Checkout API
Ottu provides a comprehensive collection of APIs that offer a seamless and efficient way to test payments and enable merchants to accept and process transactions instantly. The Checkout API is the cornerstone of any payment initiation, whether it's API-based or SDK-based.
In order to ensure optimal transaction success tracking and minimize the number of required payment transactions, merchants should create a Payment Transaction as soon as the amount is known. This typically occurs when a customer adds their first item to their cart. Following this, any changes to the total amount should be updated using the Checkout API PATCH method.
By updating the same payment transaction, rather than creating a new one for each payment attempt, merchants can more effectively trace customer interactions with their cart. This is particularly useful for events such as insufficient funds, where a customer may remove an item from their cart and successfully complete a transaction on their next attempt. Tracking and analyzing such events can help merchants make data-driven decisions for future improvements.
Permissions are managed using Basic Authentication and API-Key. Specifically, Basic Authentication is used to grant permissions for creating, updating, and reading data, as well as using allowed PG codes when creating or updating payment transactions.
It is important to ensure that the appropriate level of permissions is assigned to each user or application using the APIs. This can help to prevent unauthorized access or modification of sensitive data. Additionally, it is recommended to rotate API-Keys on a regular basis and to use secure password storage practices when using Basic Authentication.
Ottu Checkout API supports different levels of permissions for the Payment Request and E-Commerce plugins. The permissions depend on the authentication method being used.
When using the API-Key, all permissions are granted by default, as the API-Key is considered to have admin permissions. See How to Generate API Keys
For Basic Authentication, permissions are granted as follows:
To create a transaction, the user needs specific permission depending on the plugin being used:
"Can add payment requests" for the Payment Request plugin
"Can add e-commerce payments" for the E-Commerce plugin
Permission to use the payment gateway code is also required: "Can use
pg_code"
To update a transaction, the user needs specific permission depending on the plugin being used:
"Can change payment requests" for the Payment Request plugin
"Can change e-commerce payments" for the E-Commerce plugin
Permission to use the payment gateway code is also required: "Can use
pg_code"
By default, if a user has either the "Can add" or "Can change" permission, they can fetch transactions from the API.
For more granular control, the following view permissions can be used:
"Can view e-commerce payments" for the E-Commerce plugin
"Can view payment requests" for the Payment Request plugin
The objective of the POST request is to facilitate the creation of payment transactions and the subsequent generation of payment links, each of which is associated with a unique session ID. These links can be effortlessly shared with customers through a range of communication channels, including email, WhatsApp, and SMS. Additionally, it is possible to incorporate the customer's billing and shipping information into the transaction. Moreover, users of this API have the ability to include diverse forms of data and information within the body request.
An established contractual arrangement with the payer, which authorizes the merchant to securely store and subsequently utilize their payment information for specific purposes. This could encompass arrangements like recurring payments for services such as mobile subscriptions, installment-based payments for purchases, arrangements for ad-hoc charges like account top-ups, or for standard industry practices like penalty charges for missed appointments. For more information please refer here.
Represents the total amount of the payment transaction, which includes the cost of the purchased items or services but excludes any additional fees or charges. The number of decimals must correlate with the currency_code. Max length: 24 Min value: 0.01
Attachments can be included as an optional feature in email notifications sent to the customer regarding their payment. These attachments will also be available for download on the checkout page. The primary purpose of this field is to provide the customer with additional information or documentation related to their purchase. However, it's important to note the following:
Attachments should be sent using the multipart/form-data encoding type. Ensure that you change the content type to
multipart/form-datawhen sending attachments. They cannot be sent using JSON encoding.Allowed file extensions for attachments include: PDF, JPEG, PNG, DOC, DOCX, JPG, XLS, XLSX, and TXT.
The name of the attached file should not exceed 100 characters.
An object to save customer registered address data into payment transaction.
This field allows the merchant to define specific rules and conditions that a card must meet to be eligible for payment. These stipulations apply regardless of whether a customer chooses to pay using a saved card or opts to add a new card for the transaction. By leveraging the card_acceptance_criteria, merchant gains the power to fine-tune his payment processing strategy, tailoring acceptance rules to align with his business needs, security standards, and risk management policies.
Example: If merchant runs an exclusive service that caters predominantly to premium customers, he might set criteria that only allow transactions from high-tier credit cards like VISA Platinum. This ensures that payments align with the exclusivity and branding of his services. Merchant should configure these criteria thoughtfully. Striking the right balance between security, risk mitigation, and user experience is paramount.
The currency in which the transaction is denominated. However, it does not guarantee that the payment must be made in this currency, as there can be currency conversions or exchanges resulting in a different currency being charged. See currencies. 3 letters code.
string datetime optional
Specifies the customer's date of birth. This field can be used for various purposes such as identity verification, eligibility checks, or customer profiling. The value must be provided in the YYYY-MM-DD format.
This field specifies the customer's email address and is used to send payment notifications and receipts. Additionally, it is used for fraud prevention and is transmitted to the payment gateway. The email address may also be included on invoices, receipts, and displayed on the payment page. It must be a valid email address. Max length 128
The first name of the recipient of the payment. This field is used for various communications such as the invoice, receipt, email, SMS, or displayed on the payment page. It may also be sent to the payment gateway if necessary. Max length 64.
The customer ID is a unique identifier for the customer within the merchant's system. It is also used as a merchant identifier for the customer and plays a critical role in tokenization. All the customer's cards will be associated with this ID. Max length: 64.
The last name of the recipient of the payment. This field is used for various communications such as the invoice, receipt, email, SMS, or displayed on the payment page. It may also be sent to the payment gateway if necessary. Max length 64.
Customer phone number associated with the payment. This might be sent to the payment gateway and depending on the gateway, it may trigger a click to pay process on the payment page. The phone number will also be included in the invoice, receipt, email, and displayed on the payment page. Max length 16.
The date and time by which the payment is due. This field may be used to help remind the customer to complete the payment before the due date The default value is UTC. Should be in format (DD/MM/YYYY hh:mm)
A comma-separated list of email addresses for internal recipients who will receive customer emails. These recipients will be included in email notifications sent to the customer regarding their payment.
If defined, any payment transactions created more than the defined period of time ago will be invalidated or expired if the customer tries to pay them. This field may be used to help ensure that payment transactions are processed in a timely manner. By default, this expiration period is set to 24 hours from the time of transaction creation. Should be In format (DD HH:MM:SS).
An object for extra data aka dynamic fields. Extra data can accept any value by default. However, if the merchant wants to enforce a specific type, they can use the plugins.Field class to do so. All CUSTOM fields are validated inside extra field.
If set to true, the qr_code_url field will be present in the response. Upon scanning it, the customer will be redirected to the checkout_url, which is the Ottu Checkout page. Default value is false.
When set to true, the Checkout API will include the sdk_setup_preload_payload in its response. This payload facilitates immediate UI setup without the need for further API calls.
By default, the parameter is set to false, and the sdk_setup_preload_payload is not included in the API response.
This field specifies the language to be used for communication with the customer, including the payment page, receipt, invoice, email, SMS, and any other communications related to the payment transaction. Available choices: en, ar. Default language is en. Max length: 2.
An object that contains the notification settings for this payment transaction, including SMS and email notifications, as well as the events for which they will be sent (e.g., created, paid, refund, canceled, etc.). This field may be used to configure and customize the notifications sent to customers and internal recipients throughout the payment process.
The unique identifier assigned to this payment transaction. It is used for tracking purposes and is set by the merchant or the system. Max length: 128.
The list of payment gateway codes from which a customer can select to perform the payment or authorization. Customer uses only one PG code. For Basic authentication: User can use the PG code that has permission to access to. For API Private key: User can use all the PG code.
Enum: one_off, auto_debit, or save_card
one_off: For payments that occur only once without future commitments.save_card: To indicates that the transaction is for the purpose of saving the card information. For additional information, please refer to the Tokenization without Payment document.auto_debit: For payments that are automatically deducted, such as recurring subscriptions, installments, or unscheduled auto-debits. for more information about auto-debit API, please refer to Auto-Debit API documentation.
If auto_debit is selected:
agreement and customer_id parameters will also be mandatory.
Only
PG codessupporting tokenization can be selected. As a side effect, the card used for the payment will be associated with the suppliedagreement.id. This card will be locked, preventing the customer from deleting it from the system until an alternate card is chosen forauto-debitpayments.
The type of product or service being purchased. This field may be used for tracking and reporting purposes Max length: 128.
It is the destination where customers are redirected after the payment stage, only if the webhook_url returns a success status. Query parameters, including order_no, reference_number, session_id, and any extra parameters, will be added to the redirect_url.
For more information on how redirection works, please check here.
An object to save address data into payment transaction
If true, it generates short attachment retrieval URL, which could be embedded in either SMS, Email, or WhatsApp messages, as it uses fewer characters. If an external URL shortening service, such as Bitly, is configured, the attachment_short_url will be shorter than attachment response parameter. if not configured, the attachment_short_url will be in the same format with attachment response parameter. Default value is false.
If true, it generates short checkout retrieval URL, which could be embedded in either SMS, Email, or WhatsApp messages, as it uses fewer characters. If an external URL shortening service, such as Bitly, is configured, the checkout_short_url will be shorter than checkout_url parameter. If not configured, the checkout_short_url will be in the format of "https://<ottu-url>>/b/abc123". Default value is false.
The type of the payment transaction. This field represents the purpose of the payment and can be one of several pre-defined choices. Available choices: payment_request, e_commerce. Max length: 24.
A writable field used to reference an attachment that has already been uploaded to the server.
The name of the vendor or merchant associated with this payment. This field may be used for accounting and reporting purposes. Max length: 64.
In case of a payment event or payment operation, Ottu triggers an HTTP request to this URL, to disclose transactional data. It should be provided by merchant. See Webhook Payment Notification.
These parameters will be returned for all the response status.
It denotes a pre-arranged contractual agreement with the paying customer, enabling the secure retention and future use of their payment details for specific purposes. These agreements encompass various payment arrangements, including recurring service payments like mobile subscriptions, installment payments for purchases, one-time charges such as account reloads, or compliance with industry practices like penalty fees for missed appointments. See the request parameter agreement for more information.
Presence condition:
This parameter should be included when the payment_type is set to
auto_debitOn the other hand, it must not be sent when the payment_type is designated asone_offImportantly, this isn't restricted to just the initial transaction but should be consistently present in all following transactions associated with the "auto_debit" payment type.
Payment transaction total amount. The merchant should always check if the amount he receives from Ottu is the same amount of the order, to avoid user changing the cart amount in between. See the request parameter amount for more information.
Attachment retrieval URL. See the request parameter attachment for more information.
Presence condition:
The attachment should be uploaded using attachment request parameter.
A short attachment retrieval URL. Max length: 200.
Presence condition:
shortify_attachment_url request parameter should be "true" in order to generate it.
Customer’s registered address data. See the request parameter billing_address for more information.
Presence condition:
Any child parameter provided with the billing_address object in the request payload will be populated in the response as billing_address child parameter.
It outlines the rules for a card's payment eligibility See the request parameter card_acceptance_criteria for more information.
Presence condition:
Any child parameter provided with the card_acceptance_criteria object in the request payload will be populated in the response as card_acceptance_criteria child parameter.
Short checkout url.
Presence condition:
shortify_checkout_url request parameter should be set to "true" in order to generate it.
URL that directs the customer to the Ottu Checkout Page where they can see the payment details and available payment methods for the transaction. If you need to share the payment link over SMS or WhatsApp, use checkout_short_url instead.
The code of the currency used in the transaction. See the request parameter currency_code for more information.
string datetime optional
Customer's date of birth. For more information, please refer to customer_birthdate.
Presence condition:
customer_birthdate request parameter should be provided.
Customer’s email address. See the request parameter customer_email for more information.
Presence condition:
customer_email request parameter should be provided.
Customer’s first name. See the request parameter customer_first_name for more information.
Presence condition:
customer_first_name request parameter should be provided.
It is a unique identifier assigned to a customer. This identifier can be used to distinguish one customer from another and can be utilized for tracking purposes or to retrieve specific customer information from the API. See the request parameter customer_id for more information.
Presence condition:
customer_id request parameter should be provided.
Customer’s last name. See the request parameter customer_last_name for more information.
Presence condition:
customer_last_name request parameter should be provided.
Customer's phone number. See the request parameter customer_phone for more information.
Presence condition:
customer_phone request parameter should be provided.
It specifies the deadline for payment. It has no effect on changing the transaction state, and the transaction can be paid even after due_datetime. See the request parameter due_datetime for more information.
This is a list of internal email recipients, who will receive notifications sent to the customer about their payment. See the request parameter email_recipients for more information.
Presence condition:
email_recipients should be provided in the request payload.
It refers to the specific point in time after which the transaction cannot be paid anymore, and its state changes accordingly. See the request parameter expiration_time for more information.
It represents additional data fields that can be dynamically added to the response using the extra request parameter. See the request parameter extra for more information.
Presence condition:
The user who initiated the creation of this payment transaction, if available. This field is optional and may be used to track who created the payment transaction Max length: 11.
Presence condition:
It is present only when Basic Authentication is used, because API-Key Authentication is not associated with any user.
It represents the language code that is utilized for all communication related to payment transactions with the customer, including payment page, receipt, invoice, email, and SMS For more details check the request parameter language
It represents the notification settings for this payment transaction which have been received and processed. See the request notifications for more information.
Presence condition:
Any child parameter provided with the notifications object in the request payload will be populated in the response as notifications child parameter.
Specifies the type of operation to be performed by the payment gateway. If set to 'purchase', the payment source will be directly charged. If set to 'authorize', the payment source will only be authorized and the actual charge will be made at a later time Max length: 16.
It is a unique identifier assigned to the payment transaction, which is primarily used for tracking purposes. The identifier can be set by the merchant or the system. See the request parameter order_no for information.
Presence condition:
order_no request parameter should be included in the request payload.
An array containing all the payment methods derived from the pg_codes input. Each object in the array contains information about a single payment gateway, including its icon and the redirect_url that will redirect the customer to the payment gateway's payment page
The options of the payment gateway codes included in the request payload to enable customers to make payments. See the request parameter pg_codes for more information.
It presents options such as one_off for one-time payments without future obligations and auto_debit for automated deductions, encompassing recurring subscriptions, installment payments, or unscheduled debits. For further details on the Auto Debit API and payment_type please refer to Auto-Debit API.
Default value: "one_off".
See the request parameter payment_type for more information.
The nature of the purchased product or service, which can be employed for the purpose of keeping track and generating reports. See the request parameter product_type for more information.
Presence condition:
product_type request parameter should be included in the request payload.
A QR code that, when scanned, redirects to the checkout page for this payment. This QR code may be displayed on invoices, receipts, or other documents to allow customers to easily access the checkout page and make a payment.
Presence condition:
The request parameter generate_qr_code should be set to
true.
It represents the URL where the customer will be redirected after the payment stage is complete. See the request parameter redirect_url more information.
Presence condition:
The request parameter redirect_url should be provided.
It is a JSON object containing preloaded data necessary for initializing the Checkout SDK. This data encompasses vital details such as customer information, available payment methods, and specific transaction details, all formatted according to the Checkout SDK's initialization specifications. By offering essential information upfront, this feature streamlines the checkout process, contributing to an improved user experience and increased efficiency.
Presence Conditions:
It will be included in the response solely when the include_sdk_setup_preload parameter is set to
true.
A unique identifier for each payment transaction, used to maintain the session state during the payment process. It can be used to perform subsequent operations, like retrieve, acknowledge, refund, capture, and cancellation. Max length: 128.
Shipping location data of the customer. See the request parameter shipping_address for more information.
Presence condition:
The child objects of the shipping_address parameter provided in the request object will be populated as child objects of the shipping_address parameter in the response object.
The current state of the payment transaction, it helps to understand the progress of the payment.
Enum: created , pending , attempted , authorized , paid , failed , canceled , expired , invalided ,refunded , cod.
See payment transaction state for more information.
The type of the payment transaction. See the request parameter type for more information.
A field in the response that contains the URL of an attachment that has already been uploaded to the server.
Presence condition:
The request parameter attachment_upload_url should be included in the request payload.
It represents the name of the merchant or vendor associated with a payment transaction. For more information see vendor_name.
Presence condition:
The request parameter vendor_name should be included in the request payload.
It contains the URL where the payment result will be sent via a POST request after the customer has completed the payment session. The payment result will be included in the request body. See Webhook Payment Notification.
Presence condition:
The request parameter webhook_url should be provided.
{
"type": "payment_request",
"pg_codes": ["pg_codes"],
"amount": "14",
"currency_code": "KWD",
"customer_email":"example@example.com",
"customer_phone":"customer phone",
"notifications": {
"email": ["created", "paid", "canceled", "failed", "expired", "authorized", "voided", "refunded", "captured"],
"sms": ["created", "paid", "canceled", "failed", "expired", "authorized", "voided", "refunded", "captured"]
}
}
{
"amount": "14.000",
"checkout_url": "https://<ottu-url>/b/checkout/redirect/start/?session_id=5ca114666d472a170d3c4ea6cadbf347679b2532",
"currency_code": "KWD",
"customer_email": "example@example.com",
"customer_phone": "customer phone",
"due_datetime": "15/01/2023 11:04:55",
"expiration_time": "1 00:00:00",
"language": "en",
"notifications": {
"email": [
"authorized",
"created",
"canceled",
"expired",
"failed",
"captured",
"paid",
"voided",
"refunded"
],
"sms": [
"authorized",
"created",
"canceled",
"expired",
"failed",
"captured",
"paid",
"voided",
"refunded"
]
},
"operation": "authorize",
"payment_methods": [
{
"code": "pg_codes",
"name": "ottu PG",
"pg": "Ottu PG",
"type": "sandbox",
"amount": "14.000",
"currency_code": "KWD",
"fee": "0.000",
"fee_description": "fix fee",
"icon": "https://<ottu-url>/static/images/pg_icons/master_visa_mada.png",
"flow": "redirect",
"redirect_url": "https://<ottu-url>/checkout/5ca114666d472a170d3c4ea6cadbf347?chd-only=True"
}
],
"pg_codes": [
"pg_codes"
],
"session_id": "5ca114666d472a170d3c4ea6cadbf347",
"state": "created",
"type": "payment_request"
}
Update Payment
PATCH https://<ottu-url>/b/checkout/v1/pymt-txn/{session_id}
Headers
Authorization*
API key
Api-Key {{api_key}}
Using a patch function is a good method of increasing trustability whenever any change gets made to the payment transaction, such as updating the amount on the card or removing items from the cart.
All the same fields from create request can be used. The type of update is partial. But some fields can be cross-validated and require other fields to be provided.
Retrieve Payment
GET https://<ottu-url>/b/checkout/v1/pymt-txn/{session_id}
To get the information of the payment transaction.
Authentication: This endpoint is public
The Checkout API is used to create and manage payment transactions. It enables merchants to generate a payment session (session_id), redirect users to a payment gateway, and receive payment updates via webhooks.
To create a payment transaction, send a POST request to the Checkout API with the required parameters:
amount– Payment amountcurrency_code– Transaction currencypg_codes– Payment gateways allowedtype-e_commerceorpayment_request
After submission, the API returns a session_id, which is required for processing the transaction.
To prevent a payer from completing a payment after a specific period, you need to configure the expiration_time parameter based on the payment gateway (PG) auto inquiry time. This ensures that even if the user remains on the payment page, they won’t be able to proceed once the expiration time has passed.
The expiration time should be set as:
expiration_time = auto inquiry time + max{PG auto inquiry time}
- Auto inquiry time:
This is the time Ottu waits before automatically checking the transaction status with the payment gateway. for more information, please refer here.
- PG auto inquiry time:
This is the maximum duration the payment gateway allows before timing out a payment session. More information about PG auto inquiry time is accessible here.
Example Calculation:
For MPGS (Mastercard Payment Gateway Services), the PG auto inquiry time is 11 minutes.
For KNET, the PG auto inquiry time is 8 minutes.
If your system sets an auto inquiry time of 5 minutes, then:
For MPGS: expiration_time = 5 + 11 = 16 minutes
For KNET: expiration_time = 5 + 8 = 13 minutes
This means that after 16 minutes (for MPGS) or 13 minutes (for KNET), the payer will not be able to complete the transaction, even if they are still on the payment page.
Yes! You can update a transaction before it is completed by sending a PUT request to the Checkout API, referencing the session_id. Updates might include modifying the amount, currency_code, or allowed pg_codes.
If a customer does not complete the payment, the transaction remains in a pending state until it expires. Ottu's automatic inquiry will check the status based on the configured timing and update the state accordingly.
Ottu sends a payment notification webhook to the webhook_url you provided in the API request. The webhook contains details like:
status:success,failed,pendingamountandcurrency_codepg_response: Response from the payment gateway
Ensure your server verifies and processes these webhook notifications.
webhook_url– The API sends real-time payment updates it (for backend processing).redirect_url– After payment, the customer is sent to it (for UI redirection).
For more details on redirection behavior related to webhook_url, please refer to this section.
Both are optional but recommended for a seamless experience.
Yes, if a transaction fails, you can reuse the same session_id. the payment state will be attempt. for more information about , please refer here.
Yes! Use Auto-Debit with a payment_type set to auto_debit to create agreements for recurring transactions. Learn more in the Auto-Debit.
The Checkout SDK (Web, Android, iOS) requires a session_id from the Checkout API. Your backend should:
Call the Checkout API to create a transaction.
Pass the
session_idto the SDK for UI rendering.Handle webhooks for transaction updates.
Last updated