PayFacto API - v1.0 - POST /v1/recur/CreateSession

PayFacto API - v1.0 - POST /v1/recur/CreateSession

PayFacto API - v1.0 - POST /v1/recur/CreateSession

Creates a hosted session for secure card registration. Returns a sessionUrl that the merchant redirects the cardholder to. Card details are entered on a PayFacto-hosted form β€” the merchant system never handles raw card data. On completion, PayFacto redirects the cardholder back to the merchant with a token appended to the ReturnUrl.

1

Prerequisites

πŸ”‘

API Key

Generate your API key from the Payments Manager: Administrator Client β†’ API Key β†’ Add New Key. Pass it as auth-api-key in every request.

πŸͺ

Company & Merchant Numbers

Your CompanyNumber (5-digit) and MerchantNumber (8-digit) are issued by PayFacto during onboarding. Both are required on every Create Session request.

🌐

Environment Base URL

Test: https://test.api.payfacto.cloud/v1   |   Production: Provided by the PayFacto Integration team upon certification.

πŸ“¦

Request Format β€” Base64-Encoded Payload

Requests use HTTP POST with an application/x-www-form-urlencoded body. Assemble all parameters as a cleartext query string, Base64-encode it, then send: auth-api-key={key}&payload={base64}. This endpoint does not require card data, terminal numbers, or transaction amounts.

πŸ›‘οΈ

Hosted Card Entry β€” PCI Scope Reduction

Card details are entered by the cardholder on a PayFacto-hosted secure form. The merchant system never handles raw card data (PAN, expiry, or CVV), significantly reducing PCI DSS scope. This approach is an alternative to direct card entry via /v1/recur/AddUser.

πŸ”„

Hosted Form Flow

After calling this endpoint, redirect the cardholder to the returned sessionUrl. When they complete the form, PayFacto redirects them to your ReturnUrl with a token query parameter appended. If they cancel, they are redirected to your CancelUrl. Store the token from the redirect for future recurring or token-based billing operations.

2

Request

POST https://test.api.payfacto.cloud/v1/recur/CreateSession
ℹ️

All parameters are passed inside the Base64-encoded payload form field. Raw body format: auth-api-key=<key>&payload=<base64>. This endpoint does not require card data, terminal numbers, or transaction amounts.

Required fields

FieldTypeDescription
CompanyNumberNumeric(5)Identifies the merchant on PayFacto's network. Provided by PayFacto during onboarding. Example: 12345
MerchantNumberNumeric(8)Identifies the merchant to PayFacto's network. Provided by the integration team. Example: 53400000
CustomerNumberAlphanumeric(8)Merchant-assigned customer identifier. Associates the session with a client record. Example: CLIENT12
LanguageCodeAlphanumeric(1)Language for the hosted card entry form and PayFacto responses. F = French, E = English.
OperatorIDAlphanumeric(8)Identifies the cashier, agent, or system that initiated the request. Example: USER0001
ReturnUrlAlphanumericThe URL PayFacto redirects the cardholder to after successful card registration. A token query parameter is appended by PayFacto to this URL on success. Must be a fully-qualified HTTPS URL. Example: https://yoursite.com/card-registered
CancelUrlAlphanumericThe URL PayFacto redirects the cardholder to if they cancel on the hosted form. Must be a fully-qualified HTTPS URL. Example: https://yoursite.com/card-cancelled
3

Request β€” Code Example

⚠️

The example below uses the test endpoint and a sandbox API key. Replace credentials and base URL before going live. After a successful response, redirect the cardholder to the sessionUrl returned in the response.

cURL
# Create Session -- POST /v1/recur/CreateSession
# Step 1: Build the cleartext payload

PAYLOAD="CompanyNumber=12345&MerchantNumber=53400000&CustomerNumber=CLIENT12&LanguageCode=E&OperatorID=USER0001&ReturnUrl=https://yoursite.com/card-registered&CancelUrl=https://yoursite.com/card-cancelled"

# Step 2: Base64-encode the payload
ENCODED=$(echo -n "$PAYLOAD" | base64)

# Step 3: Submit the request
curl -X POST "https://test.api.payfacto.cloud/v1/recur/CreateSession" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "auth-api-key=YOUR_TEST_API_KEY&payload=$ENCODED"
4

Response

Always returned

FieldTypeDescription
returnCodeAlphanumeric(4)Identifies the result of the session creation. 00 = session created successfully. All other values indicate a failure. Refer to Section 6 for endpoint-specific codes.
serverNumberAlphanumeric(4)Identifies the PayFacto Network server that processed the request.
timeStampAlphanumeric(17)Date and time the request was processed. Format: YYYYMMDD-HHMMSSCC. Example: 20240601-09000100

Conditionally returned

FieldTypeDescription
sessionUrlAlphanumericβ˜… Redirect the cardholder to this URL. Returned on successful session creation. The cardholder must be redirected to this URL to access the PayFacto-hosted card entry form. The URL is single-use and time-limited.
errorDescriptionAlphanumeric(50)Only returned when the session creation fails. Human-readable description of the failure reason.
ℹ️

Token delivery via redirect. The token for the registered cardholder is not returned in this API response. It is appended by PayFacto as a query parameter to your ReturnUrl after the cardholder completes the hosted form β€” for example: https://yoursite.com/card-registered?token=4111110000001111000000000000000001. Read and store this token from the incoming redirect request on your server.

5

Response β€” Code Example

JSON β€” 200 Success
{
"returnCode": "00",
"serverNumber": "0001",
"timeStamp": "20240601-09000100",
"sessionUrl": "https://hosted.payfacto.cloud/session/a1b2c3d4e5f6..."
}
JSON β€” Error
{
"returnCode": "9006",
"errorDescription": "INVALID COMPANY NUMBER",
"serverNumber": "0001",
"timeStamp": "20240601-09000200"
}
Incoming redirect to ReturnUrl (cardholder browser)
# After the cardholder completes the hosted form, PayFacto redirects their
# browser to your ReturnUrl with the token appended as a query parameter:

GET https://yoursite.com/card-registered?token=4111110000001111000000000000000001
6

Error / Return Codes

The following codes are most relevant to this endpoint. For the complete catalogue see the Return Code Index.

Return CodeMeaningWhen it occursRecommended Action
00Session createdA hosted card entry session was created successfully.Redirect the cardholder to the sessionUrl immediately. The URL is single-use and time-limited. Read the token query parameter from the incoming redirect to your ReturnUrl and store it.
9004"Null" value: company numberCompanyNumber is null or blank in the payload.Check your application. The field must correspond to the specification in the documentation.
9005 / 9006Invalid / rejected: company numberCompanyNumber does not match the required 5-digit length or is not configured in the payment solution.Make sure the application uses the correct company number provided by PayFacto. If it does, contact PayFacto customer service.
9007"Null" value: merchant numberMerchantNumber is null or blank in the payload.Check your application. The field must correspond to the specification in the documentation.
9008 / 9009Invalid / rejected: merchant numberMerchantNumber does not match the required 8-digit length or is not configured in the payment solution.Make sure the application uses the merchant number provided by PayFacto. If it does, contact PayFacto customer service.
9051Time outRequest processing timed out.Retry the request. If the problem persists, contact PayFacto customer service.
9049 / 9050Fatal errorA critical error occurred while processing the request.Retry the request. If the problem persists, contact PayFacto customer service.