Documentation Paymob
Documentation Paymob
Documentation
updated: 23.08.2023
Table of Contents
Test environment endpoints 4
Production environment endpoints 4
Test Cards 5
Payment Types 7
Changes compared to v3 9
NEW PAYMENT STATUSES 9
2-STEP PAYMENT PROCESS 9
OPEN BANKING REFUNDS 10
API Endpoints 10
The API endpoints for initiating payments 10
Important Factors 13
Token agreement 13
Nonce 13
Order Reference 13
Callback Notification 14
Request Parameter Types 15
Payment Statuses 15
2
API Details 16
Supported Formats 16
Security 17
Authentication 17
HMAC calculation 17
Payment Endpoints 18
POST /payments/oneoff 18
POST /payments/mit 24
POST /payments/cit 26
GET /payments/:payment_reference 30
POST /payments/void 34
POST /payments/capture 35
POST /payments/refund 37
POST /payments/charge 38
POST /refunds/xml_payment_file 42
POST /refunds/revert 42
GET /shops 44
GET /shops/:id 45
GET /processing_accounts/:account_name 47
POST /mobile_payments/card_details 49
Token Endpoints 51
POST /tokens/delete 51
GET /tokens/get_card_art 52
GET /tokens/status 53
Version history 54
https://igw-demo.every-
Gateway API For JSON API
pay.com/api/v4
3
Merchant Portal https://mwt-seb-demo.every-pay.co Access API username and
m secret and track payment
data.
Note: API username and
secret are different in
Production and Test
environment.
Test Cards
Please note that only test cards must be used for testing. The following test cards can be used
to perform successful test payments:
4
1. Payment Integration Overview
5
1.2. Payment Integration Variants
To integrate payments to e-shop, there are two possible variants:
1. Redirect Integration – the Customer is redirected away from the e-shop and payment
UI is displayed full screen.
2. Iframe integration – the Customer does not leave e-shop, but payment UI is integrated
inside an iframe. Payment UI will detect automatically if it is rendered inside an iframe
and adjust accordingly. Iframe solution is based on redirect solution, so merchants
should first implement redirect flow and then switch to iframe. Please also note that
some banks do not allow the use of iFrame, so open banking payments might break
out of iFrame.
The payment UI would remain mostly the same regardless of the integration option. In case of
iframe integration, certain parts of the UI are omitted, such as Merchant’s logo at the top and
payment gateway details at the bottom of the page.
Customer selects one of the available payment methods (card payment, open banking, etc.).
Based on the selected payment method, PSU needs to perform a different number of
operations. For example, while in card payments these operations include entering card
details and 3DS operations, in open banking, PSU is supposed to complete initial
authentication, selection of IBAN and authorization of payment. After completion of payment,
merchant gets the notification and merchant queries then update payment information with the
payment status (/payments/:payment_reference). Finally, PSU is redirected back to the
merchant’s website to see the payment information.
This endpoint also can be used for tokenization (currently only for card payments) by setting
the required request parameters (explained in payment endpoints). Additionally, without any
purchase, tokenization for further payments can be made by setting the amount as 0.
Note: The redirection of PSU is explicitly visible only in redirect integration. In iframe
integration the parent page will stay in place and redirection happens inside the iframe.
Get Payment Methods List
6
For one-off payment, it uses the same endpoint as above but differs from regular one-off
payment with initial payment methods list call
(/processing_accounts/:account_name). Merchant gets the payment methods list
belonging to a specific processing account. Afterwards, operations which are used for
regular one-off payment are performed. It is highly recommended to use
(/processing_accounts/:account_name) endpoint to get the payment methods list
instead of (/payments/oneoff) endpoint. With this way, there won’t be new payment
initiation when the user goes back and forth in the checkout page and payments which are in
initial status will reflect actually initiated payments.
MIT payment is initiated by the merchant by using the token which has been received with
one-off payment when storing the credentials. Steps for payment method selection and
processing payments are eliminated. There is no PSU involvement and 3DS is not available
in this payment type. Simply, the merchant initiates the payment
/payments/charge (/payments/mit) and and usesto complete the payment.
Notification is also sent to the merchant for any case. (If the merchant cannot get the results
(e.g. connection issues), they will be able to get the final payment status with the payment
reference in the notification). MIT payment can be performed as recurring payment (fixed
amount and interval) or as unscheduled credential-on-file transaction (fixed or variable
amount, fixed or variable frequency) as established in an agreement between the Merchant
and Customer.
7
2. Payment API Overview
2.1. Changes compared to v3
APIv4 is built on top of v3 with few critical changes to make the API work better for different
use cases.
With the addition of Open Banking and other APM payment methods, the statuses for
payments are being refactored to present the true state more correctly. The payment
statuses can be divided into two categories:
● Major statuses – these statuses affect Merchant’s use-cases and Merchants are
expected to know how to handle all of them. NOTE: it is possible for a payment to
move from one final state to another (e.g. when a payment is voided or refunded).
Changes to major statuses are considered breaking and are always published as
new API versions.
● Minor statuses – used internally by the gateway to process payments. Mostly
merchants should not even see these statuses, unless they happen to fetch payment
status or list payments in Portal during processing. Merchants are expected to ignore
any minor statuses and gateway could add new minor statuses between two API
releases.
CHARGE ENDPOINT
The charge endpoint to complete One-off, CIT or MIT payment.
Also via charge endpoint it is possible to share a token.Token Sharing is the process of two
8
Merchants acting together to allow Customers to use the saved Token of one Merchant to
pay for goods or services of the other. In this process, one merchant, the Token Owner (TO)
authorises the use of the saved token by the other merchant – the Token User (TU).
Token Owner must gather the following information and forward it to Token User:
● token – the credit card Token to be shared to Token User.
● token_owner – the api_username of Token Owner (as given in the Merchant portal).
● token_timestamp – UNIX timestamp of the token sharing authorisation moment in UTC. This
timestamp cannot be older than 5 minutes by the time the request reaches Gateway.
● token_hmac – HMAC that proves to the Gateway that Token Owner does allow the sharing.
See chapter HMAC calculation.
The JSON API is protected by TLS and authenticated using HTTP Basic Auth with the
api_username and api_secret that can be found in the Merchant portal.
● /payments/oneoff – this endpoint can be used for the following use cases:
○ For regular one-off payment; when the value of the request_token parameter is
false, card details will not be stored and regular one-off payment is made. PSU
can make card, open banking or PayPal payment.
9
○ To save card details for MIT and CIT; when request_token = ‘true’ and
token_agreement is specified as ‘unscheduled’, card details are saved
and payment is made. The stored card can be used in future MIT/CIT
payments.
○ To save card details for recurring payments and subscriptions; when
request_token = ‘true’ and token_agreement is specified as ‘recurring’,
card details are saved and payment is made.
○ To save card details without any purchase; when the amount is set as 0,
request_token = ‘true’ and token_agreement is selected as either
‘unscheduled’ or ‘recurring’ card details are saved for future
MIT/CIT or subscription without any purchase.
Note: Token_agreement must be specified when request_token=’true’.
● /payments/mit - Merchant Initiated Transaction payment, the token agreement can
be ‘unscheduled’ or ‘recurring’. To finalize the payment merchant needs to
use /payments/charge endpoint. This is only used for card transactions.
● /payments/cit - Customer Initiated Transaction payment, the token agreement can
only be ‘unscheduled’. To finalize the payment merchant needs to use
/payments/charge endpoint. This is only used for card transactions.
● /payments/charge - .endpoint to complete the payment for the one-off, cit or mit
payment. Note: for one-off payments, this charge endpoint is only available for PCI
DSS Compliant merchants. Other merchants need to redirect customers to the
Payment Page. Also with charge endpoint it is possible to share a token between
merchants.
10
to align transaction status with real payment status. After the refund is reverted and
the standing amount becomes equal to the initial amount payment status becomes
“Settled”.
● /mobile_payments/card_details – It can be used by SDKs to set card details.
● /payments/charge this is only used for card transactions, to collect card details
from the PCI DSS Compliant merchants.
The exact content of the response depends on the state of the payment – if the payment was
finalised upon creation (e.g MIT payment), then the response would not contain Payment
11
Link or the Payment Methods list, but instead details regarding the used payment method (e.g.
credit card details).
After initiating the payment and receiving the response, the response should always be
examined especially for CIT payment, as the results can vary depending on the 3DS
requirements by Issuing Bank – it could be waiting for 3DS authentication in which case
Payment Link is provided in the response.
After payment is processed by us, notification is sent to the merchant (e-shop) which contains
payment reference and order reference. With this payment reference and order reference, the
merchant gets the updated payment status as well as other payment information.
The token agreement indicators are only used with payment methods that support/require
them (e.g. card payments) and ignored for others (e.g. SEPA payment). If not specified, then
payments default to regular one-off payment.
2.4.2. Nonce
All message requests contain the ‘nonce’ field that can be used to verify the uniqueness of the
request messages. This approach helps to prevent possible message replay attacks.
12
attacks. However, if needed the order_reference uniqueness validation can be turned off.
When disabled, multiple successful payments are allowed for the same order reference.
The timestamp field, as well as all other datetime fields, will use ISO 8601 standard
formatting, for example: 2019-05-31T09:14:58+03:00.
2.5. Callback Notification
Callback notifications are used to inform merchants to get the updated status of the payments.
When the payment is finalized either by a customer or automatically after the payment
initiation, notification is sent to the merchant’s callback_url.
Merchants must set their callback_url in the merchant portal under e-shop settings.
Callback_url includes payment_reference , order_reference (deprecated)
and event_name merchants can use this reference to get the payment information by using
GET/payments/:payment_reference endpoint. Event_name is sent for payment
status, fraud and dispute updates as well as token updates.
NB! Please do not use order_reference when you integrate, we are planning to remove
it in the next API version from the callbacks.
13
Possible values for instrument token updates: card_art_updated - Card art is
received. Merchants can get the card art after this notification.
token_updated - Token status is updated by the issuer. Merchants can check the status of
the token after getting this notification.
status_update - When payment acquiring is completed and funds received to the
merchant's account. Available only if the acquiring bank supports this functionality.
Note: If initial callback notification does not reach the merchant's server, we try to resend the
callback several times until it succeeds or fails permanently.
Maximum 6 retries will be done according to the schedule below.
1 1 second
2 5 minutes
3 1 hour
4 24 hours
5 48 hours
6 72 hours
M - field is mandatory
O - field is optional
OF - field is optional, but including it improves fraud detection (therefore it’s highly
recommended to provide this information whenever possible)
C - field is conditional, which means this parameter needs to be sent in case of the existence
of another parameter. (e.g. token_agreement) or depends on a payment method.
14
used for a case in which payment is confirmed by the user but final confirmation by the bank
has not arrived yet. In case of this status, a customer can be returned to the e-shop depending
on the merchant’s preference. So, customer return should be treated similarly as a trigger as
if callback notification was received and merchants need to check payment status. Until the
callback notification for final status is received, merchants should show a proper message to
the customer which says payment is in progress.It is possible to test sent for processing status
with any open banking payment method in the demo environment. When initiating payment,
set the amount to 33 EUR and go through the payment flow like normally. After confirming the
payment, it will stay in sent for processing status for 30 seconds and then it will go to final
status, normally it will be settled.
Abandoned: This state refers to the case in which a customer does not complete the payment
confirmation and abandon the payment. For card payments every customer has 15 minutes
to perform 3DS authentication. If the time is exceeded and 3DS authentication is not finalised
the payment status is changed from ‘Waiting for 3DS‘ to ‘Abandoned‘. It is Final status and
means failed payment.
Failed: payment that failed for technical reasons (either our or processors, i.e 399, 4999
failures) or authorization was declined by a card issuer. This is the final status of the payment.
Settled: For card payments it is the settlement of the transaction, the acquirer bank has
transferred the funds to the merchant’s bank account. For open banking payments this state is
obtained after the customer completes SCA and payment passes all the checks on the bank side.
This is the final state. For Paypal payments, it means settlement is completed to the merchant's
PayPal account.
Authorised: Initialization of the payment. A process whereby a card Issuer approves or
declines the use of the card for a particular purchase transaction at a merchant. If the
authorization is successful the purchase amount will be reserved on the cardholder’s account.
In the case of 3DS payments, the authorization process also involves cardholder
authentication*.
Voided: Cancellation of authorization. Void blocks funds transfer for an authorized payment.
This is the final status of the payment.
Refunded: payment is partially or fully refunded, reimbursement of the payment.
Charged Back: The cardholder has disputed payment and Issuer bank has initiated a
chargeback process.
3DS confirmed: Intermediate status when 3DS flow is completed but payment is not processed
further due to technical errors.
* Authentication: A process whereby the card Issuer assures that the presenter of the card is a valid card owner.
3. API Details
All below API endpoints are accessible under the top level APIv4 endpoint: /api/v4
15
● operations on resources are performed using standard HTTP methods (GET, POST,
etc)
● each request must specify a media type for the resource presentation format
● error conditions on operations are expressed as HTTP response codes
3.3. Authentication
Payment Gateway will authenticate Merchant’s API client using HTTP Basic Auth, using the
api_username and api_secret as the username and password.
401 Unauthorised
Returned if processing the request is refused because of
failed authentication, nonce or timestamp.
16
422 Unprocessable Entity
Returned if processing the request was not successful for
any reason, including processing errors such as validation
(e.g. invalid CC details) , fraud check or issuer declines.
1. Create hmac_string:
"cc_token=<Token>&token_owner=<api_username>&token_timestamp=
<timestamp>"
a. This is the api_username of Token Owner.
b. The keys in the string are in alphabetical order.
2. Calculate HMAC: hmac_sha1(hmac_string, api_secret)
a. This is the api_secret of Token Owner
b. The HMAC must be lowercase hex
ENDPOINT: /payments/oneoff
METHOD: POST
REQUEST PARAMS
17
api_username M The api_username of the Merchant sending the
request. Must match with username in the
Authorization HTTP header.
token_agreement C
It must be sent when request_token=true. It is the
type of the agreement. Valid values: `unscheduled`
or `recurring`. See the above Payment Types. It is
a conditional parameter.
mobile_payment O
Payment is initiated via mobile apps like SDK. Valid
values: true, false. The default value is false.
18
payment_description O When this parameter is provided, it will be used with
open banking payment methods instead of the
standard generated description value.
Allowed characters: [a-zA-Z0-9/-?:().,'+]
19
shipping_city O Cardholder shipping address city. It will be sent if
available.
20
● ‘nl’ - Dutch
● ‘pt’ - Portuguese
● ‘no’ - Norwegian
● ‘hu’ - Hungarian
● ‘sk’ - Slovak
● ‘cz’ - Czech
Note: User’s previous preference overrides the
locale requested by the merchant.
integration_details O
Details of integration. Following fields are subfields of
this.
21
customer_ip Customer’s IP address.
payment_methods[#]. A display name for the Payment Method. Ex: ‘Card Payment’.
display_name
URL to fetch logo for this Payment Method.
payment_methods[#].
logo_url
payment_methods[#]. Country code for this Payment Method, to be used for better UX
country_code (e.g. group Open Banking links by country). Omitted if not relevant
for this payment method.
payment_methods[#].' Link to complete the payment with this specific payment method. If
payment_link a customer is directly redirected to this link, he will skip payment
method selection and continue to pay.
Example request
22
{
"api_username": "abc12345",
"account_name": "EUR3D1",
"amount": 10.00,
"order_reference": "912987",
"token_agreement": "unscheduled",
"nonce": "a9b7f7e794367c2c85d73154a01b9902",
"timestamp": "2019-06-05T13:14:15+03:00",
"email": "[email protected]",
"customer_ip": "1.2.3.4",
"customer_url": "https://shop.example.com/cart",
"preferred_country": "EE",
"billing_city": "Tartu",
"billing_country": "EE",
"billing_line1": "Main street 1",
"billing_line2": "Building 3",
"billing_line3": "Room 11",
"billing_postcode": "51009",
"billing_state": "EE",
"locale": "en",
"request_token": true,
"integration_details":
{
"software": "magento",
"version": "1.6.4",
"integration": "plugin"
}
Example response
23
{
"api_username": "abc12345"
"account_name": "EUR3D1",
"initial_amount": 10.00,
"standing_amount": 10.00,
"order_reference": "feiwhp28qy8ks7i12i63",
"email": "[email protected]",
"customer_ip": "1.2.3.4",
"customer_url": "www.abc.com/callback",
"payment_created_at": "2019-06-05T13:14:15+03:00",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"payment_link": "https://igw-demo.every-pay.com/lp/aedf32/ed4dod",
"payment_state":
"initial"
"payment_methods": [ {
"source": "card",
"display_name": "VISA/Mastercard",
"logo_url": "https://igw-demo.every-pay.com/assets/card_logo.png",
"payment_link": "https://igw-demo.every-pay.com/lp/aedf32/ed4dod?method_source=card"
},
{
"source": "ob_mybank_ee",
"display_name": "MyBank Eesti",
"country_code": "EE",
"logo_url": "https://igw-demo.every-pay.com/assets/mybank_logo.png",
"payment_link":"https://igw-demo.every-pay.com/lp/aedf32/ed4dod?method_source=ob_mybank_ee"
}
]
ENDPOINT: /payments/mit
METHOD: POST
REQUEST PARAMS
24
amount M Transaction amount, use decimal number with 2 digit
precision, e.g. 10.55. The currency is taken from the
specified processing account.
merchant_ip M
The IP of the Merchant server (as Customer is not
involved in the payment process).
O
integration_detai Details of integration. Following fields are subfields of
ls this.
O Type of integration.
integration_detai
ls.integration
RESPONSE PARAMS
Parameter Description
account_name
Processing Account name that was used to process the
transaction.
25
initial_amount The initial payment amount.
standing_amount
Payment standing amount. ( It might be different than the initial
amount in the case that payment is refunded).
26
"order_reference": "feiwhp28qy8ks7i12i63",
"stan": null,
"email": "[email protected]",
"fraud_score": null,
"warnings": {},
"payment_created_at": "2019-06-05T13:14:15+03:00",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"payment_state": "initial"
ENDPOINT: /payments/cit
METHOD: POST
REQUEST PARAMS
27
customer_ip OF Customer’s IP address. Used for Fraud Prevention. Do
not set this to some fixed value, e.g Merchant’s server,
as this will start generating false positives in Fraud
Check.
28
billing_line1 O Cardholder Billing address line 1.
available.
integration_details O
Details of integration. Following fields are subfields of
this.
29
O Type of integration.
integration_details.
integration
RESPONSE PARAMS
Parameter Description
account_name
Processing Account name that was used to process the
transaction.
payment_method What payment method was used. See above Payment Methods
for valid values here (only card at the moment). Depending on
payment_link
Link to complete payment. Used when payment needs user
action (e.g. to fill card details or complete 3DS, etc).
30
payment_state Current status of the payment.
31
METHOD: GET
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
detailed O
Boolean to indicate that payment result should return
fraudcheck details
RESPONSE PARAMS
Parameter Description
payment_method What payment method was used. See above Payment Methods
for valid values here. Depending on the payment method, other
fields in the response would be present or omitted. Returned
when payment is completed.
stan
Payment STAN number - a unique ID to identify payments on
acquiring bank payment reports.
32
warnings Payment processing warnings in JSON format.
sca_exemption There are several transaction types out of the scope of strong
customer authentication (SCA) or not requiring SCA with card
payments. We call them SCA exemptions. We currently use the
following exemptions - mit, recurring, one-leg
this
33
cc_details.token Token referencing a bank card that can later be used to initiate
recurring payments. It is returned only if the token was
requested with request_token.
cc_details.issuer_count Card issuer country. ISO 3166 two-letter (alpha-2) format (e.g.
ry EE).
ob_details.debtor_iban
Customer IBAN which money is taken from (in case of SEPA
payment).
34
Reference of the payment in the bank.
ob_details.ob_payment
_reference
/payments/db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a?api_username=abc12345
Example response
35
{
"api_username": "abc12345",
"account_name": "EUR1",
"initial_amount": 10.00,
"standing_amount": 10.00,
"order_reference": "feiwhp28qy8ks7i12i63",
"stan": "1234",
"email": "[email protected]",
"payment_method": "card",
"cc_details": {
"token": "d841bcc672b0f76523a7fa13",
"last_four_digits": "1234",
"month": "1",
"year": "2017",
"holder_name": "Tom Smith",
"type": "master_card",
"issuer_country": "EE",
"issuer": "LHV Bank",
"cobrand": "Partner deebet",
"funding_source": "Debit",
"product": "DEBIT STANDARD",
"state_3ds": "no3ds",
"authorization_code": "00590A"
},
"processing_error": {
"code": null,
"last_four_digits": null
},
"fraud_score": "500",
"warnings": {
"country_match": [
"Card issuer country (Estonia) does not match the buyer country ()."
]
},
"customer_ip": "1.2.3.4",
"customer_url": "https://customerurl.com"",
"transaction_time": "2019-06-05T13:15:20+03:00",
"payment_created_at": "2019-06-05T13:14:15+03:00",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"payment_state": "settled"
}
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
36
M Reference ID of the payment.
payment_referenc
e
timestamp M
Timestamp of request’s creation time (see below for
details).
RESPONSE PARAMS
Parameter Description
payment_reference
Reference ID of the payment created by the completed
transaction.
Example response
{
"api_username": "abc12345",
"transaction_time": "2015-04-02T07:53:07Z",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"payment_state": "voided"
}
37
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the request.
Must match with username in Authorization HTTP
header.
amount M
Amount to be captured, use a decimal number with 2
digit precision, e.g. 10.55.
timestamp M
Timestamp of request’s creation time (see below for
details).
RESPONSE PARAMS
Parameter Description
Example response
38
{
"api_username": "abc12345",
"initial_amount": 10.00,
"standing_amount": 10.00,
"transaction_time": "2015-04-02T07:53:07Z",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"payment_state": "settled"
}
ENDPOINT: /payments/refund
METHOD: POST
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
amount M
Amount to be refunded, use a decimal number with 2 digit
precision, e.g. 10.55.
timestamp M
Timestamp of request’s creation time (see below for
details).
customer_name C
The name of the customer to whom the money will be
credited. Used only with open banking payments.
RESPONSE PARAMS
Parameter Description
39
initial_amount Initial payment amount.
Example response
{
"api_username": "abc12345",
"initial_amount": "2.50",
"standing_amount": "1.50",
"transaction_time": "2015-04-02T07:53:07Z",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"transaction_reference": "c4ad248765023341e35377dc6c8176331089def474c9da7a2586177d45daffab",
"payment_state": "refunded"
}
Parameter Description
Mandatory/
Optional
api_username M
The api username of the Merchant sending the
request. Must match with username in
Authorization HTTP header.
40
payment_reference M Reference ID of the payment.
token_details.token_
O the api_username of Token Owner (as given in
owner merchant portal)
token_details.token_t O
imestamp UNIX timestamp of the token sharing authorisation
moment in UTC. This timestamp cannot be older
than 5 minutes by the time the request reaches
Gateway.
token_details.token_
O HMAC that proves to the Gateway that Token
hmac Owner does allow the sharing.
41
token_consented O It shows if the user consents to save the card
details. Boolean: true, false.
RESPONSE PARAMS
Parameter Description
account_name
Processing Account name that was used to process the
transaction.
payment_method What payment method was used. See above Payment Methods
for valid values here (only card at the moment). Depending on
the payment method, other fields in the response would be
present or omitted. Returned when payment is completed.
42
payment_reference Reference ID of the payments.
payment_link
Link to complete payment. Used when payment needs user
action (e.g. to fill card details or complete 3DS, etc).
cc_details.issuer_country
Card issuer country. ISO 3166 two-letter (alpha-2) format (e.g.
EE).
43
Authorisation code of the transaction.
cc_details.authorisation_c
ode
Example request
{
"api_username": "abc12345",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"token_details": {
"token": "1234567812345678"
},
"token_consented": true,
"nonce": "xcncndkjsfkjdhuyr843y8579837458798327592hsfdkj",
"timestamp": "2019-06-05T13:14:15+03:00"
}
Example response
{
"api_username": "abc12345",
"account_name": "EUR1",
"initial_amount": 10.00,
"standing_amount": 10.00,
"order_reference": "feiwhp28qy8ks7i12i63",
"email": "[email protected]",
"payment_method": "card",
"payment_link": "https://igw-demo.every-pay.com/lp/aedf32/ed4dod",
"payment_state": "waiting_for_3ds_response",
"fraud_score": 325,
"warnings": {
"country_match": [
"Card issuer country (Estonia) does not match the buyer country ()."
]
},
"cc_details": {
"token": "d841bcc672b0f76523a7fa13",
"last_four_digits": "1234",
"month": "1",
"year": "2017",
"holder_name": "Tom Smith",
"type": "master_card",
"issuer_country": "EE",
"issuer": "LHV Bank",
"cobrand": "Partner deebet", "funding_source": "Debit",
"product": "DEBIT STANDARD",
"state_3ds": "3ds",
"authorization_code": "00590A"
},
"customer_ip": "1.2.3.4",
"customer_url": "https://shop.example.com/cart",
"payment_created_at": "2019-06-05T13:14:15+03:00",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a" }
44
METHOD: POST
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the request.
Must match with username in Authorization HTTP
header.
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the request.
Must match with username in Authorization HTTP
header.
transaction_ref M
Reference ID of the refund transaction. Transaction
erences
references can be separated by a comma and the
maximum amount of allowed transaction reference is
1500.
45
timestamp M A timestamp of request’s creation time (see below for
details)
RESPONSE PARAMS
Parameter Description
api_username
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
Example request
{
"api_username": "abc12345",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"transaction_reference": "abc8561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88abc1",
"nonce": "xcncndkjsfkjdhuyr843y8579837458798327592hsfdkj",
"timestamp": "2019-06-05T13:14:15+03:00"
}
Example response
{
"api_username": "abc12345",
"payment_reference": "db98561ec7a380d2e0872a34ffccdd0c4d2f2fd237b6d0ac22f88f52a",
"initial_amount": 10.00,
"standing_amount": 10.00,
"payment_state": "settled"
}
46
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the request.
Must match with username in Authorization HTTP
header.
RESPONSE PARAMS
Parameter Description
api_username
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
shops
List of shops for a merchant that makes the
request.
Example request
/shops/api_username=abc12345
Example response
47
{
"api_username":
"abc12345", "shops": [ {
"id": "1",
"url": "https://electronicshop.com/",
"descriptor": "Eesti Electronic Shop",
"mcc": "1234"
},
{
"id": "2",
"url": "https://myshoes.com/",
"descriptor": "My Shoes AS",
"mcc": "1235"
},
{
"id": "3",
"url": "https://rentacar.com/",
"descriptor": "My Car Rental",
"mcc": "2222"
}
]}
ENDPOINT: /shops/:id
METHOD: GET
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
Parameter Description
48
url Web address of the shop.
processing_acounts
List of processing accounts belong to the
shop.
processing_accounts[#].account_name
Processing Account name that was used
to process the transaction.
processing_accounts[#].pre_authorisation
Type of authorization. Pre or Final
Authorization.False means it is not
pre_authorisation.
processing_accounts[#].support_3ds
It shows if the processing account
supports 3ds or not.
processing_accounts[#].capture_delay_days
It shows the delay days for automatic
capture of the transaction.
processing_accounts[#].bav_required
It shows if bank account verification is
necessary or not.
Example request
/shops/id=8?api_username=abc12345
Example response
{
"api_username": "abc12345",
"id": "8",
49
"url": "https://electronicshop.com/",
"descriptor": "Eesti Electronic Shop",
"mcc": "1234",
"processing_accounts": [
{
"account_name": "EUR3D1",
"pre_authorisation": "true",
"currency": "EUR",
"support_3ds": "true",
"capture_delay_days": "0",
"bav_required": "false",
},
{
"account_name": "EUR1",
"pre_authorisation": "false",
"currency": "EUR",
"support_3ds": "false",
"capture_delay_days": "3",
"bav_required": "false",
},
{
"account_name": "USD3D1",
"pre_authorisation": "false",
"currency": "USD",
"support_3ds": "true",
"capture_delay_days": "0",
"bav_required": "false",
},
{
"account_name": "AUD1",
"pre_authorisation": "false",
"currency": "AUD",
"support_3ds": "false",
"capture_delay_days": "0",
"bav_required": "false",
}
]}
REQUEST PARAMS
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the request.
Must match with username in Authorization HTTP
header.
account_name M
Processing Account name that was used to process the
transaction.
50
RESPONSE PARAMS
Parameter Description
api_username
The api_username of the Merchant sending the
request. Must match with username in
Authorization HTTP header.
account_name
Processing Account name that was used to
process the transaction.
support_3ds
It shows if the processing account supports 3ds or
not.
capture_delay_days
It shows the delay days for automatic capture of
the transaction.
bav_required
It shows if bank account verification is necessary
or not.
payment_methods
List of available payment methods for the
processing account.
payment_methods[#].display_name
Display name for the Payment Method. Ex: ‘Card
Payment’.
payment_methods[#].country_code
Country code for this Payment Method, to be used
for better UX (e.g. group Open Banking links by
country). Omitted if not relevant for this payment
method.
51
payment_methods[#].card_acceptor_ Only for card payments. It is the terminal name.
id
Example request
/processing_accounts/EUR3D2?api_username=abc12345
Example response
{
"api_username": "abc12345",
"account_name": "EUR3D2",
"pre_auth": "final",
"currency": "EUR",
"support_3ds": "true",
"capture_delay_days": "0",
"bav_required":
"false",
"payment_methods": [ {
"source": "card",
"display_name": "VISA/Mastercard",
"logo_url": "https://igw-demo.every-pay.com/assets/card_logo.png",
"card_acceptor_id": "10234957 100",
"terminal_id": "EVR20797"
},
{
"source": "ob_mybank_ee",
"display_name": "MyBank Eesti",
"country_code": "EE",
"logo_url": "https://igw-demo.every-pay.com/assets/mybank_logo.png"
}
]
NB! Merchant should validate information about card details before sending it to the
gateway. Validation information can be found under description.
ENDPOINT: /mobile_payments/card_details
METHOD: POST
REQUEST PARAMS
52
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending
the request. Must match with username in
Authorization HTTP header.
Parameter Description
53
payment_state
The status of the payment. Possible values; "initial", "settled",
"failed", "waiting_for_3ds_response", "waiting_for_sca" and
"confirmed_3ds".
Headers:
Authorization: ‘Bearer bb760db84c9b53dc4bbcc7cbe799fd0f1237d56d’
Content-Type: ‘application/json’
{
"api_username": "abc12345",
"mobile_access_token": "Bearer bb760db84c9b53dc4bbcc7cbe799fd0f1237d56d",
"payment_reference": "abc12345sdjkfhuweyruirkdj",
"cc_details": {
"cc_number": "1234567812345678",
"month": "11",
"year": "2019",
"holder_name": "Tom Smith",
"cvc": "100"
},
"token_consented": true,
"timestamp": "2019-06-05T13:14:15+03:00"
}
Example response
{
"payment_state": "waiting_for_3ds_response",
"processing_errors": []
}
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
54
token M
Instrument token which is got from
payments/:payment reference endpoint.
RESPONSE PARAMS
Parameter Description
Example response
{
"api_username": "abc12345",
"token": "d841bcc672b0f76523a7fa13",
"status": "DEACTIVATED"
}
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
token M
Instrument token which is got from
payments/:payment reference endpoint.
RESPONSE PARAMS
Parameter Description
55
api_username The api_username of the Merchant sending the request.
Example response
{
"api_username": "abc12345",
"token": "d841bcc672b0f76523a7fa13",
"media_contents":
{
"data":
"https://s3-eu-west-1.amazonaws.com/production-ups-logos/images/12/large/4d32c959-094b-47ab-8a4e-448
62fce351c.png?1606925690",
"type": "image/png"
}
}
Parameter Description
Mandatory/
Optional
api_username M
The api_username of the Merchant sending the
request. Must match with username in Authorization
HTTP header.
token M
Instrument token which is got from payment/:payment
reference endpoint.
RESPONSE PARAMS
56
Parameter Description
Example response
{
"api_username": "abc12345",
"token": "d841bcc672b0f76523a7fa13",
"status": "ACTIVE"
"card_art": "null"
"last_four_digits": "1234"
"month": "12"
"year": "2020"
"holder_name": "John Doe"
}
Version history
Date Change
09.12.2022
Allowed characters for order_reference and payment_description:
[a-zA-Z0-9/–?:().,‘+]
57
14.12.2021 New optional parameter payment_description for
payments/oneoff endpoint.
01.12.2021
order_reference should not be used when callback is sent. It will
be removed in the next API version from callbacks.
27.09.2021 Description and new endpoints that are related to open banking
refunds.
58