Implementing a payment provider
Learn how to build payment provider middleware that implements the Payment Provider Protocol endpoints for VTEX integrations.
This guide describes how to develop the middleware that interprets the calls between VTEX and your payment provider.
The Payment Provider Protocol consists of nine endpoints, divided into two sections: Payment Flow and Configuration Flow. The middleware must handle the requests and responses for all these endpoints.
Before you begin, review the Implementation prerequisites in the Payment Provider Protocol article.
Developing the middleware
Requirements
The middleware can be developed in any programming language. The following requirements apply:
- The endpoint must be served over HTTPS on port 443 with TLS 1.2 support. Endpoints served over HTTP are not accepted.
- The API must be publicly accessible. Restricted APIs are not accepted during the homologation process.
- The endpoint must use a subdomain or domain name. IP addresses are not accepted.
- The endpoint must respond in less than 5 seconds during homologation tests and less than 20 seconds for any other call.
Payment Flow
The following endpoints implement the operations for authorization, cancellation, refund, and settlement.
1. GET Manifest
This endpoint returns the provider's manifest, which contains metadata settings such as payment methods, split configuration, and custom fields.
_32{_32 "paymentMethods": [_32 {_32 "name": "Visa",_32 "allowsSplit": "onCapture"_32 },_32 {_32 "name": "Pix",_32 "allowsSplit": "disabled"_32 },_32 {_32 "name": "MasterCard",_32 "allowsSplit": "onCapture"_32 },_32 {_32 "name": "American Express",_32 "allowsSplit": "onCapture"_32 },_32 {_32 "name": "BankInvoice",_32 "allowsSplit": "onAuthorize"_32 },_32 {_32 "name": "Privatelabels",_32 "allowsSplit": "disabled"_32 },_32 {_32 "name": "Promissories",_32 "allowsSplit": "disabled"_32 }_32 ]_32 }
If you support any type of custom payment, use only the supported method type (
Cobranded,Privatelabels, orPromissories) in the"name"field. Do not include the specific name of the custom payment (for example, "Colombian Bank Promissory").
For more information, see the GET List Payment Provider Manifest endpoint documentation.
2. POST Create Payment
When a customer completes a purchase at checkout, the provider must create a payment associated with the order. Therefore, the provider must be ready to receive the request body containing the full cart information:
_75{_75 "reference": "32478982",_75 "orderId": "1047232106697",_75 "sellerId": "xpto",_75 "transactionId": "611966",_75 "paymentId": "5B127F1E0C944EF9ACE264FEC1FC0E91",_75 "paymentMethod": "cash",_75 "paymentMethodCustomCode": "{{paymentMethodCustomCode}}",_75 "merchantName": "mystore",_75 "value": "29,90",_75 "currency": "BRL",_75 "installments": "0",_75 "deviceFingerprint": "12ade389087fe",_75 "card": {_75 "holder": "{{cardHolder}}",_75 "number": "{{cardNumber}}",_75 "csc": "{{cardSecurityCode}}",_75 "expiration": {_75 "month": "{{cardExpirationMonth}}",_75 "year": "{{cardExpirationYear}}"_75 }_75 },_75 "miniCart": {_75 "shippingValue": 11.44,_75 "taxValue": 10.01,_75 "buyer": {_75 "id": "c1245228-1c68-11e6-94ac-0afa86a846a5",_75 "firstName": "John",_75 "lastName": "Doe",_75 "document": "01234567890",_75 "documentType": "CPF",_75 "email": "john.doe@example.com",_75 "phone": "+12125357200"_75 },_75 "shippingAddress": {_75 "country": "USA",_75 "street": "12 E 49th St",_75 "number": "10017",_75 "complement": "Tower 49 Gallery",_75 "neighborhood": "Central Midtown",_75 "postalCode": "10017",_75 "city": "New York",_75 "state": "NY"_75 },_75 "billingAddress": {_75 "country": "USA",_75 "street": "12 E 49th St",_75 "number": "10017",_75 "complement": "Tower 49 Gallery",_75 "neighborhood": "Central Midtown",_75 "postalCode": "10017",_75 "city": "New York",_75 "state": "NY"_75 },_75 "items": [_75 {_75 "id": "132981",_75 "name": "My First Product",_75 "price": 2134.90,_75 "quantity": 2,_75 "discount": 5.00_75 },_75 {_75 "id": "123242",_75 "name": "My Second Product",_75 "price": 21.98,_75 "quantity": 1,_75 "discount": 1.00_75 }_75 ]_75 },_75 "url": "https://admin.mystore.example.com/orders/v32478982",_75 "callbackUrl": "{{callbackUrl}}",_75 "returnUrl": "{{returnUrl}}"_75}
The callbackUrl is used for retry operations in the payment flow. If the provider uses redirect as a payment flow, the returnUrl must also be included so VTEX can redirect the buyer back to checkout after payment.
Both
callbackURLandreturnURLare generated by VTEX and included in the request payload sent to the provider.
The provider must return the following response:
_15_15{_15 "paymentId": "5B127F1E0C944EF9ACE264FEC1FC0E91",_15 "status": "undefined",_15 "authorizationId": "AUT-E4B9C36034-ASYNC",_15 "paymentUrl": "https://example.vtexpayments.com.br/api/pub/fake-payment-provider/payment-redirect/611966/payments/5B127F1E0C944EF9ACE264FEC1FC0E91",_15 "nsu": "NSU-171BE62CB7-ASYNC",_15 "tid": "TID-20E659E8E5-ASYNC",_15 "acquirer": "TestPay",_15 "code": "2000-ASYNC",_15 "message": null,_15 "delayToAutoSettle": 21600,_15 "delayToAutoSettleAfterAntifraud": 1800,_15 "delayToCancel": 21600_15}
The delayToAutoSettle and delayToAutoSettleAfterAntifraud parameters define how long the system waits before starting the settlement flow. The delayToCancel parameter works similarly, but triggers the cancellation flow after the timeout.
All three delay values are defined by the provider and must be specified in seconds.
The code and message parameters are optional fields where the provider can include additional information about the transaction. Both values persist through subsequent calls.
For a complete field reference, see the POST Create Payment endpoint documentation.
3. POST Cancel Payment
To cancel a payment created previously, the provider must accept a request containing two fields: paymentId (the identifier of the payment to be canceled) and requestId (the identifier that ensures idempotency).
Idempotency means the same cancellation request can be sent multiple times without changing the result. As described in the Operations section, the cancellation flow can be retried for up to one day until the provider responds.
_10{_10 "paymentId": "F5C1A4E20D3B4E07B7E871F5B5BC9F91",_10 "requestId": "1234"_10}
After completing the cancellation, the provider must return a response like this:
_10{_10 "paymentId": "F5C1A4E20D3B4E07B7E871F5B5BC9F91",_10 "message": "Successfully canceled",_10 "code": null,_10 "cancellationId": "1457BD07E6",_10 "requestId": "1234"_10}
For more details, see the Cancel Payment endpoint documentation.
4. POST Capture Payment
After a transaction is authorized successfully, the provider can capture the payment. VTEX supports partial settlements.
A payment can be settled in two scenarios:
- When the store invoices the order.
- After the period defined in
delayToAutoSettleordelayToAutoSettleAfterAntifraudtimes out.
The value field is required for the settlement operation.
VTEX sends the following request to settle a payment:
_10{_10 "paymentId": "5B127F1E0C944EF9ACE264FEC1FC0E91",_10 "transactionId": "611966",_10 "value": 20.0,_10 "requestId": "5678"_10}
The response value can match the full amount from the request or a smaller amount for a settlement capture:
_10{_10 "paymentId": "5B127F1E0C944EF9ACE264FEC1FC0E91",_10 "settleId": "CEE16492C6",_10 "value": 20.0,_10 "code": null,_10 "message": null,_10 "requestId": "5678"_10}
For more details, see the Capture Payment endpoint documentation.
5. POST Refund Payment
VTEX supports partial refunds. For example, if a cart contains two items and the store needs to return only one, the refund can cover the amount of that one item instead of the full order amount.
The provider must accept the following request:
_10{_10 "paymentId": "F5C1A4E20D3B4E07B7E871F5B5BC9F91",_10 "transactionId": "611966",_10 "settleId": "31018A3281",_10 "value": 10.0,_10 "requestId": "5678"_10}
Expected response:
_10{_10 "paymentId": "F5C1A4E20D3B4E07B7E871F5B5BC9F91",_10 "refundId": null,_10 "value": 0.0,_10 "code": "refund-manually",_10 "message": "Refund should be done manually",_10 "requestId": "5678"_10}
The provider can return a value smaller than the requested amount to perform a partial refund.
For more details, see the Refund Payment endpoint documentation.
6. POST Inbound Request (Beta)
The Inbound Request endpoint (Beta) enables a direct connection between the VTEX Gateway and the payment provider through a URL. It handles communication with the provider's backend through the gateway, sending the transaction context securely.
Request example:
_10{_10 "requestId": "LA4E20D3B4E07B7E871F5B5BC9F91",_10 "transactionId": "D3AA1FC8372E430E8236649DB5EBD08E",_10 "paymentId": "F5C1A4E20D3B4E07B7E871F5B5BC9F91",_10 "authorizationId": "{{authorizationId}}",_10 "tid": "{{tid}}",_10 "requestData": {_10 "body": "{{originalRequestBody}}"_10 }_10}
Expected response:
_10{_10 "requestId": "LA4E20D3B4E07B7E871F5B5BC9F91",_10 "paymentId": "F5C1A4E20D3B4E07B7E871F5B5BC9F91",_10 "responseData": {_10 "statusCode": 200,_10 "contentType": "application/json",_10 "content": "{\"myAttribute\":\"anyValue\"}"_10 }_10}
For more details, see the Inbound Request (Beta) endpoint documentation.
Configuration Flow
On VTEX, merchants enable connectors through the VTEX Admin. The setup process is similar for all partners. For instructions, see the Register payment and anti-fraud providers article on the Help Center.
The Configuration Flow implements an authentication mechanism that allows the provider to recognize and authorize the merchant's request. The endpoints below generate three credentials — appKey, appToken, and applicationId — that are stored by VTEX, allowing the merchant to enable the connector without manually copying credentials.
This flow is optional and doesn't affect the integration with VTEX. If you don't plan to implement it, skip to the Homologation section.
1. POST Create Authorization Token
The request body for this endpoint is:
_10{_10 "applicationId": "vtex",_10 "returnUrl": "https://admin.mystore.example.com/provider-return?authorizationCode="_10}
The
applicationIdvalue is always"vtex".
The provider must return an identification token that VTEX uses to redirect the merchant to the provider's application:
_10{_10 "applicationId": "vtex",_10 "token": "auth_token_39766d98535d43a491d03b8c3bea060f"_10}
For more details, see the Create Authorization Token endpoint documentation.
2. GET Provider Authentication
This endpoint allows the merchant to review the provider's terms and conditions.
Using the token from the previous response, VTEX redirects the merchant to the provider's login page. The response must include an authorizationCode associated with the returnUrl from the first step of the Configuration Flow.
_10{_10 "authorizationCode": "auth_code_5b7be276c8e04e95bb1e"_10}
By returning the
authorizationCode, the provider grants access to the "vtex" application.
For more details, see the Provider Authentication endpoint documentation.
3. GET Credentials
This endpoint returns the three credential values.
Expected response:
_10{_10 "applicationId": "vtex",_10 "appKey": "test_key_AE06E97A8C5B45DFA2DC665D6BE91E",_10 "appToken": "test_token_90FB36380D114B37BC0557AEEE40ED"_10}
The credentials are stored by VTEX and activated when the merchant enables the connector.
For more details, see the Get Credentials endpoint documentation.