Payment Open API (1.1.0)

Qashier Open API is a RESTful API that allows you to integrate your application with Qashier's payment terminal.

Stall Requests

We check the timestamp field(in seconds) in the request body or query parameters to validate the request. The timestamp must be within 10 minutes of the server's current time, or the request will be rejected. If it's a POST or PUT request, we get the timestamp from the request body. For the request of other methods, we get the timestamp from the query parameters.

IP Whitelist

For security reasons, we validate the IP address of the request against the partner's IP whitelist.

Authentication

You are required to add the following headers to your request:

x-qashier-partner: The partner ID provided by Qashier
x-qashier-sign: The signature of the request payload

Signature Generation

Use crypto-js library to generate the signature if your language is JavaScript or TypeScript. For other languages, the implementation is similar. You can refer to the example below:

export const signRequestBody = ({
  rawString,
  hmacKey
}: {
  rawString: string;
  hmacKey: string;
}) => {
  const computedHash = CryptoJS.HmacSHA256(rawString, hmacKey);
  const computedHmac = CryptoJS.enc.Base64.stringify(computedHash);
  return computedHmac;
};

For POST or PUT Requests

The signature is computed from the raw request body.

The payload must be identical to the one used in the signature generation in order to ensure the signature is correct.

Example for a POST request:

const requestBody = { clientId: "client123", storeId: "store456", timestamp: 1702500000 };
const rawString = JSON.stringify(requestBody);
const signature = signRequestBody({ rawString, hmacKey: "your-secret-key" });

const response = await fetch('https://api.staging.qashier.com/v2/partner/qpay/initiate', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-qashier-partner': 'your-partner-id',
    'x-qashier-sign': signature
  },
  // payload must be identical to the one used in the signature generation
  body: rawString
});

For The Request of Other Methods

The signature is computed from the query parameters, sorted alphabetically by parameter name, and formatted as a query string without the leading '?'.

Example for a GET request with query parameters:

// For a request to /payment-method/list?clientId=client123&storeId=store456&timestamp=1702500000
const params = { clientId: "client123", storeId: "store456", timestamp: 1702500000 };

// Sort the keys alphabetically
const sortedKeys = Object.keys(params).sort();

// Create the raw string in the format key1=value1&key2=value2
const rawString = sortedKeys
  .map(key => `${key}=${params[key]}`)
  .join("&");
// Result: "clientId=client123&storeId=store456&timestamp=1702500000"

const signature = signRequestBody({ rawString, hmacKey: "your-secret-key" });

Error Responses

The API may return the following error responses:

Status Code	Error Message	Description
400	Content-Type must be application/json for POST and PUT requests	The Content-Type header is missing or not set to application/json for POST or PUT requests
400	Missing signature	The x-qashier-sign header is missing
400	Missing timestamp	The timestamp field is missing in the request body (POST/PUT) or query parameters (GET)
400	Timestamp is stale or invalid (must be within the last 10 minutes)	The timestamp is more than 10 minutes old or in the future
400	Invalid signature	The provided signature does not match the computed signature
403	Invalid IP address	The request's IP address is not in the partner's IP whitelist
403	Partner is expired	The partner account may not be configured properly, contact your sales or partner manager
403	Partner does not have payment API feature enabled	The partner account may not be configured properly, contact your sales or partner manager
404	Partner not found	The partner account may not be configured properly, contact your sales or partner manager

Payment

Get available payment methods

It shows payment methods that the merchant has submitted and are approved.

Respect the "enabled" field in the response, if it's false, do not use the payment method. It's false normally due to deactivation or temporary maintenance.

Authorizations:

QashierPartnerHeader

query Parameters

clientId required	string The client ID
storeId required	string The store ID of the payment terminal
timestamp required	integer Unix epoch time in seconds. Must be within 10 minutes of the server's current time.

header Parameters

x-qashier-sign

required

string

The signature of the request payload

Responses

Response samples

200

Content type

application/json

{"success": true,
"message": "string",
"data": {"paymentMethods": [{"name": "string",
"scheme": "visa-master",
"paymentMethod": "card-payment",
"country": "SG",
"voidable": true,
"enabled": true,
"brandImages": {"sm": "string",
"md": "string",
"lg": "string"
}
}
]
}
}

Initiate a payment

This endpoint is used to initiate a

Authorizations:

QashierPartnerHeader

header Parameters

x-qashier-sign

required

string

The signature of the request payload

Request Body schema: application/json

Must include a timestamp field in Unix epoch time format (seconds since January 1, 1970). The timestamp must be within 10 minutes of the server's current time.

clientId required	string
storeId required	string
amount required	string The amount to be paid
currency required	string The currency of the payment
paymentMethod required	string Value: "card-payment" Currently, only card-payment is supported
scheme	string Enum: "visa-master" "amex" Optional, default is visa-master
country required	string Country code
clientReference required	string Reference for partner
notificationUrl	string <uri> Webhook URL for payment status notification, make sure the url is callable or just leave it out, check Callbacks for the payload

Responses

Callbacks

Request samples

Content type

application/json

{"clientId": "string",
"storeId": "string",
"amount": "string",
"currency": "SGD",
"paymentMethod": "card-payment",
"scheme": "visa-master",
"country": "SG",
"clientReference": "string",
"notificationUrl": "http://example.com"
}

Response samples

200

Content type

application/json

{"success": true,
"message": "string",
"data": {"paymentRecordId": "string",
"qrString": "string",
"timeoutSec": 60
}
}

Callback payload samples

Callback

POST: Payment status notification

Content type

application/json

{"eventCode": "AUTHORIZATION",
"eventTimestamp": "2019-08-24T14:15:22Z",
"notificationBody": {"remark": "string",
"scheme": "string",
"merchantId": "string",
"terminalId": "string",
"maskedCardNumber": "string",
"panSeq": "string",
"cardEntryMode": "string",
"aid": "string",
"authCode": "string",
"retrievalReferenceNumber": "string",
"transactionCertificate": "string",
"result": "approved"
}
}

Cancel a initiated payment

This endpoint is used to cancel a initiated payment

Authorizations:

QashierPartnerHeader

path Parameters

paymentRecordId

required

string

The unique ID of the payment

query Parameters

timestamp

required

integer

Unix epoch time in seconds. Must be within 10 minutes of the server's current time.

header Parameters

x-qashier-sign

required

string

Generate the signature using this string format clientId={clientId}&paymentRecordId={paymentRecordId}.
If remark is provided in the request body, include it in the string as well &remark={remark}.

Request Body schema: application/json

Must include a timestamp field in Unix epoch time format (seconds since January 1, 1970). The timestamp must be within 10 minutes of the server's current time.

clientId	string
remark	string

Responses

Request samples

Content type

application/json

{"clientId": "string",
"remark": "string"
}

Response samples

200

Content type

application/json

{"success": true,
"message": "string",
"data": { }
}

Void a payment

This endpoint is used to void a payment

Authorizations:

QashierPartnerHeader

path Parameters

paymentRecordId

required

string

The unique ID of the payment

query Parameters

timestamp

required

integer

Unix epoch time in seconds. Must be within 10 minutes of the server's current time.

header Parameters

x-qashier-sign

required

string

Generate the signature using this string format client={clientId}&paymentRecordId={paymentRecordId}

Request Body schema: application/json

Must include a timestamp field in Unix epoch time format (seconds since January 1, 1970). The timestamp must be within 10 minutes of the server's current time.

clientId required	string
timestamp required	integer Unix epoch time in seconds

Responses

Request samples

Content type

application/json

{"clientId": "string",
"timestamp": 0
}

Response samples

200

Content type

application/json

{"success": true,
"message": "string",
"data": { }
}

Get payment status

This endpoint is used to query the payment status

Authorizations:

QashierPartnerHeader

path Parameters

paymentRecordId

required

string

The unique ID of the payment

query Parameters

timestamp

required

integer

Unix epoch time in seconds. Must be within 10 minutes of the server's current time.

header Parameters

x-qashier-sign

required

string

The signature of the request payload

Responses

Response samples

200

Content type

application/json

{"success": true,
"message": "string",
"data": {"status": "string",
"cardPaymentInfo": {"remark": "string",
"scheme": "string",
"merchantId": "string",
"terminalId": "string",
"maskedCardNumber": "string",
"panSeq": "string",
"cardEntryMode": "string",
"aid": "string",
"authCode": "string",
"retrievalReferenceNumber": "string",
"transactionCertificate": "string"
}
}
}