Version 1.4

Index
1 Description ................................................ 5
1.1 Overview ................................................. 5
1.2 Audience ................................................. 5
1.3 Terminology .............................................. 5
4 Security ................................................... 30
4.1 Information Security ..................................... 30
4.2 Communication Security ................................... 30
Proprietary and Confidential
Alipay Express Checkout API Specification
1 Description
This document provides the information you need to integrate Alipay Express Checkout. It
contains best-practice guidelines and should serve as a reference for implementing Express
Checkout in the respective market.
1.1 Overview
Alipay Express Checkout provides a seamless checkout experience by removing the traditional
online payment pain points: the customer does not need to enter card information, go through
page redirections, or perform an additional 2FA step during the payment process.
The Express Checkout experience rests on individual agreements that allow a Payment Service
Provider (PSP) to charge the customer's payment card during the payment process without any
customer intervention.
1.2 Audience
This document is intended for Payment Service Providers (PSP) and Bank partners who
would like to integrate Alipay Express Checkout.
1.3 Terminology
Term Definition
2 Solution Overview
To provide the seamless checkout experience, a customer has to grant a Payment Service
Provider (PSP) permission to charge his or her payment card. This relationship is governed by a
digital contractual arrangement, referred to herein as the Express Checkout Agreement.
An Express Checkout Agreement is created by having the customer validate his or her personal
information and payment card details with the respective bank partner. This establishes
ownership of the payment card and verifies the identity of the customer. A 2FA procedure can
also be introduced to further strengthen the verification.
Once the agreement has been set up, future payments can be performed without the customer
having to enter payment card information or provide any additional 2FA. The PSP has to present
a valid agreement to the respective bank partner in order to perform a payment transaction.
The creation of an Express Checkout Agreement begins with the customer requesting to
enable Express Checkout for a payment card. The PSP then provides the necessary fields to
gather the information needed for verification. This information includes, but is not limited
to, the customer's first name, last name, identification document details, payment card
details and the mobile phone number registered with the bank partner.
The PSP then performs a validation check with the bank partner using this information in
order to authenticate the customer. 2FA can also be performed at this point, by either the
bank or the PSP.
Once verification is complete, the PSP assigns a unique ID to the agreement and communicates
it to the bank partner to formally establish the agreement. This agreement ID is then used as
the primary reference for all future Express Checkout operations pertaining to that customer
and payment card.
Note:
- The information used for validation can differ from market to market and should be
determined by PSP and bank partner based on local requirements.
- Each agreement will be assigned an expiry date that corresponds to the expiry date of
the payment card. In the absence of such an attribute, the expiry shall be set to a
predetermined fixed period, i.e. 20 years.
- Each agreement can only bind one payment card or bank account.
- Each payment card or bank account can be bound to at most one active agreement at
any one time.
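The binding rules above (one instrument per agreement, at most one active agreement per instrument, expiry taken from the card or a fixed 20-year term) and the agreement status codes this document defines for cancelAgreement (0 In-force, 1 Suspended, 2 Cancelled, 3 Expired) can be enforced in a small agreement store. The following Go program is an added example written for this page, not Alipay's or any partner's code. It assumes the card expiry arrives as MMYYYY (as in this document's sample body) and that the agreement stays valid through the end of that month, that a Suspended agreement still occupies the instrument, and that agreements are keyed by a tokenised card reference rather than the PAN; the in-memory store and the sample IDs are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Agreement status values, as defined in the cancelAgreement response body.
const (
	StatusInForce   = 0
	StatusSuspended = 1
	StatusCancelled = 2
	StatusExpired   = 3
)

// DefaultTermYears is the fixed validity used when the instrument carries no expiry date.
const DefaultTermYears = 20

// Agreement binds exactly one payment instrument to a PSP-assigned agreement ID.
type Agreement struct {
	ID      string
	CardRef string    // tokenised card/account reference (assumption); never the PAN
	Expiry  time.Time // valid while now < Expiry
	status  int       // In-force or Suspended while live, Cancelled after cancelAgreement
}

// Store enforces the binding rules: one instrument per agreement and at most one
// active agreement per instrument at any one time.
type Store struct{ byID map[string]*Agreement }

func NewStore() *Store { return &Store{byID: map[string]*Agreement{}} }

var ErrAlreadyBound = errors.New("instrument is already bound to an active agreement")

// expiryFrom derives the agreement expiry from a card expiry in MMYYYY form (the
// agreement stays valid through the end of that month) or, when the instrument
// has no expiry date, from the fixed default term.
func expiryFrom(cardExpiry string, now time.Time) (time.Time, error) {
	if cardExpiry == "" {
		return now.AddDate(DefaultTermYears, 0, 0), nil
	}
	month, err := time.Parse("012006", cardExpiry)
	if err != nil {
		return time.Time{}, fmt.Errorf("card expiry %q is not MMYYYY: %w", cardExpiry, err)
	}
	return month.AddDate(0, 1, 0), nil
}

// Status reports the agreement status at time now. Cancellation is final; an
// in-force or suspended agreement becomes Expired once its expiry has passed.
func (a *Agreement) Status(now time.Time) int {
	if a.status == StatusCancelled {
		return StatusCancelled
	}
	if !now.Before(a.Expiry) {
		return StatusExpired
	}
	return a.status
}

// Create registers an agreement once the PSP has verified the customer with the
// bank partner. It refuses a second live agreement (In-force or Suspended) for
// the same instrument; a production store would index CardRef instead of scanning.
func (s *Store) Create(id, cardRef, cardExpiry string, now time.Time) (*Agreement, error) {
	for _, a := range s.byID {
		if a.CardRef == cardRef && a.Status(now) <= StatusSuspended {
			return nil, ErrAlreadyBound
		}
	}
	exp, err := expiryFrom(cardExpiry, now)
	if err != nil {
		return nil, err
	}
	a := &Agreement{ID: id, CardRef: cardRef, Expiry: exp, status: StatusInForce}
	s.byID[id] = a
	return a, nil
}

// Cancel disables Express Checkout for the bound instrument, whether requested by
// the customer or by the PSP for risk reasons, and frees it for a new agreement.
func (s *Store) Cancel(id string) (int, error) {
	a, ok := s.byID[id]
	if !ok {
		return 0, fmt.Errorf("unknown agreement %s", id)
	}
	a.status = StatusCancelled
	return StatusCancelled, nil
}

func main() {
	now := time.Date(2016, 12, 2, 1, 4, 23, 0, time.UTC)
	s := NewStore()
	a, _ := s.Create("ABCDIDJAXXX201612020104320000008", "tok-card-1", "042018", now)
	fmt.Println("created; expires", a.Expiry.Format("2006-01-02"), "status", a.Status(now))
	_, err := s.Create("ABCDIDJAXXX201612020104320000009", "tok-card-1", "042018", now)
	fmt.Println("second agreement on the same card:", err)
	st, _ := s.Cancel(a.ID)
	fmt.Println("after cancel:", st, "; tok-card-1 may now be bound to a new agreement")
}
```

Status is computed at read time rather than stored, so an agreement whose card has expired is reported as Expired (3) and no longer blocks a new agreement for the same instrument, without a background job having to flip a flag.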
An Express Checkout payment is executed by having the PSP present a valid agreement to the
bank partner for processing. The bank partner then returns the result of the payment to the
PSP in real time to complete the Express Checkout payment.
For transactions that are determined to be high-risk, an additional verification step can be
initiated by the PSP. This can take the form of an OTP sent by either the PSP or the bank
partner.
To perform a refund on an Express Checkout payment, both the transaction ID and the
agreement ID used in the original transaction have to be provided to the bank partner for
processing. The refund amount goes back to the original payment source. The bank partner
returns the result of the refund to the PSP in real time to complete the refund flow.
Note:
Multiple refunds can be performed on a single transaction. However, sufficient application
logic has to be in place to ensure that the cumulative refund amount does not exceed the
original transaction amount.
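The note above leaves the cumulative-refund check to application logic. The Go snippet below is an added example, not part of the specification: it keeps amounts in integer minor units so the running total is exact, requires the agreement ID used in the original transaction to match, treats a repeated refund request ID as a retry rather than a second refund, and refuses any refund that would push the total past the original amount. The refund request ID (an idempotency key) and the Payment structure are assumptions made for the example; the spec itself only names the transaction ID and agreement ID.

```go
package main

import (
	"errors"
	"fmt"
)

// Payment is the ledger record of an executed Express Checkout payment. Amounts
// are integer minor units (e.g. cents) so the cumulative check never rounds.
type Payment struct {
	TransactionID string
	AgreementID   string // agreement presented in the original transaction
	Amount        int64
	Refunded      int64
	refunds       map[string]int64 // refund request ID -> amount, for idempotent retries
}

var (
	ErrAgreementMismatch = errors.New("agreement ID differs from the original transaction")
	ErrBadAmount         = errors.New("refund amount must be positive")
	ErrOverRefund        = errors.New("cumulative refunds would exceed the original amount")
)

// Refund applies one (possibly partial) refund and returns the amount still
// refundable. refundID is an assumed idempotency key chosen by the PSP: a retry
// with the same ID and amount is acknowledged without moving money again, while
// a retry with a different amount is rejected as a conflicting request.
func (p *Payment) Refund(refundID, agreementID string, amount int64) (int64, error) {
	remaining := p.Amount - p.Refunded
	if agreementID != p.AgreementID {
		return remaining, ErrAgreementMismatch
	}
	if prev, seen := p.refunds[refundID]; seen {
		if prev != amount {
			return remaining, fmt.Errorf("refund %s retried with a different amount", refundID)
		}
		return remaining, nil
	}
	if amount <= 0 {
		return remaining, ErrBadAmount
	}
	if amount > remaining {
		return remaining, ErrOverRefund
	}
	if p.refunds == nil {
		p.refunds = map[string]int64{}
	}
	p.Refunded += amount
	p.refunds[refundID] = amount
	return remaining - amount, nil
}

func main() {
	p := &Payment{TransactionID: "TX-1", AgreementID: "ABCDIDJAXXX201612020104320000008", Amount: 10000}
	attempts := []struct {
		id  string
		amt int64
	}{{"R1", 4000}, {"R1", 4000}, {"R2", 7000}, {"R2", 6000}, {"R3", 1}}
	for _, r := range attempts {
		left, err := p.Refund(r.id, p.AgreementID, r.amt)
		fmt.Printf("%s %5d -> remaining %5d, err=%v\n", r.id, r.amt, left, err)
	}
}
```

Rejected refunds are deliberately not recorded under their request ID, so a refund that was refused for exceeding the remaining amount can be resubmitted with a corrected amount, as the R2 sequence in main shows.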
The customer can, at any time, disable the Express Checkout functionality of a particular
payment card by cancelling its corresponding agreement. The PSP also has the flexibility to
cancel an agreement for risk and fraud management. To cancel an existing agreement, the PSP
provides the agreement ID to the bank partner for processing. The bank partner returns the
result of the agreement cancellation to the PSP in real time to complete the cancellation
flow.
3 API Specifications
The API definition is of two types (request and response) and comprises the following
components:
API Components

API Component   Description
Header          Header containing generic information about the API request
Body            API request body
Signature       Signature generated to ensure non-repudiation of the API contents
Request Components
{
"request": {
"head": {},
"body": {}
},
"signature": "signature string"
}
Response Components
{
"response": {
"head": {},
"body": {}
},
"signature": "signature string"
}
Request Header

Field      Data Type    Mandatory   Description
version    char (8)     Y           API version
function   char (128)   Y           API function
reqTime    datetime     Y           Date and time with timezone, following the ISO 8601 standard
                                    (refer to RFC 3339 section 5.6)
reqMsgId   char (64)    Y           Unique id (UUID) assigned to each request by the API invoker.
                                    The reqMsgId identifies a unique system request and does not
                                    represent a unique business request.
Request Body
The request body is determined by each API's business logic. There is no common structure for
the request body across APIs.
Request Sample
{
"request": {
"head": {
"version": "1.0.0",
"function": "validateAgreement",
"reqTime": "2016-12-02T01:04:23+08:00",
"reqMsgId": "20161202010423PGWSGDD-0000003431"
},
"body": {
"key1": "value1",
"key2": "value2"
}
},
"signature": "signature string"
}
Response Header

Field      Data Type    Mandatory   Description
version    char (8)     Y           API version
function   char (128)   Y           API function
respTime   datetime     Y           Date and time with timezone, following the ISO 8601 standard
                                    (refer to RFC 3339 section 5.6)
reqMsgId   char (64)    Y           The unique reqMsgId from the request header
Response Sample
{
"response": {
"head": {
"version": "1.0.0",
"function": "validateAgreement",
"respTime": "2016-12-02T01:04:24+08:00",
"reqMsgId": "20161202010423PGWSGDD-0000003431"
},
"body": {
"resultInfo": {
"resultStatus":"F",
"resultCodeId":"00000002",
"resultCode":"PARAM_MISSING",
"resultMsg":"One or more mandatory parameters are missing."
},
"key1": "value1"
}
},
"signature": "signature string"
}
NOTE: For all responses, HTTP code 200 should be returned to indicate that the request has
been processed; the business outcome (success or failure) is carried in resultInfo. For
requests that cannot be processed, e.g. because of an illegal format or a signature
validation failure, HTTP code 400 should be returned. For other system errors that prevent
your program from generating a response, HTTP code 500 is suggested; other HTTP codes, e.g.
404, are also acceptable.
The message body is signed with the SHA256withRSA algorithm. Alipay and the partner banks
exchange RSA digital certificates: the signer uses the private key of its own certificate to
sign the signature parameter string, and the receiver verifies the signature with the public
key of the certificate issued by the counterparty. RSA keys must be 2048 bits or longer. The
signature value is Base64-encoded and placed in the signature parameter.
Values must not be prefixed or suffixed with filler characters: both ends of each string are
trimmed of whitespace before signing and before verification. Whitespace here means the four
characters blank (0x20), tab (0x09), carriage return (0x0d) and line feed (0x0a).
Note on special characters: a Base64-encoded digital signature may contain carriage returns,
so avoid inserting the signature into the message through DOM API operations. A DOM API may
be unable to handle these characters unchanged, and the carriage returns in the signature
would be transformed, causing signature verification to fail at the recipient.
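Putting the envelope, the header rules and the signing rules together, the following Go program is an added example written for this page; it is not Alipay's or a partner's code. It assumes that SHA256withRSA denotes RSASSA-PKCS1-v1_5 (the usual meaning of that algorithm name), that the signed string is the compact JSON text of the request member exactly as transmitted (the specification leaves the exact parameter string to the partners), and it generates a throwaway 2048-bit key in place of the exchanged certificates. The receiving side implements the HTTP mapping given above: 400 for an unparseable message, a failed signature check or a reqTime that is not RFC 3339, and 200 once the request has been processed, with reqMsgId echoed in the response head.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Head holds the request header fields defined by the specification.
type Head struct {
	Version  string `json:"version"`
	Function string `json:"function"`
	ReqTime  string `json:"reqTime"`
	ReqMsgID string `json:"reqMsgId"`
}

// Request is the "request" member: head plus a function-specific body.
type Request struct {
	Head Head            `json:"head"`
	Body json.RawMessage `json:"body"`
}

// Envelope is the wire message: {"request": {...}, "signature": "..."}.
type Envelope struct {
	Request   json.RawMessage `json:"request"`
	Signature string          `json:"signature"`
}

// signedBytes returns the bytes the signature covers. ASSUMPTION (the spec leaves
// the parameter string to the partners): the compact JSON text of the "request"
// member exactly as transmitted, with surrounding whitespace trimmed.
func signedBytes(raw json.RawMessage) []byte { return bytes.TrimSpace(raw) }

// Sign serialises req, signs it with SHA256withRSA (RSASSA-PKCS1-v1_5) and puts
// the Base64 of the signature into the "signature" parameter.
func Sign(priv *rsa.PrivateKey, req Request) (Envelope, error) {
	if priv.N.BitLen() < 2048 { // the spec requires 2048 bits or more
		return Envelope{}, fmt.Errorf("RSA key too short: %d bits", priv.N.BitLen())
	}
	raw, err := json.Marshal(req)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(signedBytes(raw))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Request: raw, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify checks the signature with the counterparty's public key. Blank, tab, CR
// and LF are removed from the Base64 text first, so a line-wrapped signature still verifies.
func Verify(pub *rsa.PublicKey, env Envelope) error {
	clean := strings.NewReplacer(" ", "", "\t", "", "\r", "", "\n", "").Replace(env.Signature)
	sig, err := base64.StdEncoding.DecodeString(clean)
	if err != nil {
		return fmt.Errorf("signature is not valid Base64: %w", err)
	}
	digest := sha256.Sum256(signedBytes(env.Request))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// HandleRequest is the receiver's entry point and returns the HTTP status the spec
// prescribes: 400 when the message cannot be processed (unparseable, failed signature
// check, non-RFC 3339 reqTime), 200 once processed; the business outcome then
// travels in resultInfo, not in the HTTP status.
func HandleRequest(pub *rsa.PublicKey, wire []byte) (int, string) {
	var env Envelope
	if err := json.Unmarshal(wire, &env); err != nil {
		return 400, "illegal message format"
	}
	if err := Verify(pub, env); err != nil { // verify before trusting any field
		return 400, "signature validation failure"
	}
	var req Request
	if err := json.Unmarshal(env.Request, &req); err != nil {
		return 400, "illegal request format"
	}
	if _, err := time.Parse(time.RFC3339, req.Head.ReqTime); err != nil {
		return 400, "reqTime is not RFC 3339"
	}
	// Processed: echo reqMsgId for correlation. A real responder signs the response the same way.
	resp, _ := json.Marshal(map[string]any{"response": map[string]any{"head": map[string]string{"reqMsgId": req.Head.ReqMsgID}}})
	return 200, string(resp)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; partners exchange real certificates
	req := Request{
		Head: Head{"1.0.0", "validateAgreement", "2016-12-02T01:04:23+08:00", "20161202010423PGWSGDD-0000003431"},
		Body: json.RawMessage(`{"agreementID":"ABCDIDJAXXX201612020104320000008"}`),
	}
	env, _ := Sign(priv, req)
	wire, _ := json.Marshal(env)
	fmt.Println(HandleRequest(&priv.PublicKey, wire)) // 200 with the echoed reqMsgId
	tampered := bytes.Replace(wire, []byte("validateAgreement"), []byte("cancelAgreement"), 1)
	fmt.Println(HandleRequest(&priv.PublicKey, tampered)) // 400: same signature, altered bytes
}
```

The signature is verified over the request bytes as received, before any field is parsed or acted on, and whitespace stripping applies only to the Base64 text, never to the signed bytes; this is what keeps the check sound while still accepting a signature that a transport layer has line-wrapped.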
},
"customerBankInfo": {
"bankCardType": 1,
"bankCardNo": "414746300546842",
"bankCardExpiry": "042018",
"cvv2": "121",
"bankAccountNo": "496090669",
"mobilePhone": "81903097376"
},
"otpValue": "453864",
"agreementID": "ABCDIDJAXXX201612020104320000008"
}
Request Body

Field        Data Type   Mandatory   Description
agreementID  char (32)   Y           Unique ID of the agreement

{
"agreementID": "ABCDIDJAXXX201612020104320000008"
}
Response Body

Field            Data Type        Mandatory   Description
resultInfo       data structure   Y           Result of the agreement cancellation (resultStatus S, F or U),
                                              including resultCodeId and resultCode; refer to section 5.5
                                              for the complete list.
agreementID      char (32)        Y           Unique ID of the agreement
agreementStatus  char (1)         Y           Status of the agreement:
                                              0 In-force
                                              1 Suspended
                                              2 Cancelled
                                              3 Expired
memo             char (256)       N           Memo, if any

{
"resultInfo": {
"resultStatus":"S",
"resultCodeId":"00000000",
"resultCode":"SUCCESS"
},
"agreementID": "ABCDIDJAXXX201612020104320000008",
"agreementStatus": "2"
}
4 Security
As sensitive information is being captured and transmitted as part of the Express Checkout suite
of APIs, it is of utmost importance that this information be secured to ensure confidentiality.
The following are recommendations pertaining to information and communication security. The
ultimate onus lies with both the PSP and the bank partners to agree upon and implement the
appropriate security measures.
5 Error Handling
The following lists some of the negative or abnormal scenarios that might occur in the
end-to-end Express Checkout flow and provides the recommended course of action for each
scenario.
6.2 Settlement
The Express Checkout product should ideally, and as much as possible, rely on the established
payment network with the respective bank partner (for example, card-on-us framework). As such,
there should be minimal or no change required to existing settlement processes.