Skip to content

    XPay CEE API reference

    The XPay APIs provide a secure way to add online payments to your website or application by sending JSON over HTTPS.

    This is the complete API reference for the XPay APIs.

    Environments and base addresses

    All communication between your site and NPG is managed over HTTPS. The XPay APIs are collected under the following base addresses:

    EnvironmentBase address

    Requests and responses

    The XPay APIs follow the RESTful architectural style. A set of resources can be accessed using some of the endpoints provided by the APIs. To retrieve, add, or update resources, you use the associated HTTP methods for these actions:

    GETRetrieves a resource (idempotent, will never mutate a resource)
    POSTCreates a new resource. A JSON object, provided by you, describes the resource.
    PUTUpdates an existing resource. A JSON object, provided by you, describes the changes.


    You can pass parameters to the XPay APIs using:

    • Header parameters. For example, the Correlation-Id header from the Create Order for Hosted Payment call.
    • Path parameters. For example, the orderId parameter in the path /orders/{orderId}.
    • JSON objects. Some requests, typically POST and PUT, expect you to pass JSON objects to the XPay APIs.


    The secret API key should only be passed between your server and an XPay endpoint. The secret API key should never be used from the client side of your site / app for security reasons.

    Retries and idempotent keys

    Most HTTP methods are idempotent, meaning that sending the same HTTP request multiple times to the server will not change the state of the server. In case of a network failure, it is always safe to retry an idempotent request. However, POST requests usually create new resources on the server side and cannot be retried safely by default. Using an idempotency key makes it safe for clients to retry POST requests that failed due to network failures.

    Notification Specs

    Payment notifications are sent at the end of the payment process by XPay gateway in server-to-server mode using POST method and JSON format. They have the following user agent:

    Apache-HttpClient/4.5.13 (Java/1.8.0_161)

    When an API of the below contains "notificationUrl" field, a notification will be sent at the end of the payment process:

    Below the IP addresses with which the Gateway present itself when notifications are sent:



    IP Addresses:


    Same IP addresses for both domains.

    Data types and formats

    XPay APIs uses the data types and data formats as defined in OpenAPI specification.

    Country codes and phone prefixes

    Country codes and phone prefixes are both used in the checkout. Country codes are used when limiting the set of countries available for shipping. Phone prefixes appear in the consumer data object and other locations.

    The following table lists all countries supported by XPay:

    CountryISO CodePhone Prefix
    Antigua & BarbudaATG1

    Was this helpful?

    What was your feeling about it?