XPay Global API reference
The XPay APIs provide a secure way to add online payments to your website or application by sending JSON over HTTPS.
This is the complete API reference for the XPay APIs.
Environments and base addresses
All communication between your site and NPG is managed over HTTPS. The XPay APIs are collected under the following base addresses:
Requests and responses
The XPay APIs follow the RESTful architectural style. A set of resources can be accessed using some of the endpoints provided by the APIs. To retrieve, add, or update resources, you use the associated HTTP methods for these actions:
|GET||Retrieves a resource (idempotent, will never mutate a resource)|
|POST||Creates a new resource. A JSON object, provided by you, describes the resource.|
|PUT||Updates an existing resource. A JSON object, provided by you, describes the changes.|
You can pass parameters to the XPay APIs using:
- Header parameters. For example, the
Correlation-Idheader from the Create Order for Hosted Payment call.
- Path parameters. For example, the
orderIdparameter in the path
- JSON objects. Some requests, typically POST and PUT, expect you to pass JSON objects to the XPay APIs.
The secret API key should only be passed between your server and an XPay endpoint. The secret API key should never be used from the client side of your site / app for security reasons.
Retries and idempotent keys
Most HTTP methods are idempotent, meaning that sending the same HTTP request multiple times to the server will not change the state of the server. In case of a network failure, it is always safe to retry an idempotent request. However, POST requests usually create new resources on the server side and cannot be retried safely by default. Using an idempotency key makes it safe for clients to retry POST requests that failed due to network failures.
Payment notifications are sent at the end of the payment process by XPay gateway in server-to-server mode using
POST method and JSON format. They have the following user agent:
When an API of the below contains "notificationUrl" field, a notification will be sent at the end of the payment process:
- POST /orders/hpp (Hosted Payment Page)
- POST/orders/paybylink (Pay-By-Link)
- POST /orders/build (XPay Build)
Below the IP addresses with which the Gateway present itself when notifications are sent:
Same IP addresses for both domains.
Data types and formats
XPay APIs uses the data types and data formats as defined in OpenAPI specification.
Country codes and phone prefixes
Country codes and phone prefixes are both used in the checkout. Country codes are used when limiting the set of countries available for shipping. Phone prefixes appear in the consumer data object and other locations.
The following table lists all countries supported by XPay:
|Country||ISO Code||Phone Prefix|
|Antigua & Barbuda||ATG||1|