How can I retrieve my Public Key and HMAC Secret Key?
To retrieve your Public Key and HMAC Secret Key, follow these steps:
Log in to the portal.
Navigate to Settings from the dashboard.
Select Store Info:
Within the Settings menu, locate and click on the Store Info option.
Click on Key Details:
In the Store Info section, find and click on the Key Details tab or button.
Retrieve Keys and Secrets:
Under the Key Details section, you will find the following credentials:
Public Key
Secret Key
API HMAC Secret
Webhook HMAC Secret
Where can I find the Key Details section?
The Key Details section is available under Settings > Store Info. Click on Key Details to access your required keys.
What is the Public Key used for?
The Public Key is used for encryption and secure communication between your application and the portal.
What is the API HMAC Secret Key?
The API HMAC Secret Key is used to authenticate API requests, ensuring the integrity and security of the transmitted data.
What is the Webhook HMAC Secret Key?
The Webhook HMAC Secret Key is used to validate webhook notifications received from the system, confirming that they originate from an authorized source.
Can I regenerate my keys?
Yes, in some cases, you may have the option to regenerate keys from the Key Details section. However, be cautious, as regenerating keys may require updating your integrations accordingly. If you update the keys on the XPay portal you need to make sure to update on the app environment (where they integrating our SDK).
Who should have access to these keys?
These keys should be accessed only by authorized personnel, as they are critical for secure system integration and communication.
keyValue and encpKeyValue parameters in the confirmPayment() method?keyValue and encpKeyValue are dynamic values required to confirm a payment using the confirmPayment() method. These values are unique for each transaction and are necessary for securely processing payments.
keyValue and encpKeyValue?These values should be fetched dynamically through an API call. They are not static keys that can be retrieved from the dashboard.
The relevant API call to obtain keyValue and encpKeyValue is available in the XPay API documentation. Kindly refer to the API Docs: Postman API Documentation.
keyValue and encpKeyValue for reuse?No, these values are dynamically generated for each transaction and should be fetched in real time when confirming payment.
For a better understanding of the payment flow, you can refer to the XPay public demo repository: GitHub Repository.
keyValue and encpKeyValue are not correctly fetched?The payment confirmation process will fail if these values are not correctly retrieved. Ensure that the correct API call is made before invoking confirmPayment().
What is the X-signature in the API request?
The X-Signature is a SHA-256 HMAC signature used for verifying the authenticity of API requests for payment intents. It ensures that the request is coming from a trusted source and has not been tampered with.
How is the X-Signature generated?
The X-signature is generated using a combination of the HMAC secret key and SHA-256 hashing algorithm. The specific process involves hashing the request payload or required parameters using the secret key.
What server-side languages can be used to generate the X-Signature?
You can generate the X-Signature using any server-side language that supports HMAC with SHA-256. Examples include:
Node.js
Python
PHP
Java
Ruby
Sample X-Signature Generation in Node.js
Here is a sample implementation in Node.js:
const crypto = require('crypto');
function generateXSignature(secret, data) {
return crypto.createHmac('sha256', secret)
.update(data)
.digest('hex');
}
const secretKey = 'your_secret_key';
const requestData = 'your_request_payload';
const xSignature = generateXSignature(secretKey, requestData);
console.log('X-Signature:', xSignature); |
Where can I find a reference implementation?
A reference implementation for generating the X-Signature is available in the server.js file of the sample repository provided by the API documentation. https://github.com/XStakCommerce/xpay-element-public-demo/tree/stage
What should I do if I encounter errors?
If you receive errors while generating the X-Signature, check the following:
Ensure you are using the correct secret key.
Verify that the data being hashed matches the expected format.
Confirm that your hashing algorithm is HMAC with SHA-256.
Check for encoding issues (ensure consistent character encoding across systems).
Refer to the sample implementation in the provided repository.
Who should I contact for support?
If you continue to face issues, please reach out to the support team with details of your implementation, including:
The server-side language used
A sample of the data being hashed
Any error messages received
Account ID
Environment (Stage or Live)
SDK version
XPay PI ID
Complete request and response
For further assistance, refer to the API documentation or the sample repository for additional guidance.
When making an API request, the following error is returned:
{
"success": false,
"responseStatus": "BAD_REQUEST",
"message": "Invalid signature key in headers",
"error": {}
} |
Ensure that the signature is generated using the exact payload that is being sent in the API request.
Any modification to the payload after signature generation will result in an invalid signature.
The payload used for signing must be identical to the request payload.
If any field is missing or changed after signature creation, the signature will be invalid.
Use the correct API HMAC Secret for signing the request.
Example of an API HMAC Secret:
5c0ed92e74148c8919d06666001c5005352f0e651fe08d6ac91cb7188da7f34c |
Ensure no extra spaces or incorrect characters are included.
The signature should be included in the headers properly:
Authorization: HMAC-SHA256 Signature={your_generated_signature} |
Ensure that the hashing algorithm used is SHA256.
gateway_instance_idEnsure the gateway_instance_id is retrieved correctly from gateways settings.
If missing or incorrect, update it accordingly.
{
"amount": 10,
"currency": "PKR",
"payment_method_types": "card",
"customer": {
"name": "John Doe",
"email": "john.doe@example.com",
"phone": "+920123456789"
},
"shipping": {
"address1": "123 Street",
"city": "Lahore",
"country": "Pakistan",
"province": "Punjab",
"zip": "54000"
},
"metadata": {
"order_reference": "ORDER12345"
},
"gateway_instance_id": "your_gateway_instance_id"
} |
Verify Payload: The payload used for signing must be the same as the request payload.
Correct Secret Key: Use the exact API HMAC Secret.
Check Headers: Ensure the signature is correctly formatted.
Gateway Instance ID: Confirm it is correctly retrieved.
Signature Algorithm: Use HMAC-SHA256 for signing.
If the issue persists, double-check the implementation of the signing process and compare it with the API documentation.
To create a Payment Intent, send a request to the following API endpoint:
POST https://xstak-pay-stg.xstak.com/public/v1/payment/intent |
{
"amount": 10,
"currency": "PKR",
"payment_method_types": "card",
"customer": {
"name": "John",
"email": "john@gmail.com",
"phone": "+923095601232"
},
"shipping": {
"address1": "48 LOO Road",
"city": "Lahore",
"country": "Pakistan",
"province": "Punjab",
"zip": "54000"
},
"metadata": {
"order_reference": ""
},
"gateway_instance_id": "102040" // Retrieve from gateways in settings
} |
{
"success": true,
"responseStatus": "OK",
"message": "Request processed successfully.",
"data": {
"_id": "xpay_pi_<payment_intent_id>",
"pi_client_secret": "xpay_pi_<payment_intent_id>_cs_<client_secret>",
"created_at": "<timestamp>",
"amount": 10,
"currency": "PKR"
}
} |
Possible Causes:
Ensure you are passing the correct pi_client_secret and encrypted_key values received in the Payment Intent response.
Do not use a dummy gateway_instance_id. The system assigns a default test gateway automatically.
If you receive an error while omitting gateway_instance_id, verify if a default test gateway is enabled in your settings.
Use the following method in your Android application:
paymentElement.confirmPayment(
"Test User",
PI_SECRET_ID,
ENCRYPTED_KEY_ID,
this::paymentResponse
);
private Unit paymentResponse(String response) {
Log.e("Payment Response Data", response);
return Unit.INSTANCE;
} |
PI_SECRET_ID: The pi_client_secret received from the Payment Intent API.
ENCRYPTED_KEY_ID: The encrypted public key required for secure transactions.
private static final String PI_SECRET_ID = "xpay_pi_<id>_cs_<secret>"; private static final String ENCRYPTED_KEY_ID = "-----BEGIN PUBLIC KEY-----\n<your_public_key>\n-----END PUBLIC KEY-----\n"; |
For staging:
implementation ("com.github.XStakCommerce:XPay-Element-Android-Native-SDK:stage-1.0.0") |
Ensure your Gradle settings include the required repositories.
Double-check your API request format and required fields.
Ensure you're using the latest SDK version and dependencies.
Verify if the test gateway is correctly configured.
Contact support with the request payload, response, and error logs for further assistance.
The XPay Swift SDK is a payment integration solution for iOS applications that allows seamless transaction processing with XPay’s payment gateway.
You can install the SDK using Swift Package Manager (SPM) or manually by downloading the framework from the official repository.
The SDK supports iOS 13 and later.
To initialize the SDK, you need to:
Import XPaySDK into your project.
Configure API keys and environment settings.
Call the XPay.shared.initialize() method with the required parameters.
The SDK supports various payment methods, including credit/debit cards, mobile wallets, and bank transfers (depending on merchant configuration).
Use the XPay.shared.createPaymentRequest() method with the necessary transaction details, including:
Amount
Currency
Order ID
Customer details
The SDK provides callbacks to handle payment responses:
Success: Returns a transaction ID and status.
Failure: Returns an error code with a message.
Yes, the SDK supports subscription-based payments, allowing recurring billing setup for merchants.
Error handling is managed through predefined error codes and messages, which can be retrieved from the SDK response.
Yes, the SDK follows industry-standard encryption and security protocols, including PCI DSS compliance, to ensure safe transactions.
Yes, the SDK provides customization options to modify UI elements according to your app’s design.
You can refer to the official documentation or contact XPay support for any integration-related queries.
We have recently introduced the following key features:
Subscription/Recurring Payments – Allows automatic billing for subscriptions.
Payment Routing – Routes payments across multiple gateways for better success rates.
Automatic Retries – Retries failed transactions on alternative gateways automatically.
The SDK enables merchants to set up automated recurring payments for customers. Once configured, payments are processed at scheduled intervals without requiring manual input.
Yes, merchants can provide options for customers to modify, pause, or cancel subscriptions through their app’s settings.
Payment routing ensures optimal gateway selection for each transaction based on predefined rules such as:
Payment method availability
Transaction success rate
Gateway downtime or performance metrics
This improves transaction success rates and reduces failures.
If a payment fails on one gateway, the SDK automatically retries it on an alternative payment gateway (if configured) to increase the likelihood of a successful transaction.
Yes, merchants can define custom rules and priorities for routing payments based on their business needs.
Automatic retries are applicable based on the payment method and merchant settings, ensuring a seamless retry process without requiring user intervention.
By intelligently routing payments and automatically retrying failures, the SDK significantly reduces failed transactions, ensuring a smoother checkout experience.
Merchants need to configure these features via their XPay account settings to activate them for their business.
We’d be happy to walk you through these features in detail. Please let us know a suitable time for a call with our team to discuss the implementation and benefits further.
The XPay SDKs for Android (Kotlin) and iOS (Swift) provide seamless payment integration for mobile applications using XPay’s payment gateway.
You can access the complete documentation, including SDK links and sample integrations, here:
🔗 XPay Developer API Docs
iOS SDK – Supports iOS 13 and later (Swift)
Android SDK – Supports Android 5.0 (Lollipop) and later (Kotlin)
Both SDKs support:
Credit/Debit Cards
Mobile Wallets
Bank Transfers
Subscription Payments (New Feature)
Swift SDK: Install via Swift Package Manager (SPM) or manually.
Kotlin SDK: Install via Gradle using the provided repository link in the docs.
The documentation provides step-by-step integration guides and sample implementations to simplify the process.
The SDKs include:
✅ Subscription/Recurring Payments – Automate recurring transactions.
✅ Payment Routing – Intelligent routing across multiple gateways.
✅ Automatic Retries – Retry failed payments on alternate gateways.
✅ Customizable UI – Modify payment UI elements to match your app’s design.
The SDKs provide callbacks for:
Success: Returns transaction details.
Failure: Returns an error code and message for debugging.
Both SDKs follow PCI DSS compliance and end-to-end encryption to ensure secure transactions.
If you have any questions, please refer to the documentation or reach out to the XPay support team for assistance.
No, backend integration only requires REST API calls. There is no SDK needed for the backend.
For web applications, you should use the XPay JavaScript SDK, which provides an end-to-end integration for handling payments.
The GitHub repository contains a fully integrated JavaScript SDK example, which you can refer to for implementation. The link is available in the XPay Developer API Docs:
🔗 XPay Developer API Docs
Yes, the JavaScript SDK includes pre-built UI components to streamline the payment process.
No, PHP or any backend system only needs to interact with XPay via REST APIs for payment processing.
The JavaScript SDK handles:
✅ Payment processing
✅ Subscription payments
✅ Payment routing & retries
✅ Secure tokenization
Yes, the JavaScript SDK allows UI and functional customizations to match your business needs.
A detailed step-by-step guide is available in the Notion document provided by XPay. Please refer to it for complete instructions.
Yes, you can check the demo app for Android Native, which provides practical insights into the integration process.
Mobile: Android (Kotlin), iOS (Swift)
Web: JavaScript SDK
Backend: REST API (No SDK required)
The document includes:
✅ SDK setup and installation
✅ API integration details
✅ Payment processing steps
✅ Subscription & recurring payments
✅ Error handling & troubleshooting
Here’s a detailed FAQ tailored for API users based on the content in the provided links. This FAQ addresses common queries related to integrating with XPay through its REST API:
The XPay API is a set of RESTful API endpoints designed to integrate payment processing into your website or application. It allows you to manage transactions, create payment links, process payments, and retrieve payment statuses.
To start using the XPay API:
Obtain API Credentials: You'll need your Account ID, Email, and Password to authenticate API requests.
Access the API Base URL: The API Base URL for staging is https://xstak-pay-stg.xstak.com.
Consult Documentation: Refer to the Postman collection and the API documentation for step-by-step integration instructions.
Test in Staging Environment: Use the staging environment to test your integration before going live.
To integrate with the XPay API, you need:
Account ID: Unique identifier provided after account creation.
Email and Password: Credentials used for API authentication.
These details will allow you to make secure API requests and interact with the system.
The XPay API uses standard authentication mechanisms such as API key-based authentication to authenticate all requests.
Authentication Method: Use your Account ID and Password in the request header to authenticate API calls.
Refer to the API documentation for the exact headers and authentication method to use.
To create a payment link through the XPay API:
Call the Payment Links API: Use the appropriate endpoint to generate a new payment link.
Provide Payment Details: You’ll need to pass parameters such as the payment amount, description, and any other necessary details.
Receive Payment Link: After successfully creating the link, the API will return the payment URL, which you can share with the customer.
Refer to the API documentation for detailed instructions on making the correct API call.
To process payments, you will:
Create a Payment Request: Submit the transaction details to the XPay API.
Wait for Response: The API will return a response with the payment status (success, failure, etc.).
Handle Responses: Based on the response, you can display appropriate messages to users or trigger further actions like order processing.
You can refer to the Postman collection for sample requests and responses.
The base URL for making API requests in the staging environment is:
Staging Base URL: https://xstak-pay-stg.xstak.com
Ensure all API calls are made to this base URL during testing.
To check the payment status:
Use the Payment Status API Endpoint: You can pass a transaction ID or payment reference to retrieve the payment status.
API Response: The response will include details such as whether the payment was successful, pending, or failed.
Refer to the API documentation for the exact API call and required parameters.
The XPay API allows for refund requests to be processed.
Refund API Endpoint: Use the specific endpoint to initiate a refund based on the transaction details.
Parameters: Pass the transaction ID and the refund amount.
Refund Confirmation: The API will return a response confirming the success or failure of the refund process.
XPay provides a staging environment for testing your integration before going live.
Staging API Base URL: https://xstak-pay-stg.xstak.com
XAP Staging URL: https://xap-stage.xstak.com
Test Transactions: Use the staging environment to simulate real-world transactions and validate your integration.
Yes, you can integrate the XPay API with your existing platform:
Use the Payment Links API to generate links for payments.
Use the Transaction APIs to process payments and manage payment statuses.
Refer to the API documentation for the endpoints and methods that will work with your platform.
Yes, the XPay API is designed for backend integration:
REST API: You will interact with XPay through REST API calls to process payments, create payment links, and manage transactions.
No SDK Required: Unlike frontend integration, backend processing does not require an SDK, only API calls.
For mobile app integration (iOS/Android), use the appropriate SDK:
The JavaScript SDK can be used for web applications, while the mobile SDKs (Swift for iOS and Kotlin for Android) are used for native mobile apps.
For backend integration, use the XPay REST API to handle payment processing.
Yes, you can customize the payment form by modifying the design and layout to fit your website's theme. However, for payment processing, the form needs to meet security standards set by XPay.
Refer to the integration documentation to ensure you're meeting the security requirements while customizing the form.
You can access the XPay API documentation and sample integrations in the following resources:
Postman Collection: XPay API Collection on Postman
GitHub Repository: XPay Sample Integration on GitHub
Yes, XPay provides a sample integration to help you understand how the API works. You can access the sample integration in the GitHub repository, which contains working code for processing payments and handling transactions.
If you encounter issues during integration, the first step is to:
Check the API documentation for common integration mistakes.
Validate your API credentials to ensure they are correctly configured.
Test in the staging environment to ensure the issue isn’t related to your live account.
Here is a comprehensive FAQ covering all possible client queries related to XPay API integration:
XPay is a payment gateway that enables businesses to accept online payments through various methods, including credit/debit cards, mobile wallets, and bank transfers. It provides a REST API for integrating payment processing into websites and applications.
XPay API is designed for:
E-commerce platforms
Subscription-based services
Mobile apps
Custom business applications
Developers building checkout solutions
Seamless integration into websites, mobile apps, and backend systems.
Secure transactions with industry-standard encryption.
Multiple payment methods supported.
Real-time transaction monitoring.
Easy API setup and extensive documentation.
Sign up for an XPay account.
Obtain API credentials (Account ID, Email, and Password).
Access the staging environment for testing.
Review the API documentation and sample integrations.
Implement API calls for payments, refunds, and status checks.
Perform end-to-end testing.
Go live with production credentials.
Staging API URL: https://xstak-pay-stg.xstak.com
Production API URL: Provided after successful testing and approval.
XPay uses API key-based authentication. Your Account ID and Password must be included in the request headers to authenticate API calls.
Create a payment request using the API.
Send transaction details (amount, currency, customer info, etc.).
Redirect the customer to the payment page (if applicable).
Receive a payment response (success, failure, or pending).
Yes, XPay supports multiple currencies and international transactions, subject to merchant account settings.
Credit/Debit Cards (Visa, Mastercard, etc.)
Mobile Wallets
Bank Transfers
UPI Payments (if enabled)
Other local payment methods
If a payment fails, the API response will include a failure reason, such as:
Insufficient funds
Card declined
Invalid payment details
Network issues
Merchants can prompt users to retry the payment or use an alternative method.
Call the Create Payment Link API endpoint.
Pass required parameters like amount, currency, and description.
Receive a unique payment link in response.
Share the link with customers via email, SMS, or chat.
Yes, merchants can customize:
Branding (logo, colors, themes)
Payment methods displayed
Transaction messages and success pages
Refer to the developer guide for customization options.
Use the redirect URL parameter in your API request to specify where the customer should be sent after payment success/failure.
Call the Refund API with the original transaction ID.
Specify the amount to refund (full or partial).
Receive a response confirming the refund status.
Refunds usually take 5-7 business days, depending on the payment method and bank policies.
Yes, payments in a pending state can be canceled using the Cancel Payment API.
Chargebacks are handled by the bank. Merchants will be notified via API and required to provide transaction proof.
Yes, XPay follows PCI DSS compliance to ensure secure transactions.
Use HTTPS for all API requests.
Secure API keys and credentials.
Implement token-based authentication if required.
Monitor API logs for suspicious activities.
Yes, card tokenization is supported to allow secure one-click payments without storing sensitive card details.
Call the Payment Status API with the transaction ID to retrieve the latest payment status.
Yes, XPay provides API endpoints to fetch transaction history and reports in CSV or JSON format.
Merchants can use Webhooks to receive real-time notifications for:
Payment success
Payment failure
Refund processed
Chargeback initiated
Check the error code and message in the API response. Common errors include:
401 Unauthorized: Invalid API credentials
400 Bad Request: Missing or incorrect parameters
500 Internal Server Error: Server-side issue (retry later)
API logs are available in the developer dashboard for tracking request/response details.
Ensure you have a stable internet connection and check for network latency. Increase the API timeout limit if necessary.
Review the Postman collection for sample API requests.
Refer to the GitHub repository for working examples.
Contact XPay support for assistance.
Complete testing in the staging environment.
Submit a request for live credentials.
Update API base URL to the production endpoint.
Perform a live test transaction.
Merchants must provide:
A verified business account.
Compliance with security and fraud prevention guidelines.
A successful test transaction history.
You can access the API documentation here:
📌 Postman Collection: XPay API Documentation
📌 GitHub Repository: XPay Sample Integration
For integration assistance, reach out to XPay developer support via:
Email: support@xpay.com
Live Chat: Available on the XPay portal
Developer Community: Forums & Slack channels
Here’s the FAQ addressing the client's query regarding Payment Intent API flow and integration on the app side:
On the website, the user enters card details, the script verifies the card, and then a Payment Intent API call is made. Upon successful payment, the response includes clientSecret and encryption keys.
On the app, the process is slightly different:
The Payment Intent API call happens first.
The response contains clientsecret and encryption keys.
These parameters are then used for the confirmPayment SDK method to complete the payment.
These parameters are not received after the payment, but rather after the Payment Intent API call. They are used to confirm the payment in the next step.
The website flow uses direct script verification before making the Payment Intent API call, whereas the app flow requires calling the Payment Intent API first to generate the required parameters for payment confirmation.
Follow these steps:
Call the Payment Intent API first.
Extract clientSecret and encryption keys from the response.
Use these parameters in the confirmPayment SDK method to complete the payment.
If the confirmPayment SDK method is not called using the received parameters, the payment will not be processed, and the transaction will remain incomplete.
Refer to the XPay API documentation for app-specific integration guidelines:
📌 Postman Collection: XPay API Documentation
📌 GitHub Repository: XPay SDK & Sample Code
When attempting a 2D payment on the Android app, an exception is thrown because 2D Secure (2DS) payments are not supported. These transactions are automatically declined by the payment gateway.
A 2D payment is a transaction where card authentication does not require an additional security layer, such as OTP verification (One-Time Password) or biometric authentication. These payments are considered high risk and are usually blocked by gateways.
Most modern payment gateways follow 3D Secure (3DS) protocols, which add an extra layer of security to protect against fraud. Transactions without this security layer (i.e., 2D payments) are automatically rejected.
To ensure successful transactions, 3D Secure (3DS) authentication must be enabled. This means:
Use cards that support 3D Secure authentication.
Ensure that the gateway being used supports 3DS transactions.
Implement proper redirection or in-app handling for 3DS authentication (OTP verification, biometric, etc.).
Contact the issuing bank to confirm if the card is 3DS enabled.
Attempt the payment using a different 3DS-supported card.
No, 2D payments cannot be enabled, as they are blocked by the gateway for security reasons. All payments must follow 3D Secure (3DS) authentication standards.
For details on payment methods and security requirements, refer to:
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code
3D Secure (3DS) is an additional security layer for online card payments that helps prevent fraud by authenticating the cardholder during a transaction.
3DS1: The earlier version, where OTP (One-Time Password) is required for authentication.
3DS2: The latest version, which introduces two types of authentication:
Frictionless (No OTP required)
Challenge (OTP required)
Type | Card Example | OTP Required? | Description |
|---|---|---|---|
3DS1 |
| ✅ Yes | OTP-based authentication, requires manual input. |
3DS2 - Frictionless |
| ❌ No | Authentication happens in the background without user input. |
3DS2 - Challenge |
| ✅ Yes | Requires OTP or biometric verification before processing. |
If a card supports Frictionless 3DS2, the bank automatically verifies the transaction without requiring an OTP.
This reduces customer friction and speeds up the checkout process.
If a card requires Challenge 3DS2, the bank mandates OTP verification before processing the transaction.
This happens for high-risk transactions, large amounts, or when additional verification is required.
Both Frictionless and Challenge authentication are secure, as they follow 3DS2 security standards.
Challenge authentication provides an extra layer of protection by ensuring that the actual cardholder is making the transaction.
If a transaction is 2D Secure (2DS) (without 3D Secure), it will likely be declined by the gateway for security reasons.
Merchants should ensure that all cards used support 3DS authentication.
You can use the following test cards for different scenarios:
3DS1 Test Card: 5506900140100305 (OTP Required)
3DS2 Frictionless Test Card: 5123456789012346 (No OTP)
3DS2 Challenge Test Card: 5123450000000008 (OTP Required)
For more details, refer to:
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code
pi_client_secret in XPay API?The pi_client_secret is a unique identifier required for confirming a payment. It is generated when a Payment Intent (PI) is created.
pi_client_secret the same as PI ID?No, pi_client_secret is NOT the same as the Payment Intent (PI) ID. It is a separate parameter included in the API response when creating a Payment Intent.
pi_client_secret?It is present in the Create Payment Intent API response. You must store this value and use it for the payment confirmation process.
pi_client_secret?Parameter | Description |
|---|---|
Payment Intent ID (PI ID) | A unique identifier for tracking the payment transaction. |
pi_client_secret | A secret key required to confirm the payment securely. |
pi_client_secret necessary?It ensures that only authorized entities can confirm a payment.
It helps maintain the security of the payment flow by preventing unauthorized access.
pi_client_secret?Yes, you should store pi_client_secret temporarily until the payment is successfully confirmed.
pi_client_secret for payment confirmation?No, the pi_client_secret is mandatory for confirming a payment. The PI ID alone is insufficient.
For API documentation and integration examples, check:
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code
This error occurs when the same Payment Method (e.g., card details) is being used multiple times within the same Payment Intent (PI). The payment method is already linked to the PI and does not need to be reattached
You may be encountering this issue due to one of the following reasons:
The payment method was already attached to the Payment Intent (PI) in a previous request.
A duplicate API request is being made after the PI has already been confirmed or captured.
The Payment Intent has already been completed, and another attempt is being made using the same payment method.
Here are a few solutions:
✅ Check if the Payment Intent (PI) has already been captured or confirmed before making another request.
✅ Do not reattach the payment method if it has already been linked to the PI.
✅ Ensure that duplicate API calls are not being made in your integration.
✅ If payment has already been processed, create a new Payment Intent for a new transaction instead of reusing the same one.
You can check the status of the Payment Intent via the API before proceeding with another payment request. Look for the following statuses:
Succeeded: Payment has already been captured.
Processing: The payment is still being processed.
Requires Confirmation: The payment method is attached, but confirmation is pending.
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code
success Key in confirmPayment Responseundefined for responseStatus, success, and data in confirmPayment?If responseStatus, success, and data are undefined, it usually means:
There is an issue with the API request parameters (e.g., invalid clientSecret, customer, or encryptionKey).
The API call is failing silently or not returning the expected response format.
The confirmPayment function is not properly awaiting or handling the response.
success key?Instead of directly destructuring success, handle the response using message and error keys:
javascript |
CopyEdit
const response = await xpay.confirmPayment("card", clientSecret, customer, encryptionKey); if (response) { const { message, error } = response; if (!error) { console.log("Payment successful:", message); } else { console.log("Payment failed:", message); } } else { console.log("No response received from confirmPayment API."); }
error used instead of success?In the confirmPayment response:
If error is false, it means the payment was successful.
If error is true, it means the payment failed.
success may not be explicitly returned, so handling error is the correct approach.
Ensure clientSecret, customer, and encryptionKey are correct and valid.
Check for network issues or API failures.
Log the entire response to debug missing keys:
javascript |
CopyEdit
console.log("Full API Response:", response);
📌 XPay API Documentation: XPay API Docs
📌 GitHub Repository: XPay SDK & Sample Code
To fetch detailed transaction information, including card details and payment details, follow these methods:
Get PI Details)📌 API Name: Retrieve Payment Intent
🔗 Documentation: XPay API Docs
Request:
http |
CopyEdit
GET /v1/payment_intents/{paymentIntentId}
Required Parameters:
paymentIntentId (PI ID) → The Payment Intent ID for which details are needed
Limitations:
This API provides only basic payment intent details, not full transaction information.
It does not return complete card or payment details.
For complete transaction details, including card details, payment details, and the timeline of events, use the webhook.
📌 Webhook contains:
✔ Transaction timeline (payment status updates)
✔ Card details (masked card number, issuer, etc.)
✔ Payment details (amount, currency, gateway response, etc.)
🔗 Webhook Guide: Available in the XPay API Docs
Steps to Use Webhook:
Register a webhook endpoint in your system.
Capture the transaction data sent by XPay on payment updates.
Parse the webhook payload to retrieve full transaction details.
Retrieve Payment Intent API return full transaction details?The Retrieve Payment Intent API focuses only on the Payment Intent (PI), not the complete transaction.
Detailed payment information (such as card details) is stored and sent only via webhook for security reasons.
/xpay/transactions/{transactionID})?To retrieve details similar to what is available at https://xap-stage.xstak.com/xpay/transactions/{transactionID}, use the Webhook API, as it includes:
Transaction ID
Card details (masked card number)
Gateway response
Timeline of the transaction
📌 Alternative:
If you need a custom API to fetch transaction details directly, check with the XPay support team for additional API access.
Ensure your webhook URL is registered in the XPay system.
Use a tool like Postman or RequestBin to inspect incoming webhook data.
Check logs in your system to verify if XPay is sending webhook events.
🔗 Webhook Documentation: Available in the Postman API Collection
Requirement | API to Use | Contains Complete Transaction Info? |
|---|---|---|
Basic Payment Intent details |
| ❌ Limited details |
Complete transaction details (card info, timeline, etc.) | Webhook API | ✅ Yes |
For a full transaction flow in XPay, you need to follow these steps:
Step | API Name | Purpose | API Endpoint (Postman Docs) |
|---|---|---|---|
1️⃣ Create Payment Intent |
| Initializes a payment intent & returns | |
2️⃣ Confirm Payment (SDK Method, Not API) |
| Confirms payment using | Handled via SDK (not API) |
3️⃣ Capture Authorized Payment (If using authorization flow) |
| Captures a pre-authorized payment | |
4️⃣ Retrieve Payment Intent Details |
| Retrieves status & details of a payment intent |
There is no separate API for confirmPayment. This is an SDK method that must be called after creating a payment intent.
📌 How to use ConfirmPayment in SDK?
const { message, responseStatus, success, data } = await xpay.confirmPayment( "card", // Payment method clientSecret, // Received from Create Payment Intent API customer, // Customer details encryptionKey // Required encryption key ); |
Handling Success Response:
const { message, error } = await xpay.confirmPayment(...); if (!error) { console.log("Payment successful"); } else { console.log("Payment failed"); } |
🔗 SDK Documentation: Refer to Notion Guide
pi_client_secret, and where do I get it?pi_client_secret is not the Payment Intent ID (PI ID).
It is returned in the Create Payment Intent API response and must be used in confirmPayment.
📌 Example Create Payment Intent Response:
json |
{ "id": "pi_123456789", "client_secret": "pi_client_secret_abc123", "status": "requires_confirmation" } |
Use client_secret in the confirmPayment SDK method.
Capture an Authorized Amount API?If your payment flow uses authorization before capturing funds, you must call this API after payment confirmation to finalize the transaction.
If you are using a direct payment flow, no need to call this API.
📌 Example Request to Capture Payment:
http |
POST /v1/payment_intents/{paymentIntentId}/capture |
Use Retrieve Payment Intent API to check payment status.
For complete details (card info, transaction timeline, etc.), use Webhook API.
🔗 Retrieve Payment Intent API: View API
🔗 Webhook API (Recommended for full details): View API
Step | Required Action | API/Method |
|---|---|---|
1️⃣ Create Payment Intent | Initialize payment & get |
|
2️⃣ Confirm Payment | Confirm using SDK |
|
3️⃣ Capture (if applicable) | Capture an authorized payment |
|
4️⃣ Retrieve Transaction Details | Get payment details |
|