# Aggregate checkout counter payment API documentation

# 1. How to get API Key

Log in to the cash register -> Developer Center -> API Key -> Create API key. Each API Key has its own configuration page and is bound to a fixed IP address ("0.0.0.0" means no IP filtering, so any IP can access it). Different API Keys can be configured to meet different needs. Do not disclose your Access Key and Secret Key, to avoid asset loss. After the Secret Key is generated, it cannot be viewed again, so save it immediately. If you forget the Secret Key, recycle the key pair in the merchant back office and apply for a new key pair.

# 1.1 How to create API KEY

• Click Developer Center -> API Key.

• 1. Choose whether to enable debug mode (when debug mode is enabled, any error returns a standard prompt message and a log view address).

• 2. Select the API Key permissions.

• 3. Enter the whitelist address (0.0.0.0 means any IP address can access).

Note: when entering multiple whitelist IPs, separate them with ",".

• 4. Click Create to generate the API Key.

(After the API Key is generated, you can copy, view, edit, and delete it in the My API KEY list below. The Secret Key appears only once, when it is generated, so save it properly. If you forget the Secret Key, recycle the key pair and apply for a new one.)

• Click Edit to turn [Start Debugging] on or off and to modify the API Key permissions and whitelist address. After the modification is complete, click Save.

Note: after creating or editing an API Key, wait 90 seconds for it to take effect.

# 2. How to use API Key

To use the API Key, add the following parameters to the request header:

| Parameter name | Parameter description | Type | Required |
| --- | --- | --- | --- |
| access_key | API Key access key (e.g. TPhoa7ZQ) | String | Yes |
| timestamp | Millisecond-level timestamp (13 digits, e.g. 1679669488472) | String | Yes |
| nonce | UUID (36 characters, e.g. 02f7a04f-53cc-47d4-bb3f-fae69dab49ac). The five parts are 8, 4, 4, 4, and 12 characters, separated by "-" | String | Yes |
| sign | Parameter signature (e.g. GXx2wYUD6UVr+zcmeCSFFPzcBLA=) | String | Yes |

# 3. Technology side parameter access process

# 4. How to sign the interface

# Signature Description

API requests can be tampered with during transmission over the internet. To ensure that a request has not been changed, all private interfaces (that is, everything except public interfaces such as basic information and market data) must be signed with your API Key, so that the server can verify whether parameters or parameter values changed in transit.

A legitimate request consists of the following parts:

  • access_key: the API access key;
  • secret_key: the key used to compute the signature (visible only once, when applying for an API Key in the back office; copy and save it in a safe place, and do not disclose it);
  • timestamp: the time (UTC) at which you made the request, e.g. 1632811287325 (13 digits). Including this value in a query request helps prevent third parties from intercepting your request;
  • nonce: a random UUID string, e.g. 053a1b81-48a0-4bb1-96b2-60f6e509d911 (36 characters);
  • sign: the value calculated by the signature procedure, which is used to confirm that the request is valid and has not been tampered with;
  • All interfaces must pass the public parameters above, except secret_key, in the HTTP request header. The public parameters are access_key, timestamp, nonce, and sign; any other parameters that take part in the signature are described under each API interface.

# Signature steps

 1. Define a Map (dictionary) object and put the request parameters into it as key-value pairs.

 2. Put access_key, timestamp, and nonce into the Map defined in the first step.

 3. Sort the entries in the Map by key in ascending ASCII (lexicographic) order and convert the Map to a string of the form "key1=value1&key2=value2".

 4. Compute the HMAC_SHA1 of the string from the previous step, keyed with secret_key, and Base64-encode the result to obtain the value of the sign parameter. secret_key is the one belonging to the API Key created on the cashier platform.

 5. Add the sign value and the other required parameters to the request header, and send the request to the target interface.

# Signature debugging tools

  • SignUtil: log in to the cash register -> Developer Center -> API Documentation -> Signature Tool to open the Signature tool page. (Use a valid access_key in the tool, and set the IP whitelist for that access_key to 0.0.0.0. We strongly recommend discarding the access_key used for debugging once debugging is finished.)

# 5. Interface list

# 5.1 Test interface connectivity

request method

GET

Request URL

/ping

response data

{"version":"1.0.1","timestamp":1688116827306}

Response parameter description

| Param | Type | Desc |
| --- | --- | --- |
| version | String | If this parameter is returned, all interfaces in this document can be requested normally |
| timestamp | int64 | Unix timestamp |

# 5.2 Create a new collection order

request method

POST

Request URL

/api/v3/polymerize/createCollectingOrder

Request type

Header: { 'Content-Type': 'application/json;charset=utf-8'}

request header

| Param | Desc | Sample |
| --- | --- | --- |
| access_key | Obtained from the merchant back office | pFqV75X3 |
| timestamp | Unix timestamp, 13 digits, milliseconds | 1679724896223 |
| nonce | UUID V4 | 794c26b0-d33c-4394-b2bb-c485eca16d9e |
| sign | Calculated signature | kAXyh+eerqrefyaF8dyFB0M4FVo= |

request parameters

{
    "externalOrderId":"3333212121213",
    "notifyUrl":"http://192.168.1.106:9999/callback",
    "remark":"wsxtest",
    "returnUrl":"http://192.168.1.106:9999/callback",
    "userIdentity":"2348937596",
    "dynamicAmountNotify":1
}

Description of request parameters

| Param | Desc | Sample | Require |
| --- | --- | --- | --- |
| externalOrderId | Merchant order number, max=64 (String) | 389508808434869257 | required |
| notifyUrl | Notification URL (String, Url) | http://192.168.135:30002/abc | optional |
| remark | Remark, max=255 (String) | 1312425 | optional |
| returnUrl | Return address (String) | http://192.168.135:30002/abc | optional |
| userIdentity | A string ID used as a mapping to the CPF information the user enters at the cash register, which is retained for later use. If the string ID passed matches a stored CPF, the stored CPF is used to submit the order directly. This parameter is only needed when the CPF has already been saved and the CPF input is to be skipped; if it is not saved, the user needs to enter it manually (if this field is not passed, the system will generate a CPF by default) (String) | 2348937596 | optional |
| dynamicAmountNotify | Whether the dynamic amount callback is enabled for Mexican fiat currency. The default value is 1; choose 1 or 2 according to the actual situation | | optional |

response type

Header: { 'Content-Type': 'application/json;charset=utf-8'}

response data

{
    "code": "200",
    "success": true,
    "msg": "成功",
    "msgEn": "SUCCESS",
    "data": "https://cashier.hambit.io?data=...%3D"
}

Response parameter description

| Param | Type | Desc |
| --- | --- | --- |
| data | String | Aggregate cashier address |

# 6. Callback information

# 6.1 How to verify the callback signature

# Signature verification instructions

Requests can be tampered with during transmission over the internet. To ensure that callbacks have not been changed, you can enable signature authentication of the callback parameters. To set it up: log in to the cashier -> Developer Center -> Callback address -> Add.

# Signature verification steps

The overall process is roughly the same as signing, except that the data comes from a different place. When signing, you construct the data yourself; when verifying, you take the data from the received callback (header, JSON).

  1. Take the sign value out of the header.

  2. Define a Map (dictionary) object and put the JSON parameters of the request into it as key-value pairs.

  3. Take access_key, timestamp, and nonce out of the header and put them into the Map defined in the previous step.

  4. Sort the keys in the Map in ascending ASCII (lexicographic) order and convert the Map into a string of the form "key1=value1&key2=value2".

  5. Compute the HMAC_SHA1 of the string from the previous step, keyed with secret_key, and Base64-encode the result. Compare this value with the sign extracted from the header in the first step. If they match, signature verification passes; otherwise it fails. The secret_key used here must be the one that matches the access_key used when placing the order.
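The signing steps in section 4 and the verification steps above share the same canonical string and HMAC, so one added example covers both. It is illustrative Python written for this page, not the platform's own code; the function names, rendering values with str(), lower-case header keys, the five-minute timestamp window and the in-memory nonce set are assumptions the page does not specify.

```python
import base64
import hashlib
import hmac
import time
import uuid


def canonical_string(params):
    # Sort keys in ascending ASCII order and join as key1=value1&key2=value2.
    # Assumption: values are rendered with str(); the page does not say how
    # numbers or nested objects are serialised.
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def compute_sign(params, secret_key):
    # HMAC-SHA1 keyed with secret_key over the canonical string, then Base64.
    msg = canonical_string(params).encode("utf-8")
    mac = hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request(body, access_key, secret_key, now_ms=None, nonce=None):
    # Signature steps 1-5: returns the four headers to send with the request.
    ts = now_ms if now_ms is not None else int(time.time() * 1000)
    public = {"access_key": access_key, "timestamp": str(ts),
              "nonce": nonce or str(uuid.uuid4())}
    return {**public, "sign": compute_sign({**body, **public}, secret_key)}


def verify_callback(headers, body, secret_key, seen_nonces, now_ms,
                    max_skew_ms=300_000):
    # Verification steps 1-5, plus two local checks that are assumptions of
    # this example, not platform rules: a timestamp window and a nonce cache.
    try:
        public = {k: headers[k] for k in ("access_key", "timestamp", "nonce")}
        received = headers["sign"]
        skew = abs(now_ms - int(public["timestamp"]))
    except (KeyError, ValueError, TypeError):
        return False
    expected = compute_sign({**body, **public}, secret_key)
    # Constant-time comparison: do not leak how much of the value matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    if skew > max_skew_ms or public["nonce"] in seen_nonces:
        return False
    seen_nonces.add(public["nonce"])
    return True
```

In a multi-process deployment the nonce set would live in a shared store whose entries expire after the timestamp window.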

# 6.2 Fiat payment callback

callback data

{
	"currencyType": "BRL",
	"orderActualAmount": "21.1",
	"orderId": "OCURRPAID202307270345431690429543531DOCKER020000000400000776",
	"orderFee": "0.1",
	"orderStatus": "Payment success",
	"payParam": "00020101021226580014BR.GOV.BCB.PIX01367469e5e5-ad5b-43d4-9cf0-07125c89dd8d520400005303986540521.105802BR5925LIQUIDO BRL PAGAMENTOS DI6014Belo Horizonte61083038040362290525dWH1ySiuFwduurQpP1wv7RTof6304BC7A",
	"externalOrderId": "828905760411449635",
	"tradeNote": "123",
	"payTypeName": "PIX",
	"orderAmount": "21.1",
	"orderTime": 1690429544000,
	"payType": 101,
	"orderStatusCode": 2,
	"markStatus": 0,
	"orderPayTime": 1690429623000
}

Callback data description

| Param | Type | Desc |
| --- | --- | --- |
| currencyType | String | Fiat currency type |
| orderActualAmount | String | The actual payment amount of the order |
| orderId | String | Order ID |
| orderFee | String | Order handling fee |
| orderStatus | String | orderStatusCode description |
| payParam | String | Payment parameters |
| externalOrderId | String | Merchant order ID |
| tradeNote | String | Remark |
| payTypeName | String | Payment type name |
| orderAmount | String | Order amount |
| orderTime | int64 | Order creation time |
| payType | int64 | Payment type: 101-PIX, 102-BANK, 110-OXXO, 111-CASH, 103-PIX_DYNAMIC, 109-BOLETO, 118-GEN, 104-VIRTUA, 106-EWALLET, 105-QRIS, 123-UPI, 124-IMPS, 107-CHARGE, 112-WALLET, 113-BANK_SCAN_CODE, 114-CARD_TO_CARD, 115-MOMO, 115-ZALO_PAY, 117-VIETTEL_MONEY |
| orderStatusCode | int64 | Order status code: 1-pending payment, 2-payment successful |
| markStatus | int64 | Mark status |
| orderPayTime | int64 | Order payment time |
| errorMsg | String | Error message |
| errorMsgEn | String | Error message (English) |

At any time, the merchant can log in to the merchant back office and manually trigger the callback (a manual callback is not recommended if the order is not final). The order status and other information in the callback reflect the actual status, so pay attention to the order status when handling a manual callback. If the order is not final at the time of the manual callback, the platform will still send a notification when the order becomes final, so handle duplicate notifications at the business level.

# 6.3 Cryptocurrency payment callback

callback data

{
	"currencyType": "BRL",
	"orderActualAmount": "21.1",
	"orderId": "OCURRPAID202307270345431690429543531DOCKER020000000400000776",
	"orderFee": "0.1",
	"orderStatus": "Payment success",
	"payParam": "00020101021226580014BR.GOV.BCB.PIX01367469e5e5-ad5b-43d4-9cf0-07125c89dd8d520400005303986540521.105802BR5925LIQUIDO BRL PAGAMENTOS DI6014Belo Horizonte61083038040362290525dWH1ySiuFwduurQpP1wv7RTof6304BC7A",
	"externalOrderId": "828905760411449635",
	"tradeNote": "123",
	"payTypeName": "PIX",
	"orderAmount": "21.1",
	"orderTime": 1690429544000,
	"payType": 101,
	"orderStatusCode": 2,
	"markStatus": 0,
	"orderPayTime": 1690429623000
}

Callback data description

| Param | Type | Desc |
| --- | --- | --- |
| currencyType | String | Fiat currency type |
| orderActualAmount | String | The actual payment amount of the order |
| orderId | String | Order ID |
| orderFee | String | Order handling fee |
| orderStatus | String | orderStatusCode description |
| payParam | String | Payment parameters |
| externalOrderId | String | Merchant order ID |
| tradeNote | String | Remark |
| payTypeName | String | Payment type name |
| orderAmount | String | Order amount |
| orderTime | int64 | Order creation time |
| payType | int64 | Payment type: 101-PIX |
| orderStatusCode | int64 | Order status code: 1-pending payment, 2-payment successful |
| markStatus | int64 | Mark status |
| orderPayTime | int64 | Order payment time |
| errorMsg | String | Error message |
| errorMsgEn | String | Error message (English) |

At any time, the merchant can log in to the merchant back office and manually trigger the callback (a manual callback is not recommended if the order is not final). The order status and other information in the callback reflect the actual status, so pay attention to the order status when handling a manual callback. If the order is not final at the time of the manual callback, the platform will still send a notification when the order becomes final, so handle duplicate notifications at the business level.

# 6.4 Callback response

Remarks: All callbacks include signature information. It is recommended that merchants verify the callback signature. After receiving the callback information, the merchant confirms the final status of the order. Please respond with the following information (content-type: application/json). If there is no normal response from the server, the notice is sent again within 30 minutes, with a total of 2 every three minutes.

{"code":200,"success":true}

# 6.5 Callback notification URL

***Log in to the merchant back office to configure the unified callback address. A callback URL specified manually in the order has a higher priority than the uniformly configured callback address: if the notifyUrl parameter is specified in the order, the notifyUrl address in the order is used regardless of whether a unified callback notification address is configured.***

Note that the HTTP response status_code has the highest priority: as long as a response with status_code=200 is received, the response data is ignored.

# 7. Public response code

| Field | Type | Default value and comment |
| --- | --- | --- |
| code | String | Success is "200"; for other values, refer to the failure codes |
| success | Bool | true on success, false on failure; kept in sync with the meaning of code |
| msg | String | The textual description returned for the first-level code |
| data | Object | See the interface list chapter |

# 8. Failure code

| Code | Desc |
| --- | --- |
| 200 | Success |
| 300 | Parameter exception |
| 301 | IP Unauthorized |
| 307 | Signature error |
| 500 | System Error |