NAV
shell python php

Introduction

The Shieldgate by Afirme API is organized around REST. Our API has predictable, resource-oriented URLs, and uses HTTP response codes to indicate API errors. JSON is returned by all API responses, including errors, although our API libraries convert responses to appropriate language-specific objects.

You should never expose your Server Credentials in any public website's client-side code.

To start the integration you will need to request to Shieldgate by Afirme Team integraciones@shieldgate.mx for a Development/Sandbox account. Please send us your e-mail to identify you as a developer and the name of your company.

We will create an Application and give you the application code. From now this will be the identifier for your Application in the whole integration. We also give you a developer account based on the e-mail you provided. We will send you the password via e-mail to access to your developer account. You can access to this configuration here:

Environment URL
development https://dashboard-stg.shieldgate.mx
production https://dashboard.shieldgate.mx

You can change you account password or if you forget it you can always use the forgot password option to recover it. In the Shieldgate by Afirme admin system you will see your transactions, application settings (including application URLs and application key) and so more.

Configurations have to be done for the application in development environment and production environment, URLs and application key are different for every environment. Development environment will be always available for tests even after launching your application to production.

Environments

In order to use the API, you need to use one of the following base URLs depending of the environment:

Cards payment method

Environment URL
development https://ccapi-stg.shieldgate.mx
production https://ccapi.shieldgate.mx
Environment URL
development https://noccapi-stg.shieldgate.mx
production https://noccapi.shieldgate.mx

Authentication

To build the auth_token, you can use this code:

#!/usr/bin/env python
import time
import hashlib
from base64 import b64encode
print '#########################################################'
print '####### AUTH TOKEN TEST'
print '#########################################################'
server_application_code = ''
server_app_key = ''
unix_timestamp = str(int(time.time()))
print 'UNIX TIMESTAMP: %s' % unix_timestamp
uniq_token_string = server_app_key + unix_timestamp
print 'UNIQ STRING: %s' % uniq_token_string
uniq_token_hash = hashlib.sha256(uniq_token_string).hexdigest()
print 'UNIQ HASH: %s' % uniq_token_hash
auth_token = b64encode('%s;%s;%s' % (server_application_code,
unix_timestamp, uniq_token_hash))
print 'AUTH TOKEN: %s' % auth_token

import time
import hashlib
from base64 import b64encode
print '#########################################################'
print '####### AUTH TOKEN TEST'
print '#########################################################'
server_application_code = ''
server_app_key = ''
unix_timestamp = str(int(time.time()))
print 'UNIX TIMESTAMP: %s' % unix_timestamp
uniq_token_string = server_app_key + unix_timestamp
print 'UNIQ STRING: %s' % uniq_token_string
uniq_token_hash = hashlib.sha256(uniq_token_string).hexdigest()
print 'UNIQ HASH: %s' % uniq_token_hash
auth_token = b64encode('%s;%s;%s' % (server_application_code,
unix_timestamp, uniq_token_hash))
print 'AUTH TOKEN: %s' % auth_token
<?php
const API_LOGIN_DEV     = "Application Code Server";
const API_KEY_DEV       = "Application Key Server";

$server_application_code = API_LOGIN_DEV;
$server_app_key = API_KEY_DEV ;
$date = new DateTime();
$unix_timestamp = $date->getTimestamp();
// $unix_timestamp = "1546543146";
$uniq_token_string = $server_app_key.$unix_timestamp;
$uniq_token_hash = hash('sha256', $uniq_token_string);
$auth_token = base64_encode($server_application_code.";".$unix_timestamp.";".$uniq_token_hash);
echo "TIMESTAMP: $unix_timestamp";
echo "\nUNIQTOKENST: $uniq_token_string";
echo "\nUNIQTOHAS: $uniq_token_hash";
echo "\nAUTHTOKEN: $auth_token";
?>

All the requests must have the header Auth-Token: . This is a base64 encoded string, the string should be created as follows(consider the ; between each one):

APPLICATION-CODE;UNIXTIMESTAMP;UNIQ-TOKEN

Element Description
APPLICATION-CODE Ask the Shieldgate by Afirme team for it.
UNIXTIMESTAMP This must be created at the same time as the request, be aware that the time is in UTC and in SECONDS, you will have 15 seconds before you need to create a new one, or your request will be rejected (error.type: Invalid timestamp).
UNIQ-TOKEN Is the hexa representation of a hash sha256 generate from the string “secret-key”+”timestamp”, the secret-key is given by Shieldgate by Afirme team.

Once you have the UNIQ-TOKEN you need to apply the sha256 and the hexa convertion, you can use the next python example, just add your server_application_code and server_app_key:

Payment Methods

Cash

In this platform we can generate a reference to pay with cash.

Generate a reference

curl -k  -L -X POST -H 'Content-Type: application/json'
-H 'Auth-Token: auth_token' -d '{
    "carrier":{
        "id": "payvalida"
    },
    "user": {
        "id": "sadfasdf",
        "email": "user@example.com"
    },
    "order": {
        "country": "COL",
        "currency": "COP",
        "dev_reference": "prueba_stg_2",
        "amount": 50001,
        "expiration_days": 5,
        "recurrent": false,
        "description": "Esto es una prueba desde rest client"
    }
}' 'https://noccapi-stg.shieldgate.mx/order/'

The above request returns JSON structured like this:

{
    "application": {
        "code": "AbiColApp"
    },
    "commerce": {
        "merchant_id": "example"
    },
    "user": {
        "email": "user@example.com",
        "id": "sadfasdf"
    },
    "transaction": {
        "currency": "COP",
        "country": "COL",
        "dev_reference": "prueba_stg_2",
        "amount": 50001.0,
        "expiration_date": "2018-07-01",
        "recurrent": false,
        "description": "Esto es una prueba desde rest client",
        "reference": "69193",
        "agreement": {
          "baloto": 95715,
          "efecty": 110342,
          "dimonex": 110342,
          "puntored": 113042,
          "redservi": 761
        },
        "status": "pending",
        "id": "PV-0000000000021"
    }
}

Cash transactions generates a payment reference through a carrier

POST https://noccapi-stg.shieldgate.mx/order/

Parameter Type Required Description
carrier.id String Yes Indicates the method by which the reference will be created. See carrier list
carrier.extra_params.user.name String Yes (*) User name.
carrier.extra_params.user.last_name String Yes (*) User last name.
carrier.extra_params.user.phone String Yes (*) User phone.
carrier.extra_params.user.fiscal_number String Yes (*) The fiscal number (identification number) given by the user.
carrier.extra_params.user.address Json Yes (*) Object with user address, see the specification of address.
user.id String Yes Buyer identifier.
user.email String Yes Buyer email, with valid e-mail format.
order.dev_reference String Yes Id from commerce to identify the order.
order.amount Number Yes Total amount to pay. Format: Decimal with two fraction digits.
order.expiration_days Number No Number of days in which the payment reference expires. Default 2.
order.recurrent Boolean No To indicate if the pay is recurrent or not.
order.description String Yes The order description.
order.hours Number No Optional. If there is value, the reference will last hours.
order.country String Optional Country where payment will be made. By default the credential settings will be used.
order.currency String Optional Currency to be used for payment. By default the credential settings will be used.

Parameter Description
application.code Identifier of the application.
commerce.merchant_id Identifier of the commerce.
user.email Buyer email registered to order.
user.id Buyer identifier.
transaction.currency Currency of the transaction.
transaction.country Country where the transaction has made.
transaction.dev_reference Reference from commerce.
transaction.amount Total amount to pay.
transaction.expiration Limit date to pay the reference.
transaction.recurrent Show if the transaction will be recurrent.
transaction.reference Reference to make the pay in a store.
transaction.agreement Json object with all agreements to pay (For payvalida).
transaction.status The status of payment (pending, approved, cancelled).
transaction.id Id generated by Shieldgate by Afirme
transaction.url_reference Detailed printable view of the transaction.reference.

Carriers

Carrier Response fields needed to pay
oxxo transaction.reference that must be converted in a barcode.
bradesco transaction.url_reference this send the printable view

Fields needed for every cash carrier

Carrier Fields needed in extra_params
oxxo user.name, user.last_name
bradesco user.name, user.last_name, user.fiscal_number, user.address
Address

In case you are sending address, this is the Json Object Format:

This is an example of request with Address Object:

curl -k  -L -X POST -H 'Content-Type: application/json'
-H 'Auth-Token: auth_token' -d '{
     "carrier":{
         "id": "bradesco",
          "extra_params":{
            "extra_amount": 0,
            "user":{
                "name": "Pay",
                "last_name": "Mentez",
                "fiscal_number": "68753238850",
                "address": {
                    "state": "SP",
                    "city": "Sao Paulo",
                    "zip_code": "01418000",
                    "street": "Alameda Santos",
                    "house_number": "200",
                    "district": "Cerqueira",
                    "additional_address_info": "additional test"
                }
            }
          }
     },
     "user": {
         "email": "lcruz@email.com",
         "id": 1
     },
     "order": {
        "dev_reference": "prueba_stg_2",
        "amount": 10,
        "expiration_days": 2,
        "currency":"BRL",
        "description": "Esto es una prueba desde rest client"
     }
}' 'https://noccapi-stg.shieldgate.mx/order/'

Parameter Type Required Description
state String No The state: ISO 3166-2 country subdivision code
city String No The city, max length of 30 characters.
zip_code String No The zip or postal code. Max length allowed of 30 characters.
street String No The name of the street.
house_number String No The house number
district String No The district.
additional_address_info String No Additional address info, without format.

Cards

In this platform we can securely store the sensitive credit card data.

This data is transformed into an encrypted code called token, which can be stored in a database. With the platform, the store will be able to offer features like “One click buy” and “Retry transaction”, always preserving the integrity and the confidentiality of the information.

Add a Card

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "test@example.com"
    },
    "card": {
        "number": "5119159076977991",
        "holder_name": "citlali calderon",
        "expiry_month": 9,
        "expiry_year": 2020,
        "cvc": "123",
        "type": "vi"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/card/add'

The above request returns JSON structured like this:

{
    "card": {
        "bin": "511915",
        "status": "review",
        "token": "17121538682542236138",
        "message": "",
        "expiry_year": "2020",
        "expiry_month": "9",
        "transaction_reference": "CI-488",
        "type": "vi",
        "number": "7991",
        "origin": "ORIGIN"
    }
}

This endpoint add a card to the platform related to a user.

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/card/add

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
user.id String Yes Customer identifier. This is the identifier you use inside your application.
user.email String Yes Buyer email, with valid e-mail format.
user.phone String No Buyer phone.
user.ip_address String No User IP address. Valid v4 IP address.
user.fiscal_number String No The fiscal number given by the buyer Note: For card types ex, ak, vr, sx, ol, ep and cd this field is mandatory.
card.number String Yes A valid credit card number.
card.holder_name String Yes The credit card holder name.
card.expiry_month Number Yes The credit card expiry month.
card.expiry_year Number Yes The credit card expiry year.
card.cvc String Yes The credit card security number.
card.type String No Abbreviated card type. See the valid options
card.account_type String No The corresponding values for: Credit, Checking and Savings accounts are: C, R and A respectively. This field is mandatory for QR Colombia.
extra_params Json No Optional params (3DS 2 objects included) used for some commerce in Json format. Please contact your commercial executive for more details.
billing_address Json No Object with the billing address, see the specification of address.
Response
Parameter Description
card.bin The BIN of the card (First six digits of the card).
card.status Either of the following status: valid, review, pending and rejected. If the response is "review" or "pending", the transaction associated to the attempt to add a card (transaction_reference) needs to be verified by the user, to set this card as valid.
card.token New card identifier. This code is unique among all cards, only returned if status is valid or review, "" otherwise.
card.message If any, would be the message of the carrier for example in case of rejected by carrier.
card.expiry_year The expiry year of the card.
card.expiry_month The expiry month of the card.
card.transaction_reference The transaction.id that origin the addition of the card (only if it was sent to review, by the anti-fraud system, null otherwise).
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.
card.origin The origin of the credit card. Could be one of the following: Shieldgate, VisaCheckout, Masterpass.

Get all Cards

curl \
-k -L -H 'Content-Type: application/json' \
-H 'Auth-Token: auth_token' \
'https://ccapi-stg.shieldgate.mx/v2/card/list?uid=4'

The above request returns JSON structured like this:

{
    "cards": [
        {
            "bin": "511915",
            "status": "review",
            "token": "17121538682542236138",
            "holder_name": "citlali calderon",
            "expiry_year": "2020",
            "expiry_month": "9",
            "transaction_reference": "CI-473",
            "type": "vi",
            "number": "7991"
        },
        {
            "bin": "422023",
            "status": "valid",
            "token": "15363681013452573066",
            "holder_name": "citlali calderon",
            "expiry_year": "2020",
            "expiry_month": "9",
            "transaction_reference": null,
            "type": "mc",
            "number": "8431"
        },
        {
            "bin": "453254",
            "status": "valid",
            "token": "10135134879450157925",
            "holder_name": "citlali calderon",
            "expiry_year": "2020",
            "expiry_month": "9",
            "transaction_reference": null,
            "type": "vi",
            "number": "8311"
        }
    ],
    "result_size": 3
}

This endpoint retrieves all Cards related to a user.

HTTP Request

GET https://ccapi-stg.shieldgate.mx/v2/card/list

URL Parameters
Parameter Type Required Description
uid String Yes Customer identifier. This is the identifier you use inside your application.
Response

A list of cards

Parameter Description
result_size Number of items of the list of cards.
card.bin The BIN of the card (First six digits of the card).
card.status Either of the following status: valid, review, pending and rejected. If the response is "review" or "pending", the transaction associated to the attempt to add a card (transaction_reference) needs to be verified by the user, to set this card as valid.
card.token Card identifier. This code is unique among all cards
card.holder_name The credit card holder name.
card.expiry_year The expiry year of the card.
card.expiry_month The expiry month of the card.
card.transaction_reference The transaction.id that origin the addition of the card (only if it was sent to review, by the anti-fraud system, null otherwise).
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.

Delete a Card

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
   "card": {
        "token": "2293795539132514250"
    },
    "user": {
        "id": "4"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/card/delete/'

The above request returns JSON structured like this:

{
  "message": "card deleted"
}

This endpoint delete a Card related to a user

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/card/delete/

URL Parameters
Parameter Type Required Description
card.token String Yes Card Identifier. This code is unique among all cards. Format: Long Integer.
user.id String Yes Customer identifier. This is the identifier you use inside your application.

Init a Reference

This is an example of basic request for init reference

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
   "locale":"es",
   "order":{
      "amount":100.00,
      "description":"Jhon Doe",
      "vat":0,
      "dev_reference":"Jhon Doe Buying",
      "installments_type":0
   },
   "user":{
      "id":"117",
      "email":"jhon@doe.com"
   }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/init_reference/'

This is an example of request with all parameters for init reference

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
   "locale":"es",
   "session_id":"",
   "origin":"",
   "antifraud":{
      "device_fingerprint":"testa.a92176a7552eb582e1b10b30edc7ac522085d15c54f6",
      "server_ip_address":"54.236.214.202",
      "shopping_cart":[
         {
            "category":"16",
            "tax_value":0,
            "name":"Testing product",
            "price":399.9,
            "id":"1119",
            "quantity":1
         },
         {
            "category":"10",
            "tax_value":0,
            "name":"Testing name",
            "price":399.9,
            "id":"1119",
            "quantity":1
         }
      ],
      "merchant_custom_data":{
         "1":"campo1",
         "2":"dos"
      }
   },
   "order":{
      "amount":100.00,
      "description":"Jhon Doe",
      "vat":0,
      "dev_reference":"Jhon Doe Buying",
      "installments_type":0
   },
   "user":{
      "id":"117",
      "email":"jhon@doe.com"
   },
   "conf":{
      "theme":{
          "logo": "https://mysite.com/images/logo.png",
          "primary_color": "#00BF84",
          "secondary_color": "#545454"
        }
      }
   },
   "billing_address":{
      "street":"Calle 1 Sur",
      "city":"Chia",
      "country":"COL",
      "district":"Chia",
      "zip":"69885",
      "state":"CU",
      "house_number":"179",
      "additional_address_info":"Casa 53"
   }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/init_reference/'

The above request returns JSON structured like this:

{
   "checkout_url":"https://ccapi-stg.shieldgate.mx/v2/transaction/checkout?reference=12438255612471559230",
   "reference":"12438255612471559230"
}

This endpoint is used for initialize a reference for checkout.

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/init_reference/

URL Parameters
Parameter Type Required Description
locale String Yes User's preferred language (es, en, pt). English will be used by default.
session_id String No Fraud related parameter. 32-length numeric hash.
antifraud Json No Object with antifraud data, see the specification of antifraud.
order.amount Number Yes Amount to debit. Format: Decimal with two fraction digits.
order.description String Yes Description of the order to be purchase. Format: (Maximum Length 250)
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.dev_reference String Yes Merchant order reference. You will identify this purchase using this reference.
order.installments_type Number No Only available for Ecuador and Mexico. See the valid values
conf Json No Object with data for conf , see the specification for conf.
billing_address Json No Object with the billing address, see the specification of address.
user.id String Yes Customer identifier. This is the identifier you use inside your application.
user.email String Yes Buyer email, with valid e-mail format.
Response
Parameter Description
checkout_url Checkout URL, use for render checkout
reference Reference, use for render checkout, is required a reference for render.

Data for conf

Required from conf, when integration is API
Parameter Type Required Description
conf.allowed_card_brands String No Allowed card brands to this operation. See the valid options
conf.allowed_card_types String No Allowed card types
conf.invalid_card_type_message String No Define a custom message to show for invalid card types.
conf.theme JSON No Data for custom checkout color's

Debit with token

Base Case

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com"
    },
    "order": {
        "amount": 99.0,
        "description": "pozole",
        "dev_reference": "referencia",
        "vat": 0.00
    },
    "card": {
        "token": "2293795539132514250"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2017-09-26T21:00:47",
    "amount": 11.1,
    "authorization_code": "088428",
    "installments": 1,
    "dev_reference": "referencia",
    "message": "Operation Successful",
    "carrier_code": "6",
    "id": "CI-489",
    "status_detail": 3,
    "installments_type": "Revolving credit",
    "payment_method_type": "0",
    "product_description": "pozole"
  },
  "card": {
    "bin": "450700",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "CI-489",
    "type": "vi",
    "number": "6651",
    "origin": "ORIGIN"
  }
}

This is an example of response for 3DS 2 with objects for authentication:

{
  "transaction": {
    "status": "failure",
    "payment_date": null,
    "amount": 11.1,
    "authorization_code": null,
    "installments": 1,
    "dev_reference": "referencia",
    "message": null,
    "carrier_code": null,
    "id": "RB-5969",
    "status_detail": 37
  },
  "card": {
    "bin": "401600",
    "status": "",
    "token": "",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "RB-5969",
    "type": "vi",
    "number": "0051",
    "origin": "ORIGIN"
  },
  "3ds": {
    "sdk_response": {
      "acs_trans_id": "00000000-0005-5a5a-8000-016ab2e4246c",
      "acs_signed_content": null,
      "acs_reference_number": "JCB0002"
    },
    "authentication": {
      "status": "U",
      "return_message": "U-status/Challenge authentication via ACS: ",
      "version": null,
      "xid": "MDAwMDAwMDAwMDAwMDAwMDAyMDg=",
      "reference_id": "ffffffff-9002-51a3-8000-0000000345a2",
      "cavv": null,
      "return_code": "5",
      "eci": null
    },
    "browser_response": {
      "hidden_iframe": "",
      "challenge_request": ""
    }
  }
}

This endpoint creates a debit transaction with a stored credit card. If you want to debit with 3D Secure 2 authentication. You will need to include extra_params in the request, that are used for authentication (See objects for authentication)

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/debit/

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
order.amount Number Yes Amount to debit. Format: Decimal with two fraction digits.
order.description String Yes Description of the order to be purchase. Format: (Maximum Length 250)
order.dev_reference String Yes Merchant order reference. You will identify this purchase using this reference.
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.installments Number No The number of installments for the payment, only for COP, MXN, BRL, PEN, CLP and USD (Ecuador).
order.installments_type Number No Only available for Ecuador and Mexico. See the valid values
order.taxable_amount Number No Only available for Ecuador. The taxable amount is the total amount of all taxable items excluding tax. If not sent, it's calculated on the total. Format: Decimal with two fraction digits.
order.tax_percentage Number No Only available for Ecuador. The tax rate to be applied to this order. Should be 0 or 12.
order.months_grace Number No Only available for Mexico and Ecuador (Medianet), the number of months of grace for a deferred payment.
user.id String Yes Customer identifier. This is the identifier you use inside your application.
user.first_name String No User name.
user.last_name String No User last name.
user.email String Yes Buyer email, with valid e-mail format.
user.phone String No Buyer phone.
user.ip_address String No User IP address. Valid v4 IP address.
user.fiscal_number String No The fiscal number given by the buyer Note: For card types ex, ak, vr, sx, ol, ep and cd this field is mandatory.
card.token String No Card Identifier. This code is unique among all cards. Format: Long Integer.
card.cvc String No The credit card security number.
wallet.type String No Type of wallet, the valid are : 'VisaCheckout', 'Masterpass' and 'CyberSource'.
wallet.key String No The id of the wallet (either callid, transactionId or subscriptionID ).
extra_params Json No Optional params (3DS 2 objects included) used for some commerce in Json format. Please contact your commercial executive for more details.
shipping_address Json No Object with the shipping address, see the specification of address.
airline Json No Object with airline data, see the specification of airline.
hotel Json No Object with hotel data, see the specification of hotel.
Response
Parameter Description
transaction.status Could be success, failure or pending.
transaction.payment_date If staging environment the date will be in UTC, otherwise will depend on carrier.
transaction.amount The amount of the transaction.
transaction.authorization_code If success the authorization code responded from carrier.
transaction.installments The number of installments for the payment.
transaction.dev_reference Merchant order reference.
transaction.message The returned message from carrier or fraud analysis system.
transaction.carrier_code The returned code from carrier.
transaction.id Transaction identifier. This code is unique among all transactions.
transaction.status_detail The status detail of the transaction, for more information status detail
transaction.installments_type Only available for Ecuador and Mexico. See the valid values
transaction.payment_method_type Payment method of the transaction, for more information payment_method_types
transaction.product_description Order description.
transaction.trace_number Only available for Ecuador and Mexico.
transaction.lot_number Only available for Ecuador.
card.bin The BIN of the card (First six digits of the card).
card.expiry_year The expiry year of the card.
card.expiry_month The expiry month of the card.
card.transaction_reference If any, the transaction.id
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.
card.origin The origin of the credit card. Could be one of the following: Shieldgate, VisaCheckout, Masterpass.

In case of transactions that were authenticated with 3DS 2, the response will include:

Parameter Description
3ds.sdk_response.acs_trans_id Transaction ID from ACS.
3ds.sdk_response.acs_signed_content Signed content from ACS.
3ds.sdk_response.acs_reference_number ACS reference number.
3ds.authentication.status Authentication status, could be: "Y", "N", "U", "A", "R", "C" or "-" if value not available due errors or not enrolled, for more information authentication_status.
3ds.authentication.xid Transaction identifier sent to MPI.
3ds.authentication.return_code Returned code from MPI, that provides all the information that is needed to determine how to manage the transaction, for more information return code mpi
3ds.authentication.eci Electronic Commerce Indicator, with visa cards, the value to be passed in Authorization message.
3ds.authentication.return_message Description of the return_code.
3ds.authentication.version 3DS message version used.
3ds.authentication.cavv Cardholder Authentication Verification Value, determined by ACS. Format: base64
3ds.authentication.reference_id DS Transaction Id.
3ds.browser_response.challenge_request If cardholder was enrolled and or challenge authentication requested, payment page application must redirects the user browser to the ACS. If this field is not empty, it will contain the html to redirect.
3ds.browser_response.hidden_iframe If this field is not empty, the content should be render into an intermediate page into an invisible iframe and wait about 5 seconds.
3ds.service The name of the MPI that has authenticated the transaction.
Objects for authentication

Before perform a payment whether through a debit with token, a debit with card or an authorization, it is possible to first perform a 3D Secure authentication, sending this objects in extra_params:

Object name Description
threeDS2_data If authentication will be performed directly in debit/authorization this object is required.
browser_info Required for device_type browser.
auth_data Use this object if you performed the authentication first.
risk_indicator Additional risk fields for 3DS 2. Include this in your request whenever available.
Parameter Type Required Description
extra_params.threeDS2_data.term_url String Yes Merchant page url, where ACS will post (via user browser) CRes message after authentication.
extra_params.threeDS2_data.device_type String Yes Device type. Valid strings: browser, SDK.
extra_params.threeDS2_data.process_anyway Boolean No Process anyway, ie. no matter the result of the authentication, perform the debit/authorize. If not provided default false.
extra_params.threeDS2_data.reference_id String Yes* Mandatory only for MPI CyberSource, the id used to build the jwt sent in the init method in front end.
extra_params.browser_info.ip String C User IP address. Valid v4 IP address.
extra_params.browser_info.language String C Language of the browser.
extra_params.browser_info.java_enabled Boolean C If java is enabled in the browser.
extra_params.browser_info.js_enabled Boolean C If Java Script is enabled in the browser.
extra_params.browser_info.color_depth Number C Color depth of the browser.
extra_params.browser_info.screen_height Number C Screen height of the browser.
extra_params.browser_info.screen_width Number C Screen width of the browser.
extra_params.browser_info.timezone_offset Number C Time Zone Offset.
extra_params.browser_info.user_agent String C User agent.
extra_params.browser_info.accept_header String C Accept header.
extra_params.auth_data.cavv String Yes Cardholder Authentication Verification Value, determined by ACS. Format: base64
extra_params.auth_data.xid String No Transaction identifier sent to MPI.
extra_params.auth_data.eci String Yes Electronic Commerce Indicator, with visa cards, the value to be passed in Authorization message.
extra_params.auth_data.version String Yes 3DS message version used.
extra_params.auth_data.reference_id UUID Yes DS Transaction Id.
extra_params.auth_data.status String Yes Authentication status, could be: "Y", "N", "U", "A", "R" or "C", for more information authentication_status
Address

This is an example of request with Billing Address Object:

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com",
        "phone": "1234567890123"
    },
    "order":{
        "amount": 11.1,
        "description": "una paleta",
        "vat": 0,
        "dev_reference": "referencia",
        "installments": 4
    },
    "card": {
        "number": "4456530000001047",
        "holder_name": "citlali calderon",
        "expiry_month": 12,
        "expiry_year": 2024,
        "cvc": "123",
        "type": "vi"
    },
     "billing_address": {
        "street": "Street Test",
        "house_number": "24",
        "city": "ciudad de mexico",
        "zip": "67890",
        "state": "DF",
        "country": "MEX",
        "district": "colonia",
        "additional_address_info": ""
    },
    "extra_params": {
        "threeDS2_data": {
            "term_url": "https://your.url.com/YOUR_3DS_NOTIFICATION_URL",
            "device_type": "browser",
            "reference_id": "2"
        },
        "browser_info": {
            "ip": "88.196.25.166",
            "language": "en-US",
            "java_enabled": false,
            "js_enabled": true,
            "color_depth": 24,
            "screen_height": 1200,
            "screen_width": 1920,
            "timezone_offset": 0,
            "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
            "accept_header": "text/html"
        }
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

In case you are sending the billing or shipping address, this is the Json Object Format:

Parameter Type Required Description
first_name String No Address owner name
last_name String No Address owner last name
street String No The name of the street.
city String No The city, max length of 50 characters.
state String No The state: ISO 3166-2 country subdivision code in case of 3DS authentication, free format otherwise
district String No The district.
zip String No The zip or postal code. Max length allowed of 50 characters.
house_number String No The house number
country String No Country in ISO 3166-1 alpha-3 format, for example: COL, MEX, ECU.
additional_address_info String No Additional address info, without format.
Hotel Data

This is an example of request with hotel data.

 curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
     "card": {
             "cvc": "",
             "expiry_month": 5,
             "expiry_year": 2024,
             "holder_name": "GMC",
             "number": "5123450000000008"
         },
         "order": {
             "amount": 200,
             "description": "PASSIVE99465427",
             "dev_reference": "PASSIVE99465427",
             "installments_type": 0,
             "taxable_amount": 0,
             "vat": 0
         },
         "origin": "ORIGIN",
         "user": {
             "email": "PASSIVE99465427@test.com",
             "fiscal_number": "",
             "id": "PASSIVE99465427",
             "ip_address": "127.0.0.1",
             "phone": ""
         }
         "hotel": {
                 "booking_reference ": "4556778999",
                 "booking_country": "CO",
                 "issue_date": "2021-08-24 12:55:11",
                 "name": "Fiesta Americana",
                 "code": "HT001",
                 "arrival_date": "2021-09-24 12:55:11",
                 "departure_date": "2021-09-30 12:55:11",
                 "payer_in": true,
                 "country": "MX",
                 "numbers_child": 2,
                 "numbers_adt": 1,
                 "transportation_include": true,
                 "transport_name": "latam"
             }
 }' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

In case you are sending airline hotel, this is the Json Object Format.

Parameter Type Required Description
booking_reference String Yes Booking reference.
booking_country String No Country booking, Format: ISO 3166-2.
issue_date String Yes Reservation date in the following format:YYYY-MM-DD HH:MM:SS.
name String Yes Hotel name.
code String Yes Hotel code.
arrival_date String Yes Arrival date in the following format:YYYY-MM-DD HH:MM:SS.
departure_date String Yes Departure date in the following format:YYYY-MM-DD HH:MM:SS.
payer_in Boolean No True if payer is in booking.
country String Yes Hotel country, Format: ISO 3166-2.
numbers_child Number Yes Total child.
numbers_adt Number Yes Total adult.
transportation_include Boolean No True if include transportation.
transport_name String No Transport name.
Airline Data

This is an example of request with airline data.

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "card": {
            "cvc": "",
            "expiry_month": 5,
            "expiry_year": 2024,
            "holder_name": "GMC",
            "number": "5123450000000008"
        },
        "order": {
            "amount": 200,
            "description": "PASSIVE99465427",
            "dev_reference": "PASSIVE99465427",
            "installments_type": 0,
            "taxable_amount": 0,
            "vat": 0
        },
        "origin": "ORIGIN",
        "user": {
            "email": "PASSIVE99465427@test.com",
            "fiscal_number": "",
            "id": "PASSIVE99465427",
            "ip_address": "127.0.0.1",
            "phone": ""
        }
        "airline": {
                "flight_legs": [
                    {
                        "carrier_code": "T1",
                        "departure_airport": "TAO",
                        "departure_date": "2021-09-30 08:00:00",
                        "destination_airport": "TAD",
                        "arrival_date": "2021-09-30 11:00:00",
                        "flight_number": "123456"
                    }
                ],
                "passengers": [
                    {
                        "first_name": "Gabriel",
                        "last_name": "Cruz",
                        "middle_name": "Omar",
                        "title": "Mr Dr"
                    },
                    {
                        "first_name": "Jhon",
                        "last_name": "Doe",
                        "middle_name": "",
                        "title": "Mr"
                    },
                    {
                        "first_name": "Jane",
                        "last_name": "Doe",
                        "middle_name": "",
                        "title": "Mrs"
                    }
                ],
                "reservation": {
                    "airline_code": "T1",
                    "booking_reference": "1234567890",
                    "document_type": "ELECTRONIC_TICKET",
                    "issue_date": "2021-09-30 00:00:00",
                    "ticket_number": "12345678901",
                    "travel_agent_code": "TESTAIR1",
                    "travel_agent_name": "TestAirline",
                    "itinerary_type": "ONE_WAY"
                }
        }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

In case you are sending airline data, this is the Json Object Format.

Parameter Type Required Description
flight_legs Array Yes Array with one or more objects of flight leg.see the specification of flight_leg.
passengers Array Yes Array with one or more objects of passenger.see the specification of passenger
reservation.airline_code String Yes Airline code.
reservation.booking_reference String Yes Booking reference.
reservation.document_type String Yes Document type can be ELECTRONIC_TICKET or OTHER.
reservation.issue_date Date Time Yes Reservation date in the following format:YYYY-MM-DD HH:MM:SS.
reservation.ticket_number String No Ticket number.
reservation.travel_agent_code String Yes Travel agent code.
reservation.travel_agent_name String Yes Travel agent name.
reservation.itinerary_type String No Itinerary type can be MULTI_DESTINATION, ONE_WAY, ROUND_TRIP.
reservation.complete_route String No Complete route example: SFO-JFK:JFK-LHR:LHR-CDG.
reservation.frequent_flyer String No Frequent flyer code, split with _.
reservation.delta_days Number No Delta days.
reservation.city_departure String No Departure city.
reservation.city_arrival String No Arrival City.
Flight leg object detail.
Parameter Type Required Description
carrier_code String Yes Carrier code.
departure_airport String Yes Departure airport.
departure_date Date Time Yes Departure date in the following format:YYYY-MM-DD HH:MM:SS.
destination_airport String Yes Destination airport
arrival_date Date Time Yes Arrival date in the following format:YYYY-MM-DD HH:MM:SS.
flight_number String Yes Flight number.
stopover_allowed Boolean No Allow stopover.
Passenger object detail.
Parameter Type Required Description
id String No User id.
first_name String Yes First name passenger.
last_name String Yes Last name passenger.
middle_name String No Middle name passenger.
title String Yes Title passenger.
email String No Passenger email.
type String No Passenger type : ADT, INF ó CHD.
phone String No Passenger phone.
amount Number No Amount for passenger. Format: Decimal with two fraction digits.
Installments Type

The installments type are only available for Ecuador and Mexico. For this countries if you send installments, then the installments_type are mandatory. The valid values are:

Type Description
0 Revolving credit (rotativo).
1 Revolving and deferred without interest (The bank will pay to the commerce the installment, month by month).
2 Deferred with interest.
3 Deferred without interest.
7 Deferred with interest and months of grace.
6 Deferred without interest pay month by month. (*)
9 Deferred without interest and months of grace.
10 Deferred without interest promotion bimonthly. (*)
21 For Diners Club exclusive, deferred with and without interest.
22 For Diners Club exclusive, deferred with and without interest.
30 Deferred with interest pay month by month. (*)
50 Deferred without interest promotions (Supermaxi). (*)
51 Deferred with interest (Cuota fácil). (*)
52 Without interest (Rendecion Produmillas). (*)
53 Without interest sale with promotions. (*)
70 Deferred special without interest. (*)
72 Credit without interest (cte smax). (*)
73 Special credit without interest (smax). (*)
74 Prepay without interest (smax). (*)
75 Deffered credit without interest (smax). (*)
90 Without interest with months of grace (Supermaxi). (*)

Split payment

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "11",
        "email": "test@test.com"
    },
    "order": {
        "amount": 19000,
        "description": "RBM-TES",
        "dev_reference": "11372",
        "vat": 0.0,
        "installments": 1
    },
    "card": {
        "token": "4813322119168991180"
    },
    "extra_params": {
        "split": {
            "transactions": [
                {
                    "application_code": "App2",
                    "installments": 1,
                    "amount": 10000
                },
                {
                    "application_code": "App1",
                    "installments": 1,
                    "amount": 9000
                }
            ]
        }
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2020-01-28T21:09:55.424",
    "amount": 19000.0,
    "authorization_code": "615246",
    "installments": 1,
    "dev_reference": "11372",
    "message": "Aprobado",
    "carrier_code": "00",
    "id": "RB-37",
    "status_detail": 3
  },
  "split": {
    "transactions": [
      {
        "installments": 1,
        "amount": 10000.0,
        "id": "RB-37-1",
        "application_code": "App2",
        "authorization_code": "615246"
      },
      {
        "installments": 1,
        "amount": 9000.0,
        "id": "RB-37-2",
        "application_code": "App1",
        "authorization_code": "580705"
      }
    ]
  },
  "card": {
    "bin": "377813",
    "status": "valid",
    "token": "6837968442995217183",
    "expiry_year": "2021",
    "expiry_month": "3",
    "transaction_reference": "RB-37",
    "type": "ax",
    "number": "9063",
    "origin": "ORIGIN"
  }
}

This endpoint is used to make payments that enables to split the order amount between different applications (Available only for Colombia).

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/debit/

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
order.amount Number Yes Total amount to pay. Format: Decimal with two fraction digits.
order.description String Yes The order description.
order.dev_reference String Yes Id from commerce to identify the order.
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.installments Number No The number of installments for the payment, only for COP, MXN, BRL, PEN, CLP and USD (Ecuador).
user.id String Yes Buyer identifier.
user.email String Yes Buyer email registered to order.
user.phone String No Numero de teléfono del comprador.
user.ip_address String No User IP address. Valid v4 IP address.
user.fiscal_number String No The fiscal number given by the buyer Note: For card types ex, ak, vr, sx, ol, ep and cd this field is mandatory.
card.token String Yes Card Identifier. This code is unique among all cards. Format: Long Integer.
extra_params Json Yes Required params to generate a split transaction See split params
Split params
Parameter Type Required Description
split.transactions Array Yes Array with the information of how the payment will be divided (commerce/amounts)
split.transactions.application_code String Yes Application that has the account to which a partial amount will be sent
split.transactions.amount Number Yes Partial amount of payment
split.transactions.installments Number Yes The number of installments for the partial amount
Split response
Parameter Description
transaction.status Could be success, failure, pending, expired or canceled.
transaction.payment_date If staging environment the date will be in UTC, otherwise will depend on carrier.
transaction.amount The amount of the transaction.
transaction.authorization_code If success the authorization code responded from carrier.
transaction.installments The number of installments for the payment.
transaction.dev_reference Merchant order reference.
transaction.message The returned message from carrier or fraud analysis system.
transaction.carrier_code The returned code from carrier.
transaction.id Transaction identifier. This code is unique among all transactions.
transaction.status_detail The status detail of the transaction, for more information status detail
card.bin The BIN of the card (First six digits of the card).
card.expiry_year The expiry year of the card.
card.expiry_month The expiry month of the card.
card.transaction_reference If any, the transaction.id
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.
card.origin The origin of the credit card. Could be one of the following: Shieldgate, VisaCheckout, Masterpass.
split.transactions Array containing authorized transactions on split payment
split.transactions.application_code Application that corresponds to that payment
split.transactions.amount Partial amount of the total order
split.transactions.id Transaction identifier of split payment
split.transactions.installments The number of installments for the partial amount
split.transactions.authorization_code Split transaction authorization code

Debit with QR

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "11",
        "email": "example@example.com",
        "fiscal_number": "1111111111",
        "phone": "111112222333"
    },
    "order": {
        "amount": 123,
        "description": "Product Description",
        "dev_reference": "nnnnn",
        "vat": 0
    },
    "card": {
        "token": "1111222233334444555",
    },
    "extra_params": {
        "qr_data": {
            "complete_info": {
                "is_new": false,
                "qr_type": "DINAMICO",
                "data_amount": {
                    "base_amount": 123,
                    "inc": 0,
                    "iva": 0,
                    "tip": 0,
                    "total_amount": 123,
                    "transaction_amount": 123
                },
                "qr_entity": {
                    "address": "my address",
                    "country_code": null,
                    "crc": null,
                    "max_inc_percentage": "0.0",
                    "max_iva_percentage": "0.0",
                    "merchant_category_code": null,
                    "merchant_city": null,
                    "merchant_name": "Product Description",
                    "merchant_account_information_c": {
                        "id_acquirer": null,
                        "unique_code_merchant": "1111112222",
                        "unique_code_merchant_agree": null
                    },
                    "merchant_additional_data_c": {
                        "id_acquirer": null,
                        "bill_number": null,
                        "customer_label": null,
                        "loyalty_number": null,
                        "mobile_number": null,
                        "purpose_of_transaction": null,
                        "reference_label": null,
                        "store_label": null,
                        "terminal_label": "XXXXYYY12"
                    },
                    "merchant_a_unreserved_c": {
                        "base_iva": "0",
                        "channel": "DA",
                        "condition_inc": "N",
                        "condition_iva": "N",
                        "condition_tax_one": null,
                        "condition_tax_two": null,
                        "consecutive_transaction": "4321",
                        "security_field": null,
                        "tax_one": null,
                        "tax_two": null,
                        "value_inc": "0",
                        "value_iva": "0"
                    },
                    "merchant_information_languaje_c": {
                        "language_preference": null,
                        "merchant_city_alternate_language": null,
                        "merchant_name_alternate_language": null
                    },
                    "payload_format_indicator": null,
                    "point_of_initiation_method": "D",
                    "postal_code": null,
                    "tip_or_convenience_indicator": "N",
                    "total_amount": "123",
                    "transaction_amount": "123",
                    "transaction_currency": null,
                    "value_of_convenience_fee_fixed": "0",
                    "value_of_convenience_fee_percentage": "0.0"
                }
            }
        }
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit/'

This endpoint creates a debit transaction with a QR code, only for Colombia (COP).

This is a solution that allow to pay throw a QR code generated in the dataphone or mobile application that is scaned from the mobile wallet of the client.

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/debit/

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
order.amount Number Yes Total amount to pay. Format: Decimal with two fraction digits.
order.description String Yes The order description.
order.dev_reference String Yes Id from commerce to identify the order.
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.installments Number No The number of installments for the payment, only for COP, MXN, BRL, PEN, CLP and USD (Ecuador).
user.id String Yes Buyer identifier.
user.email String Yes Buyer email registered to order.
user.phone String No Numero de teléfono del comprador.
user.ip_address String No User IP address. Valid v4 IP address.
user.fiscal_number String No The fiscal number given by the buyer Note: For card types ex, ak, vr, sx, ol, ep and cd this field is mandatory.
user.fiscal_number_type String No Fiscal number type
card.token String Yes Card Identifier. This code is unique among all cards. Format: Long Integer.
card.account_type String No The corresponding values for: Credit, Checking and Savings accounts are: C, R and A respectively.
extra_params.qr_data Json Yes Json returned in the SDK.
Response

See Objects in response

Debit with credit card

Base Case


curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com"
    },
    "order":{
        "amount": 11.1,
        "description": "una paleta",
        "vat": 0,
        "dev_reference": "referencia"
    },
    "card": {
        "number": "4507000397186651",
        "holder_name": "citlali calderon",
        "expiry_month": 9,
        "expiry_year": 2020,
        "cvc": "123",
        "type": "vi"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2017-10-12T21:07:22",
    "amount": 11.1,
    "authorization_code": "472921",
    "installments": 1,
    "dev_reference": "referencia",
    "message": "Operation Successful",
    "carrier_code": "6",
    "id": "CI-507",
    "status_detail": 3,
    "installments_type": "Revolving credit",
    "product_description": "una paleta",
    "payment_method_type": "0"
  },
  "card": {
    "bin": "450700",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "CI-507",
    "type": "vi",
    "number": "6651",
    "origin": "ORIGIN"
  }
}

An example of request with extra_params:


curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com"
    },
    "order":{
        "amount": 11.1,
        "description": "una paleta",
        "vat": 0,
        "dev_reference": "referencia"
    },
    "card": {
        "number": "4507000397186651",
        "holder_name": "citlali calderon",
        "expiry_month": 9,
        "expiry_year": 2020,
        "cvc": "123",
        "type": "vi"
    },
    "extra_params": {
        "config_01": "value_01",
        "config_02": {"name_01": "name_v01"}
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

This is an example of request making the request with 3ds 2 objects for authentication:


curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com"
    },
    "order":{
        "amount": 11.1,
        "description": "una paleta",
        "vat": 0,
        "dev_reference": "referencia"
    },
    "card": {
        "number": "4507000397186651",
        "holder_name": "citlali calderon",
        "expiry_month": 9,
        "expiry_year": 2020,
        "cvc": "123",
        "type": "vi"
    },
    "extra_params": {
        "threeDS2_data": {
            "term_url": "https://your.url.com/YOUR_3DS_NOTIFICATION_URL",
            "device_type": "browser",
            "process_anyway": false
        },
        "browser_info": {
            "ip": "88.196.25.166",
            "language": "en-US",
            "java_enabled": false,
            "js_enabled": true,
            "color_depth": 24,
            "screen_height": 1200,
            "screen_width": 1920,
            "timezone_offset": 0,
            "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
            "accept_header": "text/html"
        }
    }

}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

This endpoint creates a debit transaction with a credit card.

If you want to debit with 3D Secure 2 authentication. You will need to include extra_params in the request, that are used for authentication (See objects for authentication)

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc/

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
order.amount Number Yes Amount to debit. Format: Decimal with two fraction digits.
order.description String Yes Description of the order to be purchase. Format: (Maximum Length 250)
order.dev_reference String Yes Merchant order reference. You will identify this purchase using this reference.
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.installments Number No The number of installments for the payment, only for COP, MXN, BRL, PEN, CLP and USD (Ecuador).
order.installments_type Number No Only available for Ecuador and Mexico. See the valid values
order.taxable_amount Number No Only available for Ecuador. The taxable amount is the total amount of all taxable items excluding tax. If not sent, it's calculated on the total. Format: Decimal with two fraction digits.
order.tax_percentage Number No Only available for Ecuador. The tax rate to be applied to this order. Should be 0 or 12.
order.months_grace Number No Only available for Mexico and Ecuador (Medianet), the number of months of grace for a deferred payment.
user.id String Yes Customer identifier. This is the identifier you use inside your application.
user.first_name String No User name.
user.last_name String No User last name.
user.email String Yes Buyer email, with valid e-mail format.
user.phone String No Buyer phone.
user.ip_address String No User IP address. Valid v4 IP address.
user.fiscal_number String No The fiscal number given by the buyer Note: For card types ex, ak, vr, sx, ol, ep and cd this field is mandatory.
card.number String Yes A valid credit card number.
card.holder_name String Yes The credit card holder name.
card.expiry_month Number Yes The credit card expiry month.
card.expiry_year Number Yes The credit card expiry year.
card.cvc String Yes The credit card security number.
card.type String No Abbreviated card type. See the valid options
extra_params Json No Optional params (3DS 2 objects included) used for some commerce in Json format. Please contact your commercial executive for more details.
billing_address Json No Object with the billing address, see the specification of address.
shipping_address Json No Object with the shipping address, see the specification of address.
airline Json No Object with airline data, see the specification of airline.
hotel Json No Object with hotel data, see the specification of hotel.
Response

See Objects in response

Split payment

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "11",
        "email": "test@test.com"
    },
    "order": {
        "amount": 19000,
        "description": "Split TEST",
        "vat": 0,
        "dev_reference": "117"
    },
    "card": {
        "number": "4276981328765847",
        "holder_name": "Leidy Cruz",
        "expiry_month": 12,
        "expiry_year": 2022,
        "cvc": "355"
    },
     "extra_params": {
        "split": {
            "transactions": [
                {
                    "application_code": "APP_1",
                    "installments": 1,
                    "amount": 10000
                },
                {
                    "application_code": "APP_2",
                    "installments": 1,
                    "amount": 9000
                }
            ]
        }
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

The above request returns JSON structured like this:

{
    "transaction": {
        "status": "success",
        "payment_date": "2021-02-09T15:58:00.272",
        "amount": 19000.0,
        "authorization_code": "845889",
        "installments": 1,
        "dev_reference": "117",
        "message": "Aprobado",
        "carrier_code": "00",
        "id": "RB-7",
        "status_detail": 3
    },
    "split": {
        "size": 2,
        "transactions": [
            {
                "installments": 1,
                "amount": 10000.0,
                "id": "RB-7-1",
                "application_code": "APP_1",
                "authorization_code": "845889"
            },
            {
                "installments": 1,
                "amount": 9000.0,
                "id": "RB-7-2",
                "application_code": "APP_2",
                "authorization_code": "152244"
            }
        ]
    },
    "card": {
        "bin": "427698",
        "expiry_year": "2022",
        "expiry_month": "12",
        "transaction_reference": "RB-7",
        "type": "vi",
        "number": "5847",
        "origin": "ORIGIN"
    }
}

This endpoint is used to make payments that enables to split the order amount between different applications (Available only for Colombia).

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc/

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
order.amount Number Yes Total amount to pay. Format: Decimal with two fraction digits.
order.description String Yes The order description.
order.dev_reference String Yes Id from commerce to identify the order.
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.installments Number No The number of installments for the payment, only for COP, MXN, BRL, PEN, CLP and USD (Ecuador).
user.id String Yes Buyer identifier.
user.email String Yes Buyer email registered to order.
user.phone String No Numero de teléfono del comprador.
user.ip_address String No User IP address. Valid v4 IP address.
user.fiscal_number String No The fiscal number given by the buyer Note: For card types ex, ak, vr, sx, ol, ep and cd this field is mandatory.
card.number String Yes A valid credit card number.
card.holder_name String Yes The credit card holder name.
card.expiry_month Number Yes The credit card expiry month.
card.expiry_year Number Yes The credit card expiry year.
card.cvc String Yes The credit card security number.
card.type String No Abbreviated card type. See the valid options
extra_params Json Yes Required params to generate a split transaction See split params
Split params
Parameter Type Required Description
split.transactions Array Yes Array with the information of how the payment will be divided (commerce/amounts)
split.transactions.application_code String Yes Application that has the account to which a partial amount will be sent
split.transactions.amount Number Yes Partial amount of payment
split.transactions.installments Number Yes The number of installments for the partial amount
Split response
Parameter Description
transaction.status Could be success, failure, pending, expired or canceled.
transaction.payment_date If staging environment the date will be in UTC, otherwise will depend on carrier.
transaction.amount The amount of the transaction.
transaction.authorization_code If success the authorization code responded from carrier.
transaction.installments The number of installments for the payment.
transaction.dev_reference Merchant order reference.
transaction.message The returned message from carrier or fraud analysis system.
transaction.carrier_code The returned code from carrier.
transaction.id Transaction identifier. This code is unique among all transactions.
transaction.status_detail The status detail of the transaction, for more information status detail
card.bin The BIN of the card (First six digits of the card).
card.expiry_year The expiry year of the card.
card.expiry_month The expiry month of the card.
card.transaction_reference If any, the transaction.id
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.
card.origin The origin of the credit card. Could be one of the following: Shieldgate, VisaCheckout, Masterpass.
split.transactions Array containing authorized transactions on split payment
split.transactions.application_code Application that corresponds to that payment
split.transactions.amount Partial amount of the total order
split.transactions.id Transaction identifier of split payment
split.transactions.installments The number of installments for the partial amount
split.transactions.authorization_code Split transaction authorization code

Steps debit with 3DS

If you wish to make the payment throw your web checkout, extra steps are needed for calling JavaScript components provided by the MPI CyberSource. This steps works only for a brower integration, NOT for a mobile one.

The following steps are needed:

1. Get the reference_id and jwt.
curl -k  -L -H 'Content-Type: application/json' -H 'Auth-Token: auth-token'
'https://ccapi-stg.shieldgate.mx/v2/3ds/init/cybersource'

The above request returns JSON structured like this:

{
  "jwt": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJSZWZlcmVuY2VJZCI6ICIxIiwgImlzcyI6ICI1ZmY0NDVlZTU1ZjEwNTcwOWUyNjljODkiLCAianRpIjogIjgxZGY0MzZjLWZmMzEtNDhiNi1iMGYwLTBkM2Y1Y2NjOGEwOSIsICJleHAiOiAxNjQ2OTU5MTgxLCAiaWF0IjogMTY0Njk1MTk4MSwgIk9yZ1VuaXRJZCI6ICI1ZmY0NDVlZTA5YzUwYjJkNDA4ZjcyMDkifQ==.zHfhpRXB4u8noaHnwvvWSw2lGJHwM4Uky9FNZjRBeIc=",
  "reference_id": "1"
}
HTTP Request

GET https://ccapi-stg.shieldgate.mx/v2/3ds/init/cybersource

Response
Parameter Description
reference_id Unique Id per transaction that will be needed in backend and front end (thru the jwt).
jwt Token for autenticate in the front end service (CyberSource).
2. In your front end call the init method. You can listen for the payments.setupComplete event to be notified when Songbird has finished initializing.

In front end call the init. Continue only when the initializing has finished.

<script src="https://includestest.ccdc02.com/cardinalcruise/v1/songbird.js"></script>
Cardinal.setup('init', {
        jwt: jwt,
        order: {
            Consumer: {
                Account: {
                    AccountNumber: bin,
                }
            }
        }
    });

Cardinal.on('payments.setupComplete', function () {
    // this is an example
    document.getElementById('init').disabled = true;
    document.getElementById('Authenticate').disabled = false;
});


Cardinal.on('payments.validated', function (data, jwt) {
    // This event is triggered when the transaction has been finished. This is how Songbird hands back control to the merchant's webpage.
    // You can call the verify, this is an example:
   Payment.verifyTransaction(user_id, transaction_id, 'BY_CRES', '', useCases, successCallback, errorCallback);
});



The following is the javascript component of the MPI (CyberSource). For further information

Environment URL
development https://includestest.ccdc02.com/cardinalcruise/v1/songbird.js
production https://songbird.cardinalcommerce.com/edge/v1/songbird.js

The parameters needed for the Init:

Parameter Description
bin The first 6 digits of the card.
jwt Token obtained in the previous step.
3. In your backend call the debit with credit card method.

Debit with credit card example.

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com",
        "phone": "1234567890123"
    },
    "order":{
        "amount": 11.1,
        "description": "una paleta",
        "vat": 0,
        "dev_reference": "referencia",
        "installments": 4
    },
    "card": {
        "number": "4456530000001047",
        "holder_name": "citlali calderon",
        "expiry_month": 12,
        "expiry_year": 2024,
        "cvc": "123",
        "type": "vi"
    },
     "billing_address": {
        "street": "Street Test",
        "house_number": "24",
        "city": "ciudad de mexico",
        "zip": "67890",
        "state": "DF",
        "country": "MEX",
        "district": "colonia",
        "additional_address_info": ""
    },
    "extra_params": {
        "threeDS2_data": {
            "term_url": "https://your.url.com/",
            "device_type": "browser",
            "reference_id": "2"
        },
        "browser_info": {
            "ip": "88.196.25.166",
            "language": "en-US",
            "java_enabled": false,
            "js_enabled": true,
            "color_depth": 24,
            "screen_height": 1200,
            "screen_width": 1920,
            "timezone_offset": 0,
            "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
            "accept_header": "text/html"
        }
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/debit_cc'

Remarks on some parameters:

Parameter Description
extra_params.threeDS2_data.term_url The URL of the merchant’s return page.
extra_params.threeDS2_data.device_type Only browser is possible.
extra_params.threeDS2_data.reference_id The reference_id obtained in the first step.
billing_address The billing address is mandatory for CyberSource

In the response will be information needed for the next step:

Parameter Description
3ds.browser_response.challenge_request Match the AcsUrl.
3ds.browser_response.transaction_id Match the TransactionId in CyberSource.
3ds.browser_response.pareq Match the Payload.
4. If the status_detail obtained in the previous step was 36, in your front end call the continue method.

In front end, call continue.

<script src="https://includestest.ccdc02.com/cardinalcruise/v1/songbird.js"></script>
Cardinal.continue('cca',
        {
            "AcsUrl": browser_response.challenge_request,
            "Payload": browser_response.pareq,
        },
        {
            "OrderDetails": {
                "TransactionId": browser_response.transaction_id
            }
        }
    );

The params needed for continue are: AcsUrl, TransactionId y Payload received in the previous step.

5. If the forth step was needed, call the verify BY_CRES.

Verify BY_CRES example:

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth-token' -d '{
  "user": {
    "id": "4"
  },
  "transaction": {
    "id": "RB-340"
  },
  "type": "BY_CRES",
  "value": "",
  "more_info": true

}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/verify'

In this case you will sent an empty string for value.

Cards to test different scenarios:
Card Scenario
5200000000001096 challenge
5200000000001005 frictionless

Authorize

Case a) sending only the card.token

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com"
    },
    "order": {
        "dev_reference": "referencia",
        "amount": 99.0,
        "description": "pozole",
        "vat": 0.00
    },
    "card": {
        "token": "6221308792087238335"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/authorize/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2017-09-26T21:03:04",
    "amount": 99.0,
    "authorization_code": "148177",
    "installments": 1,
    "dev_reference": "referencia",
    "message": "Operation Successful",
    "carrier_code": "4",
    "id": "CI-490",
    "status_detail": 0
  },
  "card": {
    "bin": "453254",
    "status": "valid",
    "token": "10135134879450157925",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "CI-490",
    "type": "vi",
    "number": "8311",
    "origin": "ORIGIN"
  }
}

Case b) sending all the information of the card (pci commerce)

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4",
        "email": "user@example.com"
    },
    "order": {
        "dev_reference": "referencia",
        "amount": 99.0,
        "description": "pozole",
        "vat": 0.00
    },
    "card": {
            "number": "4507000397186651",
            "holder_name": "citlali calderon",
            "expiry_month": 9,
            "expiry_year": 2020,
            "cvc": "123",
            "type": "vi"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/authorize/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2017-09-26T21:02:04",
    "amount": 99.0,
    "authorization_code": "148177",
    "installments": 1,
    "dev_reference": "referencia",
    "message": "Operation Successful",
    "carrier_code": "4",
    "id": "CI-491",
    "status_detail": 0
  },
  "card": {
    "bin": "450700",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "CI-491",
    "type": "vi",
    "number": "6651"
  }
}

This endpoint send for authorization a transaction of Credit Card (Only for Cielo (BRL), Prosa (MXN) Procesos and Visanet (PEN))

If you want to authorize with 3D Secure 2 authentication, there are two possible ways:

  1. Direct authorization with Shieldgate by Afirme. This will include extra params in the request, that are used for authentication (See objects for authentication)

  2. By Performing a 3D Secure 2 authentication calling the proper endpoint Authentication 3DS 2 section, before calling the authorize.

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/authorize/

URL Parameters
Parameter Type Required Description
session_id String No Fraud related parameter. 32-length numeric hash.
order.amount Number Yes Amount to debit. Format: Decimal with two fraction digits.
order.description String Yes Description of the order to be purchase. Format: (Maximum Length 250)
order.dev_reference String Yes Merchant order reference. You will identify this purchase using this reference.
order.vat Number Yes Sales tax amount, included in product cost. Format: Decimal with two fraction digits.
order.installments Number No The number of installments for the payment, only for COP, MXN, BRL, PEN, CLP and USD (Ecuador).
order.installments_type Number No Only available for Ecuador and Mexico. See the valid values
order.months_grace Number No Only available for Mexico and Ecuador (Medianet), the number of months of grace for a deferred payment.
user.id String Yes Customer identifier. This is the identifier you use inside your application.
user.first_name String No User name.
user.last_name String No User last name.
user.email String Yes Buyer email, with valid e-mail format.
user.phone String No Buyer phone.
user.ip_address String No User IP address. Valid v4 IP address.
card.token String No (*) Card Identifier. This code is unique among all cards. Format: Long Integer.
card.number String No A valid credit card number.
card.holder_name String No (*) The credit card holder name.
card.expiry_month Number No (*) The credit card expiry month.
card.expiry_year Number No (*) The credit card expiry year.
card.cvc String No (*) The credit card security number.
card.type String No (*) Abbreviated card type. See the valid options
extra_params Json No Optional params (3DS 2 objects included) used for some commerce in Json format. Please contact your commercial executive for more details.
billing_address Json No Object with the billing address, see the specification of address.
shipping_address Json No Object with the shipping address, see the specification of address.
airline Json No Object with airline data, see the specification of airline.
hotel Json No Object with hotel data, see the specification of hotel.
Response

See Objects in response

Capture

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "transaction": {
        "id": "CI-325"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/capture/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2017-09-26T21:03:04",
    "amount": 99.0,
    "authorization_code": "148177",
    "installments": 1,
    "dev_reference": "referencia",
    "message": "Operation Successful",
    "carrier_code": "6",
    "id": "CI-490",
    "status_detail": 3
  },
  "card": {
    "bin": "453254",
    "status": "valid",
    "token": "10135134879450157925",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "CI-490",
    "type": "vi",
    "number": "8311"
  }
}

This endpoint capture an authorized transaction (Only for Cielo (BRL), Prosa (MXN) Procesos and VisaNet (PEN))

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/capture/

URL Parameters
Parameter Type Required Description
transaction.id String Yes Transaction identifier. This code is unique among all transactions.
order.amount Number No The order amount to capture, could be greater o lower than original (Prosa MXN), or only lower (Cielo, BRL Procesos and VisaNet (PEN)). Format: Decimal with two fraction digits. If not provided, the full amount of the original authorize will be captured.
Response

See Objects in response

Verify

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "user": {
        "id": "4"
    },
    "transaction": {
        "id": "CI-316"
    },
    "type": "BY_AMOUNT",
    "value": "99.99"

}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/verify'

The above request returns JSON structured like this:

{
  "status": 1,
  "payment_date": "2017-09-26T21:16:00",
  "amount": 99.0,
  "transaction_id": "CI-491",
  "status_detail": 3,
  "message": ""
}

In case of more_info = true, this is an example:

{
  "transaction": {
    "status": "failure",
    "payment_date": null,
    "amount": 11.1,
    "authorization_code": null,
    "installments": 1,
    "dev_reference": "referencia",
    "message": null,
    "carrier_code": null,
    "id": "RB-5969",
    "status_detail": 37
  },
  "card": {
    "bin": "401600",
    "status": "",
    "token": "",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "RB-5969",
    "type": "vi",
    "number": "0051",
    "origin": "ORIGIN"
  },
  "3ds": {
    "sdk_response": {
      "acs_trans_id": "00000000-0005-5a5a-8000-016ab2e4246c",
      "acs_signed_content": null,
      "acs_reference_number": "JCB0002"
    },
    "authentication": {
      "status": "U",
      "return_message": "U-status/Challenge authentication via ACS: ",
      "version": null,
      "xid": "MDAwMDAwMDAwMDAwMDAwMDAyMDg=",
      "reference_id": "ffffffff-9002-51a3-8000-0000000345a2",
      "cavv": null,
      "return_code": "5",
      "eci": null
    },
    "browser_response": {
      "hidden_iframe": "",
      "challenge_request": ""
    }
  }
}

After have been performed a transaction, whether through an add card, a debit with token, a debit with card or an authorization, if the response transaction status is pending, this end point should be posted after that.

Sometimes an add card or debit transaction would need to be verified with a code from the financial entity that charges the card. Another case that needs verification is when the card issuer send a OTP to the user in order to continue with the transaction, or after the buyer have been challenged in a 3DS 2 transaction.

When the buyer gets the verification code from his bank, or when the buyer obtain the SMS with the OTP, or when the merchant gets the result of the challenge response, its possible to verify the operation making a request to:

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/verify

URL Parameters
Parameter Type Required Description
transaction.id String Yes Transaction identifier. This code is unique among all transactions.
user.id String Yes Customer identifier. This is the identifier you use inside your application.
type String Yes The type of value that is going to be sent in the request. Valid strings "BY_AMOUNT", "BY_AUTH_CODE", "BY_OTP", "BY_CRES" and "AUTHENTICATION_CONTINUE".
value String Yes Could be the authorization code provided by the financial entity to the buyer, the transaction amount, the One Time Password (OTP), the Challenge Response (CRES), or empty string in case of AUTHENTICATION_CONTINUE.
more_info Boolean No true or false to determine if the response will include more info about the transaction.
Response
Parameter Description
status The status of the transaction, for more information status detail
payment_date If staging environment the date will be in UTC, otherwise will depend on carrier.
amount The amount of the transaction.
transaction_id Transaction identifier. This code is unique among all transactions.
status_detail The status detail of the transaction, for more information status detail
message If the type of verification was "BY_OTP", the response message in case of failure.

If you send more_info with value true: See Objects in response

Currency Amount
COP 256
CRC 256
CLP 256
USD 2.56
BRL 2.56
PEN 2.56
SGD 2.56
MXN 25.6
HNL 25.6
NIO 25.6
UYU 25.6
ARS 128

Refund

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "transaction": {
        "id": "CI-311"
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/refund/'

The above request returns JSON structured like this:

{
  "status": "success",
  "detail": "Completed"
}

Example of refund with partial amount

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "transaction": {
        "id": "CI-311"
    },
    "order": {
        "amount": 11.10
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/refund/'

Example of request with reference_label. For QR Colombia only.

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "transaction": {
        "reference_label": 1234567891011141618
    }
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/refund/'

Example of request, with param 'more_info'

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "transaction": {
        "id": "PR-11"
    },
    "order": {
        "amount": 8.00
    },
    "more_info": true
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/refund/'

Example of response with more info

{
  "status": "success",
  "transaction": {
    "status": "success",
    "payment_date": "2020-02-11T00:39:58.477",
    "authorization_code": "TEST00",
    "refund_amount": 8.0,
    "dev_reference": "referencia",
    "carrier_code": null,
    "status_detail": 34,
    "amount": 11.1,
    "installments": 1,
    "message": "Reverse by mock",
    "id": "PR-11"
  },
  "detail": "Completed partial refunded with 8.0",
  "card": {
    "bin": "400000",
    "status": "",
    "token": "",
    "expiry_year": "2020",
    "expiry_month": "9",
    "transaction_reference": "PR-11",
    "type": "vi",
    "number": "0077",
    "origin": "ORIGIN"
  }
}

This endpoint is used to refund a transaction

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/refund/

URL Parameters
Parameter Type Required Description
transaction.id String Yes (*) Transaction identifier. This code is unique among all transactions.
transaction.reference_label Number Yes (*) Only for QR Colombia. ID Reference for a QR transaction.
order.amount Number No The order amount to refund. Format: Decimal with two fraction digits. If not provided, the full amount of the transaction. Works with Cielo (BRL), Prosa (MXN), Credibanco and Redeban (COP) (**).
more_info Boolean No true or false to determine if the response will include more info about the transaction.
Response
Parameter Description
status Could be one of the following: success, pending or failure
detail If success could be Completed or Completed partial refunded with NN.NN where NN.NN is the amount of the partial refund. If failure could be Error: Not completed, Transaction already refunded or Invalid Status. If pending, Waiting gateway confirmation or Waiting gateway confirmation for partial refund with NN.NN.

Void

curl -k  -L -X POST -H 'Content-Type: application/json' -H 'Auth-Token: auth_token' -d '{
    "transaction": {
        "id": "PR-11"
    },
}' 'https://ccapi-stg.shieldgate.mx/v2/transaction/void/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "success",
    "payment_date": "2022-08-11T18:52:32",
    "amount": 99.0,
    "authorization_code": "148177",
    "installments": 1,
    "dev_reference": "referencia",
    "message": "Operation Successful",
    "carrier_code": null,
    "id": "PR-11",
    "status_detail": 29
  },
  "card": {
    "bin": "453254",
    "status": "valid",
    "token": "10135134879450157925",
    "expiry_year": "2025",
    "expiry_month": "10",
    "transaction_reference": "PR-11",
    "type": "vi",
    "number": "8311"
  }
}

This endpoint cancels an authorized transaction (Prosa (MXN))

HTTP Request

POST https://ccapi-stg.shieldgate.mx/v2/transaction/void/

URL Parameters
Parameter Type Required Description
transaction.id String Yes (*) Transaction identifier. This code is unique among all transactions.
Response

See Objects in response

Transaction Info

curl -k  -L -H 'Content-Type: application/json' -H 'Auth-Token: auth_token'
 'https://ccapi-stg.shieldgate.mx/v2/transaction/<transaction_id>/'

The above request returns JSON structured like this:

{
  "transaction": {
    "status": "pending",
    "payment_date": "2018-01-26T23:49:51.100Z",
    "amount": 10,
    "authorization_code": "",
    "installments": 1,
    "dev_reference": "",
    "status_detail": 0,
    "carrier_code": "",
    "message": "",
    "id": ""
  },
  "card": {
    "bin": "400552",
    "holder_name": "First Dev",
    "number": "4821",
    "expiry_year": "2020",
    "expiry_month": "12",
    "type": "vi",
    "origin": "ORIGIN"
  }
}

This endpoint is used to obtain transaction info

HTTP Request

GET https://ccapi-stg.shieldgate.mx/v2/transaction/<transaction_id>

URL Parameters
Parameter Type Required Description
transaction_id String Yes Shieldgate by Afirme transaction_id
Response
Parameter Description
transaction.status Could be success, failure, pending, expired or canceled.
transaction.payment_date If staging environment the date will be in UTC, otherwise will depend on carrier.
transaction.amount The amount of the transaction.
transaction.authorization_code If success the authorization code responded from carrier.
transaction.installments The number of installments for the payment.
transaction.dev_reference Merchant order reference.
transaction.message The returned message from carrier or fraud analysis system.
transaction.carrier_code The returned code from carrier.
transaction.id Transaction identifier. This code is unique among all transactions.
transaction.status_detail The status detail of the transaction, for more information status detail
card.bin The BIN of the card (First six digits of the card).
card.expiry_year The expiry year of the card.
card.expiry_month The expiry month of the card.
card.transaction_reference If any, the transaction.id
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.
card.origin The origin of the credit card. Could be one of the following: Shieldgate, VisaCheckout, Masterpass.

Card Brands

Internationals

Card type Brand Logo
vi Visa
mc Mastercard
ax American Express
di Diners
dc Discover
ms Maestro

Mexico

Card type Brand Logo
cn Carnet

LinkToPay

In this platform, we can generate a payment link, which can be completed with any of the payment methods assigned to the access credentials.

Example of request to generate link.

curl --request POST
  --url https://noccapi-stg.shieldgate.mx/linktopay/init_order/
  --header 'auth-token: auth-token'
  --header 'content-type: application/json'
  --data '{
    "user": {
        "id": "117",
        "email": "dummy@foo.com",
        "name": "Gabriel",
        "last_name": "Cruz"
    },
    "order": {
        "dev_reference": "1",
        "description": "Product description",
        "amount": 1000,
        "installments_type": 0,
        "currency": "COP"
    },
    "configuration": {
        "partial_payment": true,
        "expiration_days": 1,
        "allowed_payment_methods": ["All"],
        "success_url": "https://url-to-success.com",
        "failure_url": "https://url-to-failure.com",
        "pending_url": "https://url-to-pending.com",
        "review_url": "https://url-to-review.com"
    }
}'

Example of request to generate a link with billing_address.

curl --request POST
  --url https://noccapi-stg.shieldgate.mx/linktopay/init_order/
  --header 'auth-token: auth-token'
  --header 'content-type: application/json'
  --data '{
    "user": {
        "id": "117",
        "email": "dummy@foo.com",
        "name": "Gabriel",
        "last_name": "Cruz"
    },
    "order": {
        "dev_reference": "1",
        "description": "Product description",
        "amount": 1000,
        "installments_type": 0,
        "currency": "COP"
    },
    "configuration": {
        "partial_payment": true,
        "expiration_days": 1,
        "allowed_payment_methods": ["Card"],
        "success_url": "https://url-to-success.com",
        "failure_url": "https://url-to-failure.com",
        "pending_url": "https://url-to-pending.com",
        "review_url": "https://url-to-review.com"
    },
   "billing_address": {
         "street": "Calle 1 Sur",
         "city": "Chia",
         "country": "COL",
         "district": "Chia",
         "zip": "#5",
         "state": "CU",
         "house_number": "179",
         "additional_address_info": "Casa 53"
 }
}'

The above request returns JSON structured like this:

{
    "success": true,
    "detail": "Operation completed successfully.",
    "data": {
        "user": {
            "id": "117",
            "email": "dummy@foo.com"
        },
        "order": {
            "id": "8REV4qMyevlR4xGm3OL",
            "status": "Init",
            "dev_reference": "1",
            "description": "Product description",
            "currency": "COP",
            "amount": 1000.0,
            "taxes": [
                {
                    "type": "vat",
                    "amount": 0
                },
                {
                    "type": "inc",
                    "amount": 0
                }
            ],
            "additional_amounts": [
                {
                    "type": "tip",
                    "amount": 0
                }
            ]
        },
        "configuration": {
            "expiration_date": "2022-11-19 18:45:39",
            "partial_payment": true,
            "allowed_payment_methods": [
                "All"
            ],
            "allow_retry": true
        },
        "payment": {
            "payment_url": "https://link-stg.shieldgate.mx./checkout/8REV4qMyevlR4xGm3OL",
            "payment_qr": "iVBORw0KGgoAAAANSUhEUgAAAZoAAAGaAQAAAAAefbjOAAADC0lEQVR4nO2cXa7aMBBGz9SReDRSF8BSzA7ukq66s2Q
                           pLAApeURK9PXBdhJoVaniFigZP6Ak5Ahbsebnmwkm/np03/6eAYcccsghhxxy6D0hK6PJRzCYme2Bbjk1Mzs+ZXoOPR
                           5KkqQe1MYRO0aJ1E9GkmRHgiRJ19DjpufQ46GhGoB02kk/9kBnO2VDAWBmzfOm59DDoObm3IgXUzoZAvh9bvria3LoS6
                           HUgx0JotsDMJnaf/JLDr0kVG1EFDDUq90+YGAIQrYTa2vx4mty6AugzmpywbATqQdSH2THocGOTFaSkOdMz6FH24hfwo
                           V4MbrDxej2WLEgz5ieQw+HyFllkoplII4lGW1v7ozlPrUvviaH7oHqjuhB0ojUl8CB1AdJGoFYNkhWJXxHvDNUHrL6UL
                           ZFG8e6NyTV0+ujF1+TQ/dAV15D8+iD1BJUnMhsLdxrvD1UdkQOEuo+qB5iBLgxHr4j3hyac42pUXcYsSTKR/5i+I6KVh
                           W8rrEBqMYR2R5QPES7MhnMX3hkuQUo2wgjnlH3cc6GAoByFM+NuiNopVq8+Jocuh/KUWQ67QRDg332U9Uns4QZZLafXL
                           PcALT2GqlmEyWUJJSeCVXByr3GZqBuHwTDrjz4FlgkzGIe4ngDPW56Dj3BRix6xFgz0jyCFtXK9Yj3h2aXUPOKlGXrpb
                           hRXMf62ouvyaF7oLmuEVTLF+FKq4ql1uFxxEagqlANIAZDSQDxYsVtDA10HyMkTbW95sXX5NA90NxnOZmIgu7jPGsUPU
                           Y8N5ZjTNcsNwTV9qm5SyqHFZNlPaJ0WLkesQVolWssGcZS5FIbrzQKjyM2Ai3vdOUYs6vvZtiRoBJMHFyP2AK06o/IKc
                           Xy0UaJXA3Pt3g1fAvQqquupKCrnJN1k533WW4TUhsvOZ4029f6Vs41hqbI2//bmhy6C0qnhlLDiCNqo2qThNc1NgXND7
                           47jNjnqUFtTUbNDvO2eNL0HHoYdFvVysHE3FiZrxGvimEeR7wzZL9/+/uPw/+ZzCGHHHLIIYccAvgJATB20GiZw/kAAA
                           AASUVORK5CYII="
        }
    }
}

To generate a link to pay, certain information is required, this allows to consume any payment method provided by Shieldgate by Afirme

POST https://noccapi-stg.shieldgate.mx/linktopay/init_order/

Parameter Type Required Description
user.id String Yes Buyer identifier. Max length 250 characters.
user.email String Yes Buyer email, with valid e-mail format. Max length 250 characters.
user.name String Yes Buyer name. Max length 100 characters.
user.last_name String Yes Buyer name. Max length 100 characters.
user.fiscal_number_type String No Indicates the type of fiscal number (user identification).
user.fiscal_number String No Fiscal number (identification number) given by the user. Max length 100 characters.
order.dev_reference String Yes Id from commerce to identify the order. Max length 100 characters.
order.description String Yes The order description. Max length 250 characters.
order.amount Number Yes Total amount to pay. Format: Decimal with two fraction digits.
order.installments_type Number Yes Only available Ecuador and Mexico see the valid types. For the rest of the countries, 0 to allow installments, -1 otherwise. Only available to card payment method.
order.vat Number Yes Sales tax amount, included in order amount. Format: Decimal with two fraction digits.
order.inc Number No National consumption tax, included in order amount. Format: Decimal with two fraction digits.
order.tip Number No Only available for pay with Qr code . Tip, not included in order amount. Format: Decimal with two fraction digits.
order.taxable_amount Number No Only available for Ecuador and Colsubsidio. The taxable amount is the total amount of all taxable items excluding tax. If not sent, it's calculated on the total. Format: Decimal with two fraction digits.
order.tax_percentage Number No Only available for Ecuador and Colsubsidio. The tax rate to be applied to this order. Should be 0 or 12.
order.currency String Yes Order currency see the valid types.
configuration.partial_payment Boolean Yes Indicates if the partial payment is allowed.
configuration.expiration_days Number No(*) Number of days in which the link to pay expires.
configuration.expiration_time Number No(*) Time in seconds it will take for the link to pay to expire.
configuration.allowed_payment_methods Array (String) No Indicates allowed payment methods. 'All' is the default. See the valid types.
configuration.currency_exchange String No Currency in which the link to pay will be paid see the valid types.
configuration.success_url String Yes URL to redirect when transaction is success.
configuration.failure_url String Yes URL to redirect when transaction is failure.
configuration.pending_url String Yes URL to redirect when transaction is pending.
configuration.review_url String Yes URL to redirect when transaction is in review.
billing_address.street String No The name of the street.
billing_address.city String Yes The city, max length of 50 characters.
billing_address.state String No The state: ISO 3166-2 country subdivision code in case of 3DS authentication, free format otherwise
billing_address.district String No The district.
billing_address.zip String Yes The zip or postal code. Max length allowed of 50 characters.
billing_address.house_number String No The house number
billing_address.country String Yes Country in ISO 3166-1 alpha-3 format, for example: COL, MEX, ECU.
billing_address.additional_address_info String No Additional address info, without format.
Parameter Description
user.id Buyer identifier.
user.email Buyer email registered to order.
order.dev_reference Reference from commerce.
order.amount Total amount to pay.
order.description Order description.
configuration.expiration_date Date limit to pay.
configuration.partial_payment Indicates if the partial payment is allowed.
configuration.allowed_payment_methods Indicates allowed payment methods.
payment.payment_url Link To Pay, URL to do redirect.
payment.payment_qr Code Qr base64, URL to do redirect.

Allowed currencies:

Currency Country
COP Colombia
USD Ecuador, El Salvador, Panama
BRL Brazil
MXN Mexico
ARS Argentina
CLP Chile
PEN Peru
GTQ Guatemala
HNL Honduras
NIO Nicaragua
CRC Costa Rica

Allowed payment methods by country:

Key Description
All All payment methods
Card Only card payment method (All countries)
BankTransfer Only bank transfer method (Colombia)
Cash Only cash / reference payment method (Colombia, Mexico, Ecuador)
Colsubsidio Only colsubsidio for Colombia
EWallet Only E-wallet payment method (Colombia)
Qr Only Qr code payment method (Colombia)
Pix Only Pix (Qr code) payment method (Brazil)
Rappi Only Rappi Pay payment method (Colombia)

Third party integrations

VTEX

We have implementation in the eCommerce VTEX platform.

For further information visit the following manual.

Test Cards

You can use the following cards for your tests. For adding a card or direct purchase in staging environment:

Card Return Code Scenarios
4111111111111111, 36417002140808 valid Charge succeeds
5119159076977991, 370236553676505 review Charge is under Review
4242424242424242, 347763907473248 rejected Not Authorized
4520121813132351, 378196561987405 rejected Rejected by Fraud System
375953548754701, 376337093362277 rejected Card in black list

For a card not listed above, the system will leave the card as valid. Once you add a valid card in the platform you can prove the debit using a specific description as follow:

order.description Result
Approved transaction status = success, status_detail = 3
Denied transaction status = failure, status_detail = 9
Reviewed transaction status = pending, status_detail = 1
Rejected by fraud system transaction status = failure, status_detail = 11
Card in black list status = failure, status_detail = 12

You can use either the test cards or the description to prove, but not both.

WebHook

The above is the JSON returned in the WebHook:

{
  "transaction": {
     "status": "1",
     "order_description": "ORDER #1507155336536",
     "authorization_code": "113310",
     "status_detail": "3",
     "date": "04/10/2017 22:15:37",
     "message": "Operation Successful",
     "id": "CI-502",
     "dev_reference": "1507155336536",
     "carrier_code": "6",
     "amount": "10.5",
     "paid_date": "04/10/2017 19:15:00",
     "installments": "1",
     "ltp_id": "LeNgJbx57Vnj9Rnq",
     "stoken": "e03f67eba6d730d8468f328961ac9b2e",
     "application_code": "AndroidTest",
     "terminal_code": "12334"
  },
  "user": {
     "id": "4",
     "email": "user@example.com"
  },
  "card": {
     "bin": "411111",
     "holder_name": "Martin Mucito",
     "type": "vi",
     "number": "1111",
     "origin": "ORIGIN",
     "fiscal_number": "2365448809"
  }
}

Example of stoken generation (python):


transaction_id = 123
app_code = HF
user_id = 123456
app_key = 2GYx7SdjmbucLKE924JVFcmCl8t6nB
for_md5 = 123_HF_123456_2GYx7SdjmbucLKE924JVFcmCl8t6nB
stoken = hashlib.md5(for_md5).hexdigest()

So the stoken for this example is e242e78ae5f1ed162966f0eacaa0af01

The above is an example of JSON returned for the case of Split Payment:

{
  "transaction": {
     "status": "1",
     "order_description": "ORDER #1507155336536",
     "authorization_code": "113310",
     "status_detail": "3",
     "date": "04/10/2017 22:15:37",
     "stoken": "e03f67eba6d730d8468f328961ac9b2e",
     "application_code": "AndroidTest",
     "status": "1",
     "paid_date": "04/10/2017 22:15:37",
     "amount": "19000.0",
     "authorization_code": "615246",
     "installments": "1",
     "dev_reference": "11372",
     "message": "Aprobado",
     "carrier_code": "00",
     "id": "RB-37",
     "status_detail": "3"
  },
  "split": {
    "transactions": [
      {
        "installments": "1",
        "amount": "10000.0",
        "id": "RB-37-1",
        "application_code": "App2",
        "authorization_code": "615246"
      },
      {
        "installments": "1",
        "amount": "9000.0",
        "id": "RB-37-2",
        "application_code": "App1",
        "authorization_code": "580705"
      }
    ]
  },
  "card": {
    "bin": "377813",
    "holder_name": "Martin Mucito",
    "type": "ax",
    "number": "9063",
    "origin": "ORIGIN"
  }
}

The following is an example of returned JSON for the case of payment with Cash or Bank Transfer:

{
  "transaction": {
     "status": "1",
     "order_description": "ORDER #1507155336536",
     "status_detail": "3",
     "date": "04/01/2020 22:15:37",
     "id": "PSE-1000",
     "payment_method_type": "2",
     "dev_reference": "1507155336536",
     "amount": "10.5",
     "paid_date": "04/10/2017 19:15:00",
     "ltp_id": "LeNgJbx57Vnj9Rnq",
     "stoken": "e03f67eba6d730d8468f328961ac9b2e",
     "application_code": "AndroidTest",
     "terminal_code": "12334"
  },
  "user": {
     "id": "4",
     "email": "user@example.com"
  }
}

Every time a transaction gets approved or cancelled you will get an HTTP POST request from Shieldgate by Afirme to your callback_url (you need to provide this url to our staff). The POST includes the following fields:

Parameter Description
transaction.status The status of the transaction, for more information status
transaction.order_description Description of the order to be purchase. Format: (Maximum Length 250)
transaction.authorization_code If success the authorization code responded from carrier.
transaction.status_detail The status detail of the transaction, for more information status detail
transaction.date Transaction date (used for approved numbers in the Dashboard).
transaction.message The returned message from carrier or fraud analysis system.
transaction.id Transaction identifier. This code is unique among all transactions.
transaction.dev_reference Merchant order reference.
transaction.carrier_code The returned code from carrier.
transaction.amount The amount of the transaction.
transaction.paid_date Transaction paid date (used for approved numbers in the Dashboard).
transaction.installments The number of installments for the payment.
transaction.stoken MD5 hash of [transaction_id]_[application_code]_[user_id]_[app_key]
transaction.ltp_id Reference to the link to pay used to pay.
transaction.application_code The transaction belongs to this application code.
transaction.payment_method_type Payment method of the transaction, for more information payment_method_types
transaction.terminal_code Terminal id of the transaction.
user.id Customer identifier. This is the identifier you use inside your application.
user.email Buyer email, with valid e-mail format.
card.bin The BIN of the card (First six digits of the card).
card.holder_name The credit card holder name.
card.type Abbreviated card type. See the valid options
card.number The last four digits of the card.
card.origin The origin of the credit card. Could be one of the following: Shieldgate, VisaCheckout, Masterpass.
card.fiscal_number Fiscal number of the payer of the transaction.

For every transaction you must return an HTTP status, this status is only used to know that you received correctly the call:

Status Case
200 success
203 token error

You just need to generate the stoken and match the token against the one you receive to be sure that the POST came from Shieldgate by Afirme . You must store this information from all transactions in your database and always check the transaction.id to make sure you are not getting a duplicated POST.

If your server doesn’t respond with an HTTP 200 OK message, the POST will be retrying until get an status HTTP 200, this during 48 hours, with incremental period of time in each retry, first retry will be at 5 min aprox., second retry at 10 min aprox. and so on. In case of receiving any HTTP status >= 500 we will stop trying.

Additionally to approve transactions we also send you those approved transactions that get cancelled, this time the only difference is the status value, which will be 2. In this case you should answer with 200 (so we don’t send it again) and should update the transaction status so you ensure your data and accounting matches with Shieldgate by Afirme

Status details

The Shieldgate by Afirme API uses the following status and status details:

Status Meaning
0 Pending
1 Approved
2 Cancelled
4 Rejected
5 Expired
Status Detail Meaning
0 Waiting for Payment.
1 Verification required, please see Verification section.
2 Paid Partially
3 Paid.
4 In Dispute.
5 Overpaid.
6 Fraud.
7 Refund.
8 Chargeback
9 Rejected by carrier.
10 System error.
11 Shieldgate by Afirme fraud.
12 Shieldgate by Afirme blacklist.
13 Time tolerance.
14 Expired by Shieldgate by Afirme
15 Expired by carrier.
16 Rejected by Shieldgate by Afirme
17 Abandoned by Shieldgate by Afirme
18 Abandoned by Customer
19 Invalid Authorization Code.
20 Authorization code expired.
21 Shieldgate by Afirme Fraud - Pending refund.
22 Invalid AuthCode - Pending refund.
23 AuthCode expired - Pending refund.
24 Shieldgate by Afirme Fraud - Refund requested.
25 Invalid AuthCode - Refund requested.
26 AuthCode expired - Refund requested.
27 Merchant - Pending refund.
28 Merchant - Refund requested.
29 Annulled.
30 Transaction seated (only Ecuador).
31 Waiting for OTP.
32 OTP successfully validated.
33 OTP not validated.
34 Partial refund.
35 3DS method requested, waiting to continue.
36 3DS challenge requested, waiting CRES.
37 Rejected by 3DS.

Errors

The Shieldgate by Afirme API uses the following error codes:

Http Status Code Meaning
400 Bad Request -- For example json not well formatted, data type or parameters missing.
401 Unauthorized -- Your auth_token is wrong or expired.
403 Forbidden -- For several reasons, for example invalid card, card already added, carrier not configured or operation not allowed.
404 Not found -- The resource does not exist.
409 Conflict -- For several reasons, for example transaction could not be created, a miss configuration, the response from third party service response with error.
500 Internal Server Error -- We had a problem with our server. Try again later.
503 Service Unavailable -- We're temporarily offline for maintenance. Please try again later.

Response in case of error

An example of an error returns JSON structured like this:

{
  "error": {
    "type": "Invalid Token",
    "help": "Auth-Token: should have a format like b64encode(application_code;unix_timestamp;token)",
    "description": "{}"
  }
}

Parameter Description
error.type Type of error.
error.help In some cases a useful help for the developers.
error.description A description of the error.

Payment Method Types

These are the meanings of the different payment method types.

Payment Method Type Code Meaning
0 Credit Card
1 Boleto (Bank Ticket)
5 Vouchers Card
7 Debit Card
8 Prepaid Card