Get started
API Endpoint https://payment.vbankpay.business/api/v1/deposit
Please refer to the integration guide for the integration testing and live hostname of PaymentGateway above for the actual URL.
To use this API, you need an API merchant keys. Please contact us at support@vbankpay.business to get your own API merchant keys.
Deposit
# Here is a POST request example
{
"merchant_account":"123456789",
"merchant_order":"12345",
"product_desc":"Digital Product",
"first_name":"Juan",
"last_name":"Dela Cruz",
"address":"Barangay 105, Tondo",
"city":"Manila",
"zip_code":"1012",
"country":"PH",
"phone":"+639123456789",
"email":"delacruzjuan@sample.com",
"amount":10000,
"currency":"PHP",
"ip_address":"192.168.1.1",
"status_callback_url":"https://callback.sample.com/back/status.php",
"redirect_back_url":"https://www.sample.com/fe/redirect.php",
"control": "50eac75f3e4e6b0db92c7b1a585c2410a77cceb9"
}
To submit deposit request you need to make a POST API call to the following url :
https://payment.vbankpay.business/api/v1/deposit
# Successful Response example :
{
"url": "https://payment.vbankpay.business/portal/pay/transaction?control=e37b0c76fc1c2e3adaebe964e8a6115d"
}
QUERY PARAMETERS IN JSON BODY
| Field | Type | Description |
|---|---|---|
| merchant_account | String | Merchant account number, assigned by VbankPay. 12 bytes max. *[mandatory] |
| merchant_order | String | Unique order identifier, defined by Merchant. 12 bytes max. *[mandatory] |
| amount | Numeric | The order amount, in non floating format. (example: 100075 represents 1000.75 as amount. 10 bytes max. *[mandatory] |
| currency | String | Transaction currency, in ISO 4217 format. 3 bytes. *[mandatory] - supports PHP, INR, MYR, THB, IDR, VND, LAK and CNY currency. |
| product_desc | String | Brief product description of the order. 125 bytes max. *[mandatory] |
| first_name | String | End user first name. 50 bytes max. *[mandatory] |
| last_name | String | End user last name. 50 bytes max. *[mandatory] |
| address | String | End user billing address. 50 bytes max. *[mandatory] |
| city | String | End user billing address - City. 50 bytes max. *[mandatory] |
| zip_code | String | End user billing address - ZIP code. 10 bytes max. *[mandatory] |
| country | String | End user billing address – Country, in ISO-3316-1-alpha-2 format. 2 bytes. *[mandatory] |
| phone | String | End user phone number, including country code. 15 bytes max. *[mandatory] |
| String | End user email address. 50 bytes max. *[mandatory] | |
| ip_address | String | End user IP address. 15 bytes max. mandatory for fraud screening. *[mandatory] |
| status_callback_url | String | The callback URL to post the transaction final results after payment processing completed from bank side. 40 bytes max. [optional] |
| redirect_back_url | String | The redirection URL to redirect the end-user after payment completed. 40 bytes max. *[mandatory] |
| control | String | The checksum. 40 bytes. *[mandatory] |
Create Deposit Request Control Checksum
NOTE: Never expose your partner_control provided by us to anyone. Doing so will compromise the security of future transaction.
HAMC SHA-1 message digest is used in ensuring data integrity and message authenticity in communication. This message digest is calculated by concatenating the data in transaction request/response in the correct order, feed it into HMAC SHA-1 function using partner control as the key and supplies the HMAC SHA-1 result in control parameter in the transaction request.
To create the checksum, concatenate the value of the following parameters into one string variable in the following order:
(merchant_account + amount + currency + first_name + last_name + address + city + zip_code + country + phone + email + order_no + product_desc + redirect_back_url)
Below example to verify checksum:
merchant_account 123456789
amount 10000
currency PHP
first_name Juan
last_name Dela Cruz
address Barangay 105, Tondo
city Manila
zip_code 1012
country PH
phone +639123456789
email delacruzjuan@sample.com
merchant_order 12345
product_desc Digital Product
redirect_back_url https://www.sample.com/fe/redirect.php
The complete string for above example data becomes as follows:
12345678910000PHPJuanDela CruzBarangay 105, TondoManila1012PH+639123456789delacruzjuan@sample.com12345Digital Producthttps://www.sample.com/fe/redirect.php
For this example partner_control key is: D6909744CDF0C6BDC87603900E3EE881
Then hash the string using the HMAC SHA-1 hash function (Example below):
hash_hmac(‘SHA1’, ‘12345678910000PHPJuanDela CruzBarangay 105, TondoManila1012PH+639123456789delacruzjuan@sample.com12345Digital Producthttps://www.sample.com/fe/redirect.php’,
’D6909744CDF0C6BDC87603900E3EE881’)
Then supply this string and the partner control as the key to HMAC SHA-1 function. And supply the result to
control parameter, the last parameter you need to initiate the transaction. In our example, the control
parameter would become:
50eac75f3e4e6b0db92c7b1a585c2410a77cceb9
Deposit Callback Response
After processing request of transaction, our system redirect the customer back to merchant website using the parameter redirect_back_url. At the same time, we send the same transaction result via server-to-server communication if status_callback_url contains valid URL value. Most of the parameters simply echo from transaction message, with information about the bank used and the status of the attempted transaction. The table below explains the parameters that are delivered by HTTP POST request in JSON format.
# Callback response example :
{
"transaction_id":"987654321",
"merchant_order":"12345",
"amount":"10000",
"currency":"PHP",
"bank_transaction_id":"123456789",
"status":"A0",
"control":"4cac5b736c357ff073cc50ae2708f333e6066805",
"message": "Paid / Refunded / Successful requested."
}
CALLBACK RESPONSE PARAMETERS IN JSON BODY
| Field | Type | Description |
|---|---|---|
| transaction_id | String | Unique transaction identifier, defined by VbankPay system, 10 bytes max. |
| merchant_order | String | Unique order identifier, defined by Merchant, 12 bytes max. |
| amount | Numeric | The order amount, in non floating format. (example: 100075 represents 1000.75 as amount. 10 bytes max. |
| currency | String | Transaction currency, in ISO 4217 format. 3 bytes. - supports PHP, INR, MYR, THB, IDR, VND and CNY currency. |
| bank_transaction_id | String | Unique identifier of the bank that handles the transaction, 10 bytes max. |
| status | String | The status code of the order, 4 bytes max. |
| message | String | The status code of the order. Refer to Appendix D for the possible values, 125 bytes max. |
| control | String | The checksum. 40 bytes. |
Validate your Deposit Callback Response by matching Control Checksum
HAMC SHA-1 message digest is used in ensuring data integrity and message authenticity in communication. This message digest is calculated by concatenating the data in transaction result in the correct order and use the shared secret (partner_control) as the key, feed it into HMAC SHA-1 function and supply the HAMC SHA-1 function result in control parameter of the request.
To create the checksum from callback response, concatenate the value of the following parameters into one string variable in the following order:
(transaction_id + merchant_order + amount + currency + bank_transaction_id + status)
Below example to verify checksum:
transaction_id 987654321
merchant_order 12345
amount 10000
currency PHP
bank_transaction_id 123456789
status A0
The complete string for above example data becomes as follows:
9876543211234510000PHP123456789A0
For this example partner_control key is: D6909744CDF0C6BDC87603900E3EE881
Then hash the string using the HMAC SHA-1 hash function (Example below):
hash_hmac(‘SHA1’, ‘9876543211234510000PHP123456789A0’,
’D6909744CDF0C6BDC87603900E3EE881’)
Then supply this string and the partner control as the key to HAMC SHA-1 function. And supply the result to
control parameter, the last parameter you need to initiate the transaction. In our example, the control
parameter would become: