2 payment module documentation and provider interface references for exact method signatures, webhook configuration, and provider registration patterns before implementing.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026