Hosted mode
This article describes how to integrate card payment methods through the hosted mode. The hosted mode protects you from the requirements of PCI-DSS compliance by ensuring that sensitive buyer payment data does not pass through or get stored on your servers. This eliminates security risks and data breach concerns. Additionally, you do not need to undergo separate PCI compliance certification, reducing operational and technical costs while improving deployment efficiency for your payment system.
In the hosted mode, APO generates and provides you with a user-friendly payment information collection page. During the payment process, buyers are securely redirected to this page to input their payment details. Once the information is submitted, APO processes it securely and converts it into an encrypted card token (cardToken). This card token acts as a secure reference to the payment card information and can be used in subsequent payment processes. With the hosted mode, you avoid direct contact with buyers' payment data while delivering a seamless and reliable payment experience that ensures both security and compliance.
User experience
The following figures show the user experience in the first-time and saved card payments.
First-time payments
Web user experience
Saved card payments
Web user experience
Payment flow
For card payments with the hosted mode, the payment flow is composed of the following steps.
- The buyer enters the page to select a payment method.
- Create a payment request.
After the buyer selects a payment method and submits the order, the merchant server-side calls the pay API based on the payment information to create a payment request. - Redirect to the payment URL.
The merchant client-side redirects to the URL returned by the payment request to complete the payment. - Obtain the authorized payment result.
The merchant server-side receives the payment result notification returned by the payment method and processes based on the result. - Capture and obtain the capture result.
You must intiate capture after the authorized payment is successful. You can obtain the capture result using one of the following methods:
- Asynchronous notification: Specify paymentNotifyUrl in the pay API to set the address for receiving asynchronous notifications. When the payment request is successful or expires, APO uses the notifyCapture API to send asynchronous notifications to you.
- Synchronous inquiry: Call the inquiryPayment API to check the payment request status.
Note: If you activated the same payment method with multiple acquirers, you can configure payment routing rules on APO Dashboard. If no payment routing rules are set, APO will use random routing rules.
Integration prerequisites
Integrate the APO server-side SDK package, install the server-side library and initialize a request instance. For more details, refer to Server-side SDKs.
Integration steps
Most card payments follow the general payment flow and integration process provided by APO. Start your integration by taking the following steps.
- Display the payment methods
- Authorize a payment
- (Optional) Redirect to the payment continuation URL
- Obtain the authorized payment result
- Capture and obtain the capture result
Note: For South Korean cards, issuer-authentication and non-authentication payment types exist. Non-authentication payments of South Korean cards follow the general card payment process. However, issuer-authentication payments of South Korean cards involve additional actions.
Step 1: Display payment methods
First-time payments
Add the logos and names of the payment methods you plan to integrate. This allows buyers to easily choose their preferred method of payment. You can contact APO Technical Support to source the logos and names.
The following figure shows the page effect after adding a payment method:
Step 2: Authorize a payment
When the buyer selects a payment method, you need to collect the key order information, such as the buyer's payment method information, order information, device information, and payment amount. Call the pay API, and submit an authorization request for payment.
1. Call the pay API
The following sample code shows how to call the pay API:
public static void payByCard() {
AlipayPayRequest alipayPayRequest = new AlipayPayRequest();
alipayPayRequest.setProductCode(ProductCodeType.CASHIER_PAYMENT);
// replace with your paymentRequestId
String paymentRequestId = UUID.randomUUID().toString();
alipayPayRequest.setPaymentRequestId(paymentRequestId);
// set amount
Amount amount = Amount.builder().currency("SGD").value("4200").build();
alipayPayRequest.setPaymentAmount(amount);
// set payment methods
PaymentMethod paymentMethod = PaymentMethod.builder().paymentMethodType("CARD").build();
alipayPayRequest.setPaymentMethod(paymentMethod);
// card info
Map<String, Object> paymentMethodMetaData = new HashMap<String, Object>();
paymentMethodMetaData.put("tokenizeMode", ASKFORCONSENT);
paymentMethod.setPaymentMethodMetaData(paymentMethodMetaData);
// replace with your orderId
String orderId = UUID.randomUUID().toString();
// set buyer info
Buyer buyer = Buyer.builder().referenceBuyerId("yourBuyerId").build();
// set order info
Order order = Order.builder().referenceOrderId(orderId)
.orderDescription("antom testing order").orderAmount(amount).buyer(buyer).build();
alipayPayRequest.setOrder(order);
// set env info
Env env = Env.builder().terminalType(TerminalType.WEB).clientIp("1.2.3.4").build();
alipayPayRequest.setEnv(env);
// set auth capture payment mode
PaymentFactor paymentFactor = PaymentFactor.builder().isAuthorization(true).build();
alipayPayRequest.setPaymentFactor(paymentFactor);
// replace with your notify url
alipayPayRequest.setPaymentNotifyUrl("https://www.yourNotifyUrl.com");
// replace with your redirect url
alipayPayRequest.setPaymentRedirectUrl("https://www.yourMerchantWeb.com");
// do payment
AlipayPayResponse alipayPayResponse = null;
try {
alipayPayResponse = CLIENT.execute(alipayPayRequest);
} catch (AlipayApiException e) {
String errorMsg = e.getMessage();
// handle error condition
}
}2. Create a payment request
Initiating a payment request involves the following key parameters:
Parameter name | Whether required during first-time payments | Whether required during saved card payments | Description |
productCode | Yes | Yes | The value of this field in this scenario is fixed as CASHIER_PAYMENT. |
paymentRequestId | Yes | Yes | The request ID of the authorized payment, which must be unique each time. |
paymentAmount.value | Yes | Yes | The payment amount. |
paymentAmount.currency | Yes | Yes | The currency of the payment amount. |
settlementStrategy.settlementCurrency | No | No | The currency of the settlement strategy for the payment request. |
paymentMethodMetaData | No | No | The additional information that certain payment methods required. |
paymentMethodMetaData.tokenizeMode | No | No | Card information storage mode. When you need to store buyer's card information, specify this parameter.
|
paymentMethod.paymentMethodType | Yes | Yes | The payment method that is used to collect the payment by the merchant or acquirer. The value is fixed as |
paymentMethod.paymentMethodId | No | Yes | The ID of payment methods provided to the buyer by the merchant or acquirer. The cardToken value returned from the initial payment must be passed in during subsequent payments.
|
paymentFactor.isAuthorization | Yes | Yes | The payment mode. This parameter must be set as |
paymentFactor.captureMode | No | No | The capture mode. If this parameter is not specified, the default value is |
productCode | Yes | Yes | The product code. In this scenario, the value is fixed as |
paymentExpiryTime | No | No | The payment expiration time. |
paymentRedirectUrl | Yes | Yes | The merchant page URL that the buyer is redirected to after the payment is completed. This URL must be an HTTPS address and should render content corresponding to the payment result. |
paymentNotifyUrl | No | No | The URL that is used to receive the payment result notification. This URL must be an HTTPS address and if the address is configured on APO Dashboard, this parameter can be omitted. |
env.terminalType | Yes | Yes | The terminal type from which the buyer initiates the payment. Valid values are:
|
env.clientIp | Yes | Yes | The buyer's current IP. |
| order.orderAmount | Yes | Yes | The order amount of the merchant side. |
| order.referenceOrderId | Yes | Yes | The order ID of the merchant side. |
| order.orderDescription | Yes | Yes | The order description of the merchant side. |
order.buyer | Yes | Yes | The buyer information of the merchant side. At least one of the following information must be provided:
|
paymentMethod.paymentMethodMetaData.is3DSAuthentication | No | No | Indicates that whether the transaction authentication type is 3D Secure. Valid values are:
|
For more information about all parameters, refer to the pay API.
The following shows the sample code of a payment request:
{
"env": {
"clientIp": "112.80.248.78",
"deviceId": "eYOIkvFpZzztgO0Yu6USdprBQZCWxDhiUAHCiK8K/cH9mT6wMaMO****",
"deviceLanguage": "zh_CN",
"terminalType": "WEB"
},
"order": {
"buyer": {
"buyerEmail": "alipay@alipay.com",
"buyerName": {
"firstName": "Dehua",
"fullName": "Dehua Skr Liu",
"lastName": "Liu",
"middleName": "Skr"
},
"buyerPhoneNo": "1234567****",
"referenceBuyerId": "test1234****"
},
"orderAmount": {
"currency": "HKD",
"value": "30000"
},
"orderDescription": "Cappuccino #grande (Mika's coffee shop)",
"referenceOrderId": "ORDER_2022111414171****"
},
"paymentAmount": {
"currency": "HKD",
"value": "30000"
},
"paymentFactor": {
"isAuthorization": true
},
"paymentMethod": {
"paymentMethodType": "CARD"
},
"paymentNotifyUrl": "https://www.alipay.com/notify",
"paymentRedirectUrl": "https://www.alipay.com",
"paymentRequestId": "13eIlShXoOg0S9jd3pMWzg3iOBwoXCv1YuEUy****",
"productCode": "CASHIER_PAYMENT",
"settlementStrategy": {
"settlementCurrency": "EUR"
}
}The following shows the sample codes of a response for partial scenarios:
{
"authExpiryTime": "2025-02-27T15:15:57+08:00",
"normalUrl": "https://ac.alipay.com/page/sandbox/stone-infostaging.html?paymentId=20250220194010800190188000014991264&code=golcashier99ed8d93-efcf-4fe7-b9a1-4bb1152d6ad4sandbox&golSandbox=true&pspName=CARD&county=SG",
"paymentActionForm": "{\"method\":\"GET\",\"paymentActionFormType\":\"RedirectActionForm\",\"redirectUrl\":\"https://ac.alipay.com/page/sandbox/stone-infostaging.html?paymentId=20250220194010800190188000014991264&code=golcashier99ed8d93-efcf-4fe7-b9a1-4bb1152d6ad4sandbox&golSandbox=true&pspName=CARD&county=SG\"}",
"paymentAmount": {
"currency": "HKD",
"value": "30000"
},
"paymentCreateTime": "2025-02-20T15:15:57+08:00",
"paymentId": "2025022019401080019018800001499****",
"paymentRequestId": "13eIlShnRH5mKYtqFa2kvfht2IXdx1XoOg0S9jd3pMWzg3iOBwoXCv1YuEUy****",
"redirectActionForm": {
"method": "GET",
"redirectUrl": "https://ac.alipay.com/page/sandbox/stone-infostaging.html?paymentId=20250220194010800190188000014991264&code=golcashier99ed8d93-efcf-4fe7-b9a1-4bb1152d6ad4sandbox&golSandbox=true&pspName=CARD&county=SG"
},
"result": {
"resultCode": "PAYMENT_IN_PROCESS",
"resultMessage": "Payment is processing.",
"resultStatus": "U"
}
}The table shows the possible values that the result.resultStatus parameter in the response message may return. Please handle the result according to the guidances:
| result.resultStatus | Message | Further actions |
| Indicates that the authorized payment is successful. | You may proceed with initiating capture. |
| Indicates the authorized payment failed. | Please close the current transaction or replace paymentRequestId to place the order again. |
| Indicates that the authorized payment is being processed. |
|
Note: If you did not receive a response message, it might be due to a network timeout. You can call the inquiryPayment API to retrieve the payment result, or wait for the asynchronous payment result notifications.
Step 3: (Optional) Redirect to the payment continuation URL
After the merchant server obtains normalUrl and passes it to the frontend, it will redirect from the merchant frontend to the APO normalUrl.
After obtaining normalUrl, you need to redirect the page to the APO normalUrl in the browser, or open it in a new tab.
if (serverResponse.normalUrl != null) {
window.open(serverResponse.normalUrl, '_blank');
}Step 4: Obtain the authorized payment result
1. Set the webhook URL to receive notifications
You can choose one of following methods to set the webhook URL to receive notifications:
- If each of your order has a unique notification URL, we recommend to set the webhook URL in each individual request. You can pass the asynchronous notification receiving URL for the specific order through the paymentNotifyUrl parameter in the pay API.
- If all your orders share a unified notification URL, you can set the webhook URL on APO Dashboard through Developer > Notification Address.
Note:
- If you set the webhook URL both in the API and APO Dashboard, the one set in the pay API takes precedence.
- If the buyer fails to verify their identity after being redirected to the 3D URL, APO will only send an asynchronous notification after the order is closed. The default payment expiration time depends on the acquirer.
The following is the notification request sample code:
{
"acquirerReferenceNo":"pay_6tmvamfcxp5ujbbfjeopyz****",
"result":{
"resultStatus":"S",
"resultCode":"SUCCESS",
"resultMessage":"success."
},
"notifyType":"PAYMENT_RESULT",
"paymentId":"2025031719401089010011160025568****",
"paymentRequestId":"G15320250317102252****",
"paymentResultInfo":{
"lastFour":"1358",
"funding":"CREDIT",
"issuerName":"ORIENT CORPORATION",
"expiryMonth":"**",
"threeDSResult":{
"cavv":"",
"xid":"649335d6-1858-4532-8a6e-0579e1b7****",
"threeDSType":"INTERNAL",
"eci":"05",
"threeDSVersion":"2.2.0"
},
"expiryYear":"**",
"cardNo":"************1358",
"cardBin":"4280**",
"holdName":"NIHEI SHUNSUKE",
"issuingCountry":"JP",
"avsResultRaw":"I",
"fingerprint":"a28f7dd0713e2f1d4e9ccae8853f5c0abca5154a03a6559cd985eb409857****",
"networkTransactionId":"46507608833****",
"cardBrand":"VISA",
"cvvResultRaw":""
},
"paymentTime":"2025-03-16T19:27:17-07:00",
"acquirerInfo":{
"referenceRequestId":"202503171903130000060027882****",
"acquirerTransactionId":"pay_6tmvamfcxp5ujbbfjeopyz****",
"acquirerMerchantId":"pc_6cpbmm5qderubjraxrygje****",
"acquirerName":"CHECKOUT"
},
"paymentAmount":{
"currency":"JPY",
"value":"120"
},
"paymentCreateTime":"2025-03-16T19:26:42-07:00"
}
The table shows the possible values that the result.resultStatus parameter in the request message may return. Please handle the result according to the guidances:
result.resultStatus | Message | Further actions |
| Indicates that the authorized payment is successful. | You can proceed with initiating capture, and ensure to save paymentId for capture and future refunds. |
| Indicates the authorized payment failed. | Please close the current transaction or replace paymentRequestId to place the order again.
|
Common Questions
Q: When will the notification be sent?
A: The sending time depends on whether the payment is completed: if the payment is completed, APO will send an asynchronous notification immediately after receiving notification from the acquirers.
Q: Will the asynchronous notification be re-sent?
A: Yes, the asynchronous notification will be re-sent automatically within 24 hours for the following cases:
- If you didn't receive the asynchronous notification due to network reasons.
- If you receive an asynchronous notification from APO, but you didn't make a response to the notification in the Sample code format.
The notification can be re-sent up to 8 times or until a correct response is received to terminate delivery. The sending intervals are as follows: 0 minutes, 2 minutes, 10 minutes, 10 minutes, 1 hour, 2 hours, 6 hours, and 15 hours.
Q: What are the key parameters in the notification that I need to use?
A: Pay attention to the following key parameters:
- result: indicates the payment result of the order.
- paymentRequestId: indicates the payment request number you generated for consult, cancel, and reconciliation.
- paymentId: indicates the payment order number generated by APO, used for refund and reconciliation.
- paymentAmount: indicates the payment amount. Pass this parameter if payment amount verification is required.
- acquirerInfo: indicates the information about the acquirers.
Q: Do I need to save the information on acquirers?
A: It is recommended to save the information on acquirers (acquirerInfo), refer to Order number management for specific reasons.
2. Verify asynchronous notifications
If you receive an asynchronous notification from APO, you are required to return the response in the Sample code format, but you do not need to countersign the response.
You need to verify the signature of the payment notification sent by APO.
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import com.alipay.global.api.model.Result;
import com.alipay.global.api.model.ResultStatusType;
import com.alipay.global.api.response.AlipayResponse;
import com.alipay.global.api.tools.WebhookTool;
@RestController
public class PaymentNotifyHandleBySDK {
/**
* alipay public key, used to verify signature
*/
private static final String SERVER_PUBLIC_KEY = "";
/**
* payment result notify processor
* using <a href="https://spring.io">Spring Framework</a>
*
* @param request HttpServletRequest
* @param notifyBody notify body
* @return
*/
@PostMapping("/payNotify")
public Object payNotifyHandler(HttpServletRequest request, @RequestBody String notifyBody) {
// retrieve the required parameters from http request.
String requestUri = request.getRequestURI();
String requestMethod = request.getMethod();
// retrieve the required parameters from request header.
String requestTime = request.getHeader("request-time");
String clientId = request.getHeader("client-id");
String signature = request.getHeader("signature");
Result result;
AlipayResponse response = new AlipayResponse();
try {
// verify the signature of notification
boolean verifyResult = WebhookTool.checkSignature(requestUri, requestMethod, clientId, requestTime, signature, notifyBody, SERVER_PUBLIC_KEY);
if (!verifyResult) {
throw new RuntimeException("Invalid notify signature");
}
// deserialize the notification body
// update the order status with notify result
// respond the server that the notification is received
result = new Result("SUCCESS", "success", ResultStatusType.S);
} catch (Exception e) {
String errorMsg = e.getMessage();
// handle error condition
result = new Result("ERROR", errorMsg, ResultStatusType.F);
}
response.setResult(result);
return ResponseEntity.ok().body(response);
}
}You do not need to countersign the response of the result notification. However, you must respond to each notification request in the following fixed format, regardless of whether the payment is successful or not.
{
"result": {
"resultCode": "SUCCESS",
"resultStatus": "S",
"resultMessage": "success"
}
}Step 5: Capture and obtain the capture result
You can configure the paymentFactor.captureMode parameter in the pay API to opt for automatic capture or manual capture. You can obtain the capture result through an asynchronous notification or inquire about the capture result by calling the inquiryPayment API. For more information, see Capture.
It is recommended to save the information of the acquirers (acquirerInfo), refer to Order number management for specific reasons. The following code shows an example of a capture result response when inquiring about the capture result:
{
"paymentResultCode":"SUCCESS",
"paymentRequestId":"G15320250317102252****",
"paymentResultInfo":{
"lastFour":"1358",
"funding":"CREDIT",
"issuerName":"ORIENT CORPORATION",
"expiryMonth":"**",
"threeDSResult":{
"cavv":"",
"xid":"649335d6-1858-4532-8a6e-0579e1b7****",
"threeDSType":"INTERNAL",
"eci":"05",
"threeDSVersion":"2.2.0"
},
"expiryYear":"**",
"cardNo":"************1358",
"cardBin":"428067",
"holdName":"NIHEI SHUNSUKE",
"issuingCountry":"JP",
"avsResultRaw":"I",
"fingerprint":"a28f7dd0713e2f1d4e9ccae8853f5c0abca5154a03a6559cd985eb409857****",
"networkTransactionId":"46507608833****",
"cardBrand":"VISA",
"cvvResultRaw":""
},
"transactions":[
{
"transactionType":"CAPTURE",
"transactionStatus":"SUCCESS",
"transactionRequestId":"G15320250317102252****",
"transactionAmount":{
"currency":"JPY",
"value":"120"
},
"transactionTime":"2025-03-16T19:27:17-07:00",
"acquirerInfo":{
"referenceRequestId":"202503171903130100060027884****",
"acquirerTransactionId":"act_yv3fchmu3bre3l3tui5y35****",
"acquirerMerchantId":"pc_6cpbmm5qderubjraxrygje****",
"acquirerName":"CHECKOUT"
},
"transactionId":"2025031719401089010011160025567****",
"transactionResult":{
"resultStatus":"S",
"resultCode":"SUCCESS",
"resultMessage":"success"
}
}
],
"paymentAmount":{
"currency":"JPY",
"value":"120"
},
"acquirerReferenceNo":"pay_6tmvamfcxp5ujbbfjeopyz****",
"result":{
"resultStatus":"S",
"resultCode":"SUCCESS",
"resultMessage":"success."
},
"paymentId":"2025031719401089010011160025568****",
"paymentResultMessage":"success.",
"paymentTime":"2025-03-16T19:27:17-07:00",
"acquirerInfo":{
"referenceRequestId":"202503171903130000060027882****",
"acquirerTransactionId":"pay_6tmvamfcxp5ujbbfjeopyz****",
"acquirerMerchantId":"pc_6cpbmm5qderubjraxrygje****",
"acquirerName":"CHECKOUT"
},
"paymentStatus":"SUCCESS",
"paymentCreateTime":"2025-03-16T19:26:42-07:00"
}After payment
Inquire about the authorized payment result
In addition to obtaining the buyer's payment result through the asynchronous notification, you can retrieve the corresponding payment result through the payments inquiry service. You can call the inquiryPayment API and use the paymentRequestId value of the payment to check the payment status.
The following code shows how to call the inquiryPayment API:
public static void inquiryPayment() {
AlipayPayQueryRequest alipayPayQueryRequest = new AlipayPayQueryRequest();
// replace with your paymentRequestId
alipayPayQueryRequest.setPaymentRequestId("yourPaymentRequestId");
AlipayPayQueryResponse alipayPayQueryResponse = null;
try {
alipayPayQueryResponse = CLIENT.execute(alipayPayQueryRequest);
} catch (AlipayApiException e) {
String errorMsg = e.getMessage();
// handle error condition
}
}The following code shows an example of a request:
{
"paymentRequestId": "REQUEST_2024100821261****"
}It is recommended to save the information on acquirers (acquirerInfo), refer to Order number management for specific reasons. The following code shows an example of a response:
{
"paymentResultCode": "SUCCESS",
"paymentRequestId": "G15320250317102252****",
"paymentResultInfo": {
"lastFour": "1358",
"funding": "CREDIT",
"issuerName": "ORIENT CORPORATION",
"expiryMonth": "**",
"threeDSResult": {
"cavv": "",
"xid": "649335d6-1858-4532-8a6e-0579e1b7****",
"threeDSType": "INTERNAL",
"eci": "05",
"threeDSVersion": "2.2.0"
},
"expiryYear": "**",
"cardNo": "************1358",
"cardBin": "428067",
"holdName": "NIHEI SHUNSUKE",
"issuingCountry": "JP",
"avsResultRaw": "I",
"fingerprint": "a28f7dd0713e2f1d4e9ccae8853f5c0abca5154a03a6559cd985eb409857****",
"networkTransactionId": "46507608833****",
"cardBrand": "VISA",
"cvvResultRaw": ""
},
"paymentAmount": {
"currency": "JPY",
"value": "120"
},
"acquirerReferenceNo": "pay_6tmvamfcxp5ujbbfjeopyz****",
"result": {
"resultStatus": "S",
"resultCode": "SUCCESS",
"resultMessage": "success."
},
"paymentId": "2025031719401089010011160025568****",
"paymentResultMessage": "success.",
"paymentTime": "2025-03-16T19:27:17-07:00",
"acquirerInfo": {
"referenceRequestId": "202503171903130000060027882****",
"acquirerTransactionId": "pay_6tmvamfcxp5ujbbfjeopyz****",
"acquirerMerchantId": "pc_6cpbmm5qderubjraxrygje****",
"acquirerName": "CHECKOUT"
},
"paymentStatus": "SUCCESS",
"paymentCreateTime": "2025-03-16T19:26:42-07:00"
}The table shows the possible values of paymentStatus returned in the response. Please handle the result according to the guidances:
paymentStatus | Message | Further actions |
| Indicates that the authorized payment is successful. | You may proceed with initiating capture. |
| Indicates that the authorized payment failed. | Please close the current transaction or replace paymentRequestId to place the order again. |
| Indicates that the authorized payment is being processed. | You can continue to inquire about the payment result or inquire after the payment expiration time. |
Common Questions
Q: How often should I call the inquiryPayment API?
A: Please continuously call the inquiryPayment API at 2-second intervals, and make the inquiry after placing the order via the pay API until the final payment result is obtained or the payment result asynchronous notification is received.
Q: What are the key parameters in the inquiry that I need to use?
A: Pay attention to the following key parameters:
- paymentStatus: You need to determine the payment result based on paymentStatus.
- paymentAmount: indicates the payment amount.
Cancel
If you need to cancel a transaction, you can use the cancel API. For more information, see Cancel.
Refund
To learn about APO refund rules and how to initiate a refund for a successful transaction, see Refund for more information.
Dispute
When a buyer chooses to pay with a card, a dispute may occur. To learn more, see Dispute.
Reconciliation
After the transaction is completed, use the financial reports provided by APO for reconciliation. For more information on how to reconcile and the settlement rules of APO, please refer to Reconciliation.