Hosted Payment Page

Hosted Payment page API Reference

Overview

Zapper Hosted Payment Page is a quick set-up, PCI DSS compliant service that enables customers to complete transactions on a secure payment page hosted by Zapper.

How it works

All encryption is handled internally and cardholder data will not be transmitted between Zapper and the merchant sites.

1. Create Session and Receive RedirectUrl

   The merchant initiates the payment process by creating a session using Zapper's API. The merchant receives a redirectUrl, which is used to redirect user to the Hosted Payment Page for payment processing.

2. Redirect User to Zapper's Hosted Payment Page

   The merchant is required to redirect the user to the Hosted Payment Page, where they are presented with payment options, such as QR code or card payment.

3. User Completes the Payment

   The user completes the payment process on the Hosted Payment Page.

4. Zapper Notifies Merchant via Webhook

   After payment, Zapper sends a payment notification to the merchant's notificationUrl (provided by the merchant when the session is created). The merchant is required to implement a webhook endpoint to receive these payment notifications. It is recommended that the merchant validate the signature.

5. Zapper Redirects User Back to Merchant's Store

   Upon completing the payment process, Zapper redirects the user back to the merchant's store.

Integration Workflow

API Reference

Create a new session

POST https://gateway.zapper.com/api/v3.1/sessions

Headers

Name	Type	Description
merchantId*	String	The Zapper merchant ID
merchantSiteId*	String	The Zapper merchant site ID

Request Body

Name	Type	Description
requestId*	String	The unique identifier for a given request.
merchantOrderId*	String	The identifier or reference of the order generated by the merchant. It provides a way to link the session to a specific order or transaction within the merchant's system.
amount*	Integer	The total value of the transaction in the smallest unit of the currency specified (eg in cents).
currencyISOCode*	String	The 3 letter currency code as per ISO 4217. Currently only 'ZAR' is supported.
notificationUrl*	String	Payment notifications are sent to the provided notificationUrl.
returnUrl*	String	On completing a successful payment, the user is redirected to the provided returnUrl.
cancelUrl*	String	On clicking the back-to-store button, the user is redirected to the cancelUrl.
origin*	String	The site or domain that the request originated from.
siteName	String	The name or identifier of the site associated with the request.
customFields	Array	Additional information that is needed by the merchant in the payment details. See the model below.

200: OK OK

{
    "sessionId": "9a1e2b26-d9c3-4b2a-9fe1-e6a3cd97af06",
    "redirectUrl": "https://zapper.zmsa-tech.com/pay?sessionId={guid}",
    "status": "Success",
    "errors": []
}

400: Bad Request Bad Request

{
    "status": "Bad Request",
    "errors": ["Message": "Bad Request"]
}

403: Forbidden Forbidden

{
    "status": "Forbidden",
    "errors": ["Message": "Forbidden"]
}

500: Internal Server Error Internal Server Error

{
    "status": "Internal Server Error",
    "errors": ["Message": "Internal Server Error"]
}

Create Session Request Example:

curl --location 'https://gateway.zapper.com/api/v3.1/sessions' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'merchantId: 1234' \
--header 'merchantSiteId: 1234' \
--header 'x-api-key: cb67xxxxxx0546f68806b62a36xxxxxx' \
--data '{
  "merchantOrderId": "c93d99c8-20e1-4fc6-95b8-10d50eb9a90e",
  "amount": 1000,
  "currencyISOCode": "ZAR",
  "notificationUrl": "https://merchantstore.com/somePaymentNotificationPath",
  "returnUrl": "https://merchantstore.com/someReturnPath",
  "cancelUrl": "https://merchantstore.com/someCancelPath",
  "requestId": "ad7234d5-4e6b-4acf-8e29-451c056b2bdc",
  "origin": "https://merchantstore.com",
  "customFields":[
      {
          "key": "FieldLabel",
          "value": "FieldValue"
      }
  ]
}'

Get payments by sessionId

GET https://gateway.zapper.com/api/v3.1/payments

Query Parameters

Name	Type	Description
sessionId*	String	The unique identifier for the ecommerce session

Headers

Name	Type	Description
merchantSiteId*	String	The Zapper Merchant Site ID
merchantId*	String	The Zapper Merchant ID

200: OK OK

{
  "status": "Success",
  "errors": [],
  "merchantOrderId": "dea3d7a0-5e11-497a-8fa8-c3987623bce4",
  "paymentReference": "NN7WE7WXXDNR4925PW",
  "amount": 500,
  "currencyISOCode": "ZAR",
  "paymentStatus": "Failed",
  "userMessage": "Declined",
  "sessionId": "9a1e2b26-d9c3-4b2a-9fe1-e6a3cd97af06",
  "paymentUTCDate": "2023-06-20T12:29:11.6664948Z"
}

400: Bad Request Bad Request

{
    "status": "Bad Request",
    "errors": ["Message": "Bad Request"]
}

403: Forbidden Forbidden

{
    "status": "Forbidden",
    "errors": ["Message": "Forbidden"]
}

404: Not Found Not Found

{
    "status": "Not Found",
    "errors": ["Message": "Not Found"]
}

500: Internal Server Error Unexpected Error

{
    "status": "Success",
    "errors": []
}

Get Payments by SessionId Request Example:

curl --location 'https://gateway.zapper.com/api/v3.1/payments?sessionId=20908573-a1ea-412d-8a25-26e48e58c548' \
--header 'Accept: application/json' \
--header 'merchantId: 8712' \
--header 'merchantSiteId: 8727' \
--header 'x-api-key: cb67xxxxxx0546f68806b62a36xxxxxx'

Get payment by paymentReference

GET https://gateway.zapper.com/api/v3.1/payments/{paymentReference}

Path Parameters

Name	Type	Description
paymentReference*	String	The unique identifier of the payment

Headers

Name	Type	Description
merchantId*	String	The Zapper Merchant ID
merchantSiteId*	String	The Zapper Merchant Site ID

200: OK OK

{
  "status": "Success",
  "errors": [],
  "merchantOrderId": "dea3d7a0-5e11-497a-8fa8-c3987623bce4",
  "paymentReference": "NN7WE7WXXDNR4925PW",
  "amount": 500,
  "currencyISOCode": "ZAR",
  "paymentStatus": "Failed",
  "userMessage": "Declined",
  "sessionId": "9a1e2b26-d9c3-4b2a-9fe1-e6a3cd97af06",
  "paymentUTCDate": "2023-06-20T12:29:11.6664948Z"
}

400: Bad Request Bad Request

{
  "status": "Success",
  "errors": []
}

403: Forbidden Forbidden

{
  "status": "Success",
  "errors": []
}

404: Not Found Not Found

{
  "status": "Success",
  "errors": []
}

500: Internal Server Error Unexpected Error

{
  "status": "Success",
  "errors": []
}

Get Payments by PaymentReference Request Example:

curl --location 'https://gateway.zapper.com/api/v3.1/payments/XZR8K9QKWVYE2E159L' \
--header 'Accept: application/json' \
--header 'merchantId: 8712' \
--header 'merchantSiteId: 8727' \
--header 'x-api-key: cb67xxxxxx0546f68806b62a36xxxxxx'

Models

Payment Notification Webhook Model

signature	string	The signature property represents a cryptographic value or digital signature associated with a payment notification webhook.
sessionId	string	The unique identifier for the sessionreference
amount	integer	The total value of the transaction in the smallest unit of the currency specified (eg in cents)
currencyISOCode	string	The 3 letter currency code as per ISO 4217. Currently only 'ZAR' is supported.
merchantOrderId	string	The identifier or reference of the order generated by the merchant. It provides a way to link the session to a specific order or transaction within the merchant's system.
paymentReference	string	A unique identifier assigned to a specific payment.
paymentStatus	PaymentStatus	The status or outcome of a payment transaction
userMessage	string	A user friendly message. Only populated when paymentStatus is not 'Success'.
paymentUTCDate	string	The UTC date and time of the payment.
status	ResponseStatus	The API response status. A response other than 'Success' indicates that there was an error on the API level (such as request validation, or errors interpreting the gateway response). Refer to the 'errors' list for more information.
errors	Error	The list of errors if the status is not 'Success'.

PaymentStatus

Value	Type	Description
1	string	Success
2	string	Failed

ResponseStatus

Value	Type	Description
1	string	Success
2	string	BadRequest
3	string	NotFound
4	string	Unauthorized
5	string	InternalServer

Error

Value	Type	Description
message	string	A human readable error message

Custom Fields

Additional information that is needed by the merchant in the payment details.

Field	Datatype	Required	Description
key	String	Yes	Label or Title of the additional custom field
value	String	Yes	Value of the additional custom field

Signature Validation

To ensure the authenticity and integrity of the payment notification data, validating the signature is recommended.

V3.1 - The PaymentNotificationWebhook is used along with the Merchant Site API Key when creating a SHA256 signature hash.

V3 - The PaymentNotificationWebhook is used along with the Merchant API Key when creating a SHA256 signature hash.

The following are an examples of signature validation:

C#

private bool IsSignatureValid(string signature, ZapperEcomAPIV3Client.PaymentNotificationWebhook paymentNotificationWebhook, string x-api-key)
{
    string signatureInput = $"{x-api-key}|{paymentNotificationWebhook.SessionId}|{paymentNotificationWebhook.Amount}|{paymentNotificationWebhook.CurrencyISOCode}|{paymentNotificationWebhook.MerchantOrderId}|{paymentNotificationWebhook.PaymentReference}|{paymentNotificationWebhook.paymentStatus}|{paymentNotificationWebhook.PaymentUTCDate}|{paymentNotificationWebhook.UserMessage}";

    using (SHA256 sha = SHA256.Create())
    {
        byte[] hashBytes = sha.ComputeHash(Encoding.UTF8.GetBytes(signatureInput));
        StringBuilder builder = new StringBuilder();

        foreach (byte b in hashBytes)
        {
            builder.Append(b.ToString("x2"));
        }

        string generatedSignature = builder.ToString();

        return generatedSignature.Equals(signature, StringComparison.OrdinalIgnoreCase);
    }
}

JavaScript:

const crypto = require('crypto');

function isSignatureValid(signature, paymentNotificationWebhook, x-api-key) {
  const signatureInput = `${x-api-key}|${paymentNotificationWebhook.sessionId}|${paymentNotificationWebhook.amount}|${paymentNotificationWebhook.currencyISOCode}|${paymentNotificationWebhook.merchantOrderId}|${paymentNotificationWebhook.paymentReference}|${paymentNotificationWebhook.paymentStatus}|${paymentNotificationWebhook.paymentUTCDate}|${paymentNotificationWebhook.userMessage || ""}`;
  const generatedSignature = sha256Hash(signatureInput);
  return generatedSignature.toLowerCase() === signature.toLowerCase();
}

function sha256Hash(value) {
  const hash = crypto.createHash('sha256');
  const hashBytes = hash.update(value, 'utf-8').digest();
  return hashBytes.toString('hex');
}

Java:

private static boolean isSignatureValid(String signature, PaymentNotificationWebhook paymentNotificationWebhook, String x-api-key) {
       String signatureInput = x-api-key + "|" +
                paymentNotificationWebhook.getSessionId() + "|" +
                paymentNotificationWebhook.getAmount() + "|" +
                paymentNotificationWebhook.getCurrencyISOCode() + "|" +
                paymentNotificationWebhook.getMerchantOrderId() + "|" +
                paymentNotificationWebhook.getPaymentReference() + "|" +
                paymentNotificationWebhook.getPaymentStatus() + "|" +
                paymentNotificationWebhook.getPaymentUTCDate() + "|" +
                paymentNotificationWebhook.getUserMessage();

        String generatedSignature = sha256Hash(signatureInput);
        return generatedSignature.equalsIgnoreCase(signature);
  }

 private static String sha256Hash(String value) {
       
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    byte[] hashBytes = digest.digest(value.getBytes(StandardCharsets.UTF_8));

    StringBuilder builder = new StringBuilder();
    for (byte b : hashBytes) {
        builder.append(String.format("%02x", b));
    }
    return builder.toString();
 }

Payments: The payment process is as follows:

1. When the user selects the Zapper payment option on checkout and proceeds to finalize their order, they will be presented with Zapper Hosted Payment page.

2. If the user prefers the familiar convenience of our dynamic QR code solution, they can proceed by using the Zapper mobile app to effortlessly scan the on-screen QR Code. For users accessing the store from a mobile device, the QR Code is seamlessly replaced with a deep-link button, ensuring a smooth transition to the Zapper application.

3. However, if the user prefers to use their credit or debit card for payment, they can now opt for the new card payment option. This straightforward method allows users to directly input their card details and complete the payment process right on the spot.

4. Once the payment is successfully processed – whether through QR code scanning or card payment – users will receive a confirmation in the form of a checkmark symbol. With this assurance of payment, they will then be seamlessly redirected back to the store's default payment confirmation page.

Zapper Payment Gateway - Desktop Card Payment

Zapper Payment Gateway - Desktop QR Payment

Zapper Payment Gateway - Desktop Success

Zapper Payment Gateway - Mobile Payment Methods

Zapper Payment Gateway - Mobile Card Payment

The order on the merchants store will automatically be updated with payment complete.