Introduction

Authentication

API requests authentication is made via HTTP Basic Auth. You have to send your API key as the HTTP password, and the user field should be left empty. We provide each merchant with the list of API permissions for their account. In the documentation, you can see the permission necessary for a specific request next to a key icon. As in: Usage
The example below shows a request to get the list of cards for the merchant identified with an (example) API Key: mer_intg_FR2SUXtrnXgOL2KOHzcMQ9U96lJ3Wxjbr3nuvWD1UDNmyxLh.

In cURL:

Responses

The result of your request is indicated by an HTTP status code. Basically all 2xx codes indicate success, and all 4xx codes indicate failure.

HTTP status codes

200	Request was validated and performed with success / Transaction succeeded
400	Usually indicates bad/malformed request data
402	Related to payments - indicates failure
409	Indicates conflict - e.g. when you're trying to make multiple transactions on one card at the same time

Error responses

Each response with code 4xx has at least the errors field set, similar as below:

Error responses related to payments

When API request fails due to payment errors, we return a response with HTTP status 402. In the errors list you will find a general error indicating payment failure, e.g.: For requests involving card payments you can find more details about the payment failure by checking the decline_reason field on the returned transaction object.

Below are the most common decline reasons:

1001	Declined by issuing bank Transaction declined by card issuer. Advise the cardholder to contact their bank and check card settings.
1002	Insufficient funds Transaction declined by card issuer - insufficient funds or limit exceeded. Please, ask the cardholder to contact their bank and check card settings.
1003	Expired card
1004	Internal error An error has occured on the side of the Straal. Please, contact Straal for more information and support.
1005	Invalid amount Transaction declined by card issuer - insufficient funds or limit exceeded. Please, ask the cardholder to contact their bank and check card settings.
1006	Invalid card data Transaction declined by card issuer - invalid card details.
1007	Restricted cardTransaction declined by card issuer. Please, ask the cardholder to contact their bank and check card settings.
1008	Invalid transaction Transaction declined by card issuer. Please, ask the cardholder to contact their bank and check card settings.
1009	Withdrawal limit exceeded Transaction declined by card issuer. Please, ask the cardholder to contact their bank and check card settings.
1010	Card not supported Transaction declined by acquirer - card type not supported.
1011	Transaction not permitted to cardholder Transaction declined by card issuer. Please, ask the cardholder to contact their bank and check card settings.
1012	Merchant account error Your merchant account is misconfigured. Please, contact Straal.
1013	Security violation Transaction declined by card issuer. Please, ask the cardholder to contact their bank and check card settings.
1014	Gateway frequency limit exceeded Acquirer activity limit exceeded. Please, contact Straal.
1015	Acquirer error An error has occured on the side of the acquiring bank. Please, contact Straal.
1016	Antifraud decline Transaction declined by Straal's antifraud system.
1017	Risk blocked in external payment system Transaction declined by Acquirer's antifraud system.
1018	Authentication 3DS failed Client not successfully authorized during 3DS process.
1019	SCA Required Additional customer authentication required.
1101	Possible fraud Transaction declined by card issuer. WARNING! The card has been designated as lost or stolen. DO NOT MAKE ANY FURTHER CHARGING ATTEMPTS - THOSE MIGHT BE CONSIDERED AS FRAUDULENT.
2000	Transaction declined General transaction decline. Please contact support for more information.

Expanding objects

There are various relations between resources existing within Straal API. When retrieving an object using our API, you don't always need all associated objects. For performance and better readability reasons, our API implements the expand parameter, which can be used to retrieve few or all associated objects within one request. To expand multiple objects send a list delimited by ,.

Example request for getting dummy_object Example request for getting dummy_object with expanded objects

API changes

We will not make any breaking changes in the API. However, please note that adding new objects or attributes to existing objects is not considered a breaking change.

Testing resources

You can use the following test credit card numbers and IBANs in your integration environment. Any expiration date in the future will be valid. Any CVV code will be valid. Cardholder name has to be at least 3 characters long to be valid.

3DSecure V2 Scenarios - with threeds_v2 params

Google Pay cards are taken from Test card suite

Apple Pay cards are taken from Test card suite

4532496353677072	VISA - Card Not Enrolled - Error
4556997398420643	VISA - Network Error - Error
4929111260419572	VISA - Frictionless - Success
4556786751817853	VISA - Frictionless - Failure
4716436222435110	VISA - Challenge - Success
4539365457901717	VISA - Challenge - Failure
4637198235600777	VISA - Fallback - Success
4485735629519684	VISA - Fallback - Failure
4444444444444448	VISA - Frictionless with 3DS Method - Success
4716530227063560	VISA - Frictionless with 3DS Method - Success
4539073978065588	VISA - Frictionless with 3DS Method - Failure
4929912607956345	VISA - Challenge with 3DS Method - Success
4539876025578860	VISA - Challenge with 3DS Method - Failure
4929859585677619	VISA - Fallback with 3DS Method - Success
4539505500852488	VISA - Fallback with 3DS Method - Failure
5267621579383431	MasterCard - Card Not Enrolled - Error
5297582308509601	MasterCard - Network Error - Error
5476405082219267	MasterCard - Frictionless - Success
5526468184255647	MasterCard - Frictionless - Failure
5593877707082957	MasterCard - Challenge - Success
5515402631026288	MasterCard - Challenge - Failure
5498177754250805	MasterCard - Fallback - Success
5481087000166599	MasterCard - Fallback - Failure
5319964426348431	MasterCard - Frictionless with 3DS Method - Success
5238079599747448	MasterCard - Frictionless with 3DS Method - Failure
5113003559062879	MasterCard - Challenge with 3DS Method - Success
5327657876521164	MasterCard - Challenge with 3DS Method - Failure
5348712805985199	MasterCard - Fallback with 3DS Method - Success
5191129590856840	MasterCard - Fallback with 3DS Method - Failure
xxxxxxxxxxxx1111	Visa - Google Pay - Frictionless with 3DS Method - Success
xxxxxxxxxxxx4444	Mastercard - Google Pay - Frictionless with 3DS Method - Failure
xxxxxxxxxxxx2222	Visa - Google Pay - Challenge with 3DS Method - Success
xxxxxxxxxxxx0005	Amex - Google Pay - Challenge with 3DS Method - Failure
4051069302200121	Visa - Apple Pay - Frictionless with 3DS Method - Success
5204247750001471	Mastercard - Apple Pay - Frictionless with 3DS Method - Failure
4180620070230189	Visa - Apple Pay - Challenge with 3DS Method - Success
5204245250001488	Amex - Apple Pay - Challenge with 3DS Method - Failure

3DSecure V1 Scenarios

4532496353677072	VISA - Card Not Enrolled - Error
4556997398420643	VISA - Network Error - Error
4444444444444448	VISA - Successful 3DSecure authentication - Success
4485282121221816	VISA - Unsuccessful 3DSecure authentication - Failure
4716292201436623	VISA - 3D-Secure authentication completed, authorization failed - Failure
4485819621877561	VISA - network error 3D-Secure authentication failed to complete after redirect - Error
5267621579383431	MasterCard - Card Not Enrolled - Error
5297582308509601	MasterCard - Network Error - Error
5306605065027191	MasterCard - Successful 3DSecure authentication - Success
5437554227710785	MasterCard - Unsuccessful 3DSecure authentication - Failure
5112630232543924	MasterCard - 3D-Secure authentication completed, authorization failed - Failure
5590867286010498	MasterCard - network error 3D-Secure authentication failed to complete after redirect - Error

Scenarios without 3DSecure

4444444444444448	VISA - authorization result dependent on amount
5555444433331111	MasterCard - authorization result dependent on amount
378282246310005	American Express - authorization result dependent on amount
4462030000000000	VISA - subscriptions created with this card will be billed just once, moments after creation. Use it to test subscription notifications webhook. For the rest of test cards, subscriptions will be billed according to their plan. - Success
4716436222435110	VISA - Strong Customer Authentication card will return SCA required error - 3DS V2 is required
5593877707082957	MasterCard - Strong Customer Authentication card will return SCA required error - 3DS V2 is required

Controlling test operation results with amount

You can use specific operation amounts to cause certain results. Examples:

• Amounts 4051 and 4005, when used with card numbers listed above, will result in a failed credit card authorization. Any other amount will be processed successfully.
• Amount 4055 will cause a credit request to fail. Any other amount will be processed successfully.

Testing SDP Payments on integration account

On the integration account redirect_url mentioned in SDP process overview, will redirect to the sandbox version of the app that allows selection of banks. It offers sandbox versions of real bank interfaces as well as demo banks.

Sample scenarios

Currency: PLN Result: Success

1	Chose country Poland
2	Chose bank mBank
3	Confirm the payment with Accept button
4	On the sandbox bank page, chose AUTHORIZE option
5	Payment initiated successfully

Currency: PLN Result: Failure

1	Chose country Poland
2	Chose bank mBank
3	Confirm the payment with Accept button
4	On the sandbox bank page chose CANCEL option
5	Payment failure

Currency: EUR GBP Result: Success

1	Chose country United Kingdom
2	Chose bank Mock Redirect Bank
3	Confirm the payment with Accept button
4	Payment initiated successfully

Currency: EUR GBP Result: Failure

1	Chose country Hungary
2	Chose bank UniCredit Bank Hungary
3	Fill IBAN with test value (e.g. HU93116000060000000012345676)
4	Confirm the payment with Accept button
5	On Required credentials page chose Decline option
6	Payment failure

Warning! Sandbox app and demo banks are maintained by third parties over whom Straal has no control

Changelog

2024-03-XX

• Added Create a 3DS transaction with internal MPI engine
• Added Create a 3DS transaction with internal MPI engine using CryptKey
• Added threeds_redirection notification

2023-11-24

• Added APM payments related notifications
• Added APM payments section
• Added apm type to get the list of payment methods
• Added optional language parameter to pay-by-link payment object attributes and to initialize pay-by-link payments sample request
• Deprecated initialize a pay-by-link payment

2023-09-11

• Added sample checkout_attempt_finished notification for Google Pay and Apple Pay

2023-09-09

• Added sample request_finished notification for Google Pay and Apple Pay

2023-09-06

• Added Create a transaction with the Apple Pay 3D secure
• Added Create a 3DS transaction with the Apple Pay using CryptKey
• Added payment sample response in Get checkout object when using Apple Pay
• Added payment_mean_type parameter to Create a transaction for existing card with 3D secure
• Added payment_mean_type parameter to Create a transaction for existing card
• Updated Payment Means section with Apple Pay examples

2023-07-24

• Added Apple Pay card numbers to Testing resources

2023-07-12

• Added Create a transaction with the Google Pay 3D secure
• Added Create a 3DS transaction with the Google Pay using CryptKey
• Added Payment Means section
• Added payment sample response for Get checkout object when using Google Pay
• Updated payment sample response in Get checkout object when using Card

2023-06-27

• Added Google Pay card numbers to Testing resources

2023-02-23

• Added description of card tokenization and external MPI params with subscription flow
• Added transactions entry to subscription creation response

2021-12-23

• Removed all resources connected with Bank Accounts (SEPA Direct Debit transactions)

2021-09-01

• Added description of passing merchant risk params and billing address in server-to-server integration with CryptKey.

2021-05-17

• Added description of card billing address data.
• Added description of transaction merchant risk parameters.

2021-03-29

• Added description of Create a transaction with 3D secure
• Explained how to pre-authorize transactions.
• Added pre_auth to transaction object attributes

2020-12-17

• Added new card numbers to Testing resources

2020-12-01

• Added description of the new 3DS payments API flow using CryptKeys or server-to-server integration
• Deprecated the previous overview of a (two step) 3D secure transaction.

2020-11-06

• Added new card numbers to Testing resources

2020-10-19

• Added type parameter to transaction endpoints
• Deprecated initiated_by parameter in transaction endpoints

2020-09-14

• Updated Get a transaction and Get a list of transactions with optional authentication_3ds section

2020-08-25

• Removed backup routing create variant from transactions.
• attempts from transactions are now deprecated.
• Added with_3ds_params attribute and description to transactions.

2020-06-29

• Added documentation for credits

2020-06-16

• Added mpi_params to transactions attributes. Sample request moved under separate section Create a transaction with external MPI parameters

2020-05-05

• Added optional mpi_params structure to Create a transaction with a card request to enable 3D-Secure payments when the 3DS authentication was provided by an external MPI service.

2020-04-23

• Added external_reference attribute and description to transactions.

2020-04-20

• Added payer_iban and payer_name fields to straal_direct_payment_failed (empty values) and straal_direct_payment_initiated (actual data) notifications.

2020-03-16

• Added optional customer_name and iban arguments to Straal Direct Payment requests.

2020-03-11

• Added Mark card disabled endpoint to Cards section.

2019-11-21

• Added Things to keep in mind section to Straal Direct Payment description.

2019-11-08

• Added transaction to Straal Direct Payment creation and id to Straal Direct Payment notification.

2019-10-22

• Added draft section about Straal Direct Payments.

2019-09-16

• Added section on 3D-Secure payment process overview.

2019-07-16

• Added order_reference attribute description in transactions.

2019-07-01

• Deprecated endpoints:
  • create a transaction with a card and a customer
  • create a card with a customer
  • create a bank account with a customer
  • create a subscription with a card and a customer

2019-05-24

• Added order_reference attribute to transactions.

2019-05-22

• Added information about 3D-Secure authentication process.

2019-04-04

• Added a new checkout_attempt_finished notification to the Checkout Page section.

2019-02-18

• Added backup routing create variant to transactions.
• Added attempts to transactions.

2018-11-06

• Added method to transactions.

2018-10-10

• Added Voids section.
• Added voided and voids attributes to transactions.

2018-09-17

• Added Acquirer error to list of possible decline reasons.
• Updated description of Internal error since it no longer corresponds to acquirer errors.

2018-09-04

• Added Captures section.
• Added capture to transactions.

2018-08-31

• Added required initiated_by to Create a transaction and Create a transaction for a bank account sections.

2018-08-22

• Added state and state_flags to cards.

2018-04-24

• Added description of HTTP status 409 to HTTP response codes.
• Added start_date optional attribute to be set on subscriptions.

2018-04-19

• Added verification_transaction object to cards.

2018-04-04

• Extended response for Create a subscription with a card for a given customer and Create a subscription with a card and a customer endpoints:
  • return any transaction objects created during subscription creation attempt
  • return card and customer objects, if created, even on failed subscription creation attempt

2018-03-27

• Added Card transaction chargeback notification section.

2018-02-16

• Added Create a subscription with a card for a given customer section.

2018-02-15

• Extended cancellation_source values list.

2018-01-16

• Added cancellation_source object to subscriptions.

2018-01-12

• Added Create a transaction with a card using CryptKey section.
• Added Create a card using CryptKey section.
• Changed CryptKeys usage section.

2017-09-13

• Added decline_reason attribute to transactions.

2017-07-27

• Added reference attribute to transactions.

Resources

Transactions

A transaction object represents a real transaction performed on a credit card or a bank account. If the transaction succeeded, the authorized attribute is set to true.

Transaction object attributes

Additional information for declined transactions is provided in the decline_reason attribute.
Sample decline_reason:

Pre-authorization

To pre-authorize a transaction, set capture to false and pre_auth param to true. Pre-authorized transactions can be voided or captured.

Create a transaction

This method allows you to perform a transaction on a previously created card object.

type can take values oneclick or recurring.

Use this method for Google Pay and Apple Pay.

Sample request for a $9.99 transaction payment_mean_type is optional for card.

Sample response: IMPORTANT: a customer's bank can refuse to authorize a transaction without Strong Customer Authentication. In this case we recommend requesting a transaction for previously created card with 3D Secure. Sample Google Pay request for a $9.99 transaction Sample response: Sample Apple Pay request for a $9.99 transaction Sample response:

Create a transaction for existing card with 3D secure

This method allows you to perform a transaction with 3DS on a previously created card object. We recommend using this SCA-enabled flow if you need to handle customer-initiated payments (e.g. "one-click" transactions). Please contact our support to check that this method is recommended in your business case.

If the customer's card is enrolled in 3DS, this payment is asynchronous. Redirect your customer to the redirect_url returned under authentication_3ds object and wait for the request_finished notification to receive the final status of the payment.

To learn more about the 3D Secure payment process, refer to the description of a full card data payment with 3DS.

Use transaction for previously created card method instead without providing authentication_3ds object for Google Pay and Apple Pay. Even if authentication_3ds object is sent for Google Pay and Apple Pay transaction will proceed without 3ds.


type can only take value oneclick.

Sample request for a $9.99 transaction payment_mean_type is optional for card.

Sample response:

Create a transaction with external MPI parameters

It's also possible to provide an optional 3D-Secure MPI data structure if the 3DS authentication has been performed by external MPI system. Optional mpi_params could be included in any of the following card transaction requests:
Create a transaction,
Create a transaction with a card,

mpi_params object for 3DS protocol version 1. mpi_params object for 3DS protocol version 2. Sample request using create a transaction endpoint Sample request for a transaction with 3D-Secure Sample response

Create a card transaction with 3D Secure

You can perform a 3D Secure protected transaction by providing an authentication_3ds object containing customer result URLs (success_url and failure_url) in your request payload.
This one step flow is a simpler alternative to the process described in our previous (deprecated) overview of a two step 3D secure transaction.

If the card is enrolled in 3DS program, this API request will be asynchronous: on the authentication_3ds object in the response payload you will receive a URL to redirect your customer to. The resulting transaction will not yet be authorized.

During the transaction, the customer will be redirected to a page provided by the acquirer (redirect_url) to complete 3D-Secure process. After the customer completes interaction with the page, he will be redirected back to merchant's page.

After finishing the authentication process, your customer's card will be charged and they will be redirected to the success or failure URL provided in your request.
You will receive the final transaction result in a request_finished notification on your backend (see below). To receive notifications you need to set up the notification endpoint URL for your account in the Kompas panel.

If you are not PCI certified to process payment data or you haven't submitted PCI Self-Assessment Questionnaire type "D" (for more details please refer to Straal docs > PCI Compliance), use the CryptKey flow as described here.

Sample request for a $9.99 transaction with 3DS The above structure (transaction) is specified here.

You can set capture value to false in order to make a preauthorization with 3D Secure. Then you can void the transaction or do the capture.

Sample success (pending) response, the authentication_3ds object contents may be extended. Sample failure response, synchronous (e.g. due to the failed 3DS initialization):
Wait for the request_finished notification on your backend. This notification will contain the final state of this payment. You don't need to finalize the transaction as you would using the (deprecated) two step 3D secure transaction.

Please note that we send the request finished notification for all transaction-related requests (which means for majority of POST requests to our API). Filter out the relevant notifications by checking the permission field.

The request_finished notification for the 3DS transaction will have permission field set to v1.transactions.create_with_card and the response object will be the final state of the transaction object that you received in the API response before redirecting the customer.
A successful 3DS transaction will be authorized and the authentication_3ds will have status "succeeded". If you requested a captured transaction, which is the default, it should also be captured.


An example of the request_finished notification for a failed 3DS transaction (in this example, the 3DS authentication has succeeded but there were insufficient funds on the customer's account):

Create a card transaction with 3D Secure (Internal MPI Engine)

You can perform a 3D Secure protected transaction by providing an authentication_3ds object containing customer result URLs (success_url and failure_url) in your request payload.

If the card is enrolled in 3DS program, this API request will be asynchronous: on the authentication_3ds object in the response payload you will receive a URL to redirect your customer to. The resulting transaction will not yet be authorized.

At the beginning of transaction the customer will be redirected to a page responsible for browser profiling (profiling_url) to colect data about customer's browser.
In second step customer will be moved to his bank's website to complete 3DS process.
After successful 3DS customer will be redirected to the straal-checkout loading page. In the background we'll perform a transaction with received mpi-params.
After finishing the authentication process, your customer's card will be charged and they will be redirected to the success or failure URL provided in your request.

You will receive the final transaction result in a request_finished notification on your backend (see below). To receive notifications you need to set up the notification endpoint URL for your account in the Kompas panel.

If you are not PCI certified to process payment data or you haven't submitted PCI Self-Assessment Questionnaire type "D" (for more details please refer to Straal docs > PCI Compliance), use the CryptKey flow as described here.

Sample request for a $9.99 transaction with 3DS The above structure (transaction) is specified here.

You can set capture value to false in order to make a preauthorization with 3D Secure. Then you can void the transaction or do the capture.

Sample pending response, the authentication_3ds object contents may be extended. Sample failure response, synchronous (e.g. due to the failed 3DS initialization):
Wait for the request_finished notification on your backend. This notification will contain the final state of this payment.

Please note that we send the request finished notification for all transaction-related requests (which means for majority of POST requests to our API). Filter out the relevant notifications by checking the permission field.

The request_finished notification for the 3DS transaction will have permission field set to v1.transactions.create_with_card_3ds and the response object will be the final state of the transaction object that you received in the API response before redirecting the customer.
A successful 3DS transaction will be authorized and the authentication_3ds will have status "succeeded". If you requested a captured transaction, which is the default, it should also be captured.


An example of the request_finished notification for a failed 3DS transaction (in this example, the 3DS authentication has succeeded but there were insufficient funds on the customer's account):

Create a Google Pay transaction with 3D Secure

Sample request for a $9.99 transaction with 3DS The above structure (transaction) is specified here. Note that the data received from the digital wallet is sent in the card field. apiVersion, apiVersionMinor, email and paymentMethodData you receive from PaymentData that's returned by Google after a payer approves payment.

Sample success (pending) response Sample failure response, synchronous (e.g. due to the failed 3DS initialization):

Create a Apple Pay transaction with 3D Secure

Sample request for a $9.99 transaction with 3DS: The above structure (transaction) is specified here. Note that the data received from the digital wallet is sent in the card field. token and billingContact you receive from ApplePayPayment that's returned by Apple after a payer approves payment.

Sample success (pending) response: Sample failure response, synchronous (e.g. due to the failed 3DS initialization):

Create a 3DS transaction with a card using CryptKey

Learn below how to perform a card transaction with 3D Secure by sending sensitive data directly from a mobile application or website frontend code, so no card data hits your servers, which results in improved security and fewer PCI compliance requirements.

By performing the steps below you will register a card and perform a $9.99 transaction on it, protected by 3D Secure protocol.

1. Create CryptKey with v1.transactions.create_with_card permission

It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Transaction details have to be sent along with create CryptKey request. Similarly to server-to-server variant, you need to provide customer result URLs to your transaction data. Since this method is always executed within the customer context, you have to also include customer_id in the request payload. Sample request: The transaction data structure is specified here.

You can set capture value to false in order to make a preauthorization with 3D Secure. Then you can void the transaction or do the capture.

reference and extra_data are optional, authentication_3ds is required if you want to trigger 3DS authentication for customer.

Merchant risk params is optional, but can be required for some merchant types with particular acquirers.

Browser part of 3DS v2 parameters is optional in this request, but if not provided, Browser object should be included in encrypted payload as described in step 3.

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you could include the CryptKey value somewhere in your HTML code.

3. Encrypt the card data and send it directly to Straal API
The easiest way to do that is to use the Straal.js library.
A request containing card data should have the following format: Browser part of 3DS v2 parameters can be send in request body instead of adding it at the create CryptKey step. If no accept_header, ip and/or user_agent Browser params will be provided, they will be taken from appropriate headers of encrypted request.

Billing address is optional, but can be required for some merchant types with particular acquirers.

The response body will contain a request_id field which should be matched later on with the request_finished notification.
4. Redirect your customer to the provided URL

If the request is successful (status code 200), you will receive a Location header along with the response. Redirect your customer to this URL for him to complete the 3D-Secure verification process.

If you are using Straal.js, it will automatically redirect your customer. After the 3D-Secure verification is finished, your customer will be redirected back to one of the specified URLs (success_url or failure_url) depending on the outcome of the 3D-Secure verification.

5. Wait for the request_finished notification on your backend (>>>you need to set up the notification endpoint URL for your account in the Kompas panel). This notification will contain the final state of this payment. You don't need to finalize the transaction as you would using the (deprecated) two step 3D secure transaction. Please note that we send the request finished notification for all transaction-related requests (which means for majority of POST requests to our API). Filter out the relevant notifications by checking the permission field, which in this flow is v1.transactions.create_with_card.

The request_finished notification for the 3DS transaction will have permission field set to v1.transactions.create_with_card and the response object will be the final state of the transaction object that was created in the encrypted request from the front-end. In the data you will also find request_id of the front-end request as well as cryptkey ID that was used.
The request_finished notification for the 3DS transaction will have the following format. A successful 3DS transaction will be authorized and the authentication_3ds will have status "succeeded". If you requested a captured transaction, which is the default, it should also be captured.
An example of the request_finished notification for a failed 3DS transaction (in this example, the 3DS authentication has succeeded but there were insufficient funds on the customer's account):

Create a 3DS transaction with a card using CryptKey (Internal MPI Engine)

Learn below how to perform a card transaction with 3D Secure by sending sensitive data directly from a mobile application or website frontend code, so no card data hits your servers, which results in improved security and fewer PCI compliance requirements.

By performing the steps below you will register a card and perform a $9.99 transaction on it, protected by 3D Secure protocol using our internal MPI engine.

1. Create CryptKey with v1.transactions.create_with_card_3ds permission

It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Transaction details have to be sent along with create CryptKey request. Similarly to server-to-server variant, you need to provide customer result URLs to your transaction data. Since this method is always executed within the customer context, you have to also include customer_id in the request payload. Sample request: The transaction data structure is specified here.

You can set capture value to false in order to make a preauthorization with 3D Secure. Then you can void the transaction or do the capture.

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you could include the CryptKey value somewhere in your HTML code.

3. Encrypt the card data and send it directly to Straal API
The easiest way to do that is to use the Straal.js library.
A request containing card data should have the following format:
Billing address is optional, but can be required for some merchant types with particular acquirers.

The response body will contain a request_id field which should be matched later on with the threeds_redirection and request_finished notifications.
4. Redirect your customer to the provided URL

If the request is successful (status code 200), you will receive a threeds_redirection notification along with the response. Redirect your customer to the given redirect_url to proceed the 3D-Secure verification process. Check how does the threeds_redirection notification looks like.

If you are using Straal.js, it will automatically redirect your customer.After the 3D-Secure verification is finished, your customer will be redirected back to one of the specified URLs (success_url or failure_url) depending on the outcome of the 3D-Secure verification.

5. Wait for the request_finished notification on your backend (>>>you need to set up the notification endpoint URL for your account in the Kompas panel). This notification will contain the final state of this payment.
Please note that we send the request finished notification for all transaction-related requests (which means for majority of POST requests to our API). Filter out the relevant notifications by checking the permission field, which in this flow is v1.transactions.create_with_card_3ds.

The request_finished notification for the 3DS transaction will have permission field set to v1.transactions.create_with_card_3ds and the response object will be the final state of the transaction object that was created in the encrypted request from the front-end. In the data you will also find request_id of the front-end request as well as cryptkey ID that was used.
The request_finished notification for the 3DS transaction will have the following format. A successful 3DS transaction will be authorized and the authentication_3ds will have status "succeeded". If you requested a captured transaction, which is the default, it should also be captured.
An example of the request_finished notification for a failed 3DS transaction (in this example, the 3DS authentication has succeeded but there were insufficient funds on the customer's account):

Create a 3DS transaction with the Google Pay using CryptKey

Learn below how to perform a Google Pay transaction with 3D Secure by sending PaymentData from Google directly from website frontend code.

By performing the steps below you will register a Google Pay Tokenized Card and perform a $9.99 transaction on it, protected by 3D Secure protocol.

1. Create CryptKey with v1.transactions.create_with_card permission

It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Transaction details have to be sent along with create CryptKey request. Similarly to server-to-server variant, you need to provide customer result URLs to your transaction data. Since this method is always executed within the customer context, you have to also include customer_id in the request payload. Sample request: The transaction data structure is specified here.

You can set capture value to false in order to make a preauthorization with 3D Secure. Then you can void the transaction or do the capture.

reference and extra_data are optional, authentication_3ds is required.

Browser part of 3DS v2 parameters is optional in this request, but if not provided, Browser object should be included in encrypted payload as described in step 3.

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you could include the CryptKey value somewhere in your HTML code.

3. Encrypt Google Pay data received from Google and send it directly to Straal API
The easiest way to do that is to use the Straal.js library.
A request containing card data should have the following format: apiVersion, apiVersionMinor, email and paymentMethodData you receive from PaymentData that's returned by Google after a payer approves payment.

Browser part of 3DS v2 parameters can be send in request body instead of adding it at the create CryptKey step. If no accept_header, ip and/or user_agent Browser params will be provided, they will be taken from appropriate headers of encrypted request.

The response body will contain a request_id field which should be matched later on with the request_finished notification.
4. Redirect your customer to the provided URL

If the request is successful (status code 200), you will receive a Location header along with the response. Redirect your customer to this URL for him to complete the 3D-Secure verification process.

If you are using Straal.js, it will automatically redirect your customer. After the 3D-Secure verification is finished, your customer will be redirected back to one of the specified URLs (success_url or failure_url) depending on the outcome of the 3D-Secure verification.

5. Wait for the request_finished notification on your backend (>>>you need to set up the notification endpoint URL for your account in the Kompas panel). This notification will contain the final state of this payment. Please note that we send the request finished notification for all transaction-related requests (which means for majority of POST requests to our API). Filter out the relevant notifications by checking the permission field, which in this flow is v1.transactions.create_with_card.

The request_finished notification for the 3DS transaction will have permission field set to v1.transactions.create_with_card and the response object will be the final state of the transaction object that was created in the encrypted request from the front-end. In the data you will also find request_id of the front-end request as well as cryptkey ID that was used.
The request_finished notification for the 3DS transaction will have the following format. A successful 3DS transaction will be authorized and the authentication_3ds will have status "succeeded". If you requested a captured transaction, which is the default, it should also be captured.
An example of the request_finished notification for a failed 3DS transaction (in this example, the 3DS authentication has failed):

Create a 3DS transaction with the Apple Pay using CryptKey

Learn below how to perform an Apple Pay transaction with 3D Secure by sending ApplePayPayment from Apple directly from website frontend code.

By performing the steps below you will register an Apple Pay Tokenized Card and perform a $9.99 transaction on it, protected by 3D Secure protocol.

1. Create CryptKey with v1.transactions.create_with_card permission

It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Transaction details have to be sent along with create CryptKey request. Similarly to server-to-server variant, you need to provide customer result URLs to your transaction data. Since this method is always executed within the customer context, you have to also include customer_id in the request payload. Sample request: The transaction data structure is specified here.

You can set capture value to false in order to make a preauthorization with 3D Secure. Then you can void the transaction or do the capture.

reference and extra_data are optional, authentication_3ds is required.

Browser part of 3DS v2 parameters is optional in this request, but if not provided, Browser object should be included in encrypted payload as described in step 3.

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you could include the CryptKey value somewhere in your HTML code.

3. Encrypt Apple Pay data received from Apple and send it directly to Straal API
The easiest way to do that is to use the Straal.js library.
A request containing card data should have the following format: token and billingContact you receive from ApplePayPayment that's returned by Apple after a payer approves payment.

Browser part of 3DS v2 parameters can be sent in request body instead of adding it at the create CryptKey step. If no accept_header, ip and/or user_agent Browser params will be provided, they will be taken from appropriate headers of encrypted request.

The response body will contain a request_id field which should be matched later on with the request_finished notification.
4. Redirect your customer to the provided URL

If the request is successful (status code 200), you will receive a Location header along with the response. Redirect your customer to this URL for him to complete the 3D-Secure verification process.

If you are using Straal.js, it will automatically redirect your customer. After the 3D-Secure verification is finished, your customer will be redirected back to one of the specified URLs (success_url or failure_url) depending on the outcome of the 3D-Secure verification.

5. Wait for the request_finished notification on your backend (>>>you need to set up the notification endpoint URL for your account in the Kompas panel). This notification will contain the final state of this payment. Please note that we send the request finished notification for all transaction-related requests (which means for majority of POST requests to our API). Filter out the relevant notifications by checking the permission field, which in this flow is v1.transactions.create_with_card.

The request_finished notification for the 3DS transaction will have permission field set to v1.transactions.create_with_card and the response object will be the final state of the transaction object that was created in the encrypted request from the front-end. In the data you will also find request_id of the front-end request as well as cryptkey ID that was used.
The request_finished notification for the 3DS transaction will have the following format. A successful 3DS transaction will be authorized and the authentication_3ds will have status "succeeded". If you requested a captured transaction, which is the default, it should also be captured.
An example of the request_finished notification for a failed 3DS transaction (in this example, the 3DS authentication has failed):

3DS v2 request parameters

Below is the structure of threeds_v2 object. There are many parameters, but only a little number of them is required. The more information is provided, the bigger chances of having frictionless authorisation or detecting fraudulent transaction.
CardholderAccountInformation object - additional information about the Cardholder’s account provided by the 3DS Requestor.
The structure of Browser object:
MerchantRiskIndicator object - merchant’s assessment of the level of fraud risk for the specific authentication for both the cardholder and the authentication being conducted.

3DS v2 flows

1. The merchant submits a 3DSecure transaction (authentication_3ds object) to Straal API, including the 3DSecure v2 params (threeds_v2 object). If the card is not valid a response will be returned, indicating the error.
   
   
2. Card issuer responds to Straal with one of possible 3DSecure v2 flows: Frictionless, Challenge or Fallback. All flows are covered by Straal.
   
   
   • Frictionless - no challenge or additional methods are required by the card issuer, the authentication has been done positively, and the transaction will be completed without further action.
     
     
   • Challenge - the card issuer determines that the transaction requires additional cardholder authentication. The customer is redirected by Straal to an URL provided by the acquirer. After the required interaction is complete, the customer is redirected to the failure or success urls.
     
     
   • Fallback - the card issuer enforces fallback to 3DSecure v1 protocol. After the required interaction is complete, the customer is redirected to the failure or success urls.
     
     
   • 3DSecure method - is performed by Straal for you in a background. 3DSecure Method is required to gather additional information about customer via their browser. 3D Secure Method helps to identify when transaction is a low risk and can be processed without required customer interaction (frictionless)
     
     
3. A synchronous payment response is returned to the merchant, indicating the status of the payment. Also, an asynchronous notification to notification URL is enqueued (HTTP POST).

---

Create a transaction with a card

This method allows you to create a card and perform a transaction on it in one request.

type can take values oneshot, oneclick or recurring.

Sample request for a $9.99 transaction Sample response

Create a transaction with a card using CryptKey

The purpose of this method is to perform a transaction by sending sensitive data directly from a mobile application or website frontend code, so no card data will hit your servers, which results in improved security and fewer PCI compliance requirements.

By performing the steps below you will register a card and perform a $9.99 transaction on it.

1. Create CryptKey with v1.transactions.create_with_card permission

It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Transaction details have to be sent along with create CryptKey request. Since this method is always executed within the customer context, you have to also include customer_id in the request payload. Sample request: reference and extra_data are optional.

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you could include the CryptKey value somewhere in your HTML code.

3. Encrypt the card data and send it directly to Straal API
A request containing card data should have the following format:
Response body will contain only request_id which should be matched with request_finished notification. You can let your user know immediately if the payment succeeded by checking the HTTP response code.

Create a transaction with merchant risk params

You can also add parameters relating to the purpose of the transaction. This needs to be configured ahead of time, and is required for some merchant types with particular acquirers. Contact Straal support to determine which parameters are required for your use case. merchant_risk_params can be included in any card transaction request.
merchant_risk_params object: All dates should be formatted using the ISO-8601 (extended) format (i.e. YYYY-MM-DD). Other fields may have format specifications specific to the acquirer.
Example request using create a transaction endpoint Sample request: Sample response

Get a transaction

Returns details of an existing transaction.
If transaction was authorized with 3D-Secure, authentication_3ds details will be available. Sample response:

Get a list of transactions

Returns a list of transactions for the merchant's account.
If transaction was authorized with 3D-Secure, authentication_3ds details will be available. Sample response (limited to 2 objects):
GET /v1/transactions?per_page=2&page=1

Get a list of customer transactions

Returns a list of transactions for a specified customer ID. Sample response (limited to 2 objects):
GET /v1/customers/mhtaqdb4edvrf/transactions?per_page=2&page=1

Get transactions for a given card

Returns a list of transactions for a specified card ID. Sample response (limited to 2 objects):
GET /v1/cards/5nffaefhmlc6h/transactions?per_page=2&page=1

Get transactions for a given subscription

Returns a list of transactions for a specified subscription ID. Sample response (limited to 2 objects):
GET /v1/subscriptions/m5lwrskt18r4f/transactions?per_page=2&page=1

3D-Secure Authentications

These resources allow you to perform a transaction with 3D-Secure authentication.

3D-Secure authentication object attributes

Below is the structure of authentication_3ds object.

[DEPRECATED] 3D-Secure payment process overview

The 3DSecure payment process described below is now deprecated. Please refer to the overview of the new flow using CryptKeys or server-to-server integration (see our quick reference of PCI SAQ types to get help with choosing the best way of integration for your business).

1. Initialize the 3D-Secure process.
2. Customer is redirected to their issuing bank for the purpose of Strong Customer Authentication (SCA).
3. After the customer has authenticated themselves with their issuing bank they will be redirected to one of the URLs provided in step 1.
   • Redirection to success_url does not mean the transaction was processed successfully, only that the customer has successfully authenticated with his bank.
4. A request_finished notification will be sent to your backend, containing the details of the authentication attempt.
   • Up to this point, only the Strong Customer Authentication (SCA) step has been completed, no transaction has been made and no money has been transferred.
5. Finalize the transaction - this will create a transaction and charge the card.

[DEPRECATED] Initialize 3D-Secure process with a CryptKey

This method allows you to initialize the 3D-Secure process using a CryptKey.

1. Create a CryptKey with v1.customers.authentications_3ds.init_3ds permission
It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Transaction details have to be sent along with the create CryptKey request. Since this method is always executed within the customer context, you have to also include customer_id in the request payload.

Sample request: transaction.reference and transaction.extra_data are optional.

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you could include the CryptKey value somewhere in your HTML code.

3. Encrypt the card data and send it directly to Straal API
The easiest way to do that is to use the Straal.js library.
A request containing card data should have the following format: The response body will contain a request_id field which should be matched later on with the request_finished notification.
4. Redirect your customer to the provided URL

If the request is successful (status code 200), you will receive a Location header along with the response. Redirect your customer to this URL for him to complete the 3D-Secure verification process.

If you are using Straal.js, it will automatically redirect your customer. After the 3D-Secure verification is finished, your customer will be redirected back to one of the specified URLs (success_url or failure_url) depending on the outcome of the 3D-Secure verification.

5. Wait for the request_finished notification

After you receive the request_finished notification you can complete the transaction.

It should have the following format: The data.response key represents the 3D-Secure authentication object.

At this point, the 3D-Secure authentication has been finished, but the transaction has not been completed yet.

Save the value from the id field. You can use it later to query the API about the status of the 3D-Secure authentication or to finalize the transaction.

Get a 3D-Secure authorization

Returns details of an existing 3D-Secure authentication. Sample response:

[DEPRECATED] Finalize a 3D-Secure transaction

This method allows you to finalize a previously started 3D-Secure authentication process. The request body should be empty. Response body describes a Transaction object.

Sample response:

Captures

The capture object represents a capture operation performed on previously authorised transaction. You can capture transactions that were successfully authorized and haven't been captured yet. Capture operation can be performed up to 48 hours after the successful authorization.

Capture object attributes

Create a full capture

This method allows you to perform a capture on a previously authorised transaction. The capture method returns the transaction object that was being captured. If the capture succeeded, the captured attribute on the transaction object is set to true. Sample request for full capture with extra_data. Sample response:

Create a partial capture

To make a partial capture you have to use the same method as for a full capture. The request body needs to contain the amount that should be transferred from the cardholder account.
If the capture succeeded, the captured attribute on the transaction object is set to true. Sample request for a partial capture: Sample response:

Refunds

The refund object represents a real refund operation performed on a credit card.

Refund object attributes

Create a full refund

This method allows you to perform a refund on a previously created transaction. The refund method returns a transaction object that was being refunded. If the full refund succeeded, the refunded attribute on the transaction object is set to true. Sample request for full refund with extra_data. Sample response: It is also possible to make a full refund without extra_data by just sending a POST request with an empty body.

Create a partial refund

To make a partial refund you have to use the same method as for a full refund. The request body needs to contain the amount that should be credited.
It is possible to perform more than one partial refund per transaction, as long as their sum does not exceed the original transaction amount. If the sum of partial refunds is equal to the amount of the transaction, the transaction attribute refunded is set to true. Sample request for a partial refund: Sample response:

Cards

Card is an object which represents a credit card and its ID acts as a token which can be used to perform further transactions.

Card object attributes

Verification transaction object attributes

To ensure that the given credit card data is valid, we perform a verification_transaction when handling card object creation requests. By default, during card verification, we authorize and void a small amount from the given credit card. The default amount and currency are configured during the integration phase. To override default verification transaction amount settings, you have to send verification_transaction object in the create card request.

Tokenization object attributes

Billing address object attributes

You can add a billing address whenever providing card data. This needs to be configured ahead of time, and is required for some merchant types with particular acquirers. Contact Straal support to determine which address fields are required for your use case.

Create a card

Creates a card for a specified customer ID. Sample request: Sample response: Sample request with billing address: Sample response:

Create a card using CryptKey

The purpose of this method is to create a card directly from mobile application or website front end code, so no card data will hit your servers, which results in improved security and fewer PCI compliance requirements.

1. Create CryptKey with v1.cards.create permission

It has to be done from your application backend, and the request has to be authorized by an APIKey with the correct permission. Since this method is always executed within the customer context, you have to also include customer_id in the request payload. Sample request: extra_data parameter of card is optional so you don't have to include the card object at all.

You can optionally provide billing address for card. It will be used later even if client will provide billing address from front-end. Sample request:

2. Pass CryptKey into your frontend code

The preferred method to achieve this would be to send a request to your backend. But you have to include the CryptKey value somewhere in your HTML code.

3. Encrypt the card data and send it directly to Straal API
Example request payload containing card data: Response body will contain only request_id which should be matched with request_finished notification. You can let your user know immediately if payment succeeded by checking the HTTP response code.

Request payload accepts also billing address but if it was provided during creation CryptKey it will be ignored. Example request payload with billing address:

Tokenize a card

Merchant may want to use external 3DS server to create a transaction or subscription. To do so, you can start with tokenizing a card, to avoid storing card data during the 3DS process. Then mpi_params can be send when making transaction on previously tokenized card. subscription.

Card tokenization can be used both in Create a card and Create a card using CryptKey

Tokenize with Create a card

Creates a tokenized card for a customer. It can be performed by sending tokenization object with purpose: "init_payment" in the request body. Sample request: Sample response: Created card has awaiting_initial_transaction state. When initial transaction is completed, card state changes to active. If you don't complete the initial transaction, the card status will be changed to disabled 24 hours after card creation. Initial transaction can be completed by creating transaction or subscription

Tokenize with CryptKey

Card can be tokenized using CryptKey

Creating tokenized card can be provided by sending tokenization object with purpose: "init_payment" in the request body.

Sample request: After sending CryptKey request with additional purpose: "init_payment" parameter, CryptKey flow can be applied.

Get a card

Returns information of a specified card. Sample response:

Get the card list

Returns a list of cards for the merchant's account. Sample response (limited to 3 objects):
GET /v1/cards?per_page=3&page=1

Get customer's cards

Returns a list of cards assigned to a specified customer ID. Sample response (limited to 3 objects):
GET /v1/customers/znhibktfny95i/cards?per_page=3&page=1

Mark card disabled

Marks given card state as "disabled". It will not be possible to perform transactions using this card after the state change. This request has to include an initiated_by field, for which possible values are customer and merchant. Sample request: Sample response:

Payment Means

Payment mean is an object which represents a credit card associated with a digital wallet. Its ID acts as a token which can be used to perform further transactions.

Payment Mean object attributes

Get a Payment Mean

Returns information of a specified payment mean associated with a digital wallet. Sample response, after successful transaction for Google Pay payment: Sample response, after failed transaction for Google Pay payment: Sample response, after successful transaction for Apple Pay payment: Sample response, after failed transaction for Apple Pay payment:

Get customer's Payment Means

Returns a list of payment means assigned to a specified customer ID. Sample response (limited to 3 objects):
GET /v1/customers/znhibktfny95i/cards?per_page=3&page=1

Customers

Customer object represents your application/site user.

Customer objects

Create a customer

Sample request: Sample response:

Get a customer

Returns a customer for a specified ID. Sample response:

Get the customer list

Returns a list of customers for the merchant's account. Sample response (limited to 2 objects):
GET /v1/customers?per_page=2&page=1

Subscriptions

Subscription object allows you to automatically charge a user for a specified amount in a recurring manner. The amount depends on the plan associated with the subscription. Subscription requires a payment source, that is, a card or a bank account.

Subscription object attributes

Available cancellation_source codes

Create a subscription

Creates a subscription for a specified card ID. You can use this method multiple times to create additional subscriptions for one card. Sample request: Sample response:

Create a subscription with a card for a given customer

Creates a subscription for a specified customer ID. You can use this method multiple times to create additional subscriptions for one customer using different cards. The card created in this request automatically becomes active, which in practice means that all subscription transactions will be performed using this card.
Notes:
- card object is required while sending a request to this URL
- when using this method, the credit card needs to be authorized, so Verification Authorization will be made. - created card object is added to response when an error occurs during subscription creation. You can use this object in other views. Sample request: Sample response: Sample error response:

Create a subscription with external MPI parameters

It's also possible to provide an optional 3D-Secure MPI data structure if the 3DS authentication has been performed by external MPI system. Optional mpi_params could be included in any of the following card transaction requests:
Create a subscription
Create a subscription with a card for a given customer You can perform a 3D Secure using your own 3DS provider. Then you have to attach mpi_params to the card object in the request body.

Sample request for a $9.99 transaction with external 3DS params: Sample response:

Create a subscription with optional 3DS challenge

Creates a subscription for a specified card ID with 3DS challenge possible. You can use this method multiple times to create additional subscriptions for one customer using different cards. If 3DS challenge will be required then subscription will become active after successful 3DS challenge. All subscription transactions will be performed using this card.
Notes:
- when using this method, the credit card needs to be authorized, so Verification Authorization will be made. Sample request: Sample response with 3DS redirect: Sample response when 3DS is not required: Sample error response: Or:

Get a subscription

Returns details of an existing subscription. Sample response:

Get the subscription list

Returns a list of subscriptions for the merchant's account. Sample response (limited to 2 objects):
GET /v1/subscriptions?per_page=2&page=1

Get the subscription list for a given customer

Returns a list of subscriptions assigned to a specified customer ID. Sample response (limited to 3 objects):
GET /v1/customers/:id/subscriptions?per_page=3&page=1

Get the subscription list for a given card

Returns a list of subscriptions assigned to a specified card ID. Sample response (limited to 3 objects):
GET /v1/cards/:id/subscriptions?per_page=3&page=1

Get subscribe status

Prepared especially for subscriptions created with optional 3DS Challange. Allows to get information about current state of subscription creation. Use this endpoint when you didn't receive redirect_url or you're not sure subscription has been created.

Returns objects related with specific CSR. Sample response with redirect_url and successfully created subscription:: Sample response with redirect_url and without subscription (next step is to redirect Merchant to 3DS Challange): Sample response without redirect_url (send requests until you get response with redirect_url at least): Sample response with error (stop pooling for redirect_url, because subscription cannot be created):

Cancel a subscription

Cancels an existing subscription. Use with caution: you cannot reinstate a cancelled subscription. You will have to create a new one instead. Sample response:

Plans

Plan defines how often and what amount will be taken off the customer's account during subscription lifetime.

Plan object attributes

Create a plan

Sample request for creating $19.99 monthly plan with a 7-day trial period. Response:

Get a plan

Returns details of an existing plan. Sample response:

Get the list of plans

Returns a list of plans for the merchant's account. Sample response (limited to 2 objects):
GET /v1/plans?per_page=2&page=1

Checkout Page

Checkout Page is a commonly used and popular choice for accepting payments online. This method will minimize the amount of work that has to be done to integrate with Straal.

To initialize a new payment via the Checkout Page you have to initialize checkout page and redirect the user to the received checkout_url.

Straal will send notification to your backend about payment status - request_finished after a card transaction and pay_by_link_payment_succeeded or pay_by_link_payment_failed after pay-by-link payment.

In every notification, there is a checkout object nested inside the transaction object. You can match it to the checkout ID you received on checkout creation.

Checkout object attributes

Card transaction object attributes

Initialize checkout

Sample request: Sample response:

Get checkout object

Sample response for Card payment: Sample response for Google Pay payment: Sample response for Apple Pay payment:

CryptKeys

CryptKey is a special object that allows you to send encrypted data directly to our API endpoint without needing to authorize using API Key. This can be useful in various scenarios, such as making a request from mobile or web applications where you can't expose the API Key. CryptKey can be used to make only a single request and can be generated only with one permission which reflects specific API requests. Because the data is not sent through your back end, you have to keep in mind fewer PCI-compliance requirements.

CryptKey object attributes

Create a CryptKey

A request for creating CryptKey has to be authorized by an API Key. It means that you have to make it from your application backend. Sample request: Sample response (key attribute is shortened): Use af_attempt_reference value if you integrate an anti-fraud profiler on your frontend. In this case, pass this value to the frontend and use it as an argument of profiler's initialisation function.

Usage

Every request encrypted with CryptKey should be sent to special endpoint: Read more detailed usage examples:
- Create a transaction with a card using CryptKey
- Create a card using CryptKey
- Initialize a 3D-Secure authentication process using CryptKey

CSRs (Create Subscription Requests)

Create Subscription Request object stores data related to subscription creation: card or bank account, transactions, plan and, if the request succeeded, also subscription. We create CSR objects automatically for correctly formed POST requests to subscription endpoints.

CSR object attributes

Get a CSR

Returns details of a CSR. Sample response:

Get the CSR list

Returns the list of CSRs for the merchant's account. Sample response (limited to 2 objects):
GET /v1/csrs?per_page=2&page=1

APM payments

An Alternative Payment Method (APM) object represents an APM payment attempt made by a customer.

APM payment object attributes

Initialize an APM payment

This method allows you to initialize an APM payment for a previously created customer object. Sample request with optional attributes initializing APM payment. Sample response:

Pay-by-link payments

A pay-by-link payment object represents a pay-by-link payment attempt made by a customer.

Pay-by-link payment object attributes

[DEPRECATED] Initialize a Pay-by-link payment

Deprecated in favor of generic APM.

This method allows you to initialize a pay-by-link payment for a previously created customer object. Sample request initializing pay-by-link payment. Sample response:

Payment methods

Payment method is an object that represents methods that can be used to make an APM payment or a Pay-by-link payment.

Payment method object attributes

Get the list of payment methods

Returns a list of available payment methods. Using information obtained from that endpoint you can render payment method selection view to the end user. Sample response: It is possible to change or limit payment methods list using these GET parameters:

Voids

The void object represents a void operation performed on a previously authorised transaction. You can void transactions that were successfully authorized and haven't been voided yet.

Void object attributes

Create a void

This method allows you to perform a void on a previously authorised transaction. The void method returns the transaction object for which the void has been attempted. If the void succeeded, the voided attribute on the transaction object is set to true. Sample request for void with extra_data. Sample response:

Credits [BETA]

Credits (also known as OCTs, short for Original Credit Transfers) enable you to perform transfers from your merchant account to a previously debited customer's card.
This method is useful for paying out winnings, salaries and other scenarios where you need to transfer money to your users.
Credit object represents a credit transaction performed using our API. To perform a credit you will need to reference a previous successful (captured) transaction.

Credit object attributes

Issue a credit

This method allows you to perform a credit referencing a previously performed card transaction.

The transaction referenced by the credit operation must be a card transaction (and not e.g. SEPA), and must have been successfully authorized.
Sample request for a 9.99 credit Sample response:

Get details about specific credit

Sample response:

Get a list of credits

Returns a list of credits for the merchant's account. Sample response (limited to 2 objects):
GET /v1/credits?per_page=2&page=1

Get a list of credits based on a selected transaction

Returns a list of credits referencing a specified transaction ID. Sample response (limited to 2 objects):
GET /v1/transactions/98mjmc70xnjra/credits?per_page=2&page=1

Get customer's credits

Returns a list of credits for a specified customer ID. Sample response (limited to 2 objects):
GET /v1/customers/94caj820naxrm/credits?per_page=2&page=1

Straal Direct payments

A Straal Direct payment object represents a Straal Direct payment attempt made by a customer.

Straal Direct payment object attributes

Straal Direct payment process overview

1. Start a Straal Direct payment initiation process
2. Using received redirect_url, redirect your customer.
3. Customer chooses a bank from the form and proceeds with payment in their bank.
4. After the customer has completed payment and Straal has it confirmed, the customer is redirected to URL provided in step 1 (return_url)
5. A straal_direct_payment_initiated or straal_direct_payment_failed event will be sent to your backend, containing the details of the Straal Direct payment. Make sure you've configured notifications.

Keep in mind

• Initialized payment is valid for 20 minutes. After that time the payment link expires.

Start a Straal Direct payment initiation process

This method allows you to start a Straal Direct payment initiation process for a previously created customer object. Sample request starting a Straal Direct payment. customer_name is optional. Sample response: It is also possible to supply customer's expected IBAN, using an optional iban field: For the countries supported by this feature (currently: Germany), a special bank recognition logic will be then used. If the bank is supported by Straal Direct, the bank selection screen will be skipped in checkout flow. If the bank is not supported, the request will fail with error 22033: "Your bank is not supported".

Deprecated resources

These API methods are deprecated and should not be used in new integrations.

Create a transaction with a card and a customer

This method allows you to perform a transaction, create a card and a customer in one request. Sample request for a $9.99 transaction Sample response

Create a card with a customer

Sample request: Sample response:

Create a subscription with a card and a customer

This method allows creating a subscription and a customer using a single request by sending both required objects (card and customer). The card created in this request automatically becomes active, which in practice means that all subscription transactions will be performed using this card.
Notes:
- card and customer objects are required while sending a request to this URL
- when using this method, the credit card needs to be authorized, so Verification Authorization will be made.
- created card and customer objects are added to response when an error occurs during subscription creation. You can use these objects in other views. Sample request: Sample response: Sample error response:

Straal.js

Overview

Straal.js is a helper library to make it easier to make API requests directly from the merchant's website. It utilizes client-side encryption and sends data over HTTPS to perform secure transactions.

Download

You can download Straal.js from Straal GitHub

Usage

In order to perform a transaction request directly from your website you have to do the following:

1. Create a CryptKey on your application backend.
2. Pass the generated CryptKey to the frontend part of your site (via request or templating).
3. Pass CryptKey into Straal.js client code.

Notifications

Overview

Straal can notify your backend about certain events. For example, when we charge customer subscription, or after a transaction performed by your user from a mobile device. The notification is a regular HTTP request with JSON-formatted data.

Request finished

Event name: request_finished

If you are using Straal Checkout Page, we strongly recommend you handle the Checkout attempt finished notification instead.

When configured, this notification is sent each time when a transaction-related request is made. It contains the entire response body along with some extra information. Configuring this notification is highly recommended for clients sending encrypted requests directly from their website or a mobile device.
You can filter out the most relevant notifications by by checking the permission field in the data object.

Sample notification for card transaction: Sample notification for Google Pay transaction: Sample notification for Apple Pay transaction:

Checkout Page

These notifications are sent only for transactions made via Straal Checkout Page.

Checkout attempt finished

Event name: checkout_attempt_finished

This notification is sent when a single payment attempt via Straal Checkout Page is finished.

Sample notification for card transaction: Sample notification for Google Pay transaction: Sample notification for Apple Pay transaction:

Reconciliations

These notifications are sent only for SEPA Direct Debit transactions.

Authorized

Event name: authorized

This notification is sent when a SEPA Direct Debit transaction is settled.

Sample notification:

Authorize failed

Event name: authorize_failed

This notification is sent when a SEPA Direct Debit transaction is declined.

Sample notification:

Refund succeeded

Event name: refund_succeeded

This notification is sent when a SEPA Direct Debit transaction refund is settled.

Sample notification for a partial refund:
Sample notification for a full refund:

Refund failed

Event name: refund_failed

This notification is sent when a SEPA Direct Debit transaction refund is declined.

Sample notification:

Chargeback

Event name: sepa_transaction_chargeback

This notification is sent when a SEPA Direct Debit transaction is charged back.

Sample notification:

Transactions

Card transaction chargeback

Event name: card_transaction_chargeback

This notification is sent when a credit card transaction is charged back.

Sample notification:

Card transaction fraud

Event name: card_transaction_fraud

This notification is sent when a credit card transaction has been reported as fraud.

Sample notification:

3DS Redirection

Event name: threeds_redirection

This notification is sent when 3DS challenge has been initialized. It can arrive faster than synchronous response for transaction.
In data.authentication_3ds.redirect_data you have redirect_url to which the customer must be transferred in order to proceed with transaction.

Sample notification:

Subscriptions

Recurring payment succeeded

Event name: recurring_payment_succeeded

This notification is sent when a recurring payment (i.e. billing according to the subscription's plan) succeeds.

Sample notification:

Recurring payment failed

Event name: recurring_payment_failed

This notification is sent when a recurring payment fails.

Sample notification:

Subscription cancelled

Event name: subscription_cancelled

This notification is sent when a subscription is cancelled.

Sample notification:

3DS Subscription Redirection

Event name: threeds_subscription_redirection

This notification is sent when 3DS challenge must be performed. It can arrive faster than synchronous response for subscription.
In data.authentication_3ds.redirect_data you have redirect_url to which the customer must be transferred

Sample notification:

Subscription activated

Event name: subscription_activated

This notification is sent when subscription was just created and activated, usually send after successful 3DS challenge.

Sample notification:

APM payments

APM payment succeeded

Event name: apm_payment_succeeded

This notification is sent when an APM payment succeeds.

Sample notification:

APM payment failed

Event name: apm_payment_failed

This notification is sent when an APM payment fails.

Sample notification:

Pay-by-link payments

Pay-by-link payment succeeded

Event name: pay_by_link_payment_succeeded

This notification is sent when a pay-by-link payment succeeds.

Sample notification:

Pay-by-link payment failed

Event name: pay_by_link_payment_failed

This notification is sent when a pay-by-link payment fails.

Sample notification:

Straal Direct payments

Straal Direct payment initiated

Event name: straal_direct_payment_initiated

This notification is sent when the Straal Direct payment has been initiated. Please note: this means that the payment initiation has been successful, but it does not mean that the related bank transfer has been completed.

As access to this information varies between banks and countries, payer_iban and payer_name may be empty in some cases, even when payment initiation was successful.

Sample notification:

Straal Direct payment failed

Event name: straal_direct_payment_failed

This notification is sent when the Straal Direct payment fails.

Sample notification:

---