Create transaction
Request
Live
POST https://fumopay.app/transaction/pay/
Test
POST https://fumopay.dev/transaction/pay/
The test bank details is available here.
Payload
{
"merchant_profile": {
"profile_key": "your public key"
},
"currency": "GBP",
"description": "Description on customer's app",
"ext_reference": "Your internal reference",
"ext_customer": "Your customer reference",
"amount": 100,
"age": 1,
"redirect_url": "optional url",
"signature": "Signed fields",
"signature_date": "Date signed"
}
Field descriptions
| field | usage |
|---|---|
| profile_key | This is your public key from the profile that you are using |
| currency | 3 digit ISO currency code. This currently only accepts GBP |
| description | This is the description that is shown to the customer |
| ext_reference | This is your internal reference code. For example an order number |
| ext_customer | This is your customer reference. For example it can be an email or a customer id |
| amount | The amount in minor units, eg. £1.34 is 134 |
| age | How many hours the transaction stays active. This is an optional field with a default of 1 hour. |
| redirect_url | This is an optional field to override the redirect url set on the used profile. |
| signature | The signed request which is detailed below |
| signature_date | ISO 8601 / RFC 3339 date in the format YYYY-MM-DDTHH:MM:SSZ This date is valid for 5 minutes |
Request signing
The signature is the concatenation of certain fields which is then given a SHA512 hash which is finally base64 encoded. In pseudo code as follows:
signed_date = now()
strToHash = currency + description + profile_key + ext_reference + signed_date + secret_key
hash = sha512(strToHash)
signature = base64.encode(hash)
The secret key is from the profile that you are using.
See code examples below.
Response
{
"transaction_id": "fumo transaction code",
"result": "1",
"error": "error description",
"url": "a fumopay url"
}
Field descriptions
| field | usage |
|---|---|
| transaction_id | This is the fumo transaction code |
| result | The result of the call. Please see status codes |
| error | The error message if not successful |
| url | The url relevant to the type of profile. For redirect profiles this is where you redirect the user. For inline it can be used to load the iframe. Please see TODO for more information. |
Signing Code examples
JavaScript
const signDate = (new Date()).toISOString()
let toHash = `${currency}${description}${profile_key}${reference}${signDate}${secret_key}`
const msgUint8 = new TextEncoder().encode(toHash)
const hashBuffer = await crypto.subtle.digest("SHA-512", msgUint8)
let signature = window.btoa(String.fromCharCode(...new Uint8Array(hashBuffer)))
PHP
$signed = date('c')
$strToHash = implode('',[$currency, $description, $profile_key, $reference, $signed, $secret_key]);
$hashed = hash("sha512", $strToHash, true);
$signature = base64_encode($hashed);
Golang
signedDate = time.Now().UTC().Format(time.RFC3339)
stringToHash := fmt.Sprintf("%s%s%s%s%s%s", currency, description, profileKey, reference, signedDate,secretKey)
hash := sha512.New()
hash.Write([]byte(stringToHash))
signature := base64.StdEncoding.EncodeToString(hash.Sum(nil))
Python
signedDate = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0).isoformat()
stringToHash = "".join([currency, description, profileKey, reference, signedDate, secretKey])
hash = hashlib.sha512(stringToHash.encode('utf-8'))
signature = base64.b64encode(hash.digest()).decode("utf-8")
Dart
final signatureDate = DateTime.now().toUtc().toIso8601String();
final strtoHash = "$currency$description$profileKey$extReference$signatureDate$secretKey";
var bytes = utf8.encode(strtoHash);
var digest = sha512.convert(bytes);
var signature = base64.encode(digest.bytes);