The PayFacto Payment API v1.0 communicates over HTTP POST. All requests use Base64-encoded form parameters; all responses are JSON. This page covers the request format, authentication, payload encoding, and the complete list of available endpoints.
Contents
All requests are HTTP POST with a application/x-www-form-urlencoded body containing two fields:
auth-api-key
Your API key. Passed as a plain string β not Base64-encoded. Generated from the Payments Manager (see API Key section below).
payload
All transaction parameters assembled as a cleartext query string, then Base64-encoded (see Payload & Encoding section below).
Final request body format:
Each merchant has a unique API key that authenticates all requests. To generate a key:
Keep your API key confidential. Never expose it in client-side code, browser requests, or public repositories. All API calls must be made server-to-server.
All transaction parameters are assembled into a single cleartext query string, then Base64-encoded before submission. The three steps are:
Build the cleartext parameter string
Assemble all required parameters as a URL-encoded query string:
Base64-encode the entire string
Submit the full request body
cURL example:
All responses are returned as JSON key-value pairs. Always check returnCode (or recurReturnCode for recurring endpoints) first β a value of 00 indicates success.
For the complete list of response fields and their meanings, see Response Parameters. For return code definitions, see Return Codes.
Test
Use this environment during development and certification. No real card charges are processed.
Production
Provided by the PayFacto Integration team upon successful certification of your solution. Contact PayFacto Support to begin the certification process.
The Redirect flow sends cardholders to a PayFacto-hosted payment page. Create a session server-side, redirect the browser, then retrieve the result once the cardholder returns.
PayFacto Objects (Secure Fields) allows card data to be collected directly in your page via iFrame-hosted input fields, keeping your front end out of PCI scope.
Interac Authorized Push (IAP) endpoints for real-time Interac payment flows.
The recurring billing module manages subscribers (users), subscriptions, and invoices. Recurring endpoints use recurReturnCode in responses instead of returnCode.
DataCandy endpoints manage gift and loyalty card transactions. Store transactionConfirmationNumber from every DataCandy response β it is required for commit and cancel operations.