Payments API Overview
Accept credit and debit card payments through WiPay's Hosted Payment Pages
Payments API
The WiPay Payments API (also known as the Plugins Payment Request API) enables merchants to accept credit and debit card payments through WiPay's secure Hosted Payment Pages. Rather than handling card data directly, your application redirects customers to WiPay's hosted checkout where they securely enter their payment credentials.
How It Works
- Your application sends a
POSTrequest to the Payments API with transaction details - The API returns a URL to WiPay's Hosted Payment Page (or redirects directly for HTML form submissions)
- The customer enters their card details on the secure Hosted Payment Page
- After payment, the customer is redirected to your
response_urlwith transaction result parameters appended as a query string
This hosted-checkout model is also reused by WAPI Trusted Card flows. See Hosted Checkout Flows for the shared behavior.
Prerequisites
See Getting Started for the canonical Payments API prerequisites, including verified business-account requirements, live and sandbox credentials, and server-side hash-verification expectations.
Endpoint
POST https://{country_code}.wipayfinancial.com/plugins/payments/requestSee Platforms and Environments for live and sandbox base URLs and Payment Request for full endpoint details.
Request Identification
The Payments API does not require any form of authentication header or token. Requests are identified by the account_number parameter — your WiPay account number linked to a verified WiPay BUSINESS Account.
- Sandbox: Use
account_number=1234567890for testing - Live: Use the account number from your verified WiPay BUSINESS Account
The sandbox API Key for response-hash verification is 123.
Response Verification
While the request endpoint has no authentication gate, you must always verify the transaction response using the response hash. This is the critical security mechanism that ensures the response has not been tampered with.
After a successful transaction, the response includes a hash parameter that you must validate on your server before fulfilling any order. Use the original total from the Payments API request, not the customer-facing total value returned in the response parameters, when validating that response hash. See Transaction Response for the current calculation and validation details.
Response Formats
The API supports two response modes: Web Redirect (HTML form submission redirects directly to checkout) and JSON Response (Accept: application/json returns a JSON bootstrap with the checkout url). See Payment Request — Responses for details.
Definitions
| Term | Description |
|---|---|
| 3DS | 3-Domain Secure — an additional layer of security for online card transactions |
| API Key | A unique string generated by WiPay for your BUSINESS Account, used as a private key for response-hash verification |
| AVS | Address Verification System — validates the cardholder's billing address |
| CVV | Card Verification Value — the 3 or 4 digit security code on the card |
| Hash | The response hash returned for successful transaction verification |
| Payee | The merchant receiving payment (your WiPay BUSINESS Account) |
| Payor | The customer making the payment |
API Collection
Download the Payments API collection for API testing. The Bruno collection is the canonical source; the Postman export is auto-generated from it.
Next Steps
- Payment Request — Full API endpoint reference with all parameters
- Transaction Response — Understanding response parameters
- Testing — Test cards and sandbox environment
- Examples — HTML, PHP, and JavaScript code examples