As another expert mentioned last time, your code is too simple and does not take security into account. Please add some extra steps to the process:
For example, you can save the payment data to the backend, and store the serial key too. Make sure the API call cannot be made a second time.
Also, you should NOT pass any key in the createPayment() process. This makes the user able to see the code before they have actually paid.
You can also share the site page link here with the functionality.
If you have no idea about advanced coding, please connect to a Velo Expert by submitting a request on Wix Marketplace. Make sure you have selected Velo so only Velo Certified agencies/freelancers can get connected with you.
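
A sketch of the flow suggested above, as an added example that is not part of the original post and not Wix's own code. It assumes an in-memory `Map` standing in for a backend collection; the function names (`createPaymentRecord`, `markPaid`, `redeemKey`) and the sample keys are hypothetical and constructed for illustration.

```javascript
// In-memory stand-ins for backend storage (assumption: a real site would use
// a backend-only collection that the browser cannot read or write).
const payments = new Map(); // paymentId -> { userId, productId, status, serialKey }
const keyPool = ['DEMO-KEY-0001', 'DEMO-KEY-0002']; // constructed sample keys
let nextId = 1;

// Step 1: create the payment. The response carries only an opaque id,
// never a serial key, so nothing sensitive reaches the page before payment.
function createPaymentRecord(userId, productId) {
  const paymentId = `pay_${nextId++}`;
  payments.set(paymentId, { userId, productId, status: 'PENDING', serialKey: null });
  return { paymentId };
}

// Step 2: record a successful payment. Intended to be driven by the payment
// provider's server-side confirmation, not by a value sent from the browser.
function markPaid(paymentId) {
  const rec = payments.get(paymentId);
  if (!rec) throw new Error('unknown payment');
  if (rec.status === 'PENDING') rec.status = 'PAID';
  return rec.status;
}

// Step 3: release the key exactly once. The status moves PAID -> REDEEMED in
// the same step that assigns the key, so a repeated call is refused. With a
// real datastore this transition must be a single conditional update.
function redeemKey(paymentId, userId) {
  const rec = payments.get(paymentId);
  if (!rec || rec.userId !== userId) return { ok: false, reason: 'not_found' };
  if (rec.status === 'PENDING') return { ok: false, reason: 'not_paid' };
  if (rec.status === 'REDEEMED') return { ok: false, reason: 'already_redeemed' };
  if (keyPool.length === 0) return { ok: false, reason: 'out_of_stock' };
  rec.serialKey = keyPool.shift(); // stored with the payment for support and audit
  rec.status = 'REDEEMED';
  return { ok: true, serialKey: rec.serialKey };
}
```
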