Developers
Developer documentation
Build with Paysation's payment gateway API: payments, 3DS, recurring charges, refunds, void / settle, token migration and subscriptions.
Overview
General information required for every request to the Paysation Payment Gateway API.
Base URLs
| Environment | Base URL |
|---|---|
| Production | https://api.paysation.com |
Paysation does not use a separate staging URL. The API endpoint is the same for both test and live. See Test API.
Required headers
Every request must include the following HTTP headers:
| Header | Required | Value | Description |
|---|---|---|---|
| Content-Type | yes | application/json | Request body is always a JSON document encoded in UTF-8. |
| Authorization | yes | Bearer %API KEY% | Merchant API key issued by Paysation. Identifies and authenticates the caller. |
Example
POST /<endpoint> HTTP/1.1
Host: api.paysation.com
Content-Type: application/json
Authorization: Bearer %API KEY%
{
"...": "..."
}Response format
All responses are returned as JSON encoded in UTF-8. See all possible HTTP response codes in Response codes.
The HTTP status reflects the outcome of the call:
Error response example
Any response with status >= 400 contains a message field with a human-readable explanation:
1{
2 "message": "Invalid request payload"
3}Notes
Test API
This page describes how to simulate payment scenarios before going live.
Test environment overview
Paysation does not use a separate staging URL. The API endpoint is the same for both test and live:
https://api.paysation.comTo access the test environment, each client is provisioned with a dedicated set of test resources:
| Resource | Description |
|---|---|
| Test Account | A separate account isolated from the live account. All test transactions are processed through it. |
| Test Credentials | API key and secret scoped to the Test Account. Use these in place of live credentials when making test requests. |
| Test Merchant Admin | A dedicated admin interface where the client can view test transactions, test credentials, and configuration. |
Test credentials and live credentials are completely isolated — a request made with test credentials never affects live funds or live transaction history.
Test cards do not process real funds and work only when authenticated with test credentials.
General rules
Test cards
| Brand | Card number | 3Ds Scenario | Behaviour |
|---|---|---|---|
| Visa | 4111111111111111 | frictionless | Successful authorization |
| Visa | 4000000000000002 | frictionless | Authorization failed |
| Visa | 4742106766751112 | fingerpring | Successful authorization |
| Visa | 4000123187649263 | fingerpring | Authorization failed |
| Visa | 4008372336662369 | challenge | Fill any OTP code for successful authentication. Fill OTP code 101 for failed authorization |
| Visa | 4871040656543210 | NO-3DS | Card is not enrolled in 3DS. No fingerprint or challenge step is performed. Response returns threeDStatus: null, message Card is not 3D-enrolled. |
| Mastercard | 5101510151015101 | frictionless | Successful authorization |
| Mastercard | 5200000000000007 | frictionless | Authorization failed |
| Mastercard | 5359438730895896 | fingerpring | Successful authorization |
| Mastercard | 5127880173456453 | fingerpring | Authorization failed |
| Mastercard | 5109486948861999 | challenge | Fill any OTP code for successful authentication. Fill OTP code 101 for failed authorization |
| Mastercard | 5333476046218777 | NO-3DS | Card is not enrolled in 3DS. No fingerprint or challenge step is performed. Response returns threeDStatus: null, message Card is not 3D-enrolled. |
| Amex | 378282246310005 | — | Successful transaction |
| Amex | 371449635398431 | — | Failed transaction |
| Discover | 6011111111111117 | — | Successful transaction |
| Discover | 6011000000000004 | — | Failed transaction |
Decline scenario
| Scenario | Amount | Behaviour |
|---|---|---|
| General | = 1.01 | Decline with message General decline. |
| General | = 1.02 | Decline with message Suspected fraud. |
| General | = 1.03 | Decline with message Insufficient funds. |
Sale
Direct card charge without 3DS authentication. The merchant sends card data server-to-server; the gateway processes the payment and returns the final result.
To split authorization and capture, set capture to false in the request — funds are only authorized. The merchant then calls /settle to capture, or /void to release the hold.
Endpoint
<base-url>/paymentBase URLs and required headers (Content-Type, Authorization) are defined in Overview.
Request body
Top-level fields:
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| clientTransactionId | required | string | 3–64 chars, unique per call | Merchant-side reference for the transaction — order ID, invoice ID or transaction ID. Used as the idempotency key. |
| amount | required | decimal | > 0 | Charge amount (e.g. 49.99). |
| currency | required | string | ISO 4217, 3 chars | Currency code (e.g. USD, EUR). |
| description | optional | string | 1–256 chars | Name of the product or service being sold. Shown in reports and may be passed to the acquirer. |
| capture | optional | boolean | default true | If true, funds are captured immediately. If false, only an authorization is placed and capture must be performed in a separate step. |
| settleInterval | optional | integer | 1 – max scheme limit (hours) | Auto-settle delay in hours. Only valid when capture: false. See Void / Settle. |
| paymentMethod | required | object | see paymentMethod below | Payment instrument data. The single key inside the object implicitly defines the payment method type. |
| customer | required | object | see customer below | Customer and billing data. |
| external3ds | optional | object | see External 3DS | Pre-completed 3DS authentication data from a merchant-managed or third-party 3DS provider. When present, the gateway skips its own 3DS flow and submits the provided authentication values directly to the processor. |
| webhookUrl | optional | string | HTTPS URL | Endpoint to receive the asynchronous payment-result notification. |
paymentMethod
The object contains exactly one key, which identifies the payment method type. Supported keys: card / token / applePay / googlePay. This document describes the card method.
card
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| number | required | string | 13–19 digits | Full card PAN. |
| securityCode | required | string | 3–4 digits | Card security code (CVV / CVC). |
| expMonth | required | string | 01–12 | Card expiry month. |
| expYear | required | string | 2 digits (e.g. 29) | Card expiry year, last two digits. |
| cardHolderName | required | string | 2–64 chars | Cardholder name as printed on the card. |
customer
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| firstName | required | string | 2–32 chars | Customer first name. |
| lastName | required | string | 2–32 chars | Customer last name. |
| address | required | string | 2–64 chars | Street address. |
| city | required | string | 2–32 chars | City. |
| country | required | string | ISO 3166-1 alpha-2 | Country code (e.g. US). |
| zipcode | required | string | 2–10 chars | Postal / ZIP code. |
| state | required | string | 2–32 chars | State / region. |
| phone | optional | string | 7–15 digits | Customer phone number. |
| ipAddress | required | string | valid IPv4 / IPv6 | Customer IP address. |
| required | string | valid email | Customer email. |
Request example
1{
2 "clientTransactionId": "order_20260512_0091",
3 "amount": 49.99,
4 "currency": "USD",
5 "description": "Premium subscription — 1 month",
6 "paymentMethod": {
7 "card": {
8 "number": "4111111111111111",
9 "securityCode": "737",
10 "expMonth": "09",
11 "expYear": "28",
12 "cardHolderName": "John Doe"
13 }
14 },
15 "customer": {
16 "firstName": "John",
17 "lastName": "Doe",
18 "address": "742 Evergreen Terrace",
19 "city": "Springfield",
20 "country": "US",
21 "zipcode": "90210",
22 "state": "IL",
23 "phone": "14155552671",
24 "ipAddress": "203.0.113.42",
25 "email": "[email protected]"
26 },
27 "webhookUrl": "https://merchant.example.com/webhooks/payment"
28}Response
HTTP status codes and the error response shape are defined in Overview — Response format.
The response body contains the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| status | string | required | Payment status. See See possible transaction status |
| transactionId | string | required | Gateway transaction identifier. |
| clientTransactionId | string | required | Merchant-side reference echoed from the request. |
| schemeTransactionId | string | optional | Transaction ID assigned by the card scheme (Visa / Mastercard). Used for dispute resolution and reconciliation. Omitted when the transaction did not reach the scheme. |
| paymentToken | string | required | Stored payment instrument token for future charges. Omitted when no stored credential was produced. |
| code | string | required | Gateway result code. 00 on success. See Response codes. |
| message | string | required | Human-readable description of the result. |
| bankDeclineCode | string | optional | Raw decline code passed through from the card scheme unmodified. Present only when status is failed and the charge was submitted to the scheme. |
Example — success
1{
2 "status": "success",
3 "transactionId": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
4 "clientTransactionId": "order_20260512_0091",
5 "schemeTransactionId": "012345678901234",
6 "paymentToken": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
7 "code": "00",
8 "message": "Approved"
9}Payment failed:
1{
2 "status": "failed",
3 "transactionId": "3c2b1a4e-5d6f-7e8a-9b0c-1d2e3f4a5b6c",
4 "clientTransactionId": "order_20260512_0091",
5 "schemeTransactionId": "998877665544332",
6 "code": "11",
7 "message": "Insufficient funds",
8 "bankDeclineCode": "51"
9}3D Server-to-Server
Card charge with 3DS authentication. The merchant sends a card data server-to-server. The gateway returns a redirectUrl to which the customer must be redirected to complete 3DS. After authentication, the final status is delivered to:
1. The redirectUrl provided in the request (browser return). 2. The webhookUrl provided in the request (asynchronous server-to-server notification).
The request is identical to Sale with the following additions: 3ds, browserDetails and redirectUrl.
Endpoint
<base-url>/paymentBase URLs and required headers (Content-Type, Authorization) are defined in Overview.
Request body
Top-level fields:
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| clientTransactionId | required | string | 3–64 chars, unique per call | Merchant-side reference for the transaction — order ID, invoice ID or transaction ID. Used as the idempotency key. |
| amount | required | decimal | > 0 | Charge amount (e.g. 49.99). |
| currency | required | string | ISO 4217, 3 chars | Currency code (e.g. USD, EUR). |
| description | optional | string | 1–256 chars | Name of the product or service being sold. Shown in reports and may be passed to the acquirer. |
| 3ds | required | boolean | must be true | Marks the request as a 3DS-authenticated payment. |
| capture | optional | boolean | default true | If true, funds are captured immediately after successful 3DS authentication. If false, only an authorization is placed. |
| paymentMethod | required | object | same structure as Sale | Payment instrument data. |
| customer | required | object | same structure as Sale | Customer and billing data. |
| browserDetails | required | object | see browserDetails below | Customer browser data collected on the merchant page. Required by 3DS 2.x for risk assessment. |
| redirectUrl | required | string | HTTPS URL | Customer return URL. The browser is redirected here with the final status after 3DS completes. |
| webhookUrl | optional | string | HTTPS URL | Endpoint to receive the asynchronous payment-result notification. |
Nested objects (paymentMethod, customer) have the same fields and constraints as in Sale.
browserDetails
Collected on the merchant checkout page from the customer browser and passed to the gateway. Field semantics follow the EMV 3DS 2.x specification.
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| acceptHeader | required | string | max 2048 chars | Exact content of the HTTP Accept header sent by the customer browser. |
| javaEnabled | required | boolean | — | Value of navigator.javaEnabled(). |
| jsEnabled | required | boolean | — | true if JavaScript is enabled in the customer browser. |
| language | required | string | 1–8 chars, IETF BCP 47 (e.g. en-US) | Value of navigator.language. |
| colorDepth | required | integer | one of 1, 4, 8, 15, 16, 24, 32, 48 | Value of screen.colorDepth, in bits. |
| screenHeight | required | integer | > 0 | Value of screen.height, in pixels. |
| screenWidth | required | integer | > 0 | Value of screen.width, in pixels. |
| tzOffset | required | integer | minutes, range -840…720 | Value of new Date().getTimezoneOffset() — local time offset from UTC in minutes. |
| userAgent | required | string | max 2048 chars | Exact content of the HTTP User-Agent header sent by the customer browser. |
| challengeWindowSize | required | string | 01 (250×400) / 02 (390×400) / 03 (500×600) / 04 (600×400) / 05 (full screen) | Preferred size of the 3DS challenge window rendered to the customer. |
Request example
1{
2 "clientTransactionId": "order_20260512_0092",
3 "amount": 49.99,
4 "currency": "USD",
5 "description": "Premium subscription — 1 month",
6 "3ds": true,
7 "paymentMethod": {
8 "card": {
9 "number": "4111111111111111",
10 "securityCode": "737",
11 "expMonth": "09",
12 "expYear": "28",
13 "cardHolderName": "John Doe"
14 }
15 },
16 "customer": {
17 "firstName": "John",
18 "lastName": "Doe",
19 "address": "742 Evergreen Terrace",
20 "city": "Springfield",
21 "country": "US",
22 "zipcode": "90210",
23 "state": "IL",
24 "phone": "14155552671",
25 "ipAddress": "203.0.113.42",
26 "email": "[email protected]"
27 },
28 "browserDetails": {
29 "acceptHeader": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
30 "javaEnabled": false,
31 "jsEnabled": true,
32 "language": "en-US",
33 "colorDepth": 24,
34 "screenHeight": 1080,
35 "screenWidth": 1920,
36 "tzOffset": -120,
37 "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
38 "challengeWindowSize": "03"
39 },
40 "redirectUrl": "https://merchant.example.com/checkout/return",
41 "webhookUrl": "https://merchant.example.com/webhooks/payment"
42}Response
HTTP status codes and the error response shape are defined in Overview — Response format.
The response body contains the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| status | string | required | Payment status. See possible transaction status |
| transactionId | string | required | Gateway transaction identifier. |
| clientTransactionId | string | required | Merchant-side reference echoed from the request. |
| schemeTransactionId | string | required | Transaction ID assigned by the card scheme (Visa / Mastercard). Omitted when the transaction did not reach the scheme (e.g. 3DS failed). |
| paymentToken | string | required | Stored payment instrument token for future charges. Present on success only. |
| code | string | required | Gateway result code. 00 on success. See Response codes. |
| message | string | required | Human-readable description of the result. |
| bankDeclineCode | string | optional | Raw decline code from the card scheme. Present only when status is failed and the charge reached the scheme. |
| threeDS | object | required | 3DS authentication result. See threeDS fields below. |
threeDS fields
| Field | Type | Description |
|---|---|---|
| threeDStatus | string | EMVCo authentication result: Y (authenticated), A (attempted), C (challenge required), N (failed), U (unavailable), R (rejected). Omitted in the initial response before authentication completes. |
| threeDVersion | string | 3DS protocol version used (e.g. 2.2.0). |
| flow | string | fingerprint — ACS method iframe (initial response). frictionless — ACS authenticated without cardholder interaction. challenge — cardholder must complete ACS challenge. |
| authCode | string | Authorization code from the issuer. Present when threeDStatus is Y or A; omitted otherwise. |
| eci | string | Electronic Commerce Indicator. 05/02 = fully authenticated; 06/01 = attempted; 07/00 = no auth. Omitted when authentication failed. |
| cavv | string | Issuer cryptogram — proof of authentication. Omitted when authentication failed. |
| acsChallenge | string | Y — challenge was required by the issuer; N — frictionless was allowed. |
| liabilityShift | boolean | true — liability for fraud chargebacks shifts to the card issuer. false — the merchant bears the fraud risk. Derived from eci: 05/02 and 06/01 → true; 07/00 or absent → false. Present in the final response only. |
| redirectUrl | string | URL where the browser must be redirected. Present when flow is fingerprint or challenge. Absent in the final response. |
Example — initial response (fingerprint / challenge)
Returned immediately after the POST request when 3DS redirect is required. HTTP 202.
1{
2 "status": "pending",
3 "transactionId": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
4 "clientTransactionId": "order_20260512_0092",
5 "threeDS": {
6 "threeDVersion": "2.2.0",
7 "flow": "fingerprint",
8 "redirectUrl": "https://3ds.paysation.com/fingerprint/9b1deb4d"
9 },
10 "code": "00",
11 "message": "3DS authentication required"
12}Example — final result (frictionless, success)
Delivered via webhook and browser redirect. HTTP 201.
1{
2 "status": "success",
3 "transactionId": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
4 "clientTransactionId": "order_20260512_0092",
5 "schemeTransactionId": "012345678901234",
6 "paymentToken": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
7 "threeDS": {
8 "threeDStatus": "Y",
9 "threeDVersion": "2.2.0",
10 "flow": "frictionless",
11 "authCode": "AUTH123456",
12 "eci": "05",
13 "cavv": "AAABBRRRSSSggghhh777AABBRRS=",
14 "acsChallenge": "N",
15 "liabilityShift": true
16 },
17 "code": "00",
18 "message": "Approved"
19}After 3DS completion
Once the customer completes 3DS, the final payment result is delivered to both endpoints supplied in the request:
| Channel | Source | Purpose |
|---|---|---|
| redirectUrl (request) | Browser redirect | Return the customer to the merchant site with status. |
| webhookUrl (request) | Server-to-server call | Authoritative asynchronous notification. |
Recurring
How to charge a customer with a previously stored payment token — for subscription renewals, repeat purchases, and any payment against a stored credential.
Recurring does not have its own endpoint. It reuses Sale (POST /payment) with one difference: the paymentMethod object uses the token key instead of card. Card data (number, securityCode, expMonth, expYear, cardHolderName) is therefore not sent.
The caller must always indicate whether the charge is customer-initiated (cit) or merchant-initiated (mit) via recurringType — this value is required by the card networks (Visa Stored Credential Framework, Mastercard, EMV 3DS) for correct authorization and chargeback liability.
Endpoint
<base-url>/paymentSame as Sale. Base URLs and required headers (Content-Type, Authorization) are defined in Overview.
Request body
Top-level fields are the same as in Sale — clientTransactionId, amount, currency, description, capture, customer, webhookUrl. Only the paymentMethod object differs.
In a recurring charge, customer is optional (overrides the Sale requirement). The cardholder is normally not present — especially for mit — and the gateway already has the customer data from the original Sale that produced the token.
paymentMethod
For a recurring charge, paymentMethod contains the single key token (instead of card).
token
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| paymentToken | required | string | 40-char hash | Stored payment instrument token returned in the original Sale response as paymentToken. |
| recurringType | required | string | cit / mit | Indicates who initiates the charge. See recurringType values below. |
recurringType values
| Value | Meaning |
|---|---|
| cit | Customer-Initiated Transaction. The cardholder is actively present in the checkout flow (e.g. manual repeat purchase, account top-up initiated by the customer). |
| mit | Merchant-Initiated Transaction. The merchant initiates the charge against a stored credential without the cardholder present (e.g. scheduled subscription renewal). |
Request example
1{
2 "clientTransactionId": "order_20260514_0114",
3 "amount": 49.99,
4 "currency": "USD",
5 "paymentMethod": {
6 "token": {
7 "paymentToken": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
8 "recurringType": "mit"
9 }
10 }
11}Response
The response fields are identical to Sale — Response
The response body contains:
| Field | Type | Description |
|---|---|---|
| status | string | Payment status. See status values below. |
| transactionId | string | Gateway transaction identifier. |
| clientTransactionId | string | Merchant-side reference echoed from the request. |
| schemeTransactionId | string | Transaction ID assigned by the card scheme. Omitted when the transaction did not reach the scheme. |
| paymentToken | string | Refreshed token if the stored credential was updated. Omitted otherwise. |
| code | string | Gateway result code. 00 on success. See Response codes. |
| message | string | Human-readable description of the result. |
| bankDeclineCode | string | Raw decline code from the card scheme. Present only when status is failed and the charge reached the scheme. |
Example
1{
2 "status": "success",
3 "transactionId": "c2f4b8a1-9e3d-4f72-8c0b-5a1d2e6f0b91",
4 "clientTransactionId": "order_20260514_0114",
5 "schemeTransactionId": "012345678901234",
6 "paymentToken": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
7 "code": "00",
8 "message": "Approved"
9}Payment failed:
1{
2 "status": "failed",
3 "transactionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
4 "clientTransactionId": "order_20260514_0114",
5 "schemeTransactionId": "554433221100998",
6 "code": "11",
7 "message": "Insufficient funds",
8 "bankDeclineCode": "51"
9}Void / Settle
Follow-up operations on a previously authorized Sale. To enable this flow, the original Sale must be submitted with capture: false — funds are then only authorized (held), not captured.
The merchant uses the transactionId returned in the Sale response to:
Each call decides the final outcome of the authorization; only one of the two can be performed per transaction.
Base URLs and required headers (Content-Type, Authorization) are defined in Overview.
Authorization hold management
When submitting a Sale with capture: false, two behaviors are available depending on whether settleInterval is provided.
Manual settle
Omit settleInterval. The merchant decides when to settle by calling /settle, or cancels with /void.
If neither /settle nor /void is called before the card scheme hold limit expires, the gateway automatically sends a void to release the held funds.
Auto-settle
Pass settleInterval (in hours) in the original Sale request. The gateway will automatically submit the settle operation after the specified interval — no separate /settle call is needed.
| Field | Type | Constraints | Description |
|---|---|---|---|
| settleInterval | integer | 1 – max scheme limit (hours) | Number of hours after authorization before the gateway auto-settles. Cannot exceed the card scheme maximum (see table below). |
If the auto-settle fails, the authorization hold remains active and the gateway will retry.
The merchant can still send /void or /settle at any time before settleInterval elapses.
Card scheme hold limits settleInterval cannot exceed the card scheme maximum. If the value is higher, the gateway clamps it to the scheme limit. | Card scheme | Maximum hold period | | --- | --- | | Visa (CIT) | 240 hours (10 days) | | Visa (MIT) | 120 hours (5 days) | | Mastercard and other schemes | 168 hours (7 days) |
Settle
Capture funds from an existing authorized transaction. Settle requests are submitted to the processor in a batch — the gateway returns status: pending immediately and delivers the final result via webhook.
Partial settle
If amount in the request is less than the authorized amount, only that portion is captured. The remaining hold is automatically voided by the gateway immediately after the capture succeeds. Only one settle per authorization is possible — to capture the remainder, use a separate Sale.
Refunds are limited to the settledAmount returned in the settle response.
Endpoint
<base-url>/settleRequest body
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| clientTransactionId | required | string | 3–64 chars, unique per call | Merchant-side reference for the settle operation. Used as the idempotency key. |
| transactionId | required | string | valid UUID | Gateway transaction identifier returned in the original Sale response. |
| amount | optional | decimal | > 0, ≤ authorized amount | Capture amount. If omitted, the full authorized amount is captured. Supplying a lower value triggers a partial settle — the remaining hold is voided automatically. |
Response
HTTP 201 is returned for all processed requests. Check status and code in the response body for the actual outcome. HTTP status codes and the error response shape are defined in Overview — Response format.
The response body contains:
| Field | Type | Description |
|---|---|---|
| type | string | Operation type. Always settle. |
| status | string | Operation status. See status values below. |
| transactionId | string | Gateway transaction identifier (same value as in the request). |
| clientTransactionId | string | Merchant-side reference echoed from the request. |
| settledAmount | decimal | Actual amount captured. Present when status is success. |
| settledCurrency | string | Currency of the captured amount (ISO 4217). Present when status is success. |
| code | string | Gateway result code. |
| message | string | Human-readable description of the result. |
status values
| Value | HTTP | Meaning |
|---|---|---|
| pending | 201 | Settle submitted to the processor batch. Await webhook for the final result. |
| success | 201 | Funds captured. settledAmount reflects the actual captured value. |
| failed | 201 | Settle declined. The authorization hold remains active — a retry is possible. |
Void
Cancel an authorization created by a Sale with capture: false. No funds are transferred and the hold is released immediately.
Endpoint
<base-url>/voidRequest body
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| clientTransactionId | required | string | 3–64 chars, unique per call | Merchant-side reference for the void operation. Used as the idempotency key. |
| transactionId | required | string | valid UUID | Gateway transaction identifier returned in the original Sale response. |
Response
HTTP 201 is returned for all processed requests. Check status and code in the response body for the actual outcome. HTTP status codes and the error response shape are defined in Overview — Response format.
The response body contains:
| Field | Type | Description |
|---|---|---|
| type | string | Operation type. Always void. |
| status | string | Operation status. See status values below. |
| transactionId | string | Gateway transaction identifier (same value as in the request). |
| clientTransactionId | string | Merchant-side reference echoed from the request. |
| code | string | Gateway result code. |
| message | string | Human-readable description of the result. |
status values
| Value | HTTP | Meaning |
|---|---|---|
| success | 201 | Authorization cancelled. Funds released back to the cardholder. |
| failed | 201 | Void declined or not permitted (e.g. transaction already settled). |
Refund
Return funds to the cardholder for a previously settled transaction — full or partial.
Base URLs and required headers (Content-Type, Authorization) are defined in Overview.
Endpoint
<base-url>/refundPartial refund
If amount in the request is less than the settled amount, only that portion is returned to the cardholder. Multiple partial refunds against the same transaction are allowed until the full settled amount is exhausted. To check how much remains refundable, use the transaction details endpoint.
Request body
| Field | Required | Type | Constraints | Description |
|---|---|---|---|---|
| clientTransactionId | required | string | 3–64 chars, unique per call | Merchant-side reference for the refund operation. Used as the idempotency key. |
| transactionId | required | string | valid UUID | Gateway transaction identifier of the captured payment to refund. Returned by the original Sale. |
| amount | optional | decimal | > 0, ≤ remaining refundable amount | Amount to refund. If omitted, the full remaining amount is refunded. Supplying a lower value triggers a partial refund. |
| reason | optional | string | see accepted values below | Reason for the refund. If omitted, the gateway substitutes a processor-specific default. See Refund reason. |
Refund reason
Some processors and PSPs require a reason code on every refund request. The gateway handles this transparently: 1. Client provided reason — the gateway maps it to the processor-specific format and forwards it. 2. Client did not provide reason — the gateway substitutes a constant default value (OTHER or equivalent) that satisfies the processor's mandatory field requirement. The merchant does not need to be aware of which processors require it.
Accepted reason values
The following values are accepted in the reason field. They are normalized by the gateway and mapped to the correct format for each processor.
| Value | Meaning |
|---|---|
| customer_request | Cardholder requested the refund directly (e.g. order cancellation). |
| duplicate | The transaction was charged more than once for the same order. |
| fraud | The transaction was identified as fraudulent or the cardholder did not authorize it. |
| return | Cardholder returned goods or cancelled a service after delivery. |
| other | Any reason not covered above. |
If reason is omitted or the processor does not accept reason codes, the gateway uses the processor's required default constant internally — no error is returned to the merchant.
Request example
1{
2 "clientTransactionId": "refund_20260516_0021",
3 "transactionId": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
4 "amount": 19.99,
5 "reason": "customer_request"
6}Response
The response fields are identical to Sale — Response.
The response body contains:
| Field | Type | Required | Description |
|---|---|---|---|
| status | string | required | Operation status. See status values below. |
| transactionId | string | required | Gateway transaction identifier of the refund operation (new ID). |
| clientTransactionId | string | required | Merchant-side reference echoed from the request. |
| refundedAmount | decimal | required | Amount successfully refunded. Present when status is success. Omitted when refund failed |
| refundedCurrency | string | required | Currency of the refunded amount (ISO 4217). Present when status is success. Omitted when refund failed |
| code | string | required | Gateway result code. 00 on success. See Response codes. |
| message | string | required | Human-readable description of the result. |
Example
1{
2 "status": "success",
3 "transactionId": "a5f8c2e1-1234-4cde-9876-fedcba987654",
4 "clientTransactionId": "refund_20260516_0021",
5 "refundedAmount": 19.99,
6 "refundedCurrency": "USD",
7 "code": "00",
8 "message": "Refund approved"
9}Refund rejected:
1{
2 "status": "failed",
3 "transactionId": "b6a9d3f2-5678-4efg-1234-abcdef012345",
4 "clientTransactionId": "refund_20260516_0021",
5 "code": "51",
6 "message": "Refund not allowed: open dispute on this transaction"
7}Constraints
Response codes
Reference for all codes returned by the Paysation API. Four independent surfaces:
1. HTTP status codes
All responses are returned as JSON encoded in UTF-8.
| Status | Meaning | Response body |
|---|---|---|
| 201 | Processed | The request was processed. Check status and code in the response body for the actual outcome (success, declined, pending, etc.). |
| 202 | Action Required | 3DS step required. Redirect the customer to threeDS.redirectUrl to complete fingerprint or challenge. Await the final result via webhook. |
| 400 | Bad Request | { "code": "4x", "message": "..." } — Authorization header is missing or empty, or request validation failed (field missing, invalid value, or malformed JSON). See Request validation codes. |
| 401 | Unauthorized | { "message": "..." } — Authorization header is present but authentication failed (invalid key, revoked, wrong mode, or other credential error). Details are available in the audit log only. |
| 403 | Forbidden | { "message": "..." } — valid credentials but insufficient permissions. |
| 404 | Not Found | { "message": "..." } — endpoint or resource not found. |
| 422 | Unprocessable Entity | { "code": "5x", "message": "..." } — request is structurally valid but cannot be processed due to token or transaction state. See Token errors and Transaction state codes. |
| 429 | Too Many Requests | { "message": "..." } — rate limit exceeded. |
| 500 | Internal Server Error | { "code": "3x", "message": "..." } — technical or connection error on the gateway or processor side. See Technical and connection codes. |
201 means the request reached the gateway and was processed. The actual payment outcome is always in the response body — check status and code. 202 is returned only when the customer must complete a 3DS step (fingerprint or challenge). It is never returned for other async operations.
2. status values
| Value | Description | Action |
|---|---|---|
| success | Operation approved and completed. | — |
| pending | Gateway is awaiting a response from PSP, ACS, or batch processor. Final result delivered via webhook. | Await webhook or poll GET /transaction/{id}. |
| authorized | Funds reserved. No capture yet. | Call /settle or /void. |
| failed | Operation declined or failed. Covers issuer declines, technical errors, validation failures, and unresolvable ambiguous outcomes. | Read code and message. |
3. code and message values
All codes below are returned inside the JSON response body alongside code and message fields.
code: "00" indicates success and is returned alongside status: success.
The HTTP status that accompanies each code group is noted in each section header.
Success · HTTP 201
| Code | Message | Description |
|---|---|---|
| 00 | Approved | Operation completed successfully. |
General issuer declines
| Code | Message | Description |
|---|---|---|
| 01 | General decline | The card-issuing bank did not complete the transaction. No specific reason provided. |
| 02 | Do not honor | Generic issuer decline. Do not retry automatically. |
| 03 | Retry later | Temporary problem with the card or account. May be retried after a short wait. |
| 04 | Re-enter transaction | General decline; source of error unclear. Retry with the same parameters. |
Card validation
| Code | Message | Description |
|---|---|---|
| 05 | Invalid CVV2 code | The CVV/CVC code is incorrect. |
| 06 | CVV attempts exceeded | Too many incorrect CVV attempts. Card temporarily locked — cardholder must contact their bank. |
| 07 | Invalid card number | Card number fails validation or does not exist. Do not retry with the same number. |
| 08 | Expired card | Card expiration date is invalid or has passed. |
| 09 | Invalid currency | Currency not supported on the active MID. |
Transaction declines
| Code | Message | Description |
|---|---|---|
| 10 | Blocked first use | First online payment on a newly issued card. Cardholder must unblock it via their bank app. |
| 11 | Insufficient funds | Account balance is too low. |
| 12 | Card amount limit exceeded | Exceeds card-level amount limit (per-transaction or period). |
| 13 | Frequency limit exceeded | Too many transactions in a short period. |
| 14 | Refer to card issuer | Issuer decline without explanation — cardholder must call their bank. |
| 15 | Transaction not permitted to cardholder | This transaction type is not allowed for this card. |
| 16 | Card brand not supported | Card brand not supported on the active MID. |
| 17 | Issuer not available | Issuer temporarily unavailable. Retry after a short wait. |
| 18 | Transaction not allowed at terminal | Rejected by processor due to MID configuration. |
| 19 | Merchant velocity limit exceeded | Transaction velocity is outside processor limits (unrelated to card limits). |
| 20 | Account closed | Cardholder account permanently closed. |
| 21 | Invalid merchant | Transaction rejected due to merchant MCC or configuration. Contact support. |
| 22 | Revocation of all authorizations | Cardholder cancelled all recurring payments on this card. Do not retry. |
| 23 | Permanent block | Card is on issuer permanent block list. Do not retry. |
Fraud and anti-fraud
| Code | Message | Description |
|---|---|---|
| 24 | Lost or stolen card | Card reported lost or stolen. |
| 25 | Restricted card | Card restricted by issuer (BIN restriction, regional embargo, etc.). |
| 26 | Suspected fraud | Transaction flagged by the issuing bank as suspicious. |
| 27 | Blocked by anti-fraud system | Blocked by the gateway anti-fraud system. Contact support if you believe this is a false positive. |
3DS and authentication
| Code | Message | Description |
|---|---|---|
| 28 | Card authentication failed | Cardholder failed or abandoned 3DS (wrong OTP, biometric failure, or challenge timeout). |
| 29 | Card not 3DS enrolled | Card does not support 3DS. Fall back to 2D if policy allows. |
| 30 | Unexpected 3DS error | Technical error during 3DS not caused by the cardholder (ACS timeout, protocol error). |
| 31 | Additional authentication required | SCA / PSD2 requires 3DS. Retry using the 3DS flow. |
| 32 | 3DS rejected by issuer | ACS returned R — issuer explicitly rejected authentication and requests that authorization not be attempted. Do not retry. |
| 33 | 3DS session expired | Cardholder did not complete the 3DS redirect within the allowed time. Ask the cardholder to retry from the beginning. |
Merchant configuration
| Code | Message | Description |
|---|---|---|
| 39 | Merchant not configured correctly | Processing error due to incorrect merchant or MID configuration. Contact support. |
| 60 | Feature not enabled for this account: \<feature> | The requested payment method or flow is not enabled for this account. \<feature> specifies what is disabled: apple_pay, google_pay, recurring, mit, 3ds, void, refund, etc. Contact support to enable it. |
Request validation · HTTP 400
Returned when the request body is structurally invalid — a required field is missing, a field value does not pass format validation, or the body is not valid JSON.
| Code | Message (example) | Description |
|---|---|---|
| 40 | Missing required field: amount | A required request field is absent. message names the missing field. |
| 41 | Invalid value: \<field> \<reason> | A field contains an invalid value or format, or the request body is not valid JSON. message specifies the field and reason. Possible messages: Invalid value: currency must be ISO 4217, Invalid value: amount must be greater than 0, Invalid value: eci must be one of 05, 02, 06, 01, Invalid value: authenticationStatus must be Y or A, Invalid value: version must match format 2.x.x, Invalid value: country must be ISO 3166-1 alpha-2, Invalid value: expiry month must be between 01 and 12, Invalid JSON format. |
| 42 | Duplicate clientTransactionId | A transaction with this clientTransactionId already exists. Use a unique value per request. |
Token errors · HTTP 422
Returned when the token in the request is not usable. The request was valid but cannot be processed because the referenced token does not exist, has expired, or has already been consumed.
| Code | Message | Description |
|---|---|---|
| 56 | Invalid token | The provided paymentToken does not exist or does not belong to this account. |
| 57 | Token expired | The paymentToken has passed its expiry time and can no longer be used. A new token must be obtained via a fresh Sale. |
| 58 | Token already used | The paymentToken is single-use and has already been consumed. Request a new token. |
Transaction state · HTTP 422
Returned when the operation is structurally valid but the referenced transaction is in a state that does not permit the requested action.
| Code | Message (example) | Description |
|---|---|---|
| 50 | Transaction not found | No transaction found for the provided transactionId. |
| 51 | Operation not permitted: \<reason> | The requested operation is not allowed in the current transaction state. Possible \<reason> values: transaction already settled, transaction already voided, transaction already fully refunded, void not allowed after capture, authorization hold has expired, refund time limit exceeded, refund not allowed: open dispute on this transaction. |
| 52 | \<reason> | The requested amount exceeds what is available for the operation. Possible messages: Settle amount exceeds authorized amount, Refund amount exceeds settled amount, Refund amount exceeds remaining refundable amount. |
Technical and connection · HTTP 500
Returned when a server-side or processor-side failure occurred. The request was valid and reached the gateway, but processing could not be completed due to an infrastructure or connectivity issue. Safe to retry after a short wait.
| Code | Message | Description |
|---|---|---|
| 37 | Application error | Unexpected server-side error during processing. Retry after a short wait. |
| 38 | Connection error | Connection failure between the gateway and the processor. Retry after a short wait. |
4. bankDeclineCode
Raw decline code passed through from the card scheme (Visa, Mastercard, American Express, Discover). Present only when the charge was submitted to the scheme and the issuer returned a decline code.
The meaning of the same numeric code differs by scheme. Always consider the card brand when interpreting this field. Use code and message for normalized, scheme-agnostic decline reasons.
Visa
| Code | Description |
|---|---|
| 1 | Refer to card issuer |
| 2 | Refer to card issuer, special condition |
| 3 | Invalid merchant |
| 4 | Pick up card (no fraud) |
| 5 | Do not honor |
| 6 | Error |
| 7 | Pick up card, special condition (fraud account) |
| 10 | Partial approval |
| 11 | Approved (V.I.P) |
| 12 | Invalid transaction |
| 13 | Invalid amount or currency conversion field overflow |
| 14 | Invalid account number (no such number) |
| 15 | No such issuer |
| 19 | Re-enter transaction |
| 21 | No action taken |
| 25 | Unable to locate record in file |
| 28 | File temporarily not available for update or inquiry |
| 39 | No credit account |
| 41 | Lost card, pick up (fraud account) |
| 43 | Stolen card, pick up (fraud account) |
| 46 | Closed account |
| 51 | Not sufficient funds |
| 52 | No checking account |
| 53 | No savings account |
| 54 | Expired card or expiration date is missing |
| 55 | Incorrect PIN or PIN missing |
| 57 | Transaction not permitted to cardholder |
| 58 | Transaction not allowed at terminal |
| 59 | Suspected fraud |
| 61 | Exceeds approval amount limit |
| 62 | Restricted card (card invalid in this region or country) |
| 63 | Security violation (source is not correct issuer) |
| 64 | Transaction does not fulfill AML requirement |
| 65 | Exceeds withdrawal frequency limit |
| 70 | PIN data required |
| 74 | Different value than that used for PIN encryption errors |
| 75 | Allowable number of PIN entry tries exceeded |
| 76 | Unsolicited reversal |
| 78 | Blocked, first used — transaction from new cardholder, card not properly unblocked |
| 79 | Already reversed (by Switch) |
| 80 | No financial impact |
| 81 | Cryptographic error found in PIN |
| 82 | Negative CAM, dCVV, iCVV, or CVV results |
| 85 | No reason to decline a request for address verification, CVV2 verification, or a credit voucher or merchandise return |
| 86 | Cannot verify PIN |
| 89 | Ineligible to receive financial position information |
| 91 | Issuer or switch inoperative; STIP not applicable or not available |
| 92 | Financial institution or intermediate network facility cannot be found for routing |
| 93 | Transaction cannot be completed — violation of law |
| 1A | Additional customer authentication required |
| B1 | Surcharge amount not permitted on Visa cards or EBT food stamps (U.S. acquirers only) |
| B2 | Surcharge amount not supported by debit network issuer |
| N0 | Force STIP |
| N3 | Cash service not available |
| N4 | Cash request exceeds issuer or approved limit |
| N5 | Ineligible for resubmission |
| N7 | Decline for CVV2 failure |
| N8 | Transaction amount exceeds preauthorized approval amount |
| P5 | Denied PIN unblock — PIN change or unblock request declined by issuer |
| P6 | Denied PIN change — requested PIN unsafe |
| Q1 | Card authentication failed |
| R0 | Stop Payment Order |
| R2 | Transaction does not qualify for Visa PIN |
| R3 | Revocation of all authorizations order |
| Z3 | Unable to go online; offline-declined |
Mastercard
| Code | Description |
|---|---|
| 1 | Refer to card issuer |
| 3 | Invalid merchant |
| 4 | Capture card |
| 5 | Do not honor |
| 8 | Honor with ID |
| 10 | Partial Approval |
| 12 | Invalid transaction |
| 13 | Invalid amount |
| 14 | Invalid card number |
| 15 | Invalid issuer |
| 30 | Format error |
| 41 | Lost card |
| 43 | Stolen card |
| 46 | Closed account |
| 51 | Insufficient funds / over credit limit |
| 54 | Expired card |
| 55 | Invalid PIN |
| 57 | Transaction not permitted to issuer/cardholder |
| 58 | Transaction not permitted to acquirer/terminal |
| 61 | Exceeds withdrawal amount limit |
| 62 | Restricted card |
| 63 | Security violation |
| 65 | Exceeds withdrawal count limit |
| 70 | Contact Card Issuer |
| 71 | PIN Not Changed |
| 75 | Allowable number of PIN tries exceeded |
| 76 | Invalid/nonexistent “To Account” specified |
| 77 | Invalid/nonexistent “From Account” specified |
| 78 | Invalid/nonexistent account specified (general) |
| 79 | Life cycle (Mastercard use only) |
| 80 | System not available |
| 81 | Domestic Debit Transaction Not Allowed (Regional use only) |
| 82 | Policy (Mastercard use only) |
| 83 | Fraud/Security (Mastercard use only) |
| 84 | Invalid Authorization Life Cycle |
| 85 | Not declined |
| 86 | PIN Validation not possible |
| 87 | Purchase Amount Only, No Cash Back Allowed |
| 88 | Cryptographic failure |
| 89 | Unacceptable PIN — Transaction Declined — Retry |
| 90 | Cutoff is in progress |
| 91 | Authorization System or issuer system inoperative |
| 92 | Unable to route transaction |
| 94 | Duplication transaction detected |
| 96 | System error |
| 1Z | Authorization System or issuer system inoperative |
American Express
| Code | Description |
|---|---|
| 01 | Refer to card issuer |
| 03 | Invalid merchant |
| 04 | Deny — pick up card |
| 05 | Deny |
| 06 | Error |
| 10 | Partial approval |
| 13 | Invalid amount |
| 14 | Invalid account number |
| 25 | Unable to locate |
| 30 | Format error |
| 38 | PIN exceeded |
| 54 | Expired card |
| 55 | Invalid PIN |
| 56 | No card record |
| 57 | Transaction not permitted to issuer/cardholder |
| 58 | Not permitted to acquirer/terminal |
| 78 | Invalid account |
| 85 | Issuer has no reason to decline the transaction |
| 91 | Issuer not available |
| 96 | System error |
| 1A | Additional customer authentication required |
| DA | Required fleet prompts invalid or missing |
| E2 | AVS data required |
| E3 | CVV2 data required |
| E4 | Service not allowed |
| E5 | Service not allowed |
| E6 | Service not allowed |
| E7 | Terminal ID error |
| E9 | No reply from network |
| EA | Account length error |
| EB | Check digit error |
| EC | CID format error |
| ED | Authorization is too old for capture |
| EE | Card product blocked |
| EF | BRIC on PIN transaction not allowed |
| EH | Invalid card entry method |
| EI | Invalid card ID |
| EJ | No PIN block |
| EK | Pinless routing not allowed |
| EL | BRIC storage failed |
| EM | Debit swipe only |
| EN | BRIC response timeout |
| EO | CVV2 mismatch |
| EQ | Network gateway not available |
| ES | Transaction not allowed due to failure of internal validations |
| ET | EMV data is required for card entry method |
| EU | The network rejected the item |
| EV | Item already captured |
| EW | Failed regex validation |
| EX | Check number required |
| EY | Contactless MSD not allowed — dip card |
| N6 | Decline |
| N7 | Invalid card (CID) security code |
| NR | No valid debit network available to route |
| RR | Invalid data in request — contact support if issue cannot be determined |
| S4 | PIN block translation error |
| S5 | Unable to locate a matching original purchase transaction |
| S7 | Unable to locate a matching original purchase transaction |
| S9 | TLV tags invalid |
Discover
| Code | Description |
|---|---|
| 01 | Refer to card issuer |
| 03 | Invalid merchant |
| 04 | Capture card |
| 05 | Do not honor |
| 06 | Error |
| 07 | Pick-up card, special condition |
| 08 | Honor with ID |
| 10 | Approved partial |
| 12 | Invalid transaction |
| 13 | Invalid amount |
| 14 | Invalid account number |
| 15 | Invalid issuer |
| 19 | Re-enter transaction |
| 21 | No action taken |
| 30 | Format error |
| 31 | Bank not supported by switch |
| 33 | Expired card |
| 34 | Suspected fraud |
| 35 | Card acceptor contact acquirer |
| 36 | Restricted card |
| 37 | Call — security |
| 38 | Allowable PIN tries exceeded |
| 39 | No credit account |
| 40 | Requested function not supported |
| 41 | Lost card |
| 43 | Stolen card |
| 51 | Decline |
| 53 | No savings account |
| 54 | Expired card |
| 55 | Invalid PIN |
| 56 | No card record |
| 57 | Transaction not permitted to issuer/cardholder |
| 58 | Not permitted to acquirer/terminal |
| 59 | Suspected fraud |
| 60 | Card acceptor error |
| 61 | Exceeds withdrawal amount limit |
| 62 | Restricted card |
| 63 | Security violation |
| 64 | Original amount incorrect |
| 65 | Exceeds withdrawal count limit |
| 67 | Hard capture — call |
| 68 | Response received too late |
| 75 | Allowable number of PIN tries exceeded |
| 77 | Invalid/nonexistent account specified |
| 78 | Invalid/nonexistent account specified (general) |
| 85 | Issuer has no reason to decline the transaction |
| 87 | Network unavailable |
| 91 | Authorization system or issuer system inoperative |
| 92 | Unable to route transaction |
| 93 | Decline |
| 94 | Duplicate transmission detected |
| 96 | System error |
| 1A | Additional customer authentication required |
| DA | Required fleet prompts invalid or missing |
| E2 | AVS data required |
| E3 | CVV2 data required |
| E4 | Service not allowed |
| E5 | Service not allowed |
| E6 | Service not allowed |
| E7 | Terminal ID error |
| E9 | No reply from network |
| EA | Check digit error |
| EB | Check digit error |
| EC | CID format error |
| ED | Authorization is too old for capture |
| EE | Card product blocked |
| EF | BRIC on PIN transaction not allowed |
| EH | Invalid card entry method |
| EI | Invalid card ID |
| EJ | No PIN block |
| EK | Pinless routing not allowed |
| EL | BRIC storage failed |
| EM | Debit swipe only |
| EN | BRIC response timeout |
| EO | CVV2 mismatch |
| EQ | Network gateway not available |
| ES | Transaction not allowed due to failure of internal validations |
| ET | EMV data is required |
| EU | The network rejected the item |
| EV | Item already captured |
| EW | Failed regex validation |
| EX | Check number required |
| EY | Contactless MSD not allowed — dip card |
| N6 | Decline |
| N7 | CVV2/AVS failure |
| NR | No valid debit network available to route |
| RR | Invalid data in request — contact support if issue cannot be determined |
| S4 | PIN block translation error |
| S5 | Unable to locate a matching original purchase transaction |
| S7 | Unable to locate a matching original purchase transaction |
| S8 | Unable to locate a matching authorization |
| S9 | TLV tags invalid |