# Hosted Payment Page ## Overview Zapper Hosted Payment Page is a quick set-up, PCI DSS compliant service that enables customers to complete transactions on a secure payment page hosted by Zapper. ## How it works {% hint style="info" %} All encryption is handled internally and cardholder data will not be transmitted between Zapper and the merchant sites. {% endhint %} 1. **Create Session and Receive RedirectUrl** The merchant initiates the payment process by [creating a session](#create-a-new-session) using Zapper's API. The merchant receives a redirectUrl, which is used to redirect user to the Hosted Payment Page for payment processing. 2. **Redirect User to Zapper's Hosted Payment Page** The merchant is required to redirect the user to the Hosted Payment Page, where they are presented with payment options, such as QR code or card payment. 3. **User Completes the Payment** The user completes the payment process on the Hosted Payment Page. 4. **Zapper Notifies Merchant via Webhook** After payment, Zapper sends a [payment notification](#payment-notification-webhook-model) to the merchant's notificationUrl (provided by the merchant when the session is created). The merchant is required to implement a webhook endpoint to receive these payment notifications. It is recommended that the merchant[ validate the signature](#validate-the-signature). 5. **Zapper Redirects User Back to Merchant's Store** Upon completing the payment process, Zapper redirects the user back to the merchant's store. **Integration Workflow**
## API Reference ## Create a new session `POST` `https://gateway.zapper.com/api/v3.1/sessions` #### Headers | Name | Type | Description | | ------------------------------------------------ | ------ | --------------------------- | | merchantId\* | String | The Zapper merchant ID | | merchantSiteId\* | String | The Zapper merchant site ID | #### Request Body | Name | Type | Description | | ------------------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | requestId\* | String | The unique identifier for a given request. | | merchantOrderId\* | String | The identifier or reference of the order generated by the merchant. It provides a way to link the session to a specific order or transaction within the merchant's system. | | amount\* | Integer | The total value of the transaction in the smallest unit of the currency specified (eg in cents). | | currencyISOCode\* | String | The 3 letter currency code as per ISO 4217. Currently only 'ZAR' is supported. | | notificationUrl\* | String | [Payment notifications](#payment-notification-webhook-model) are sent to the provided notificationUrl. | | returnUrl\* | String | On completing a successful payment, the user is redirected to the provided returnUrl. | | cancelUrl\* | String | On clicking the back-to-store button, the user is redirected to the cancelUrl. | | origin\* | String | The site or domain that the request originated from. | | siteName | String | The name or identifier of the site associated with the request. | | customFields | Array | Additional information that is needed by the merchant in the payment details. See the model below. | {% tabs %} {% tab title="200: OK OK" %} 
{
    "sessionId": "9a1e2b26-d9c3-4b2a-9fe1-e6a3cd97af06",
    "redirectUrl": "https://zapper.zmsa-tech.com/pay?sessionId={guid}",
    "status": "Success",
    "errors": []
}
{% endtab %} {% tab title="400: Bad Request Bad Request" %} ```json { "status": "Bad Request", "errors": ["Message": "Bad Request"] } ``` {% endtab %} {% tab title="403: Forbidden Forbidden" %} 
{
    "status": "Forbidden",
    "errors": ["Message": "Forbidden"]
}
{% endtab %} {% tab title="500: Internal Server Error Internal Server Error" %} ```json { "status": "Internal Server Error", "errors": ["Message": "Internal Server Error"] } ``` {% endtab %} {% endtabs %} #### Create Session Request Example: ```javascript curl --location 'https://gateway.zapper.com/api/v3.1/sessions' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --header 'merchantId: 1234' \ --header 'merchantSiteId: 1234' \ --header 'x-api-key: cb67xxxxxx0546f68806b62a36xxxxxx' \ --data '{ "merchantOrderId": "c93d99c8-20e1-4fc6-95b8-10d50eb9a90e", "amount": 1000, "currencyISOCode": "ZAR", "notificationUrl": "https://merchantstore.com/somePaymentNotificationPath", "returnUrl": "https://merchantstore.com/someReturnPath", "cancelUrl": "https://merchantstore.com/someCancelPath", "requestId": "ad7234d5-4e6b-4acf-8e29-451c056b2bdc", "origin": "https://merchantstore.com", "customFields":[ { "key": "FieldLabel", "value": "FieldValue" } ] }' ``` ## Get payments by sessionId `GET` `https://gateway.zapper.com/api/v3.1/payments` #### Query Parameters | Name | Type | Description | | ------------------------------------------- | ------ | ----------------------------------------------- | | sessionId\* | String | The unique identifier for the ecommerce session | #### Headers | Name | Type | Description | | ------------------------------------------------ | ------ | --------------------------- | | merchantSiteId\* | String | The Zapper Merchant Site ID | | merchantId\* | String | The Zapper Merchant ID | {% tabs %} {% tab title="200: OK OK" %} ```json { "status": "Success", "errors": [], "merchantOrderId": "dea3d7a0-5e11-497a-8fa8-c3987623bce4", "paymentReference": "NN7WE7WXXDNR4925PW", "amount": 500, "currencyISOCode": "ZAR", "paymentStatus": "Failed", "userMessage": "Declined", "sessionId": "9a1e2b26-d9c3-4b2a-9fe1-e6a3cd97af06", "paymentUTCDate": "2023-06-20T12:29:11.6664948Z" } ``` {% endtab %} {% tab title="400: Bad Request Bad Request" %} ```json { "status": "Bad Request", "errors": ["Message": "Bad Request"] } ``` {% endtab %} {% tab title="403: Forbidden Forbidden" %} ```json { "status": "Forbidden", "errors": ["Message": "Forbidden"] } ``` {% endtab %} {% tab title="404: Not Found Not Found" %} ```json { "status": "Not Found", "errors": ["Message": "Not Found"] } ``` {% endtab %} {% tab title="500: Internal Server Error Unexpected Error" %} ```json { "status": "Success", "errors": [] } ``` {% endtab %} {% endtabs %} #### Get Payments by SessionId Request Example: ```javascript curl --location 'https://gateway.zapper.com/api/v3.1/payments?sessionId=20908573-a1ea-412d-8a25-26e48e58c548' \ --header 'Accept: application/json' \ --header 'merchantId: 8712' \ --header 'merchantSiteId: 8727' \ --header 'x-api-key: cb67xxxxxx0546f68806b62a36xxxxxx' ``` ## Get payment by paymentReference `GET` `https://gateway.zapper.com/api/v3.1/payments/{paymentReference}` #### Path Parameters | Name | Type | Description | | -------------------------------------------------- | ------ | ------------------------------------ | | paymentReference\* | String | The unique identifier of the payment | #### Headers | Name | Type | Description | | ------------------------------------------------ | ------ | --------------------------- | | merchantId\* | String | The Zapper Merchant ID | | merchantSiteId\* | String | The Zapper Merchant Site ID | {% tabs %} {% tab title="200: OK OK" %} ```json { "status": "Success", "errors": [], "merchantOrderId": "dea3d7a0-5e11-497a-8fa8-c3987623bce4", "paymentReference": "NN7WE7WXXDNR4925PW", "amount": 500, "currencyISOCode": "ZAR", "paymentStatus": "Failed", "userMessage": "Declined", "sessionId": "9a1e2b26-d9c3-4b2a-9fe1-e6a3cd97af06", "paymentUTCDate": "2023-06-20T12:29:11.6664948Z" } ``` {% endtab %} {% tab title="400: Bad Request Bad Request" %} ```json { "status": "Success", "errors": [] } ``` {% endtab %} {% tab title="403: Forbidden Forbidden" %} ```json { "status": "Success", "errors": [] } ``` {% endtab %} {% tab title="404: Not Found Not Found" %} ```json { "status": "Success", "errors": [] } ``` {% endtab %} {% tab title="500: Internal Server Error Unexpected Error" %} ```json { "status": "Success", "errors": [] } ``` {% endtab %} {% endtabs %} #### Get Payments by PaymentReference Request Example: ```javascript curl --location 'https://gateway.zapper.com/api/v3.1/payments/XZR8K9QKWVYE2E159L' \ --header 'Accept: application/json' \ --header 'merchantId: 8712' \ --header 'merchantSiteId: 8727' \ --header 'x-api-key: cb67xxxxxx0546f68806b62a36xxxxxx' ``` ## Models ### Payment Notification Webhook Model
FieldDataTypeDescription
signaturestringThe signature property represents a cryptographic value or digital signature associated with a payment notification webhook.
sessionIdstringThe unique identifier for the sessionreference
amountintegerThe total value of the transaction in the smallest unit of the currency specified (eg in cents)
currencyISOCodestringThe 3 letter currency code as per ISO 4217. Currently only 'ZAR' is supported.
merchantOrderIdstringThe identifier or reference of the order generated by the merchant. It provides a way to link the session to a specific order or transaction within the merchant's system.
paymentReferencestringA unique identifier assigned to a specific payment.
paymentStatusPaymentStatusThe status or outcome of a payment transaction
userMessagestringA user friendly message. Only populated when paymentStatus is not 'Success'.
paymentUTCDatestringThe UTC date and time of the payment.
statusResponseStatusThe API response status. A response other than 'Success' indicates that there was an error on the API level (such as request validation, or errors interpreting the gateway response). Refer to the 'errors' list for more information.
errorsErrorThe list of errors if the status is not 'Success'.
### PaymentStatus
ValueTypeDescription
ValueTypeDescription
1stringSuccess
2stringFailed
### ResponseStatus
ValueTypeDescription
ValueTypeDescription
1stringSuccess
2stringBadRequest
3stringNotFound
4stringUnauthorized
5stringInternalServer
### Error
ValueTypeDescription
ValueTypeDescription
messagestringA human readable error message
### Custom Fields Additional information that is needed by the merchant in the payment details.
FieldDatatypeRequiredDescription
keyStringYesLabel or Title of the additional custom field
valueStringYesValue of the additional custom field
## Signature Validation To ensure the authenticity and integrity of the payment notification data, validating the signature is recommended. **V3.1 -** The PaymentNotificationWebhook is used along with the **Merchant Site API Key** when creating a SHA256 signature hash.
**V3 -** The PaymentNotificationWebhook is used along with the **Merchant API Key** when creating a SHA256 signature hash.
The following are an examples of signature validation: **C#** ```csharp private bool IsSignatureValid(string signature, ZapperEcomAPIV3Client.PaymentNotificationWebhook paymentNotificationWebhook, string x-api-key) { string signatureInput = $"{x-api-key}|{paymentNotificationWebhook.SessionId}|{paymentNotificationWebhook.Amount}|{paymentNotificationWebhook.CurrencyISOCode}|{paymentNotificationWebhook.MerchantOrderId}|{paymentNotificationWebhook.PaymentReference}|{paymentNotificationWebhook.paymentStatus}|{paymentNotificationWebhook.PaymentUTCDate}|{paymentNotificationWebhook.UserMessage}"; using (SHA256 sha = SHA256.Create()) { byte[] hashBytes = sha.ComputeHash(Encoding.UTF8.GetBytes(signatureInput)); StringBuilder builder = new StringBuilder(); foreach (byte b in hashBytes) { builder.Append(b.ToString("x2")); } string generatedSignature = builder.ToString(); return generatedSignature.Equals(signature, StringComparison.OrdinalIgnoreCase); } } ``` **JavaScript:** ```javascript const crypto = require('crypto'); function isSignatureValid(signature, paymentNotificationWebhook, x-api-key) { const signatureInput = `${x-api-key}|${paymentNotificationWebhook.sessionId}|${paymentNotificationWebhook.amount}|${paymentNotificationWebhook.currencyISOCode}|${paymentNotificationWebhook.merchantOrderId}|${paymentNotificationWebhook.paymentReference}|${paymentNotificationWebhook.paymentStatus}|${paymentNotificationWebhook.paymentUTCDate}|${paymentNotificationWebhook.userMessage || ""}`; const generatedSignature = sha256Hash(signatureInput); return generatedSignature.toLowerCase() === signature.toLowerCase(); } function sha256Hash(value) { const hash = crypto.createHash('sha256'); const hashBytes = hash.update(value, 'utf-8').digest(); return hashBytes.toString('hex'); } ``` **Java:** ```java private static boolean isSignatureValid(String signature, PaymentNotificationWebhook paymentNotificationWebhook, String x-api-key) { String signatureInput = x-api-key + "|" + paymentNotificationWebhook.getSessionId() + "|" + paymentNotificationWebhook.getAmount() + "|" + paymentNotificationWebhook.getCurrencyISOCode() + "|" + paymentNotificationWebhook.getMerchantOrderId() + "|" + paymentNotificationWebhook.getPaymentReference() + "|" + paymentNotificationWebhook.getPaymentStatus() + "|" + paymentNotificationWebhook.getPaymentUTCDate() + "|" + paymentNotificationWebhook.getUserMessage(); String generatedSignature = sha256Hash(signatureInput); return generatedSignature.equalsIgnoreCase(signature); } private static String sha256Hash(String value) { MessageDigest digest = MessageDigest.getInstance("SHA-256"); byte[] hashBytes = digest.digest(value.getBytes(StandardCharsets.UTF_8)); StringBuilder builder = new StringBuilder(); for (byte b : hashBytes) { builder.append(String.format("%02x", b)); } return builder.toString(); } ``` **Payments:**\ \ The payment process is as follows: 1. When the user selects the Zapper payment option on checkout and proceeds to finalize their order, they will be presented with Zapper Hosted Payment page. 2. If the user prefers the familiar convenience of our dynamic QR code solution, they can proceed by using the Zapper mobile app to effortlessly scan the on-screen QR Code. For users accessing the store from a mobile device, the QR Code is seamlessly replaced with a deep-link button, ensuring a smooth transition to the Zapper application. 3. However, if the user prefers to use their credit or debit card for payment, they can now opt for the new card payment option. This straightforward method allows users to directly input their card details and complete the payment process right on the spot. 4. Once the payment is successfully processed – whether through QR code scanning or card payment – users will receive a confirmation in the form of a checkmark symbol. With this assurance of payment, they will then be seamlessly redirected back to the store's default payment confirmation page.

Zapper Payment Gateway - Desktop Card Payment

Zapper Payment Gateway - Desktop QR Payment

Zapper Payment Gateway - Desktop Success

Zapper Payment Gateway - Mobile Payment Methods

Zapper Payment Gateway - Mobile Card Payment

{% hint style="info" %} The order on the merchants store will automatically be updated with payment complete. {% endhint %}