Checkout API reference

The Checkout APIs provide a secure way to add online payments to your website or application by sending JSON over HTTPS.

One-time payments and subscriptions are carried out using the Payment API. Payouts from your customers are reported in the Nexi Checkout Portal. In addition, you can use the Reporting API to programmatically retrieve information about payouts. The Checkout JS SDK allows you to embed a custom checkout page on your website.

This is the complete API reference for the Checkout APIs.

Environments and base addresses

All communication between your site and Checkout is managed over HTTPS. The Checkout REST APIs are collected under the following base addresses:

Environment	Base address
Test	https://test.api.dibspayment.eu
Live	https://api.dibspayment.eu

Cryptographic protocol

The following is a list of supported TLS versions and ciphers suites that Nexi Checkout API endpoint supports. Both Checkout production and sandbox endpoints support the same TLS versions and cipher suites:

Version TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Requests and responses

The Checkout APIs follow the RESTful architectural style. A set of resources can be accessed using some of the endpoints provided by the APIs. To retrieve, add, or update resources, you use the associated HTTP methods for these actions:

Method	Description
GET	Retrieves a resource (idempotent, will never mutate a resource)
POST	Creates a new resource. A JSON object, provided by you, describes the resource.
PUT	Updates an existing resource. A JSON object, provided by you, describes the changes.

Parameters

You can pass parameters to the Checkout APIs using:

Header parameters. For example, the Authorization header specifying the private API key is always sent as an HTTP header.
Path parameters. For example, the numerical payment identifier paymentId in the path /v1/payment/{paymentId}.
Query parameters. For example, the fromDate parameter in the request /v1/payouts?fromDate=2020-09-10.
JSON objects. Some requests, typically POST and PUT, expect you to pass JSON objects to the Nexi Checkout APIs.

Maximum string length

The string type parameter of JSON posts sent to our API is limited to 128 characters. The only exception is Checkout.URL which allows up to 256 characters.

Authentication

All API requests are required to include a valid Authorization header. This header should contain your secret API key for the environment (Test or Live) you are currently using. For more information, please see the articles Access your integration keys and Use the test environment.

The secret API key should only be passed between your server and a Nexi Checkout endpoint. The secret API key should never be used from the client side of your site / app for security reasons.

Retries and idempotent keys

Most HTTP methods are idempotent, meaning that sending the same HTTP request multiple times to the server will not change the state of the server. In case of a network failure, it is always safe to retry an idempotent request. However, POST requests usually create new resources on the server side and cannot be retried safely by default. Using an idempotency key makes it safe for clients to retry POST requests that failed due to network failures.

POST methods and network failures

To understand the potential problem of POST requests and network failures, consider the following flow between an HTTP client and a Nets server when charging a customer:

A client sends a POST request to the server.
The request reaches the server and creates a new charge object on the server.
The server also charges the customer's payment card.
The client's network become unreachable and the response from the server never reaches the client.

In this state, the client doesn't know whether or not a charge object has been created. Also, the client did not receive a chargeId back from the server, so there is no way for the client to check whether the charge object has been created. The client could potentially send a new HTTP POST request, asking the server to create a new charge, but that would run the risk of charging the customer's payment card twice.

The solution to this problem is to have the client generate a unique idempotency key. The client adds this key to the initial HTTP POST request and on subsequent retries. The server can use the idempotency key to detect whether the client is sending a retry to avoid performing the same operation multiple times on the server. If a retry was detected, the server will respond with the same HTTP status code and response object (if any) as it did the first time.

It is important to note here that there must be created individual unique idempotency keys for each charge and refund actions. This means that for the use cases of a partial charge or partial refund on the same order will not be allowed unless it has two individual unique idempotency keys.

Using idempotency keys to enable retries

The POST methods in the Checkout APIs that support idempotency keys all accept a header called Idempotency-Key. Use this header parameter to pass an idempotency key to the server to enable safe retries and avoid the risk of creating multiple resources or charges by mistake. The value of the Idempotency-Key parameter should be a unique string with a maximum length of 63 characters.

We highly recommend that you add idempotency keys to all POST methods that accepts the Idempotency-Key header.

Using external identifiers to enable retries

Some methods in the Payment API support safe retries by using an external identifier instead of an idempotency key. These external identifiers are very similar to the Idempotency-Key header but are instead provided explicitly in the request body of the POST request. The two places where external identifiers are use are:

Bulk charge subscriptions using the property externalBulkChargeId.
Verify subscriptions using the property externalBulkVerificationId.

The value of the external identifier should be a unique string with a maximum length of 63 characters.

Data types and formats

The Checkout APIs uses the data types and data formats as defined in OpenAPI specification.

Date and time

All date and time strings should be formatted according to the definition of date-time in RFC3339, unless otherwise specified. For example, the string 2021-03-23T15:30:55.23Z represents 30 minutes and 55.23 seconds after the 15th hour of March 23rd, 2021 in UTC.

Currency and amount

Currency should always be specified using a 3-letter code (ISO-4217). The following table lists all currencies supported by Checkout:

Code	Currency
DKK	Danish krone
EUR	Euro
GBP	Pound sterling
NOK	Norwegian krone
SEK	Swedish krona
USD	United States dollar
PLN	Złoty
CHF	Swiss franc
CZK	Koruna

Amounts are specified in the lowest monetary unit for the given currency, without punctuation marks. For example: 100,00 NOK is specified as 10000 and 9.99 USD is specified as 999.

Entering the amount 100 corresponds to 1 unit of the currency entered, such as e.g. 1 NOK.

Country codes and phone prefixes

Country codes and phone prefixes are both used in the checkout. Country codes are used when limiting the set of countries available for shipping. Phone prefixes appear in the consumer data object and other locations.

The following table lists all countries supported by Nexi Checkout:

Country	ISO Code	Phone Prefix
Afghanistan	AFG	93
Albania	ALB	355
Algeria	DZA	213
Andorra	AND	376
Angola	AGO	244
Antigua & Barbuda	ATG	1
Argentina	ARG	54
Armenia	ARM	374
Australia	AUS	61
Austria	AUT	43
Azerbaijan	AZE	994
Bahamas	BHS	1
Bahrain	BHR	973
Bangladesh	BGD	880
Barbados	BRB	1
Belarus	BLR	375
Belgium	BEL	32
Belize	BLZ	501
Benin	BEN	229
Bhutan	BTN	975
Bolivia	BOL	591
Bosnia	BIH	387
Botswana	BWA	267
Brazil	BRA	55
Brunei	BRN	673
Bulgaria	BGR	359
Burkina Faso	BFA	226
Burundi	BDI	257
Cambodia	KHM	855
Cameroon	CMR	237
Canada	CAN	1
Cape Verde	CPV	238
Central African Republic	CAF	236
Chad	TCD	235
Chile	CHL	56
China	CHN	86
Colombia	COL	57
Comoros	COM	269
Congo - Brazzaville	COG	242
Congo - Kinshasa	COD	243
Costa Rica	CRI	506
Côte d’Ivoire	CIV	225
Croatia	HRV	385
Cuba	CUB	53
Cyprus	CYP	357
Czechia	CZE	420
Denmark	DNK	45
Djibouti	DJI	253
Dominica	DMA	1
Dominican Republic	DOM	1
Ecuador	ECU	593
Egypt	EGY	20
El Salvador	SLV	503
Equatorial Guinea	GNQ	240
Eritrea	ERI	291
Estonia	EST	372
Ethiopia	ETH	251
Fiji	FJI	679
Finland	FIN	358
France	FRA	33
Gabon	GAB	241
Gambia	GMB	220
Georgia	GEO	995
Germany	DEU	49
Ghana	GHA	233
Greece	GRC	30
Greenland	GRL	299
Grenada	GRD	1
Guatemala	GTM	502
Guinea-Bissau	GNB	245
Guinea	GIN	224
Guyana	GUY	592
Haiti	HTI	509
Honduras	HND	504
Hong Kong	HKG	852
Hungary	HUN	36
Iceland	ISL	354
India	IND	91
Indonesia	IDN	62
Iran	IRN	98
Iraq	IRQ	964
Ireland	IRL	353
Israel	ISR	972
Italy	ITA	39
Jamaica	JAM	1
Japan	JPN	81
Jordan	JOR	962
Kazakhstan	KAZ	7
Kenya	KEN	254
Kiribati	KIR	686
Kosovo	XKX	383
Kuwait	KWT	965
Kyrgyzstan	KGZ	996
Laos	LAO	856
Latvia	LVA	371
Lebanon	LBN	961
Lesotho	LSO	266
Liberia	LBR	231
Libya	LBY	218
Liechtenstein	LIE	423
Lithuania	LTU	370
Luxembourg	LUX	352
Macedonia	MKD	389
Madagascar	MDG	261
Malawi	MWI	265
Malaysia	MYS	60
Maldives	MDV	960
Mali	MLI	223
Malta	MLT	356
Marshall Islands	MHL	692
Mauritania	MRT	222
Mauritius	MUS	230
Mexico	MEX	52
Micronesia	FSM	691
Moldova	MDA	373
Monaco	MCO	377
Mongolia	MNG	976
Montenegro	MNE	382
Morocco	MAR	212
Mozambique	MOZ	258
Myanmar	MMR	95
Namibia	NAM	264
Nauru	NRU	674
Nepal	NPL	977
Netherlands	NLD	31
New Zealand	NZL	64
Nicaragua	NIC	505
Niger	NER	227
Nigeria	NGA	234
Norway	NOR	47
Oman	OMN	968
Pakistan	PAK	92
Palau	PLW	680
Panama	PAN	507
Papua New Guinea	PNG	675
Paraguay	PRY	595
Peru	PER	51
Philippines	PHL	63
Poland	POL	48
Portugal	PRT	351
Qatar	QAT	974
Romania	ROU	40
Russia	RUS	7
Rwanda	RWA	250
Samoa	WSM	685
San Marino	SMR	378
São Tomé & Príncipe	STP	239
Saudi Arabia	SAU	966
Senegal	SEN	221
Serbia	SRB	381
Seychelles	SYC	248
Sierra Leone	SLE	232
Singapore	SGP	65
Slovakia	SVK	421
Slovenia	SVN	386
Solomon Islands	SLB	677
Somalia	SOM	252
South Africa	ZAF	27
South Korea	KOR	82
South Sudan	SSD	211
Spain	ESP	34
Sri Lanka	LKA	94
St. Kitts & Nevis	KNA	1
St. Lucia	LCA	1
St. Vincent & Grenadines	VCT	1
Sudan	SDN	249
Suriname	SUR	597
Swaziland	SWZ	268
Sweden	SWE	46
Switzerland	CHE	41
Syria	SYR	963
Taiwan	TWN	886
Tajikistan	TJK	992
Tanzania	TZA	255
Thailand	THA	66
Timor-Leste	TLS	670
Togo	TGO	228
Tonga	TON	676
Trinidad & Tobago	TTO	1
Tunisia	TUN	216
Turkey	TUR	90
Turkmenistan	TKM	993
Tuvalu	TUV	688
Uganda	UGA	256
UK	GBR	44
Ukraine	UKR	380
United Arab Emirates	ARE	971
Uruguay	URY	598
US	USA	1
Uzbekistan	UZB	998
Vanuatu	VUT	678
Vatican City	VAT	39
Venezuela	VEN	58
Vietnam	VNM	84
Yemen	YEM	967
Zambia	ZMB	260
Zimbabwe	ZWE	263

Payment methods

You can retrieve the payment method and the payment type by using the method Retrieve payment from the Payment API. The following table lists all possible values:

Payment method	Payment type
AmEx	CARD
Arvato	INVOICE
Dankort	CARD
MasterCard	CARD
MobilePay	WALLET
Apple Pay	WALLET
PayPal	WALLET
RatePayInvoice	INVOICE
ExpressBank	INVOICE
RatePaySepa	A2A
Sofort	A2A
Swish	A2A
Trustly	A2A
Vipps	WALLET
Visa	CARD
Forbrugsforeningen	CARD
Klarna	WALLET

Localization

The following languages can be used on the checkout page:

Tag	Language
en-GB	English (default)
da-DK	Danish
nl-NL	Dutch
ee-EE	Estonian
fi-FI	Finnish
fr-FR	French
de-DE	German
it-IT	Italian
lv-LV	Latvian
lt-LT	Lithuanian
nb-NO	Norwegian
pl-PL	Polish
es-ES	Spanish
sk-SK	Slovak
sv-SE	Swedish

The tag combines an ISO 639-1 language code with an ISO 3166-1 country code.

Languages can be specified using the Checkout JS SDK for embedded web integrations or by appending a language parameter to the hosted checkout URL when using a hosted checkout integration.

Webhooks

Webhooks (or HTTP callbacks) allow you to subscribe to different events that affect a payment and to be notified directly when these events happen. When an event occurs in the Checkout, for example, a charge is made or a payment is refunded, this event can be sent along with the associated data.

Webhooks are the most robust and efficient way of keeping your backend in sync with Checkout. It is robust against various runtime failures (network failures and other temporary processing failures) and efficient since it avoids polling Checkout for state changes.

We highly recommend that you use webhooks when integrating Checkout on your site. See the complete Webhooks reference for more information about the events that can be subscribed to.

The following public IP ranges are used for sending webhooks:

Production 20.103.218.104/30
Sandbox 20.31.57.60/30

Checkout JS SDK - embedded checkout

The Checkout JS SDK is a JavaScript library that dynamically creates a checkout page embedded in an iframe on your site. Your site defines a container element (typically a <div>) in which the JS library generates an <iframe> element which embeds the checkout page. The library manages all communication between the frontend of your site and Checkout. Checkout.js should be loaded from the following URLs:

Environment	JavaScript URL
Test	https://test.checkout.dibspayment.eu/v1/checkout.js?v=1
Live	https://checkout.dibspayment.eu/v1/checkout.js?v=1

Error Codes

The following list shows the most important error codes and their meaning.

Code	Description
1000	Unknown
1001	OverCharge
1002	ZeroCharge
1003	NotReserved
1004	AlreadyReserved
1005	AmountDiffersFromOrderItems
1006	ConsumerNotAddedToPayment
1007	PartialCancelNotAllowed
1008	AlreadyCharged
1009	InvalidRefundAmount
1010	ReservationExpired
1011	ChargeNotFound
1012	RefundCancelled
1013	RefundExpired
1014	RefundFailed
1015	OrderItemsMissing
1016	OrderReferenceWasPreviouslySet
1017	ChangingCheckoutDomainNotAllowed
1018	PaymentMissingOrderReference
1019	AlreadyCancelled
1020	PaymentMethodChargeFailed
1021	ShippingCostHasNotBeenSpecified
1022	PaymentReserveMethodFailed
1023	PaymentAlreadyRefunded
1024	PartialChargeNotAllowed
1025	RefundCancelFailed
1026	ChargeTriedWithDifferentAmount
1027	RefundTriedWithDifferentAmount
1028	UpdateOrderAtAfterPayFailed
1029	HardDecline
1030	ExpiredSubscription
1031	InvalidSubscription
1032	NotGenuineSubscriptionTraceId

Acquirer response codes on failing reservations

The following list shows the most common acquirer response codes and their meaning.

Code	Description
1a	SCA
05	Do not honor
41	Lost card
43	Stolen card, pick-up
51	Not sufficient funds
59	Suspected fraud
99	Internal error

The following list shows all possible acquirer response codes and their meaning.

Code	Description
1	Refer to card issuer
2	Refer to card issuer’s special conditions
3	Invalid merchant or service provider
4	Pick-up, Capture card
5	Do not honor
6	Error
7	Pick-up card, special condition (other than lost/stolen card)
8	Honour with identification
9	Request in progress
10	Approved for partial amount
12	Invalid transaction
13	Invalid amount (currency conversion field overflow); or amount exceeds maximum for card program
14	Invalid card number (no such number)
15	No such issuer
16	Approved, update track 3
17	Customer cancellation
18	Customer dispute
19	Re-enter transaction
20	Invalid response
21	No action taken (unable to back out prior transaction)
22	Suspected malfunction
23	Unacceptable transaction fee
24	File update not supported by receiver
25	Unable to locate record on file
26	Duplicate file update record, old record replaced. Record not in active status
27	File update field edit error. Issuer File Update field edit error
28	File update field locked out. Record permanently deleted. VI:File is temporarily unavailable
29	File update not successful, contact acquirer. Delete request less than 540 days
30	Format error
31	Bank not supported by switch;MC:Issuer sign-off
32	Completed partially
33	Expired card
34	Suspected fraud;SO:Wrong check digit
35	Card acceptor contact acquirer
36	Restricted card
37	Card acceptor call acquirer security
38	Allowable PIN tries exceeded
39	No credit account
40	Requested function not supported;SO:Unknown processing code
41	Lost card
42	No universal account
43	Stolen card, pick-up
44	No investment account
50	Reserved for ISO use
51	Not sufficient funds
52	No chequing account
53	No savings account
54	Expired card
55	Incorrect PIN
56	No card record
57	Trans not permitted to issuer/cardholder. VI: field 18 does not contain a merchant type for the transaction
58	Trans not permitted to acquirer/terminal
59	Suspected fraud
60	Card acceptor contact acquirer
61	Exceeds withdrawal amount limit
62	Restricted card
63	Security violation
64	Original amount incorrect. Transaction does not fulfill AML requirement
65	MC:Strong Customer Authentication (SCA) Required / Exceeds withdrawal frequency limit
66	Card acceptor call acquirer’s security department
67	Hard capture
68	Response received to late
69	Reserved for ISO use
70	Contact Card Issuer
71	PIN Not Changed
74	Reserved for ISO use
75	Allowable PIN tries exceeded
77	Invalid/nonexistent From Account specified. VI: Previous message located for a repeat or reversal, but repeat or reversal data are inconsistent with original message;MC:MAC error
78	Invalid/nonexistent account specified(general) VI: Blocked, first used—Transaction from new cardholder, and card not properly unblocked
79	MC:Key Exchange Validation failed. VI:Transaction reversed
80	VI:Invalid date;MC:Duplicate add, action not performed; SO:Track 3 card not active
81	Domestic Debit Transaction Not Allowed (Regional use only). VI: Cryptographic error found in PIN or CVV;MC:Foreign network failure;SO:Fraud, card copied
82	MC:Time-out at IEM; SO:Wrong card format: VI:Negative Online CAM, dCVV, iCVV, or CVV results Or Offline PIN authentication interrupted
83	VI:Unable to verify PIN; MC: Transaction failed
84	Invalid Authorization Life Cycle
86	VI: Cannot verify PIN; MC: PIN validation not possible
87	Purchase Amount Only, No Cash Back Allowed
88	MC: Cryptographic failure; SO: PIN based card
89	MC: Unacceptable PIN—Transaction Declined—Retry; SO: Signature based card
90	Cutoff is in process
91	Issuer or switch is inoperative
92	Financial institution or intermediate network cannot be found for routing
93	Transaction cannot be completed. Violation of law
94	Duplicate transmission. Duplicate SAF request
95	Reconcile error
96	System malfunction
97	Reserved for national use
98	SO: Transaction already processed
99	Reserved for national use

The codes follow the standards of ISO 8583-1987. You can read more about it from here.

You can also check out re-attempts from here and the payment.reservation.failed webhook from here.