Checkout
One POST creates the session, your customer pays on a Fluxa-hosted page styled in your brand, you receive a signed webhook the instant the payment captures. Apple Pay and Google Pay out of the box. Tokens, layout, copy, behaviour, A/B variants and scheduling all editable from your dashboard with live preview, click-to-edit overlay, and continuous WCAG audit before publish.
This is the actual Fluxa hosted checkout. The pieces above are the same elements rendered at pay.fluxapay.co.uk when a customer follows the session URL. The editor panels either side are a slice of the merchant dashboard editor wired to the live preview. One POST to /v1/checkout/sessions, customer pays, signed webhook fires.
Same checkout, three integrations. Pick the one that fits your stack. Hosted is one POST and a redirect. Embedded mounts the same checkout inside an iframe on your domain, no PCI uplift. Payment Link is a shareable URL for invoices, SMS, social and QR. All three render from the same theme stored on your dashboard.
Your customer redirects to pay.fluxapay.co.uk styled as your brand. Sub-second load on a UK edge. Zero PCI scope on your servers. Customer returns to your success URL when the payment captures.
Mount the Fluxa checkout inside an iframe on your domain. Same payment fields, same theme, same Apple Pay and Google Pay handshakes. Customer stays on your site through capture. SAQ-A scope held by Fluxa.
A shareable URL or QR code for invoices, SMS, email, social, and one-off requests. No code on your side. Generate from the dashboard or the API. Expires when paid or after the window you set.
No tiered pricing. No charge for Apple Pay. No premium for subscriptions. Every Fluxa merchant gets every feature on this page at the flat rate of 1.8% for UK businesses. Card data never touches your servers. PCI scope held at SAQ-A by Fluxa under the payment partner.
Visa and Mastercard on UK domestic rails, including international cards. Apple Pay and Google Pay through the same Visa or Mastercard tokens, with one-tap biometric authentication. No Amex, no PayPal, no third-party wallets. 98% of UK card transactions covered between them.
SCA exemptions applied automatically where the issuer allows. No challenge step when the issuer marks the transaction low-risk. Full liability shift on every challenge. Native 3DS challenge UI, no redirect to a separate domain for the customer.
Save card on file at checkout, charge on schedule, generate proration on plan changes. Card updates stay valid through every reissue. Dunning emails branded under your domain. Same 1.8% flat on every recurring charge, no per-event fee.
Static HTML server-rendered from a UK edge. First paint under three hundred milliseconds on a 4G mobile connection. No SPA hydration to wait through. Three taps from cart to receipt on iOS and Android.
Thirteen languages out of the box, including Arabic and Hebrew with right-to-left rendering handled. GBP for UK, with EUR and USD presentment supported on hosted and embedded modes. Currency choice driven by IP geolocation or set explicitly per session.
Continuous WCAG 2.2 audit on every theme save. Contrast ratio reads live as you change colour pairs. Publish is blocked on AA fail. Field-by-field screen reader labels, focus order tested with axe-core and manual VoiceOver / NVDA passes before each release.
HMAC-SHA256 signature over every webhook body, with your endpoint secret. Idempotency keys enforced. Every delivery replayable for ninety days from the dashboard. Retries follow exponential backoff up to seventy-two hours before giving up.
Up to four merchant-defined fields per session with regex validation, label and placeholder per locale. Optional tipping row for hospitality and service businesses, fixed amounts or percentage presets. Both included in the standard rate.
Disputes and chargebacks are included in the 1.8% flat rate with no additional Fluxa per-event fee. Scheme chargeback fees pass through at cost on lost chargebacks. Evidence collection prompted automatically from the dashboard. Liability-shift status surfaced per dispute. Fluxa handles communication with the payments partner.
The dashboard ships a six-panel editor with live preview, click-to-edit overlay, undo and redo, A/B variants, scheduled publishes, and a continuous WCAG audit that blocks publish on contrast fail. Everything in the checkout above is editable. Card number, expiry, CVV, the security badge and the PCI footer are locked, because PCI scope and brand integrity say they have to be.
Brand colour, accents, success, warning, danger. Corner radius on buttons, fields, surfaces. Typography family, weight, sizes. Field density and surface treatment. WCAG contrast ratio reads live as you change pairs.
Header style, merchant block placement, wallet row layout, divider treatment, field order. Vertical or horizontal expiry/CVV. Single-column or two-column form on desktop.
Pay button text, support strings, success message, expiry copy. Across thirteen languages including Arabic and Hebrew with right-to-left rendering handled.
Expiry timer on or off, guest checkout, save-card prompt, postcode capture, custom merchant-defined fields with regex validation. Per-product themes for marketplaces.
A/B variants with statistical-significance auto-promote, traffic-split slider, scheduled publishes for launches and campaigns. Full version history with one-click rollback.
Brand Extractor scrapes your homepage for palette, fonts, and logo. AI Designer turns a sentence into a theme patch. AI Coach reads your current theme and proposes improvements with one-click apply.
Five things stay locked on every Fluxa checkout: the card number, expiry and CVV inputs (PCI DSS SAQ-A boundary), the security badge (brand integrity for end customers), the PCI compliance footer (regulatory disclosure), the 3D Secure challenge UI (network specification), and the error message catalogue (consistent customer-facing language across the network). Editing these breaks PCI scope or scheme rules. Fluxa refuses the save.
ChatGPT, Gemini, Claude, Copilot and Perplexity can all discover your products and check out on behalf of their users. Fluxa supports the Agentic Commerce Protocol (Stripe and OpenAI, September 2025) and Google AP2 out of the box, on the same checkout, the same webhook, the same 1.8% rate. No other UK platform ships ACP-ready by default.
Flip Enable agentic commerce in the dashboard. ACP version 2025-09-spec-1.0 for Stripe and OpenAI Shared Payment Tokens. AP2 trust-tier tokens for Google partners. Hosted catalogue feed at pay.fluxapay.co.uk/{merchant_id}/catalogue.json and ACP endpoint at POST /v1/acp/checkout.
Agent-initiated charges decline less than card-on-file. Visa and Mastercard agentic network tokens carry richer authorisation context to the issuer than a stored card number. Live rolling thirty-day rates surfaced for every merchant.
Five major agents trusted by default. Unknown agents blocked. Every SPT bound to a specific buyer, agent, scope, and cap. Active, used, expired, and revoked counts roll forward live. Bulk revoke wipes every active SPT on the platform if a customer or agent ever needs cutting off.
Agentic commerce plugs into the checkout editor (ACP toggle, agent allow-list, catalogue exposure per product), the fraud network (different signals from human-initiated charges), and the standard webhook contract (the same payment.captured event with an additional agent field).
UK card processing sits inside a stack of regulations. Hosted and embedded checkout keep merchants at the lightest scope where the spec allows. Fluxa Ltd operates as a Referrer under an FCA-authorised payments partner and holds the heavier obligations on behalf of every merchant on the platform.
PCI DSS 4.0.1, mandatory across the industry since 31 March 2025. Both hosted and embedded keep merchants at SAQ-A, the lightest of the twelve self-assessment questionnaires, per the PCI SSC FAQ 1588 eligibility criteria. Requirements 6.4.3 and 11.6.1 (payment-page script integrity) are handled by Fluxa on the pay.fluxapay.co.uk domain.
Card processing in the UK is regulated by the FCA under the Payment Services Regulations 2017. Fluxa Ltd operates as a Referrer under an FCA-authorised payment partner. Merchant onboarding includes KYC and KYB checks under the Money Laundering Regulations 2017 (MLR 2017) before any first transaction.
Strong Customer Authentication under PSD2 and the UK’s onshored Regulatory Technical Standards. Every card payment runs through 3D Secure 2, with exemptions applied automatically where the issuer allows (low value, low risk, recurring on saved card, merchant initiated). Liability shift on every challenge.
UK GDPR and the Data Protection Act 2018 govern UK merchant data. Customer card data is processed by the FCA-authorised payments partner under their lawful basis. Cardholder PII stays inside the UK on infrastructure resident in London. EU customers benefit from EU GDPR under the UK adequacy decision.
WCAG 2.2 AA continuous audit on every theme save. Publish is blocked on AA contrast fail. The European Accessibility Act (EAA), effective 28 June 2025, requires EU-targeting checkouts to meet AA outcomes. Fluxa checkout meets both the EAA and the UK Equality Act 2010 reasonable-adjustments standard.
Visa Core Rules and Visa Product and Service Rules, Mastercard Rules and Mastercard Standards Manual. Card scheme rules cover acceptance marks, surcharging, statement descriptors, refund timelines, chargeback rights, and dispute evidence requirements. Fluxa handles compliance with the scheme rules at the payments partner level.
The integration ships in five lines. You POST the order details, you receive a session URL, you redirect or embed. Fluxa renders the checkout from the theme stored on your dashboard, handles every form field, every wallet handshake, every 3D Secure step. The customer returns to your success URL the moment the payment captures, with a signed webhook hitting your endpoint at the same time.
api.fluxapay.co.uk, with sandbox keys returning test transactions and a full set of test cards including 3DS challenge and decline paths.# Create a checkout session curl https://api.fluxapay.co.uk/v1/checkout/sessions \ -H "Authorization: Bearer sk_live_..." \ -H "Idempotency-Key: ord_7f3a" \ -d '{ "amount": 14900, "currency": "gbp", "mode": "hosted", "success_url": "https://yoursite.co.uk/thanks", "cancel_url": "https://yoursite.co.uk/cart", "reference": "ord_7f3a" }' # Response { "id": "cs_8f2a...", "url": "https://pay.fluxapay.co.uk/cs_8f2a...", "embed_url": "https://pay.fluxapay.co.uk/embed/cs_8f2a...", "status": "open", "expires_at": 1748441820, "fee": 268 }
// server.js const fluxa = require('fluxa')('sk_live_...'); const session = await fluxa.checkout.create({ amount: 14900, currency: 'gbp', mode: 'hosted', // or 'embedded' success_url: 'https://yoursite.co.uk/thanks', cancel_url: 'https://yoursite.co.uk/cart', reference: 'ord_7f3a', }, { idempotencyKey: 'ord_7f3a' }); // session.fee is in the response, not on an invoice console.log(session.fee); // → 268 res.redirect(session.url);
// Verify the signature, then handle the event app.post('/webhooks/fluxa', (req, res) => { const sig = req.headers['fluxa-signature']; const event = fluxa.webhooks.construct(req.rawBody, sig, endpointSecret); if (event.type === 'payment.captured') { fulfil(event.data.checkout_id); } if (event.type === 'payment.settled') { credit(event.data.checkout_id, event.data.fee); } res.status(200).end(); });