Introduction
Payment process online (all payment methods except invoice)
In general there are two phases in the payment process:
Request to pay with a specific payment method (the payment request) We capture directly after the acceptance of the contract/payment
Modification of a request consisting of:
- Cancellation
- Refund
Payment process offline
In general there are two phases in the payment process:
- Request to pay with barcode and a specific payment method (the payment request). We do a direct capture.
- Modification of a request consisting of:
- Refund
Payment process invoice
In general there are two phases in the payment process:
Receive a Request to pay with Invoice
- Directly return an
AcceptedorRejected. When something went wrong we will cancel the payment request after a few hours - Payment request is waiting for a Capture of Refund.
- Directly return an
Modification of a request consisting of:
- Capture
- Cancellation
- Refund
Payment methods
Possible values for payment method:
| Payment method | Description |
|---|---|
Credit | Pay in monthly installments, current interest rate applies to the total credit balance. |
ZeroPercentCredit | Pay in 12 monthly installments, customer does not pay interest on this specific amount. |
ZeroPercent24Months | Pay in 24 monthly installments, customer does not pay interest on this specific amount. |
ZeroPercent36Months | Pay in 36 monthly installments, customer does not pay interest on this specific amount. |
Invoice | Pay with invoice, customer needs to pay the whole amount after capturing. |
FashionLoan | Pay in 12 monthly installments, customer pay interest rate of 13.9% on the total credit balance. Designed only for fashion products. |
Credit24Months | Pay in 24 monthly installments, current interest rate applies to the total credit balance. |
Credit36Months | Pay in 36 monthly installments, current interest rate applies to the total credit balance. |
Payment request decision
Possible values for a decision of a payment request:
| Decision | End state | Description |
|---|---|---|
InProgress | No | Payment request is received, processing has not been completed. |
Accepted | Yes | The requested payment method is accepted. |
Rejected | Yes | The requested payment method is rejected. |
Cancelled | Yes | The request is cancelled by the customer or merchant. |
Pending | No | Some additional steps need to be performed in order to accept or reject. This state will be follow up with Accepted or Rejected. |
Security
Authorization is being done on three levels
- IP whitelisting
- Basic authentication
- Request signing using HMAC
HMAC
Requests to Tinka
All requests to Tinka need to have the correct HTTP header for signing:
X-Authorization: hmac <merchant-id>:<hash>:<nonce>:<timestamp>
hmac: Authentication scheme, is always hmacmerchant-id: id provided by Tinka to identify the merchant. This is used to lookup the secret key used to sign the requesthash: base64 encoded HMAC SHA256 hash. The content for the hash is a concatenated string consisting of merchant-id, timestamp, nonce and request content separated by semicolons. The HMAC is signed with the secret key.nonce: random sequence of characters that should be different for each request, valid characters: a-z, A-Z, 0-9, ‘-‘timestamp: request time in seconds since the epoch (01-01-1970 00:00:00) in UTC time
The hash is calculated over a concatenated string consisting of merchant-id, timestamp, nonce and request content separated by semicolons.
The request content can either be
- the URL path and the JSON body in case of a POST or PUT separated by a semicolon
- the URL path followed by a semicolon in case of a GET request. Some examples:
- POST to /merchant-api/v2/online/payment-requests with body { “key1”: “value1” } : the input for the hash is “/merchant-api/online/v2/payment-requests;{ “key1”: “value1” }”
- POST to /merchant-api/v2/refunds/12345678 with body { “key1”: “value1” } : the input for the hash is “/merchant-api/v2/refunds/12345678;{ “key1”: “value1” }”
- GET /merchant-api/v2/status/12345678: the input for the hash is “/merchant-api/v2/status/12345678;”
Response from Tinka
Responses from Tinka are also signed. For this purpose the HTTP header X-Authorization is used. This header will have the following structure:
X-Authorization: hmac <hash>:<nonce>:<timestamp>
hmac: Authentication scheme, is always hmachash: base64 encoded HMAC SHA256 hash. The content for the hash is a concatenated string consisting of merchant-id, timestamp, nonce and request content separated by semicolons. The HMAC is signed with the secret key.nonce: random sequence of characters that should be different for each request, valid characters: a-z, A-Z, 0-9, ‘-‘timestamp: request time in seconds since the epoch (01-01-1970 00:00:00) in UTC time
The hash is calculated over a concatenated string consisting of merchant-id, timestamp, nonce and response content (or the empty string if there is no body) separated by semicolons.