Paylink API
CityPay Paylink makes online e-commerce easier to implement by providing a hosted form to handle the card payment process directly with the cardholder's browser, allowing you to concentrate on your business whilst allowing CityPay to manage the payment process on your behalf.
- Simplified payment solutions.
- Payment processing is handled by our secure web servers, adding security and confidence to your shoppers.
- 3D-Secure authentication is available within the application without any difficult MPI integration, allowing for immediate Verified by Visa and MasterCard SecureCode processing.
- Customisation may be performed on the secure payment form.
- Significantly reduced technical and financial overheads associated with software implementation and PCI compliance.
- Reduced time-to-market.
Marks a Paylink Token as cancelled. This cancels the Token for any future request for processing.
Response
{
"code":"1201",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Token Cancelled",
"token":"1234567890"
}
Marks a Paylink Token as closed. This closes the Token for any future action and the Token will not appear in any status request calls.
Response
{
"code":"1201",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Token closed",
"token":"1234567890"
}
CityPay Paylink supports invoice and bill payment services by allowing merchants to raise an invoice in their systems and associate the invoice with a Paylink checkout token. CityPay will co-ordinate the checkout flow in relationship with your customer. Our bill payment solution may be used to streamline the payment flow with cardholders to allow your invoice to be paid promptly and via multiple payment channels such as Card Payment, Apple Pay or Google Pay.
The bill payment service allows:
- setting up notification paths to an end customer, such as SMS or Email
- enabling attachments to be included with Paylink tokens
- producing chaser notifications for unpaid invoices
- providing callbacks for notification of the payment of an invoice
- supporting part payments against an invoice
- supporting field guards to protect the payment screen
- supporting status reporting on tokens
- URL short codes for SMS notifications
Notification Paths
Notification paths can be provided which identify the channels for communication of the invoice availability. Up to 3 notification paths may be provided per request.
Each notification uses a template to generate the body of the message. This allows for variable text to be sent out and customised for each call.
SMS messages use URL Short Codes (USC) as a payment link to the invoice payment page. This allows a standard payment URL to be shortened for optimised usage in SMS. For instance, a URL of https://checkout.citypay.com/PL1234/s348yb8yna4a48n2f8nq2f3msgyng-psn348ynaw8ynaw/en becomes citypay.com/Za48na3x. Each USC is unique; however, it is a requirement that each USC generated is protected with Field Guards to ensure that sensitive data (such as customer contact details and GDPR) is protected.
To send a notification path, append a notification-path property to the request.
{
"sms_notification_path": {
"to": "+441534884000"
},
"email_notification_path": {
"to": ["help-desk@citypay.com"],
"cc": ["third-party@citypay.com"],
"reply_to": ["help@my-company.com"]
}
}
Notification paths trigger a number of events which are stored as part of the timeline of events of a Paylink token:
- BillPaymentSmsNotificationQueued - identifies when an SMS notification has been queued for delivery
- BillPaymentSmsNotificationSent - identifies when an SMS notification has been sent to the upstream network
- BillPaymentSmsNotificationDelivered - identifies when an SMS notification has been delivered as notified by the upstream network
- BillPaymentSmsNotificationUndelivered - identifies when an undelivered notification for an SMS has been provided by the upstream network
- BillPaymentSmsNotificationFailure - identifies when an SMS notification has failed
- BillPaymentEmailNotificationQueued - identifies when an email notification has been queued for delivery
- BillPaymentEmailNotificationSent - identifies when an email notification has been accepted by our SMS forwarder
- BillPaymentEmailNotificationFailure - identifies when an email notification has failed delivery
SMS Notification Path
SMS messages originate from a CityPay pool of numbers and by default are only sent to country codes where the service is registered.
SMSs may contain a From field which is configured as part of your onboarding and has a name associated with it to identify the service origin. For example, if your business is titled Health Surgery Ltd, the SMS may be sent to originate from Health Surgery.
SMS is also configured for a "polite mode". This mode ensures that SMSs aren't sent in the middle of the night when backend services ordinarily run. SMSs will be queued until the time range is deemed as polite. Normally this is between 8am and 9pm.
Field | Type | Usage | Description |
---|---|---|---|
template | string | Reserved | An optional template name to use a template other than the default. |
to | string | Reserved | The phone number in E.164 format to send the message to. |
Email Notification Paths
Field | Type | Usage | Description |
---|---|---|---|
template | string | Reserved | An optional template name to use a template other than the default. |
to | string[] | Required | An array of email addresses to be used for delivery. A maximum of 5 addresses can be added. |
cc | string[] | Required | An array of email addresses to be used for cc delivery. A maximum of 5 addresses can be added. |
bcc | string[] | Required | An array of email addresses to be used for bcc delivery. A maximum of 5 addresses can be added. |
reply_to | string[] | Required | An array of email addresses to be used for the Reply-To header of an email. |
Field Guards
To ensure that invoices are paid by the intended recipient, Paylink supports the addition of Field Guards.
A Field Guard is an intended field which is to be used as a form of guarded authentication. More than 1 field can be requested.
To determine the source value of the field, each field name is searched in the order of
- identifier
- cardholder data such as name
- custom parameters
- pass through data
If no field values are found, the token request returns a D041 validation error.
Authentication and Validation
When values are entered by the user, the comparison is performed as follows:
- Both the source value and the entered value are transliterated. For example, names with accents are reduced to their unaccented form (e.g. é will become e)
- Only alphanumeric values are retained; any whitespace or special characters are ignored
- Case is ignored
Should all values match, the user is authenticated and can continue to the payment form rendered by the Paylink server.
On successful login, an event will be added to include that the access guard validated access.
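The comparison rules above, sketched as an added example (not CityPay's code) so you can predict which customer entries will pass a guard before choosing guard fields. The function names are hypothetical, and NFKD decomposition is an assumed stand-in for Paylink's transliteration step.

```python
import hmac
import unicodedata


def normalise_guard_value(value: str) -> str:
    """Apply the three documented steps: transliterate, keep alphanumerics, ignore case."""
    # NFKD splits an accented letter into base letter + combining mark; encoding
    # to ASCII with errors="ignore" then drops the mark (é -> e).
    # Assumption: letters with no ASCII decomposition (e.g. ø) are simply dropped
    # here and may be treated differently by the real service.
    decomposed = unicodedata.normalize("NFKD", value)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return "".join(ch for ch in ascii_only if ch.isalnum()).casefold()


def guard_matches(source: dict, entered: dict) -> bool:
    """Every guarded field must match; an empty normalised value never matches."""
    ok = True
    for field, expected in source.items():
        want = normalise_guard_value(expected)
        got = normalise_guard_value(entered.get(field, ""))
        # compare_digest keeps the comparison time independent of where the
        # values first differ; all fields are checked, with no early exit.
        same = hmac.compare_digest(want.encode(), got.encode())
        ok &= bool(want) and same
    return ok


# Constructed sample data: invoice-side values and what a customer might type.
SOURCE = {"name": "José O'Neil", "postcode": "JE2 3QA"}
if __name__ == "__main__":
    print(guard_matches(SOURCE, {"name": "jose oneil", "postcode": "je23qa"}))
    print(guard_matches(SOURCE, {"name": "jose oneil", "postcode": "JE2 3QB"}))
```

Because punctuation, spacing and case are discarded, short or low-entropy guard values (initials, a two-digit reference) collapse to very few distinct strings, so prefer fields that stay distinctive after normalisation.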
Access-Key
To ensure that a user does not need to re-enter these values multiple times, a cookie is pushed to the user’s browser with an access-key digest value. This value will be presented to the server on each refresh therefore allowing the guard to accept the call. Each value is uniquely stored per merchant account and cannot be shared cross merchant. The lifetime of the cookie is set to 24 hours.
Brute Force Prevention
To prevent brute force attacks made through repeated calls to the server, the login process
- is fronted by a contemporary web application firewall
- creates an event for each token when access was denied
- should the number of failed events breach more than 5 in 30 minutes, the token is locked for an hour
- should the number of events breach more than 20 the token is fully locked
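The lock thresholds above, modelled as an added example (not CityPay's implementation) for a merchant reviewing the denied-access events on a token's timeline. It assumes "more than 5 in 30 minutes" means a trailing 30-minute window, that the one-hour lock runs from the event that breached it, and that the 20-event limit counts all failures on the token; `guard_state` is a hypothetical name.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
LOCK_FOR = timedelta(hours=1)
WINDOW_LIMIT = 5   # more than 5 failures in 30 minutes -> locked for an hour
TOTAL_LIMIT = 20   # more than 20 failures -> fully locked


def guard_state(failures, now):
    """Return 'open', 'locked' or 'fully_locked' for a token at time `now`.

    failures: datetimes of denied-access events taken from the token timeline.
    """
    past = sorted(t for t in failures if t <= now)
    if len(past) > TOTAL_LIMIT:
        return "fully_locked"
    locked_until = None
    start = 0
    for i, t in enumerate(past):
        # Slide the window start forward so past[start..i] all fall within
        # the 30 minutes ending at t.
        while t - past[start] > WINDOW:
            start += 1
        if i - start + 1 > WINDOW_LIMIT:
            locked_until = t + LOCK_FOR  # the latest breach extends the lock
    if locked_until is not None and now < locked_until:
        return "locked"
    return "open"


# Constructed timeline: six failures, four minutes apart, starting 10:00.
BASE = datetime(2024, 12, 2, 10, 0)
BURST = [BASE + timedelta(minutes=4 * n) for n in range(6)]
if __name__ == "__main__":
    print(guard_state(BURST, BASE + timedelta(minutes=30)))  # inside the lock
    print(guard_state(BURST, BASE + timedelta(minutes=90)))  # lock has expired
```

A token that reaches 'locked' repeatedly, or 'fully_locked' at all, is worth alerting on, since it indicates guessing against the guard values rather than a customer mistyping.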
Attachments
Attachments can be included in the request in 2 ways
- Via a data element direct in the request
- Via a URL upload to a provided pre-signed URL
The choice of option depends on the size of the attachments. Should the attachment size be greater than 32kb, a URL upload is required. Small attachments can be included in the JSON request. This is to prevent our web firewall from blocking your request and also to ensure efficiency of larger file uploads.
There is a maximum of 3 attachments that can be added to a request.
[{
"filename": "invoice1.pdf",
"mime-type": "application/pdf"
},{
"filename": "invoice2.pdf",
"data": "b4sE64Enc0dEd...=",
"mime-type": "application/pdf"
}]
Field | Type | Usage | Description |
---|---|---|---|
filename | string | Required | The name of the attachment normally taken from the filename. You should not include the filename path as appropriate |
data | string | Optional | base64 encoding of the file if less than 32kb in size |
mime-type | string | Required | The mime type of the attachment as defined in RFC 9110. Currently only application/pdf is supported |
Attachment Result
The result of an attachment specifies whether the attachment was successfully added or whether a further upload is required.
Field | Type | Usage | Description |
---|---|---|---|
result | string | Required | OK should the file have uploaded or UPLOAD if the file is required to be uploaded. |
name | string | Required | The filename that was specified in the upload process |
url | string | Optional | Should an upload be required, this URL is available for an upload to be issued. The URL is only available for uploads for 24 hours from creation. |
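A merchant-side sketch of the attachment rules and the attachment result handling described above, added here as an example and not taken from CityPay's SDK. The function names are hypothetical, "32kb" is read as 32 KiB of raw file bytes, and the PDF header and HTTPS checks are added safeguards, not documented requirements.

```python
import base64
import re

INLINE_LIMIT = 32 * 1024      # assumption: "32kb" means 32 KiB before base64
MAX_ATTACHMENTS = 3
PDF_MIME = "application/pdf"  # the only mime-type the page lists as supported


def build_attachments(files):
    """files: list of (path, bytes). Returns the JSON-ready attachments array."""
    if len(files) > MAX_ATTACHMENTS:
        raise ValueError(f"at most {MAX_ATTACHMENTS} attachments per request")
    entries = []
    for path, content in files:
        # Send the bare filename only: strip POSIX and Windows directories so
        # local paths are not disclosed in the request.
        name = re.split(r"[\\/]", path)[-1]
        if not name:
            raise ValueError(f"no filename in {path!r}")
        # Added sanity check: a PDF file starts with the bytes %PDF-.
        if not content.startswith(b"%PDF-"):
            raise ValueError(f"{name} is not a PDF")
        entry = {"filename": name, "mime-type": PDF_MIME}
        if len(content) < INLINE_LIMIT:
            entry["data"] = base64.b64encode(content).decode("ascii")
        # Larger files carry no data element and are uploaded to the returned URL.
        entries.append(entry)
    return entries


def pending_uploads(results):
    """Map filename -> pre-signed URL for every attachment result marked UPLOAD."""
    pending = {}
    for r in results:
        if r["result"] == "UPLOAD":
            url = r.get("url", "")
            # Added check: never push invoice data to a non-HTTPS location.
            if not url.startswith("https://"):
                raise ValueError(f"unexpected upload URL for {r['name']}")
            pending[r["name"]] = url
    return pending
```

Uploads should be completed promptly, since the page states the pre-signed URL only accepts uploads for 24 hours from creation.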
Request
{
"addressee":"Jack Sparrow",
"attachments":{},
"descriptor":"",
"due":"2024-12-02",
"email_notification_path":{},
"memo":"Invoice #12345",
"request":{},
"sms_notification_path":{}
}
Response
{
"date_created":"2024-12-02T10:38:07Z",
"errors":{
"code":"001",
"msg":"An example error response"
},
"id":"00000000-0000-0000-0000-000000000000",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"mode":"test",
"qrcode":"https://payments.citypay.com/AAAAAAA/AAAZZZCCCDDDEEE/qrcode",
"result":0,
"server_version":"x.x.x",
"source":"x.x.x.x",
"token":"AAAZZZCCCDDDEEE",
"url":"https://payments.citypay.com/AAAAAAA/AAAZZZCCCDDDEEE"
}
Creates a Paylink token from the CityPay API.
Request
{
"amount":677,
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"merchantid":11223344
}
Response
{
"date_created":"2024-12-02T10:38:07Z",
"errors":{
"code":"001",
"msg":"An example error response"
},
"id":"00000000-0000-0000-0000-000000000000",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"mode":"test",
"qrcode":"https://payments.citypay.com/AAAAAAA/AAAZZZCCCDDDEEE/qrcode",
"result":0,
"server_version":"x.x.x",
"source":"x.x.x.x",
"token":"AAAZZZCCCDDDEEE",
"url":"https://payments.citypay.com/AAAAAAA/AAAZZZCCCDDDEEE"
}
Adjusts a TokenRequest's amount value when, for instance,
- a Token is created and the shopping cart is updated
- an invoice is adjusted either due to part payment or due to increased incurred costs.
Request
{
"amount":19995,
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"reason":""
}
Response
{
"code":"701",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Amount changed to 199.95",
"token":"1234567890"
}
Allows for the changes to a pre-existing token.
Request
{
"after":"2024-12-02T10:38:07Z",
"maxResults":50,
"merchantid":11223344,
"nextToken":"n34liuwn435tUAGFNg34yn...",
"orderBy":"date"
}
Response
{
"count":25,
"maxResults":50,
"nextToken":"n34liuwn435tUAGFNg34yn...",
"tokens":[
{
"amount_paid":1186,
"auth_code":"",
"card":"Visa/0002",
"created":"2024-12-02T10:38:07Z",
"datetime":"2024-12-02T10:38:07Z",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"is_attachment":false,
"is_cancelled":false,
"is_closed":true,
"is_customer_receipt_email_sent":false,
"is_email_sent":false,
"is_expired":false,
"is_form_viewed":false,
"is_merchant_notification_email_sent":true,
"is_open_for_payment":false,
"is_paid":true,
"is_payment_attempted":false,
"is_postback_ok":true,
"is_request_challenged":false,
"is_sms_sent":true,
"is_validated":true,
"last_event_date_time":"2024-12-02T10:38:07Z",
"last_payment_result":"",
"mid":11223344,
"payment_attempts_count":2408,
"state_history":[
{
"datetime":"2024-12-02T10:38:07Z",
"message":"message on this state",
"state":"FormInput"
}
],
"token":"",
"trans_no":885
}
]
}
Obtains the full status of a given Paylink Token.
Response
{
"amount_paid":1186,
"auth_code":"",
"card":"Visa/0002",
"created":"2024-12-02T10:38:07Z",
"datetime":"2024-12-02T10:38:07Z",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"is_attachment":false,
"is_cancelled":false,
"is_closed":true,
"is_customer_receipt_email_sent":false,
"is_email_sent":false,
"is_expired":false,
"is_form_viewed":false,
"is_merchant_notification_email_sent":true,
"is_open_for_payment":false,
"is_paid":true,
"is_payment_attempted":false,
"is_postback_ok":true,
"is_request_challenged":false,
"is_sms_sent":true,
"is_validated":true,
"last_event_date_time":"2024-12-02T10:38:07Z",
"last_payment_result":"",
"mid":11223344,
"payment_attempts_count":2408,
"state_history":[
{
"datetime":"2024-12-02T10:38:07Z",
"message":"message on this state",
"state":"FormInput"
}
],
"token":"",
"trans_no":885
}
Purges any attachments for a token for GDPR or DP reasons.
Response
{
"code":"1204",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Purged 1 attachment",
"token":"1234567890"
}
Marks a Paylink Token as reconciled when reconciliation is performed on the merchant's side.
Response
{
"code":"1202",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Token Reconciled",
"token":"1234567890"
}
Allows for a Paylink Token to be reopened if a Token has been previously closed and payment has not yet been made.
Response
{
"code":"1203",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Token Reopened",
"token":"1234567890"
}
Resends a notification for a Paylink Token.
Request
{
"email":false,
"sms":true
}
Response
{
"code":"1207",
"context":"aspiu352908ns47n343598bads",
"identifier":"95b857a1-5955-4b86-963c-5a6dbfc4fb95",
"message":"Queued Email",
"token":"1234567890"
}