Prerequisites
- Pass UQPAY’s risk control review to enable the feature
- A publicly accessible HTTPS endpoint to receive authorization requests
- PGP key pair for request/response encryption
How it works
Key principles:- You only receive authorization requests for transactions that have already passed UQPAY’s risk controls.
- Transactions declined by UQPAY are not sent to your endpoint — you receive only the
issuing.transaction.authorizationwebhook notification. - You must respond within the configured timeout period (1 to 5 seconds, set per your agreement with UQPAY). If no valid response is received, the transaction result is determined by your configured default timeout action (approve or decline).
Security: PGP encryption
The entire request and response body is PGP-encrypted. Before integration, you and UQPAY exchange PGP public keys:| Direction | Encryption |
|---|---|
| UQPAY → You (request) | Encrypted with your public key. Decrypt with your private key. |
| You → UQPAY (response) | Encrypt with UQPAY’s public key before sending. |
UQPAY PGP public key
UQPAY PGP public key
API specification
Request
UQPAY sends aPOST request to your configured endpoint with these headers:
| Header | Description |
|---|---|
Content-Type | application/json; charset=utf-8 |
x-request-id | Unique UUID for each request |
| Field | Type | Description |
|---|---|---|
transaction_id | string (UUID) | Unique transaction identifier |
transaction_type | integer | 1000 Authorization, 1100 Transfer Out, 1200 Cash Withdrawal, 2000 Refund |
card_id | string (UUID) | Card identifier |
processing_code | string | Card schema process code |
billing_amount | float | Billing amount |
transaction_amount | float | Transaction amount |
auth_amount | float | Authorization amount |
date_of_transaction | string | Format: YYYY-MM-DD HH:MM:SS |
billing_currency_code | string | 3-character ISO currency code |
transaction_currency_code | string | 3-character ISO currency code |
auth_currency_code | string | 3-character ISO currency code |
card_balance | float | Card available balance |
merchant_id | string | Merchant identifier |
merchant_name | string | Merchant name |
merchant_category_code | string | MCC |
merchant_city | string | Merchant city |
merchant_country | string | 2-character ISO country code |
terminal_id | string | Terminal identifier |
pos_entry_mode | string | POS entry mode (see below) |
pos_condition_code | string | Transaction condition code (see below) |
pin_entry_capability | string | 0 Unknown, 1 Can accept PIN, 2 Cannot accept PIN, 8 PIN pad down |
retrieval_reference_number | string | RRN, 12 digits |
system_trace_audit_number | string | STAN, 6 digits |
acquiring_institution_country_code | string | 2-character ISO country code |
acquiring_institution_id | string | Acquiring institution identifier |
wallet_type | string | APPLE, SAMSUNG, GOOGLE, GOOGLE ECOMMERCE, GOOGLE PAY, MI PAY, Garmin Pay, ECOMMERCE |
POS entry mode values
POS entry mode values
| Code | Description |
|---|---|
00 | Unknown or terminal not used |
01 | Manual (key entry) |
02 | Magnetic stripe read; CVV checking may not be possible |
03 | Optical code |
05 | Contact ICC read using VSDC chip data rules |
07 | Contactless device read using qVSDC chip data rules |
10 | Credential on file |
90 | Magnetic stripe read with exact Track 1/2 content (CVV check possible) |
91 | Contactless device read using magnetic stripe data rules |
95 | ICC read; CVV or iCVV checking may not be possible |
POS condition code values
POS condition code values
| Code | Description |
|---|---|
00 | Normal transaction |
01 | Customer not present |
02 | Unattended cardholder-activated environment, PIN data present |
03 | Merchant suspicious of transaction (or card) |
05 | Customer present, card not present |
06 | Preauthorized request |
08 | Mail, telephone, recurring, advance, or installment order |
51 | Address/CVV2/account verification without authorization |
59 | E-commerce request by public network |
Response
Respond with HTTP200 and the following JSON body, encrypted with UQPAY’s PGP public key:
| Field | Type | Description |
|---|---|---|
transaction_id | string (UUID) | Must match the request’s transaction_id, otherwise the transaction is declined |
response_code | string | Authorization response code (see table below) |
partner_reference_id | string | Your internal reference ID for reconciliation (optional, can be empty) |
Response codes
| Code | Description |
|---|---|
00 | Approved |
04 | Picked Card |
05 | Do Not Honor |
06 | Error |
13 | Invalid Amount |
14 | Invalid Account Number |
43 | Stolen Card |
51 | Insufficient Funds |
59 | Suspected Fraud |
65 | Activity Count Limit Exceeded |
- HTTP status code is
200 response_codeis"00"transaction_idmatches the request
Integration steps
- Contact UQPAY — Reach out to UQPAY to enable the Authorization Decision API feature for your account.
-
Exchange configuration — Provide the following to UQPAY:
- Your PGP public key (RSA 2048-bit)
- Your authorization decision endpoint URL (HTTPS)
- Decision timeout window (1 to 5 seconds; defaults to 2 seconds)
- Default timeout action:
decline(auto-decline on timeout) ordelegate(UQPAY decides on your behalf)
18.139.246.78. - Implement your endpoint — Build a POST endpoint that decrypts the request body using your PGP private key, evaluates the transaction based on your business logic, encrypts the response using UQPAY’s public key, and returns the encrypted response within the configured timeout period.
- Test the integration — Work with UQPAY to run test transactions in the sandbox environment and verify correct encryption, decryption, and response handling.