Embedded QR Codes
Comprehensive guide on integrating and using Embedded QR Code payments through HitPay API.
Introduction
Embedded QR Code Payments allow seamless integration of QR payments directly into your platform without redirecting the users away.
Core Concept
At a high level, integrating payments into your system involves a 4-step process:
Create a Payment Request
The first step is to create a payment request in your system
Generate and Present the QR Code
Once the payment request is ready, generate and present the QR code to the user.
Client Scans and Initiates Payment
The client scans the QR code and initiates the payment through their banking app.
Handle Webhooks and Server Communication
After the payment is processed, handle webhooks to receive payment notifications and manage server-client communication.
Supported Methods
Please note that not all payment methods support embedded QR Codes. Here is the list of methods that support QR Codes:
Payment Method | Code |
---|---|
PayNow | paynow_online |
ShopeePay | shopee_pay |
QRIS | doku_qris |
QRPH | qrph_netbank |
WeChatPay | wechat_pay |
VietQR | vietqr_payme |
PromptPay | opn_prompt_pay |
TrueMoney | opn_true_money_qr |
GrabPay | grabpay_direct |
GrabPay PayLater | grabpay_paylater |
ShopBack | Coming Soon |
Authentication
Before integration, it’s essential to understand how Hitpay APIs are authenticated. Hitpay utilizes API keys to grant access to the API. You can locate this key in your dashboard under “API keys.”
Hitpay requires the API key to be included in all API requests to the server. This key should be placed in a header that follows the format shown below:
X-BUSINESS-API-KEY: meowmeowmeow
Step 1: Create a Payment Request
This is the first step of the payment flow. Once you have all the details from the user and are ready to collect payments, use this API to create a payment request.
Endpoint
POST /v1/payment-requests
Creates a payment request and generates a QR code for the paynow_online
payment method.
Request Parameters
Parameter | Type | Description |
---|---|---|
amount | string | Required. The amount to be paid. |
currency | string | Required. The currency of the payment (e.g., “sgd”). |
payment_methods[] | array | Required. Specify paynow_online as the payment method. |
generate_qr | boolean | Required. Set to true to generate the QR code. |
name | string | Optional. The name of the customer. |
string | Optional. The email of the customer. | |
phone | string | Optional. The phone number of the customer. |
purpose | string | Optional. The purpose of the payment. |
reference_number | string | Optional. A reference number for the payment. |
Example Request
Response
The response will include a qr_code_data object, which contains the data to be converted into a scannable QR code (qr_code).
Step 2: Generate and Present the QR Code
Once the payment request is created, generate the QR code using the response data and present it to the user.
Step 3: Client Scans and Initiates Payment
The client scans the presented QR code with their banking app and initiates the payment process.
Step 4: Handle Webhooks and Server Communication
After the payment is processed, handle webhooks to receive payment notifications and manage server-client communication to update the payment status in your system.
What is a Webhook?
Webhook is a POST request sent from HitPay’s server to your server about the payment confirmation. If you are using hitpay APIs to integrate into your e-commerce checkout you must mark your order as paid ONLY after the webhook is received and validated.
Handling the webhook
- Create an endpoint (E.g. /payment-confirmation/webhook) in your server that accepts POST requests. This request is application/x-www-form-urlencoded.
- Validate the webhook data using your salt value
- Return HTTP status code 200 to Hitpay
- Mark your order as paid
- Sample webhook payload data
Sample Webhook Payload
Webhook fields
Following fields are sent with the webhook request:
Parameter | Description | |
---|---|---|
payment_id | Payment ID | |
payment_request_id | Payment request ID | |
phone | Buyer’s phone number | |
amount | Amount related to the payment | |
currency | Currency related to the payment | |
status | Payment status (completed / failed) | |
reference_number | Arbitrary reference number mapped during payment request creation | |
hmac | Message Authentication code of this webhook request |
Validating a Webhook
To validate a webhook payload from HitPay, follow these steps:
- Payload Extraction: Extract the key-value pairs from the webhook payload. For example:
-
Exclude HMAC and Values: Remove the "hmac" key and its corresponding value from the extracted payload. For example:
-
Concatenation and Sorting: Concatenate the keys and values from the remaining key-value pairs without using "&" and "=", and arrange them in alphabetical order of the keys. For example:
-
Signature Generation: Use the HMAC-SHA256 algorithm along with the secret salt from your dashboard to generate a signature for the concatenated string. This signature will be unique to this payload.
-
Comparison and Validation: Compare the generated signature with the HMAC value present in the original payload, both values must match.
By following these steps, you can ensure the authenticity and integrity of the webhook payload received from HitPay. This process guarantees that the payload can be trusted and processed securely.
Sample Code
FAQs
Was this page helpful?