PayHere MCP Server
The PayHere MCP Server enables developers to integrate, debug, and manage PayHere (Sri Lanka's payment gateway) payments directly from MCP-aware clients like Claude Code or Claude Desktop.
Generate checkout payloads: Build correctly signed form fields and an HTML snippet needed to POST a payment request to PayHere, including automatic MD5 hash computation and amount formatting.
Retrieve payment records: Look up all payment attempts (successful, refunded, chargebacked) associated with a given
order_idto check status or attempt history.Issue refunds: Refund a payment by
payment_id, either fully or partially, with a required description/reason for the refund.Generate or verify signatures: Compute PayHere MD5 hashes for both checkout submissions and notify URL callbacks, and optionally verify an incoming notify signature against an expected value — useful for debugging hash mismatches.
Verify credentials: Health-check your environment configuration and confirm that your App credentials can successfully fetch an OAuth token from PayHere's Merchant API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@PayHere MCP ServerGenerate a checkout payload for order 12345 with amount 1500 LKR"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@lk-pay/payhere-mcp
A Model Context Protocol server for PayHere, Sri Lanka's payment gateway. It exposes PayHere's Merchant API and checkout flow as tools any MCP-aware client can call.
Status
v0.1 — early preview. All five tools have been validated end-to-end against the PayHere sandbox. The transport is stdio only.
Related MCP server: PayFast MCP
What this is
This is an MCP server for developers integrating PayHere. It lets you retrieve payments, issue refunds, generate signed checkout payloads, and compute or verify PayHere hashes directly from Claude Code, Claude Desktop, or any other MCP client.
The audience is developers, not merchants. It helps you debug an integration, pull a payment record, issue a refund, and get a checkout signature right — it is not a dashboard replacement.
PayHere uses snake_case fields and MD5-based hashes throughout its API. The tools here mirror that surface exactly and handle the parts that are easy to get wrong, like amount formatting and signature computation.
Quick start
Requires Node 18 or newer. If you already have a PayHere Business App and a whitelisted domain, run it directly:
npx @lk-pay/payhere-mcpIt reads configuration from the environment. The minimum is:
PAYHERE_MODE=sandbox
PAYHERE_MERCHANT_ID=your_merchant_id
PAYHERE_MERCHANT_SECRET=your_domain_bound_secret
PAYHERE_APP_ID=your_app_id
PAYHERE_APP_SECRET=your_app_secretIn Claude Code, add it to ~/.claude/mcp.json (or a project-local .claude/mcp.json):
{
"mcpServers": {
"payhere": {
"command": "npx",
"args": ["-y", "@lk-pay/payhere-mcp"],
"env": {
"PAYHERE_MODE": "sandbox",
"PAYHERE_MERCHANT_ID": "your_merchant_id",
"PAYHERE_MERCHANT_SECRET": "your_domain_bound_secret",
"PAYHERE_APP_ID": "your_app_id",
"PAYHERE_APP_SECRET": "your_app_secret"
}
}
}
}Setup
The Merchant API calls (get_payment, issue_refund, verify_credentials) need a Business App and a whitelisted domain. The checkout and signature tools work with just your merchant credentials.
Step 1 — Create a PayHere Business App
Log in to sandbox.payhere.lk (or www.payhere.lk for live). Go to Settings → Business Apps → Create API Key. Name the app, fill in the Allowed Domains field, and enable at least the Payment Retrieval API permission. Enable the Refund API permission too if you plan to issue refunds.
Step 2 — How PayHere binds credentials to domains
This is the part that trips most people up, so it's worth stating plainly.
PayHere generates a separate merchant_secret for each domain you whitelist. A Merchant API call only succeeds when the merchant_secret you send is tied to a domain that PayHere can currently verify is reachable. If the domain can't be reached, the secret is rejected.
It is not a Referer check and not a source-IP check. It is a binding between the secret and a verifiable domain. So the secret in your environment and a live, reachable whitelisted domain have to line up at request time.
Step 3 — Configure your domain
Local development. Use ngrok or any similar publicly reachable tunnel. VS Code dev tunnels don't work here because their auth interstitial stops PayHere from verifying the domain. Run:
ngrok http <your-port>Whitelist the ngrok URL in PayHere's Allowed Domains, then copy the merchant_secret PayHere generates for that domain into your .env. Keep the tunnel running the whole time you use the MCP server — if it stops, the domain stops being reachable and calls start failing.
Production. Deploy to a server with a stable domain or static IP. For sandbox, whitelist the domain through the dashboard. For live, PayHere whitelists by IP — email support@payhere.lk with your production server IP and they'll add it.
Step 4 — Note your credentials
From the dashboard, collect:
Merchant ID
App ID and App Secret (from the Business App you created)
The merchant_secret tied to your whitelisted domain
Step 5 — Install and configure
Install globally, or skip this and use npx:
npm install -g @lk-pay/payhere-mcpSet these environment variables:
Variable | Required | Description |
| Yes |
|
| Yes | Your Merchant ID from the dashboard. |
| Yes | The per-domain secret tied to your whitelisted domain. Used for checkout and notify hashes. |
| Yes | Business App ID, used to fetch OAuth tokens for the Merchant API. |
| Yes | Business App secret, paired with |
| Optional | Bare domain (no scheme, no path), e.g. |
Step 6 — Wire into your MCP client
Add all the variables to your client config:
{
"mcpServers": {
"payhere": {
"command": "npx",
"args": ["-y", "@lk-pay/payhere-mcp"],
"env": {
"PAYHERE_MODE": "sandbox",
"PAYHERE_MERCHANT_ID": "your_merchant_id",
"PAYHERE_MERCHANT_SECRET": "your_domain_bound_secret",
"PAYHERE_APP_ID": "your_app_id",
"PAYHERE_APP_SECRET": "your_app_secret",
"PAYHERE_DOMAIN": "your-tunnel.ngrok.app"
}
}
}
}Once connected, run verify_credentials first to confirm your environment and OAuth token resolve correctly.
Tools
Tool | Purpose | When to reach for it |
| Generate form fields + hash for a | You're building a payment form and need a correctly signed payload. |
| Retrieve all payment attempts for an | You want to check an order's status or attempt history. |
| Refund a payment by | A customer needs money back. |
| Compute or verify PayHere MD5 hashes (checkout + notify) | You're validating a notify callback or debugging a hash mismatch. |
| Health-check env vars and fetch an OAuth token | You're setting up and want to confirm your config works. |
Troubleshooting
The four errors you're most likely to see, and what they mean:
{"status":-1,"msg":"Access denied for the domain"}— Themerchant_secretis bound to a domain PayHere can't currently verify. Check that (a) your ngrok tunnel is up, (b) themerchant_secretin.envmatches the whitelisted domain, and (c) you haven't mixed sandbox and live values.{"status":-2,"msg":"Authentication error"}— The App ID or App Secret is wrong, or the token belongs to a different Business App. RecheckPAYHERE_APP_IDandPAYHERE_APP_SECRET.{"error":"invalid_token"}— The access token is expired or malformed, which usually means the App credentials don't match what PayHere expects. Confirm the App ID and secret, then retry.{"status":-1,"msg":"No payments found"}— Not an error. Theorder_idhas no payments yet.get_paymentreturnsattempts: []with anotefield explaining there's nothing on record.
Design notes
No
list_payments. PayHere's Retrieval API only accepts anorder_id— there is no date-range or status filter endpoint.get_paymentreturns the array of attempts for one order.generate_signatureis the differentiator. Most PayHere integration bugs come from incorrect hash computation. This tool exposes the exact algorithm the gateway uses, with constant-time verification for notify URL validation.stdio transport only in v0.1. That's the supported transport for this release.
Development
git clone https://github.com/lakshitha0526/payhere-mcp.git
cd payhere-mcp
npm install
npm run test # vitest
npm run typecheck # tsc --noEmit
npm run lint # biome check
npm run build # tsupLicense
MIT — see LICENSE.
Part of the lk-* family of Sri Lanka-focused developer tooling.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/lakshitha0526/payhere-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server