successUrl or declineUrl when the payment is done. You never render the form β PayFacto handles all the card UI, PCI compliance, and 3D Secure.How It Works
Your server creates a link
POST to the SHP session endpoint with your transaction type and optional parameters. The response returns a linkUrl β the full URL of the PayFacto-hosted payment page.
Redirect the customer
Send the customer's browser to the linkUrl. This can be a server-side redirect, a client-side redirect, a button link, or a QR code.
Customer pays on the PayFacto-hosted page
The customer enters their card details on a PayFacto-hosted page. Your server never sees raw card data. 3D Secure runs automatically if your account is configured for it.
PayFacto redirects the customer back
After payment, PayFacto redirects the customer to your successUrl or declineUrl. The linkId is included as a query parameter so your server can retrieve the transaction result.
Your server retrieves the transaction result
Call GET /links/{{linkId}}/responses or verify the HMAC from the webhook payload to confirm the transaction outcome before fulfilling the order.
API Key
PayFacto provides you with an API key β a username and password pair. Base64-encode username:password and pass it as the Authorization: Basic ... header on every session request. Never put it in client-side JavaScript or a public repository.
HTTPS server
All PayFacto endpoints require HTTPS. Your server must be able to make outbound HTTPS requests to the SHP session endpoint.
UAT environment
Use the UAT base URL during development: https://uat.ca.shc.payfacto.cloud. Your PayFacto contact will provide the production URL when you are ready to go live.
successUrl and declineUrl
You must have two HTTPS URLs on your server β one to handle successful payments and one for failures. Pass them in the session request body as successUrl and declineUrl.
SHP uses two endpoints: one to create the session link (your server calls this), and one that is the hosted payment page itself (the customer's browser visits this).
UAT / Integration
Production
Call POST /secure-hosted-checkout/v1/links from your server. The only required field is transactionType. The response includes a linkUrl β this is the full URL of the hosted payment page you will redirect the customer to.
This call must be made from your server, not the browser. The Authorization header contains your API secret. Never expose it in client-side code.
Required field
Optional fields
link response
Once your server has the linkUrl, send the customer's browser to it. You can do this with a server-side HTTP redirect, a client-side JavaScript redirect, a link in an email, or by generating a QR code. See the Helper Endpoints section for QR code generation.
Session token expiry
Links expire after the time set in expires (default: 5 minutes from creation). Create a new session link for each checkout attempt β do not cache or reuse session links across customers or sessions.
Reusable links
Set uses to a value greater than 1 to create a payment link that can be used multiple times β useful for invoice emails or in-person QR codes at a point of sale. Each use creates a separate transaction.
Email delivery
Set sendEmail: true in the session request to have PayFacto email the linkUrl directly to the customer. The email address must be collected separately or passed as part of the session.
After the customer pays (or fails), PayFacto redirects them to your successUrl or declineUrl. The linkId is appended as a query parameter. Use it to retrieve the transaction result from PayFacto before fulfilling the order.
Never fulfil an order based on the browser redirect alone. The redirect only tells you the customer returned β it does not prove the payment succeeded. Always verify the result server-side using the linkId or HMAC webhook before releasing goods or services.
Every PayFacto response includes a metadata.HMAC field β a SHA-256 fingerprint of the response body, signed with your API secret. Recalculate it on your server to confirm the response came from PayFacto and was not tampered with in transit.
Always verify HMACs on your server, never in the browser. The check only proves anything if your API secret stays secret.
The HMAC is generated by running JSON.stringify(response.response) (the inner response object, not the full envelope) through HMAC-SHA256 keyed with your API secret. Compare the result against metadata.HMAC. If they differ, discard the response and do not fulfil the order.
These endpoints let you manage links after creation β look up their state, cancel them, retrieve results, or generate a QR code for in-person or invoice use.