Download OpenAPI specification:
Throughout this document the following terms are used:
The Yapstone Hosted Payments API allows a merchant to redirect the paying customer to a Yapstone-hosted payment page to collect payment information. The API also allows the merchant to receive notifications of payment events. The workflow is as as follows:
The Yapstone Hosted Payments API is REST based and uses the JSON format for requests and responses. The API uses standard HTTP status codes to indicate the success or failure of an API request.
Following is a list of Http Status codes that could be returned by the platform
| Status Code | Description |
| -----------------------| -------------------------------------------------------------------------------------|
| 200 OK | The request was successfully processed and usually returns a json response |
| 204 OK | The request was successfully processed and no content is returned |
| 400 Bad Request | The request is invalid and should be fixed before retrying |
| 401 Unauthorized | Authentication has failed |
| 404 Not Found | The resource was not found |
| 5xx Server Error | Platform internal error (should rarely happen) |
The Yapstone Hosted Payments API uses webhooks to notify the merchant of payment events.
The merchant can configure the URL of their webhook endpoint when they create an order using the create order API.
The Yapstone Hosted Payments API will send a POST request to the merchant webhook endpoint when a payment event occurs. The request will contain a JSON payload with information about the payment event.
You must include a shared secret when creating a webhook
The platform will use the secret as the key when generating a signature
The signature is a HMAC hex digest using the sha256 hash function and the secret as the HMAC key
The message is the payload of the webhook
The signature is included in the request header as Webhook-Signature
The merchant should verify the signature by generating a signature using the same secret and comparing it to the signature in the request header
If the signatures match, the request is valid and can be processed
An example of how to verify the signature in Node.js is shown below:
const crypto = require('crypto');
// The payload in the webhook
const payload = {
"eventDate" : "2024-04-02T10:28:09.363847Z",
"orderId" : "7dbc18a6-63ce-4ffe-afbe-becdb271bfa4",
"orderStatus" : "ACTIVE",
"paymentType" : "CARD",
"paymentAmount" : {
"value" : 2141,
"currency" : "USD"
},
"referenceNumber" : "1pGh5LJRa2Go9LprMj9f",
"billingAddress" : {
"line1" : "34 High Lane",
"city" : "BOSTON",
"countyOrProvince" : "MA",
"zipOrPostcode" : "02114-3411",
"country" : "US"
}
};
// Secret key
const secretKey = '<The signingKey provided when creating the order>';
// Convert JSON payload to a string
const payloadString = JSON.stringify(payload);
// Generate SHA-256 HMAC signature
const signature = crypto.createHmac('sha256', secretKey)
.update(payloadString)
.digest('hex');
console.log("SHA-256 Signature:", signature);
The platform will retry sending the webhook with an exponential backoff for up to 48 hours if the merchant server does not respond with a 2xx status code
The platform supports idempotency for the following APIs:
The idempotency key is a unique identifier for the request that is provided by the merchant.
It is included in the request header as Idempotency-Key.
The key can be any string value and should be unique for each request. It is recommended to use a UUID.
The platform will return the same response for the same request if the same idempotency key is used
| Webhook-Signature required | string Example: 01HMHCZWVWY12CG36D64CEPRCD The signature of the request This is a HMAC-SHA256 hash of the request body, signed with the signing key provided in the webhook details. |
Webhook Notification
| eventDate required | string <date-time> The date-time timestamp the event occurred in UTC |
| eventType required | string The event that is causing this notification Can be one of [ORDER_CANCELLED, ORDER_TIMEOUT, ORDER_APPROVED, PAYMENT_DECLINED, PAYMENT_FAILED] |
| orderId required | string <uuid> The id of the Order |
| paymentId | string <uuid> The id of the payment, if any. If this event is related to a payment attempt, this value will be supplied. |
| currentPaymentAttempt | integer The current payment (payment attempt) number, if this event was caused by a payment attempt. If an Order times out, this will be null. |
| maxPaymentAttempts required | integer The maximum number of payment attempts allowed for the Order. |
| paymentType required | string The payment type Can be one of [CARD, ACH] |
object (AdditionalPaymentInformation) Additional Payment information associated with the payment method | |
required | object (MonetaryAmount) An amount in a specified currency |
| paymentReferenceNumber | string The reference number of the payment as generated by Yapstone. |
object (BillingAddress) The billing address of the customer. | |
| token | string The token generated for the payment. Only specified if the returnToken flag was set to true in the create order request. Only applicable for card payments. |
Array of objects (PaymentLineItem) Optional. This will be included if Yapstone returned a list of lineItems when making the payment | |
| errorCode | string Error Code returned by API. Only specified if there was an error with the payment. |
| errorDescription | string Error Description returned by API. Only specified if there was an error with the payment. |
{- "eventDate": "2024-01-25T14:40:32.201Z",
- "eventType": "PAYMENT_DECLINED",
- "orderId": "123e4567-e89b-12d3-a456-426614174000",
- "paymentId": "123e4567-e89b-12d3-a456-426614174000",
- "currentPaymentAttempt": 1,
- "maxPaymentAttempts": 3,
- "paymentType": "string",
- "additionalPaymentInformation": {
- "cardDetails": {
- "cardType": "credit",
- "cardNetwork": "visa",
- "cardExpiryMonth": 1,
- "cardExpiryYear": 2028,
- "cardLastDigits": 9999
}
}, - "paymentAmount": {
- "value": 150000,
- "currency": "USD"
}, - "paymentReferenceNumber": 123456789,
- "billingAddress": {
- "line1": "100 Main St",
- "city": "Seattle",
- "countyOrProvince": "WA",
- "zipOrPostcode": 94112,
- "country": "US"
}, - "token": "1111Rer345X32gY3",
- "paymentLineItems": [
- {
- "description": "Rent",
- "amount": 150000,
- "feeAmount": 1500
}
], - "errorCode": "E1022",
- "errorDescription": "Payment declined by bank"
}The merchant's backend service can call this endpoint to create an Order.
The Order acts as a session that has an expiry time.
The response will contain a URL that the merchant portal can use to redirect the customer (payee) to allow them to make a payment via the Yapstone Hosted Payments Page.
The merchant must pass their Yapstone credentials in a basic auth header.
| Idempotency-Key required | string The idempotency key is a unique identifier for the request that is provided by the merchant. It is included in the request header as Idempotency-Key. The key can be any string value and should be unique for each request. It is recommended to use a UUID. The platform will return an error if the same idempotency key is used. |
Order details
required | object (OrderDetails) Order details |
required | object (TransactionDetails) Transaction/Payment Details |
object (BillingAddress) Optional billing address. If specified, it will be validated when an order is created, and the request rejected if the validation fails. If specified and valid, it will be shown on the Hosted Payments page as Billing Address. The payer will be able to edit the billing address on the Hosted Payments page unless the BillingAddressIsEditable flag is set to false. Each country has specific validation rules that are applied to the address. As an example some countries require a postal code, some do not. | |
| billingAddressIsEditable | boolean (BillingAddressIsEditable) This is a flag used by the Hosted Payments page to determine whether to allow the user to edit the billing address. If false, the billing address must be supplied and can not be edited by the user. |
object (CustomerDetails) Customer Details | |
| paymentMethodsAccepted | Array of strings (PaymentMethodsAccepted) Items Enum: "VISA_CREDIT_CARD" "MASTERCARD_CREDIT_CARD" "DEBIT_CARD" "AMEX_CREDIT_CARD" "DISCOVER_CREDIT_CARD" "US_BANK_ACH" Which payment methods are to be accepted for the payment. If specified then the Hosted Payments Page will show only the specified payment methods, in the sequence specified. If not specified, or the list is empty, all available payment methods for the merchant/property will be made available on the payment page. Note: only those payment methods which are specified on the 'create order', and are 'true' for the merchant/property, will be made available on the payment page. |
| orderTimeoutMinutes | integer (OrderTimeoutMinutes) [ 5 .. 60 ] The number of minutes that the order will be valid for. If omitted, the order will be valid for 15 minutes. |
| maxPaymentAttempts | integer (OrderMaxPaymentAttempts) [ 1 .. 3 ] The number of times that a customer can attempt to make a payment for this Order. Defaults to 1 if not specified on 'create order'. Note: Once a successful (APPROVED) payment is made for an Order, no more payment attempts will be allowed for that Order. An Order can only have one APPROVED Payment attempt. |
object (RedirectsDetails) Redirect Urls for different payment outcomes The Hosted Payments Page will redirect the browser to the specified URL for the specified payment outcome. | |
object (WebhooksDetails) Webhooks Details | |
| tokenExpirationDate | string <date> The expiration date for the ZVA token. |
{- "orderDetails": {
- "orderType": "SHORT_TERM_PROPERTY_RENTAL",
- "shortTermPropertyRental": {
- "propertyCode": "T4YWQWMX51",
- "platform": "VRP",
- "reservationNumber": "232-fdsa",
- "arrivalDate": "2024-06-20",
- "departureDate": "2024-06-26",
- "roomRate": 150000,
- "roomTax": 150000,
- "unit": "Unit 1"
}
}, - "transactionDetails": {
- "channel": "ONLINE",
- "amount": {
- "value": 150000,
- "currency": "USD"
}, - "lineItems": [
- {
- "description": "Rent",
- "amount": 150000
}
], - "returnFeeInfo": false,
- "totalInstallments": 4,
- "installmentNumber": 3,
- "customerStatementReference": "CoolHols12345",
- "returnToken": true,
- "preAuthorization": false
}, - "billingAddress": {
- "line1": "100 Main St",
- "city": "Seattle",
- "countyOrProvince": "WA",
- "zipOrPostcode": 94112,
- "country": "US"
}, - "billingAddressIsEditable": false,
- "customer": {
- "email": "john.smith@example.com",
- "phone": 15200023345,
- "firstName": "John",
- "lastName": "Milton",
- "externalId": "GD45F980"
}, - "paymentMethodsAccepted": [
- "VISA_CREDIT_CARD",
- "MASTERCARD_CREDIT_CARD",
- "DEBIT_CARD",
- "AMEX_CREDIT_CARD",
- "DISCOVER_CREDIT_CARD",
- "US_BANK_ACH"
], - "orderTimeoutMinutes": 15,
- "maxPaymentAttempts": 2,
- "redirects": {
- "approved": {
- "showIntermediateStatusPage": true
}, - "declined": {
- "showIntermediateStatusPage": true
}, - "timeout": {
- "showIntermediateStatusPage": true
}, - "error": {
- "showIntermediateStatusPage": true
}, - "cancel": {
- "showIntermediateStatusPage": true
}
}, - "webhooks": {
- "signingKey": "01HMHCZWVWY12CG36D64CEPRCD"
}, - "tokenExpirationDate": "2024-06-20"
}{- "orderId": "c9f62625-a61d-4ae6-a6ff-183d8a99a523",
- "expiresAt": "2024-01-25T14:40:32.201Z",
}