// docs · wordpress

WooCommerce
gateway setup.

PHP plugin · hosted checkout · webhooks · same API as custom integrations

Download: GitLab — lolipop-woocommerce-plugin releases (ZIP per version).

// requirements

  • Self-hosted WordPress with WooCommerce installed and activated.
  • A lolipop merchant account with wallet address and view key saved (dashboard).
  • A paid plan that allows API order creation if you rely on server-side checkout creation from the plugin path — same rules as POST /v1/pay on the main API (free tier uses dashboard payment links instead).

// install the plugin

The gateway ships as a WordPress plugin ZIP. Download a versioned build from GitLab — lolipop-woocommerce-plugin releases, then in WP Admin go to Plugins → Add New → Upload Plugin, choose the ZIP, and click Install Now → Activate.

If WordPress asks for FTP credentials, fix filesystem permissions or define FS_METHOD per WordPress docs — that is a host configuration issue, not lolipop-specific.

// configure the gateway

  1. In WordPress: WooCommerce → Settings → Payments. Enable lolipop (or the label shown for this gateway).
  2. Open the gateway's settings screen. Copy from the lolipop dashboard (settings):
    • API key — a sk_live_…… secret with permission to create orders (and any other permissions the plugin expects). Use a dedicated key per store if you rotate credentials.
    • Webhook URL — the HTTPS URL where lolipop should POST payment.confirmed (same URL you configure under webhooks in the dashboard, unless the plugin offers a per-site override).
    • Webhook signing secret — the secret used for X-Lolipop-Signature HMAC verification on your server (must match what you store in lolipop).
  3. Save WooCommerce settings. If the plugin exposes an API base URL field (staging vs production), set it to your lolipop API host (e.g. https://api.lolipop.cash).

// checkout flow

When the buyer chooses Monero at WooCommerce checkout, the plugin creates or redirects to a lolipop checkout session. Payment UI (address, amount, QR, refresh) is served from lolipop's hosted page — not inside your theme — so Tor and no-JS constraints stay intact.

After enough on-chain confirmations, lolipop marks the order paid and sends your webhook; your WordPress/Woo stack should mark the order complete when verification succeeds (plugin behavior depends on version — ensure you are on a build that verifies HMAC before updating order state).

// webhooks

Use the same HMAC model as any custom integration: verify X-Lolipop-Signature on the raw POST body with your webhook secret. Payload fields are documented on the main docs page under webhook payload.

From the dashboard you can send a test delivery (webhook test) if your API key has the webhook_test permission — useful before taking live orders.

// testing

Use a staging WordPress site and a separate lolipop API key. Confirm a small test order on stagenet if your stack supports it, or use production with minimal amounts only after webhook verification is proven in logs.

If checkout never opens, check API key permissions, plan limits, and that your server can reach the lolipop API over HTTPS (no TLS interception stripping headers).