X-Payments:API
From Qualiteam Help
API requests
All API requests are made to the httрs://<xpayments_url>//api.php/ URL. Only HTTPS protocol is used. A request is an XML document, which is encrypted using RSA method with the key, generated by X-Payments.
Request/Response encryption
- Used encryption method: RSA;
- Key length: 2048 bit;
- A public key is created with a 32 character password;
- The password is generated randomly;
- The number of password characters varies from 33 to 127.
For each online store X-Payments generates 2 pairs of keys:
- public and private to encrypt requests/responses from the online store to X-Payments
- public and private to encrypt requests/responses from X-Payments to the online store
So when the online store sends a request to X-Payments, this request is encrypted using the public key from the first pair, X-Payments decrypts it using the private key of the first pair. Then X-Payments response is encrypted using the public key of the second pair, and the online store decrypts this response using the private key of the second pair.
X-Payments interface shows and X-Payments connector module store the public key from the first pair, and the private key from the second pair.
Encryption algorithm:
- an empty string is created for pre-prepared data
- a 32-character salt-block is formed of random characters from 33 to 255
- the length of the salt-block in bites is taken and transformed into a 12-character string by adding zeros before it
- the salt-block length string and the salt-block are added to the pre-prepared data
- MD5 digital signature is taken from the data. The signature is formed as a HEX (32-character string)
- the length of the digital signature in bites is taken and transformed into a 12-character string by adding zeros before it
- the digital signature length string and the digital signature are added to the pre-prepared data
- the length of the data string in bites is taken and transformed into a 12-character string by adding zeros before it
- the data string length string and the data string are added to the pre-prepared data
- the string of pre-prepared data is divided into 128 bite chunks
- each chunk is encrypted using a public key
- each chunk is encoded with base64
- chunks are glued together using a line feed character (0x0a)
- API prefix is added to the glued chunks
cURL as a means of sending requests
Using libcurl v.7.10 and above is recommended.
TTL should be specified depending on the productivity of the server, where X-Payments is installed.
It is recommended to use SSL v.3 and above.
Data types
Used data types:
- string - a UTF-8 string
- email - an email address not longer than 255 characters
- URL - a URL address not longer than 255 characters
- currency - a floating point number, denoting a certain sum of money. The mantissa size is the same as the payment currency mantissa size, but not longer than 3. All the exceeding characters will be truncated.
- integer - an integer number
ISO 4217 Alpha-3 in the upper register is always used as the payment currency code.
ISO 639-1 Alpha-2 in the lower register is always used as the language code.
Payment initialisation request
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal init |
| confId | Y | integer | Payment module configuration ID |
| refId | Y | string, 128 | Order ID in the online store |
| returnUrl | Y | URL, 255 | URL of the page to redirect the customer after payment |
| callbackUrl | Y | URL, 255 | URL to which X-Payments sends background requests with service information |
| language | N | code of ISO 639-1 (Alpha-2) | Language code. If not specified - en |
| cart | Y | container | A container with addresses description |
| cart/billingAddress | Y | container | A container with the billing address description |
| cart/billingAddress/firstname | Y | string, 255 | |
| cart/billingAddress/lastname | N | string, 255 | |
| cart/billingAddress/company | N | string, 255 | |
| cart/billingAddress/address | Y | string, 255 | |
| cart/billingAddress/city | Y | string, 255 | |
| cart/billingAddress/state | Y | string, 255 | |
| cart/billingAddress/country | Y | string, 255 | |
| cart/billingAddress/zipcode | Y | string, 32 | |
| cart/billingAddress/email | Y | emai, 255l | |
| cart/billingAddress/phone | Y | string, 255 | |
| cart/billingAddress/fax | N | string, 255 | |
| cart/shippingAddress | Y | container | A container with the shipping address description |
| cart/shippingAddress/firstname | Y | string, 255 | |
| cart/shippingAddress/lastname | N | string, 255 | |
| cart/shippingAddress/company | N | string, 255 | |
| cart/shippingAddress/address | Y | string, 255 | |
| cart/shippingAddress/city | Y | string, 255 | |
| cart/shippingAddress/state | Y | string, 255 | |
| cart/shippingAddress/country | Y | string, 255 | |
| cart/shippingAddress/zipcode | Y | string, 32 | |
| cart/shippingAddress/email | Y | email, 255 | |
| cart/shippingAddress/phone | Y | string, 255 | |
| cart/shippingAddress/fax | N | string, 255 | |
| cart/items | Y | container | A container with product description |
| cart/items/sku | Y | string, 64 | SKU (product code) |
| cart/items/name | Y | string, 255 | Product name |
| cart/items/price | Y | currency | Product item price |
| cart/items/quantity | N | integer | Ordered number of products. If not specified - 1 |
| cart/login | Y | string, 255 | Unique customer ID in the online store (login, username, userid, etc.) |
| cart/currency | N | string, 3 | Payment currency code (ISO 4217 Alpha-3). If not specified, default payment configuration currency is used |
| cart/shippingCost | - | currency | Shipping cost. By default - 0 |
| cart/taxCost | - | currency | Tax amount. By default - 0 |
| cart/discount | - | currency | Discount amount. By default - 0 |
| cart/totalCost | Y | currency | Total payment amount. Must equal to a sum of cart/items/price * cart/items/quantity + cart/shippingCost + cart/taxCost - cart/discount |
| cart/description | - | string, 65536 | |
| cart/merchantEmail | Y | email, 255 | |
| cart/forceTransactionType | - | one of values: A or S or empty A - authorize S - sale | A flag of forced Sale or Authorize operation. Overrides the setting from the payment configuration. If the value is empty of the item is missing, the corresponding value from the payment configuration is taken |
Request example
<confId>8</confId> <refId>1120</refId> <cart> <login>customer</login> <billingAddress> <firstname>John</firstname> <lastname>Smith</lastname> <address>10 Main street</address> <city>Fillmore</city> <state>UT</state> <country>US</country> <zipcode>84631</zipcode> <company>IQ testing</company> <email>bit-bucket@x-cart.com</email> <phone>927348572</phone> <fax></fax> </billingAddress> <shippingAddress> <firstname>John</firstname> <lastname>Smith</lastname> <address>10 Main street</address> <city>Fillmore</city> <state>UT</state> <country>US</country> <zipcode>84631</zipcode> <company>IQ testing</company> <email>bit-bucket@x-cart.com</email> <phone>927348572</phone> <fax></fax> </shippingAddress> <items type="cell"> <sku>SKU17513</sku> <name>Three Stone Princess Cut Diamond Ring</name> <price>399.99</price> <quantity>1</quantity> </items> <currency>USD</currency> <shippingCost>15</shippingCost> <taxCost>0</taxCost> <discount>0</discount> <totalCost>414.99</totalCost> <description>Order(s) #1120</description> <merchantEmail>bit-bucket@x-cart.com</merchantEmail> <forceTransactionType></forceTransactionType> </cart> <returnUrl>https://example.com/xcart/payment/cc_xpc.php</returnUrl> <callbackUrl>https://example.com/xcart/payment/cc_xpc.php</callbackUrl> <language>ru</language> <target>payment</target> <action>init</action>
Response specification
| Field | Type | Description |
| token | string,32 | Temporary payment token, expires immediately after the customer has submitted the cardholder data form |
| txnId | string,32 | A unique payment ID. Is used for all further requests to this payment through the API. |
Response example
<data> <token>41b2ef3b34698d4f6ed73151ae7307d2</token> <txnId>e7f398cee98ec062abac0d2c937da181</txnId> <error></error> <error_message></error_message> </data>
Redirecting a customer to the cardholder data entering page
A POST form is created, which sends data to the URL <XPayments_web_root>/payment.php containing the following fields:
- target - has value main
- action - has value start
- token - has value from the payment initialisation request (token field)
Request protocol - HTTPS The form must be sent by the POST method. All data must also be sent as POST variables.
Payment information request
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal get_info |
| txnId | Y | string, 32 | Unique payment ID |
| refresh | N | 0 или 1 | A flag specifying that the data in X-Payments must be overwritten by the data from the payment gateway. By default - 0 |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <refresh>0</target> <target>payment</target> <action>get_info</action>
Response specification
| Field | Type | Description |
| status | integer, 1 | Payment status code |
| message | string, 65536 | Human-read message containing the payment status |
| isFraudStatus | 0 or 1 | Means that the payment is blocked by the gateway, because the customer has not passed the gateway security check |
| currency | string, 3 | Payment currency code |
| amount | currency | Payment total |
| authorized | currency | Authorized payment total |
| chargedAmount | currency | Charged payment total |
| capturedAmount | currency | Captured amount of the authorized amount |
| capturedAmountAvail | currency | Amount, which is authorized and can be captured |
| voidedAmount | currency | Amount which is authorized but voided |
| voidedAmountAvail | currency | Amount which is authorized and can be voided |
| refundedAmount | currency | Amount which can be refunded |
| refundedAmountAvail | currency | Amount which can be refunded |
| fraudAuthorized | currency | A part of authorized amount, which was blocked by the gateway because the customer has not passed the gateway security check |
| fraudCharged | currency | A part of charged amount, which was blocked by the gateway because the customer has not passed the gateway security check |
| authorizeInProgress | currency | A part of authorized amount, which is being handled by the gateway |
| chargeInProgress | currency | A part of charged amount, which is being handled by the gateway |
| transactionInProgress | 0 или 1 | Are there any payment transactions handled by the gateway |
| capturedAmountAvailMin | currency | Minimum amount which can be captured from the authorized amount |
| capturedAmountAvailGateway | currency | Amount which can be captured from the authorized amount through the gateway |
| capturedAmountAvailMinGateway | currency | Minimum amount which can be captured from the authorized amount through the gateway |
| voidedAmountAvailGateway | currency | Amount which can be voided from the authorized amount through the gateway |
| refundedAmountAvailGateway | currency | Amount which can be refunded from the authorized amount through the gateway |
| txnId | string, 32 | Unique payment ID |
| lastMessage | string, 65536 | Last gateway message |
| error | string, 128 | Error code |
| error_message | string, 65536 | Error message |
Note: Fields ending in "Gateway" contain amounts which can be used in transactions through the gateway. For example, if $100 was authorized and then capture transaction was emulated for $100, the next refund operation will be available in the emulation mode only. The field refundedAmountAvailGateway will be equal to 0.
Response example
<data> <status>2</status> <message>Payment is authorized</message> <isFraudStatus></isFraudStatus> <currency>USD</currency> <amount>414.99</amount> <authorized>414.99</authorized> <chargedAmount>0.00</chargedAmount> <capturedAmount>0.00</capturedAmount> <capturedAmountAvail>414.99</capturedAmountAvail> <voidedAmount>0.00</voidedAmount> <voidedAmountAvail>414.99</voidedAmountAvail> <refundedAmount>0.00</refundedAmount> <refundedAmountAvail>0.00</refundedAmountAvail> <fraudAuthorized>0.00</fraudAuthorized> <fraudCharged>0.00</fraudCharged> <authorizeInProgress>0.00</authorizeInProgress> <chargeInProgress>0.00</chargeInProgress> <transactionInProgress></transactionInProgress> <capturedAmountAvailMin>0.00</capturedAmountAvailMin> <capturedAmountAvailGateway>414.99</capturedAmountAvailGateway> <capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway> <voidedAmountAvailGateway>414.99</voidedAmountAvailGateway> <refundedAmountAvailGateway>0.00</refundedAmountAvailGateway> <txnId>8e67e0da23ce7ed451b2c1adbbd7373c</txnId> <lastMessage>Success</lastMessage> <error></error> <error_message></error_message> </data>
Detailed payment and transaction information request
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal get_additional_info |
| txnId | Y | string, 32 | A unique payment ID, received in the payment initialisation request response |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <target>payment</target> <action>get_additional_info</action>
Response specification
| Field | Type | Description |
| payment | container | Payment information request response |
| transactions | container | Transaction list |
| transactions/date | integer, 11 | Transaction date (Unix timestamp) |
| transactions/action | string, 255 | Transaction name |
| transactions/status | string, 255 | Transaction status |
| transactions/message | string, 65536 | Gateway transaction message |
| transactions/total | string, 32 | Transaction amount and currency |
| transactions/txnid | string, 255 | Gateway transaction unique ID |
| transactions/payment_status | string, 255 | The payment status after the transaction |
| transactions/fields | container | Transaction additional fields list |
| transactions/fields/name | string, 255 | Field name |
| transactions/fields/name | string, 255 | Field value |
Response example
<data> <payment> <status>2</status> <message>Payment is authorized</message> <isFraudStatus></isFraudStatus> <currency>USD</currency> <amount>414.99</amount> <authorized>414.99</authorized> <chargedAmount>0.00</chargedAmount> <capturedAmount>0.00</capturedAmount> <capturedAmountAvail>414.99</capturedAmountAvail> <voidedAmount>0.00</voidedAmount> <voidedAmountAvail>414.99</voidedAmountAvail> <refundedAmount>0.00</refundedAmount> <refundedAmountAvail>0.00</refundedAmountAvail> <fraudAuthorized>0.00</fraudAuthorized> <fraudCharged>0.00</fraudCharged> <authorizeInProgress>0.00</authorizeInProgress> <chargeInProgress>0.00</chargeInProgress> <transactionInProgress></transactionInProgress> <capturedAmountAvailMin>0.00</capturedAmountAvailMin> <capturedAmountAvailGateway>414.99</capturedAmountAvailGateway> <capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway> <voidedAmountAvailGateway>414.99</voidedAmountAvailGateway> <refundedAmountAvailGateway>0.00</refundedAmountAvailGateway> </payment> <transactions type="cell"> <date>1264597135</date> <action>Authorize</action> <status>Success</status> <message>Success</message> <total>414.99 USD</total> <txnid>48405381W4268581P</txnid> <fields type="cell"> <name>AVS</name> <value>Exact match. Address and five-digit ZIP code</value> </fields> <fields type="cell"> <name>CVV</name> <value>Match</value> </fields> <payment_status>Charged</payment_status> </transactions> <error></error> <error_message></error_message> </data>
Capture authorized transaction request
Request specification
| Field | Required | Type | Description |
| target | Y | string,128 | Must equal payment |
| action | Y | string, 128 | Must equal capture |
| txnId | Y | string, 32 | Unique payment ID |
| amount | N | currency | The amount to capture from the previously authorized transaction. By default equals the amount of authorized transaction |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <amount>50.00</amount> <target>payment</target> <action>capture</action>
Response example
| Field | Type | Description |
| status | integer, 1 | Operation status code |
| message | string, 65536 | Gateway transaction message |
Note:
- Values of "status" field:
- 0 - transaction failed
- 1 - transaction is successful
- 2 - transaction is successful and is duplicate
<data> <status>1</status> <message>Success</message> <error></error> <error_message></error_message> </data>
Void authorized transaction request
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal capture |
| txnId | Y | string, 32 | Unique payment ID |
| amount | N | currency | Amount to void of the authorized transaction. By default equals to the amount of the authorized transaction |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <amount>50.00</amount> <target>payment</target> <action>void</action>
Response specification
| Field | Type | Description |
| status | integer, 1 | Operation status code |
| message | string, 65536 | Gateway transaction message |
Note:
- Values of "status" field:
- 0 - transaction failed
- 1 - transaction is successful
- 2 - transaction is successful and is duplicate
Response example
<data> <status>1</status> <message>Success</message> <error></error> <error_message></error_message> </data>
Refund captured transaction request
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal capture |
| txnId | Y | string, 32 | Unique payment ID |
| amount | N | currency | Amount to be refunded to the customer of the previously captured transactions. By default equals to the amount of captured transactions |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <amount>50.00</amount> <target>payment</target> <action>refund</action>
Response specification
| Field | Type | Description |
| status | integer, 1 | Operation status code |
| message | string, 65536 | Gateway transaction message |
Note:
- Values of "status" field:
- 0 - transaction failed
- 1 - transaction is successful
- 2 - transaction is successful and is duplicate
Response example
<data> <status>1</status> <message>Success</message> <error></error> <error_message></error_message> </data>
Blocked by gateway transaction accept request (Accept)
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal accept |
| txnId | Y | string, 32 | Unique payment ID |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <target>payment</target> <action>accept</action>
Response example
| Field | Type | Description |
| status | integer, 1 | Operation status code |
| message | string, 65536 | Gateway transaction message |
Note:
- Values of "status" field:
- 0 - transaction failed
- 1 - transaction is successful
- 2 - transaction is successful and is duplicate
<data> <status>1</status> <message>Success</message> <error></error> <error_message></error_message> </data>
Blocked by gateway transaction decline request (Decline)
Request specification
| Field | Required | Type | Description |
| target | Y | string, 128 | Must equal payment |
| action | Y | string, 128 | Must equal decline |
| txnId | Y | string, 32 | Unique payment ID |
Request example
<txnId>e7f398cee98ec062abac0d2c937da181</txnId> <target>payment</target> <action>decline</action>
Response specification
| Field | Type | Description |
| status | integer, 1 | Operation status code |
| message | string, 65536 | Gateway transaction message |
Note:
- Values of "status" field:
- 0 - transaction failed
- 1 - transaction is successful
- 2 - transaction is successful and is duplicate
Response example
<data> <status>1</status> <message>Success</message> <error></error> <error_message></error_message> </data>
