In this section, you'll find everything you need to manage the various entry points your application will receive during and after an Axepta BNP Paribas Online payment.
You'll learn:
- Which URLs to transmit when creating a payment,
- The order in which they are called,
- How to interpret the returned information,
- How to verify the actual status of a transaction,
- How to manage webhooks
1. Provide URLs : return, cancel, webhook
When initializing the payment, you must provide a URLs object:
| Code Block | ||||
|---|---|---|---|---|
| ||||
urls{
"return":"https://myProcessingServer.net/myApi/success.php?transId=95330876-67ae-4949-a11c-b9a29257831b",
"cancel":"https://myProcessingServer.net/myApi/cancel.php?transId=95330876-67ae-4949-a11c-b9a29257831b",
"webhook":"https://myBackOfficeServer.net/webhook.php"
} |
| Info |
|---|
|
2. Return URL & Cancel URL
One of these two URLs (return or cancel) will be called at the end of transaction processing to:
- Redirect the customer to the merchant's site at the end of the transaction
- Inform the merchant of the transaction status: whether it was validated or not
- Return the unique transaction identifier payId generated by Axepta Online to the merchant's back office
When either of these URLs is called, Axepta BNP Paribas Online automatically adds the parameter: PayId=<paymentId generated by Axepta> - see Integration recommendation
- Documentation Axepta BNP Paribas - Axepta| Tip |
|---|
Add a unique identifier from your system to your URLs to link the response to your order. Example of URL called during customer payment validation:
Ajoutez un identifiant propre à votre système ans vos URLs afin de relier le retour à votre commande. Exemple d'url appelé lors de la validation du paiement par le client.
https://myProcessingServer.net/myApi/success.php?transId=95330876-67ae-4949-a11c-b9a29257831b&PayId=b6eae9b16e3343fa90da39d4ee7bf4ad |
Que faire lorsque vous recevez cet appel ?
What to Do When You Receive This Call?
When one of these URLs is called:
Retrieve the PayId parameter.
Call the API to get the actual transaction status
À l’appel de l’une de ces URLs :
- Récupérez le paramètre PayId. Appelez l’API pour obtenir l’état réel de la transaction
: GET /payments/getByPayId/{payId} - Retrieve payment details by Payment ID
- Mettez à jour votre commande en fonction du status et du responseCode.
- Update your order based on the status and responseCode.
Important Fields in the API Response
- Amount
Champs importants dans la réponse API
- Montant
- : value, capturedValue, refundedValue Identifiants
- Identifiers: payId, transId, xId, refNr Statut
- Status: status = AUTHORIZED, CAPTURED, FAILED, etc. Résultat
- Result:
- responseCode = "00000000"
si succès - if successful
- responseDescription = text message
textuel
Exemple de réponseExample Response
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
{
"amount":{
"value":126,
"currency":"EUR",
"capturedValue":0,
"refundedValue":0
},
"payId":"91a6299a704147bf934aabd79fd1dc5d",
"merchantId":"MY_MERCHANT_ID",
"transId":"Trans361039",
"xId":"b55e68b7e4644a90836ae31effe1fc60",
"refNr":"refNb77254",
"status":"AUTHORIZED",
"responseCode":"00000000",
"responseDescription":"Transaction successful",
"paymentMethods":{
"type":"CARD"
}
} |
3. Webhook
La notification Webhook est le seul moyen fiable d’être informé de la complétion d’une transaction. Il est impératif pour le site marchant de traiter les requêtes reçues sur l'Url Webhook.
Elle est envoyée même si le client :
- ferme son navigateur,
- perd la connexion,
- ne revient pas sur votre site.
Quand est-il envoyé ?
À chaque fin de traitement de paiement asynchrone.
Ce que vous devez faire
- Lire la payload JSON
- Identifier la transaction via payId ou transId
- Mettre à jour votre système
- Répondre un code 200 OK
| Tip |
|---|
Important : ne déclenchez jamais la finalisation de commande uniquement à partir du Return URL. Utilisez toujours le webhook comme source d’information fiable. |
The Webhook notification is the only reliable way to be informed of transaction completion. It is essential for the merchant site to process requests received at the Webhook URL.
This notification is sent even if the customer:
- Closes their browser,
- Loses connection,
- Doesn't return to your site.
When is it sent?
At the end of each asynchronous payment processing.
What you need to do
- Read the JSON payload
- Identify the transaction via payId or transId
- Update your system
- Respond with a 200 OK status code
| Tip |
|---|
Important: Never trigger order finalization based solely on the Return URL. Always use the webhook as the reliable source of information. |
Webhook Structure
Provided Fields
Structure du webhook
Champs fournis
- merchantId
- payId
- transId
- xId
- refNr
- status (AUTHORIZED, FAILED, etc.)
- responseCode / responseDescription
- amount
- paymentMethods
- creationDate (UTC)
- channel (ECOM, MOTO, Pay By Link…)
ExempleExample
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
{
"merchantId": "YOUR_MERCHANT_ID",
"payId": "91a6299a704147bf934aabd79fd1dc5d",
"transId": "Trans361039",
"xid": "b55e68b7e4644a90836ae31effe1fc60",
"refNr": "refNb77254",
"status": "AUTHORIZED",
"responseCode": "00000000",
"responseDescription": "Transaction successful",
"amount": {
"value": 126,
"currency": "EUR"
},
"paymentMethods": {
"type": "CARD"
},
"creationDate": "2025-10-30T11:27:57Z",
"channel": "ECOM"
}
|
Sécurité et Vérification
Security and Verification
To ensure the authenticity of webhook data, it is signed using Afin de garantir l'authenticité des données du webhook, elle sont signées avec un HMAC-SHA256.
La signature est portée par 3 header http dans le message webhookThe signature is included in three HTTP headers within the webhook message.
Signature headers
| X-Paygate-Signature-Version | Version du format de la signature (actuellement, of the signature format (currently, v1) |
| X-Paygate-Timestamp | Unix epoch timestamp (secondes depuis seconds since 1970-01-01T00:00:00Z, UTC) |
| X-Paygate-Signature | Signature dans le in the format |
Signature Generation (Axepta BNP-Paribas Online)
signed_payload = timestamp + "." + raw_json_body
signature = HMAC_SHA256(secret, signed_payload)
secret – - – HMAC key La
- The generated
Signatureis encoded 'hex' et le header est valorisé comme suit - and the header is set as follows:
signature générée est encodé X-Paygate-Signature: v1=<hex-hmac>Vérification de la signature (Commerçant)
Signature Verification (Merchant)
To verify the authenticity of the webhook message data:
Extract the data carried by the HTTP headers
Pour vérifier l'authenticité des données du message webhook:
- Extraire les données portées par les headers HTTP
:
X-Paygate-TimestampX-Paygate-Signature
- Prendre les données brutes de la payoad Json (les données binaire reçues) Calculer le HMAC avec les données extraites
Take the raw JSON payload data (the binary data received)
Calculate the HMAC with the extracted data
- signed_payload
- =
- timestamp
- +
- "."
- + raw_body
- raw_body expected_signature
- =
- HMAC_SHA256(secret,
- signed_payload) Comparer la signature calculée avec celle reçue en utilisant une méthode
- Compare the calculated signature with the received signature using a "constant-time" method.
- Valider le webhook si
- Les signatures sont identiques
- le Timestamp est compris dans les ±5 minutes par rapport à votre horloge locale.
Recommandations d’intégration
- Validate the webhook if:
- The signatures are identical
- The Timestamp is within ±5 minutes of your local clock.
Integration Recommendations
| Tip |
|---|
|
| Tip |
|