Versions Compared

Version Old Version 1 New Version 2
Changes made by

Afrashum Waseem (Unlicensed)

Afrashum Waseem (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Email: support@xpay.com

  • Live Chat: Available on the XPay portal

  • Developer Community: Forums & Slack channels

Here’s the FAQ addressing the client's query regarding Payment Intent API flow and integration on the app side:

...

XPay API - Payment Intent & App Integration FAQ

1. How does the payment flow work on the website versus the app?

  • On the website, the user enters card details, the script verifies the card, and then a Payment Intent API call is made. Upon successful payment, the response includes clientSecret and encryption keys.

  • On the app, the process is slightly different:

    1. The Payment Intent API call happens first.

    2. The response contains clientsecret and encryption keys.

    3. These parameters are then used for the confirmPayment SDK method to complete the payment.

2. When are clientSecret and encryption keys received?

These parameters are not received after the payment, but rather after the Payment Intent API call. They are used to confirm the payment in the next step.

3. Why is there a difference between website and app flows?

The website flow uses direct script verification before making the Payment Intent API call, whereas the app flow requires calling the Payment Intent API first to generate the required parameters for payment confirmation.

4. What should be done to integrate payments on the app?

Follow these steps:

  1. Call the Payment Intent API first.

  2. Extract clientSecret and encryption keys from the response.

  3. Use these parameters in the confirmPayment SDK method to complete the payment.

5. What happens if the confirmation step is skipped?

If the confirmPayment SDK method is not called using the received parameters, the payment will not be processed, and the transaction will remain incomplete.

6. Where can I find more details on integrating payments in the app?

Refer to the XPay API documentation for app-specific integration guidelines:
📌 Postman Collection: XPay API Documentation
📌 GitHub Repository: XPay SDK & Sample Code

XPay API - 2D Payment Exception FAQ

1. What is the issue with 2D payments on the Android app?

When attempting a 2D payment on the Android app, an exception is thrown because 2D Secure (2DS) payments are not supported. These transactions are automatically declined by the payment gateway.

2. What is a 2D payment?

A 2D payment is a transaction where card authentication does not require an additional security layer, such as OTP verification (One-Time Password) or biometric authentication. These payments are considered high risk and are usually blocked by gateways.

3. Why does the payment gateway decline 2D payments?

Most modern payment gateways follow 3D Secure (3DS) protocols, which add an extra layer of security to protect against fraud. Transactions without this security layer (i.e., 2D payments) are automatically rejected.

4. How can we resolve the 2D payment issue?

To ensure successful transactions, 3D Secure (3DS) authentication must be enabled. This means:

  • Use cards that support 3D Secure authentication.

  • Ensure that the gateway being used supports 3DS transactions.

  • Implement proper redirection or in-app handling for 3DS authentication (OTP verification, biometric, etc.).

5. How can I check if a card supports 3DS?

  • Contact the issuing bank to confirm if the card is 3DS enabled.

  • Attempt the payment using a different 3DS-supported card.

6. Can 2D payments be enabled manually?

No, 2D payments cannot be enabled, as they are blocked by the gateway for security reasons. All payments must follow 3D Secure (3DS) authentication standards.

7. Where can I find more information on supported payment methods?

For details on payment methods and security requirements, refer to:
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code

XPay API - 3D Secure (3DS) Authentication FAQ

1. What is 3D Secure (3DS) authentication?

3D Secure (3DS) is an additional security layer for online card payments that helps prevent fraud by authenticating the cardholder during a transaction.

2. What are the different versions of 3D Secure?

  • 3DS1: The earlier version, where OTP (One-Time Password) is required for authentication.

  • 3DS2: The latest version, which introduces two types of authentication:

    • Frictionless (No OTP required)

    • Challenge (OTP required)

3. What is the difference between Frictionless and Challenge authentication in 3DS2?

Type

Card Example

OTP Required?

Description

3DS1

5506900140100305

✅ Yes

OTP-based authentication, requires manual input.

3DS2 - Frictionless

5123456789012346

❌ No

Authentication happens in the background without user input.

3DS2 - Challenge

5123450000000008

✅ Yes

Requires OTP or biometric verification before processing.

4. How does Frictionless authentication work in 3DS2?

  • If a card supports Frictionless 3DS2, the bank automatically verifies the transaction without requiring an OTP.

  • This reduces customer friction and speeds up the checkout process.

5. When is Challenge authentication used in 3DS2?

  • If a card requires Challenge 3DS2, the bank mandates OTP verification before processing the transaction.

  • This happens for high-risk transactions, large amounts, or when additional verification is required.

6. Which authentication method is more secure?

  • Both Frictionless and Challenge authentication are secure, as they follow 3DS2 security standards.

  • Challenge authentication provides an extra layer of protection by ensuring that the actual cardholder is making the transaction.

7. What happens if a transaction does not support 3DS?

  • If a transaction is 2D Secure (2DS) (without 3D Secure), it will likely be declined by the gateway for security reasons.

  • Merchants should ensure that all cards used support 3DS authentication.

8. How can I test 3DS transactions?

You can use the following test cards for different scenarios:

  • 3DS1 Test Card: 5506900140100305 (OTP Required)

  • 3DS2 Frictionless Test Card: 5123456789012346 (No OTP)

  • 3DS2 Challenge Test Card: 5123450000000008 (OTP Required)

For more details, refer to:
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code

XPay API - Payment Intent (PI) and Client Secret FAQ

1. What is pi_client_secret in XPay API?

The pi_client_secret is a unique identifier required for confirming a payment. It is generated when a Payment Intent (PI) is created.

2. Is pi_client_secret the same as PI ID?

No, pi_client_secret is NOT the same as the Payment Intent (PI) ID. It is a separate parameter included in the API response when creating a Payment Intent.

3. Where can I find pi_client_secret?

It is present in the Create Payment Intent API response. You must store this value and use it for the payment confirmation process.

4. What is the difference between PI ID and pi_client_secret?

Parameter

Description

Payment Intent ID (PI ID)

A unique identifier for tracking the payment transaction.

pi_client_secret

A secret key required to confirm the payment securely.

5. Why is pi_client_secret necessary?

  • It ensures that only authorized entities can confirm a payment.

  • It helps maintain the security of the payment flow by preventing unauthorized access.

6. Do I need to store pi_client_secret?

Yes, you should store pi_client_secret temporarily until the payment is successfully confirmed.

7. Can I use the PI ID instead of pi_client_secret for payment confirmation?

No, the pi_client_secret is mandatory for confirming a payment. The PI ID alone is insufficient.

8. Where can I find more details about Payment Intent API?

For API documentation and integration examples, check:
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code

XPay API - "Payment Method is Already Attached" Error FAQ

1. What does the "Payment Method is Already Attached" error mean?

This error occurs when the same Payment Method (e.g., card details) is being used multiple times within the same Payment Intent (PI). The payment method is already linked to the PI and does not need to be reattached

2. Why am I getting this error?

You may be encountering this issue due to one of the following reasons:

  • The payment method was already attached to the Payment Intent (PI) in a previous request.

  • A duplicate API request is being made after the PI has already been confirmed or captured.

  • The Payment Intent has already been completed, and another attempt is being made using the same payment method.

3. How can I fix this issue?

Here are a few solutions:
Check if the Payment Intent (PI) has already been captured or confirmed before making another request.
Do not reattach the payment method if it has already been linked to the PI.
✅ Ensure that duplicate API calls are not being made in your integration.
✅ If payment has already been processed, create a new Payment Intent for a new transaction instead of reusing the same one.

4. How do I verify if a Payment Intent has already been captured?

You can check the status of the Payment Intent via the API before proceeding with another payment request. Look for the following statuses:

  • Succeeded: Payment has already been captured.

  • Processing: The payment is still being processed.

  • Requires Confirmation: The payment method is attached, but confirmation is pending.

5. Where can I find more details on Payment Intent handling?

📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code

XPay API - Handling success Key in confirmPayment Response

1. Why am I getting undefined for responseStatus, success, and data in confirmPayment?

If responseStatus, success, and data are undefined, it usually means:

  • There is an issue with the API request parameters (e.g., invalid clientSecret, customer, or encryptionKey).

  • The API call is failing silently or not returning the expected response format.

  • The confirmPayment function is not properly awaiting or handling the response.

2. How can I properly handle the success key?

Instead of directly destructuring success, handle the response using message and error keys:

Correct Approach:

Code Block
javascript

CopyEdit

const response = await xpay.confirmPayment("card", clientSecret, customer, encryptionKey); if (response) { const { message, error } = response; if (!error) { console.log("Payment successful:", message); } else { console.log("Payment failed:", message); } } else { console.log("No response received from confirmPayment API."); }

3. Why is error used instead of success?

In the confirmPayment response:

  • If error is false, it means the payment was successful.

  • If error is true, it means the payment failed.

  • success may not be explicitly returned, so handling error is the correct approach.

4. What should I check if the issue persists?

  • Ensure clientSecret, customer, and encryptionKey are correct and valid.

  • Check for network issues or API failures.

  • Log the entire response to debug missing keys:

    Code Block
    javascript

    CopyEdit

    console.log("Full API Response:", response);

5. Where can I find more details on API responses?

📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code

XPay API - Retrieving Complete Transaction Details

1. How can I retrieve complete transaction details, including card and payment details?

To fetch detailed transaction information, including card details and payment details, follow these methods:

A. Retrieve Payment Intent API (Get PI Details)

📌 API Name: Retrieve Payment Intent
🔗 Documentation: XPay API Docs

Request:

Code Block
http

CopyEdit

GET /v1/payment_intents/{paymentIntentId}

Required Parameters:

  • paymentIntentId (PI ID) → The Payment Intent ID for which details are needed

Limitations:

  • This API provides only basic payment intent details, not full transaction information.

  • It does not return complete card or payment details.

...

B. Webhook for Full Transaction Details

For complete transaction details, including card details, payment details, and the timeline of events, use the webhook.

📌 Webhook contains:
Transaction timeline (payment status updates)
Card details (masked card number, issuer, etc.)
Payment details (amount, currency, gateway response, etc.)

🔗 Webhook Guide: Available in the XPay API Docs

Steps to Use Webhook:

  1. Register a webhook endpoint in your system.

  2. Capture the transaction data sent by XPay on payment updates.

  3. Parse the webhook payload to retrieve full transaction details.

...

2. Why doesn’t the Retrieve Payment Intent API return full transaction details?

  • The Retrieve Payment Intent API focuses only on the Payment Intent (PI), not the complete transaction.

  • Detailed payment information (such as card details) is stored and sent only via webhook for security reasons.

...

3. Where can I see full transaction details like in XPay Admin Panel (/xpay/transactions/{transactionID})?

To retrieve details similar to what is available at https://xap-stage.xstak.com/xpay/transactions/{transactionID}, use the Webhook API, as it includes:

  • Transaction ID

  • Card details (masked card number)

  • Gateway response

  • Timeline of the transaction

📌 Alternative:

  • If you need a custom API to fetch transaction details directly, check with the XPay support team for additional API access.

...

4. How can I confirm that my webhook is working?

  1. Ensure your webhook URL is registered in the XPay system.

  2. Use a tool like Postman or RequestBin to inspect incoming webhook data.

  3. Check logs in your system to verify if XPay is sending webhook events.

🔗 Webhook Documentation: Available in the Postman API Collection

...

5. Summary: Best Approach to Get Full Transaction Details

Requirement

API to Use

Contains Complete Transaction Info?

Basic Payment Intent details

Retrieve Payment Intent API

❌ Limited details

Complete transaction details (card info, timeline, etc.)

Webhook API

✅ Yes

XPay API - ConfirmPayment SDK Method & API Calls

1. What API calls do I need to make for a complete payment process?

For a full transaction flow in XPay, you need to follow these steps:

Step

API Name

Purpose

API Endpoint (Postman Docs)

1️⃣ Create Payment Intent

Create Payment Intent API

Initializes a payment intent & returns pi_client_secret

View API

2️⃣ Confirm Payment (SDK Method, Not API)

confirmPayment SDK Method

Confirms payment using pi_client_secret

Handled via SDK (not API)

3️⃣ Capture Authorized Payment (If using authorization flow)

Capture an Authorized Amount API

Captures a pre-authorized payment

View API

4️⃣ Retrieve Payment Intent Details

Get PI Details API

Retrieves status & details of a payment intent

View API

...

2. Where is the ConfirmPayment API?

There is no separate API for confirmPayment. This is an SDK method that must be called after creating a payment intent.

📌 How to use ConfirmPayment in SDK?

Code Block
const { message, responseStatus, success, data } = await xpay.confirmPayment( "card", // Payment method clientSecret, // Received from Create Payment Intent API customer, // Customer details encryptionKey // Required encryption key );

Handling Success Response:

Code Block
const { message, error } = await xpay.confirmPayment(...); if (!error) { console.log("Payment successful"); } else { console.log("Payment failed"); }

🔗 SDK Documentation: Refer to Notion Guide

...

3. What is pi_client_secret, and where do I get it?

  • pi_client_secret is not the Payment Intent ID (PI ID).

  • It is returned in the Create Payment Intent API response and must be used in confirmPayment.

📌 Example Create Payment Intent Response:

Code Block
json
Code Block
{ "id": "pi_123456789", "client_secret": "pi_client_secret_abc123", "status": "requires_confirmation" }

  • Use client_secret in the confirmPayment SDK method.

...

4. When should I call the Capture an Authorized Amount API?

  • If your payment flow uses authorization before capturing funds, you must call this API after payment confirmation to finalize the transaction.

  • If you are using a direct payment flow, no need to call this API.

📌 Example Request to Capture Payment:

Code Block
http
Code Block
POST /v1/payment_intents/{paymentIntentId}/capture

🔗 View API Documentation

...

5. How do I get full transaction details after confirming payment?

  • Use Retrieve Payment Intent API to check payment status.

  • For complete details (card info, transaction timeline, etc.), use Webhook API.

🔗 Retrieve Payment Intent API: View API
🔗 Webhook API (Recommended for full details): View API

...

6. Summary: Complete Payment Flow

Step

Required Action

API/Method

1️⃣ Create Payment Intent

Initialize payment & get client_secret

Create Payment Intent API

2️⃣ Confirm Payment

Confirm using SDK

confirmPayment SDK Method

3️⃣ Capture (if applicable)

Capture an authorized payment

Capture an Authorized Amount API

4️⃣ Retrieve Transaction Details

Get payment details

Get PI Details API / Webhook