Alipay, China's leading third-party online payment solutionAlipay, China's leading third-party online payment solution

Auto Debit (WAP)

This article introduces the integration solution to support automatic deduction from a mobile browser. After integration, you can access various payment methods like digital wallets, bank cards, and bank transfers.

User experience

The buyer is redirected from the merchant page in the mobile browser to a wallet page in the same browser.

登录授权WAP.webp

Payment flow

After obtaining the buyer's authorization, you can directly initiate the Auto Debit service without the need to go through the authorization process again for each payment.

Before conducting an automatic deduction, you need to obtain the buyer's authorization first. After the authorization is successfully obtained, obtain a payment token using an authorization code. The payment token is used to perform subsequent Auto Debit.

image.png

Integration steps

You need to obtain the buyer's authorization before conducting an Auto Debit. Upon successful authorization, obtain an authorization code to request a payment token for subsequent Auto Debit. You can obtain the buyer's authorization and conduct an Auto Debit by completing the following integration steps:

  1. Get and redirect to the authorization URL
  2. Obtain the authorization result
  3. Apply for a payment token
  4. Initiate an Auto Debit
  5. Obtain the payment results

Step 1:Get and redirect to the authorization URL Server side

You need to get the authorization URL first and redirect buyers to the authorization URL to complete authorizations.

Get the authorization URL

Antom provides server-side API libraries for multiple languages. The following codes use Java as an example. You need to install Java 6 or higher.

Install an API library

You can find the latest version on GitHub.

copy
<dependency>
    <groupId>com.alipay.global.sdk</groupId>
    <artifactId>global-open-sdk-java</artifactId>
    <version>2.0.44</version>
</dependency>

Initialize the request instance

copy
import com.alipay.global.api.AlipayClient;
import com.alipay.global.api.DefaultAlipayClient;
import com.alipay.global.api.model.constants.EndPointConstants;

public class Sample {
    public static final String        CLIENT_ID            = "";
    public static final String        ANTOM_PUBLIC_KEY     = "";
    public static final String        MERCHANT_PRIVATE_KEY = "";

    private final static AlipayClient CLIENT               = new DefaultAlipayClient(
            EndPointConstants.SG, MERCHANT_PRIVATE_KEY, ANTOM_PUBLIC_KEY, CLIENT_ID);

}

Call the consult API

The following parameters are included in the consult request.

Parameter name

Is required?

Description

authRedirectUrl

Yes

The URL used to redirect buyers to the merchant page after the authorization is completed.

authState

Yes

A string specified by you to identify an authorization request.

customerBelongsTo

Yes

Specify the target payment method for which you are requesting authorization.

scopes

Yes

Fixed value is AGREEMENT_PAY.

terminalType

Yes

Indicates the terminal type where the merchant terminal is located.

The following sample code is used for calling the consult API to get the authorization URL:

copy
public static void authorizationConsult() {
    AlipayAuthConsultRequest alipayAuthConsultRequest = new AlipayAuthConsultRequest();

    // replace with your authState
    String authState = UUID.randomUUID().toString();
    alipayAuthConsultRequest.setAuthState(authState);

    // set the target payment method for which you are requesting authorization
    alipayAuthConsultRequest.setCustomerBelongsTo(CustomerBelongsTo.GCASH);

    // set the authorization scope
    alipayAuthConsultRequest.setScopes(new ScopeType[]{ScopeType.AGREEMENT_PAY});

    // set terminalType
    alipayAuthConsultRequest.setTerminalType(TerminalType.WAP);
    alipayAuthConsultRequest.setOsType(OsType.ANDROID);

    // replace with your authRedirectUrl
    alipayAuthConsultRequest.setAuthRedirectUrl("http://www.yourRedirectUrl.com");

    // do authorization consult
    AlipayAuthConsultResponse alipayAuthConsultResponse;
    try {
        alipayAuthConsultResponse = CLIENT.execute(alipayAuthConsultRequest);
    } catch (AlipayApiException e) {
        String errorMsg = e.getMessage();
        // handle error condition
    }
}

The following code shows a sample of the request message:

copy
{
    "authRedirectUrl": "http://www.yourRedirectUrl.com",
    "authState": "b2983991-9ab6-4bad-8cc8-092581c39950",
    "customerBelongsTo": "GCASH",
    "osType": "ANDROID",
    "scopes": [
        "AGREEMENT_PAY"
    ],
    "terminalType": "WAP"
}

Receive a consult response

The normalUrl parameter is returned. You need to redirect your buyer to the address specified by the normalUrl parameter.

copy
{
    "appIdentifier": "com.iap.linker_portal",
    "normalUrl": "https://ac.alipay.com/page/sandbox/common-auth-pMiddle.html?acqSiteId=102XXX",
    "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "success.",
        "resultStatus": "S"
    }
}

Common questions

Q: How to set terminalType?

A: The valid values of terminalType are:

  • If the buyer initiates a transaction from PC, the terminalType needs to be specified as WEB.
  • If the buyer initiates a transaction from the mobile browser, the terminalType needs to be specified as WAP. Add the osType parameter and fill in the corresponding system parameters ANDROID or IOS according to the buyer's mobile phone.
  • If the buyer initiates a transaction from app, the terminalType needs to be specified as APP.

Q: Can I use Chinese characters in the value of the request parameters?

A: To avoid incompatibility of a certain payment method, do not use Chinese characters for fields in the request.

Q: How to set the URL to receive the payment notification?

A: Antom sends you the payment result via notifyPayment. You can provide the address to receive the notification in Antom Dashboard.

Q: What should I do after getting the returned normalUrl?

A: For transactions that occur in the desktop browser, Antom returns the normalUrl parameter in the consult response. Your server needs to pass this URL to your client for redirection. It is recommended not to cache the returned normalUrl. When the authorization is initiated again, you need to obtain a new normalUrl for redirection.

Redirect to the authorization URL

After your server gets normalUrl, pass the URL to your client side. Your front-end page performs the action of redirecting the buyer to the address specified by normalUrl. The authorization process can lead to success or failure, with different redirections in each case:

  • Authorization success: Redirect your buyer back to the merchant page. The page address is a reconstructed URL composed of authRedirectUrlauthCode, and authState values.
  • Authorization failure:
    • If the buyer exits the authorization page, some payment methods allow buyers to be redirected to the merchant page. The address of the merchant page is specified by the value of authRedirectUrl.
    • If the buyer fails to be redirected to the merchant page from the payment method application due to authorization timeout or failure, we recommend that you guide the buyer to reinitiate the authorization process. Usually, if the buyer fails to be redirected to the merchant page from the payment method application after 15 minutes, the authorization fails.

Since the authorization URL can only be used once, if the user authorization fails, you need to call the consult API with a new authState value.

Step 2: Obtain the authorization result Server side

After the buyer completes the authorization, you can obtain the authorization code (authCode) in one of the following ways:

  • Obtain the authorization code from the reconstructed URL returned by the payment method.
  • Obtain the authorization code from the asynchronous authorization notification sent by Antom.

Obtain authCode from reconstructed URL

After the buyer's authorization process is completed, the buyer is to be redirected to the reconstructed URL returned by the payment method. This URL consists of three parts:

  • The value of the authRedirectUrl parameter that you specified in the consult API.
  • The authCode returned by the payment method.
  • The value of the authState parameter that you specified in the consult API.

The following sample shows a reconstructed URL:

copy
https://www.alipay.com/?authCode=d2f60253-ecdc-e9bc-27d1-566970191040&authState=663A8FA9-D836-48EE-8AA1-1FF682989DC7

You can obtain the authCode value from the reconstructed URL. However, before using the authCode value, it is necessary to check whether the value of authState in the reconstructed URL is consistent with the value of the authState parameter you specified in the consult API. If they are inconsistent, authCode in the reconstructed URL cannot be used because the reconstructed URL is not reliable due to possible malicious events such as attacks during the redirection process.

Obtain authCode from authorization notification

Due to network issues or other reasons, you might not be able to obtain the reconstructed URL. Instead, you can obtain the authorization code (authCode) from the authorization notification sent by Antom in the following steps:.

  1. Configure the address for receiving the asynchronous authorization notifications. For more details, see Notifications.
  2. After the buyer agrees to authorize, you will receive an authorization success notification sent by Antom.
  3. After receiving the asynchronous notification, you need to send a response to Antom with a format presented in the Requirements topic. Otherwise, Antom will resend the asynchronous notification.

Note: You can get authCode from either the reconstructed URL or the authorization notification. In case you have received multiple authCodes, utilize the first one that arrives and refrain from reusing the same authCode value when applying for payment tokens.

The following is an notification request sample:

copy
{
    "authorizationNotifyType": "AUTHCODE_CREATED",
    "authState": "556c1e32-3723-4b02-88ed-8c46087540ca",
    "authCode": "28100113_1631148338197000019ba74",
    "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "success",
        "resultStatus": "S"
    }
}

How to verify the signature of the notification and make a response to the notification, see Sign a request and verify the signature.

Common questions

Q: When will the notification be sent?

A: After the buyer's authorization is completed, Antom sends an asynchronous notification to you.

Q: Will the asynchronous notification be re-sent?

A: Yes, the asynchronous notification will be re-sent automatically within 24 hours for the following cases:

  • If you didn't receive the asynchronous notification due to network reasons.
  • If you receive an asynchronous notification from Antom, but you didn't make a response to the notification in the Sample code format.

The notification can be resent up to 8 times or until a correct response is received to terminate delivery. The sending intervals are as follows: 0 minutes, 2 minutes, 10 minutes, 10 minutes, 1 hour, 2 hours, 6 hours, and 15 hours.

Q: When responding to asynchronous notification, do I need to add a digital signature?

A: If you receive an asynchronous notification from Antom, you are required to return the response in the Sample code format, but you do not need to countersign the response.

Q: What are the key parameters in the notification that I need to use?

A: Pay attention to the following key parameters:

  • authorizationNotifyType: Indicates the notification type. In this case, the value is AUTHCODE_CREATED.
  • authState: The request ID you provided when calling the consult API.
  • authCode: The authorization code generated after the user completes authorization. Use this authorization code to request for a payment token.

Step 3: Apply for a payment token Server side

After obtaining the authorization code (authCode), call the applyToken API to obtain a payment token (accessToken).

Call the applyToken API within one minute after obtaining the authorization code (authCode) to apply for the payment token (accessToken), otherwise the authorization code (authCode) will expire and become invalid. Only with the payment token (accessToken) can an automatic deduction from the buyer's account be implemented.

When calling the applyToken API, specify the following parameters correctly in the request:

Parameter name

Is required?

Description

grantType

Yes

Pass in the fixed value AUTHORIZATION_CODE.

customerBelongsTo

Yes

Specify the target payment method for which you are requesting authorization.

authCode

Yes

Pass in the value od authcode that you obtained.

The following code is a sample of applying for the payment token:

copy
public static void applyToken() {
    String authCode = "yourAuthCode";
    AlipayAuthApplyTokenRequest alipayPayRequest = new AlipayAuthApplyTokenRequest();

    // set grant type
    alipayPayRequest.setGrantType(GrantType.AUTHORIZATION_CODE);
    // set the target payment method for which you are requesting authorization
    alipayPayRequest.setCustomerBelongsTo(CustomerBelongsTo.GCASH);
    // set auth code
    alipayPayRequest.setAuthCode(authCode);

    // do apply token
    AlipayAuthApplyTokenResponse authApplyTokenResponse;
    try {
        authApplyTokenResponse = CLIENT.execute(alipayPayRequest);
    } catch (AlipayApiException e) {
        String errorMsg = e.getMessage();
        // handle error condition
    }
}

The following sample is a request message for applying for the payment token:

copy
{
  "authCode": "663A8FA9D83648EE8AA11FF68298XXXX",
  "customerBelongsTo": "GCASH",
  "grantType": "AUTHORIZATION_CODE"
}

In the response, you will receive the following key parameter:

  • accessToken: the payment token.

Notes:

  • Due to historical reasons, the key parameter above is applicable to new merchants in Antom. Refer to the table below for more information on token expiration time. If you have previously utilized the accessTokenExpiryTime, refreshToken, and refreshTokenExpiryTime fields, you may continue using your original logic.
  • If no response is received after calling the API, it is recommended that you use the same parameters and parameter values to initiate the request again.
  • If you can receive a response after calling the API, but the payment token (accessToken) is not returned in the response, the recommended handling method is as follows:
    • If result.resultStatus value is U, use the same parameters and parameter values to initiate the request again.
    • If the value of result.resultStatus is Faddress the associated issues based on the prompts provided by result.resultCode. If you need to call the applyToken API again to obtain a payment token, since the authCode can only be used once, you need to start over again from Step 1 to get the authorization URL, redirect to the authorization URL, get a new authCode, and then call the applyToken API again.
  • If you need to display the authorized account to the buyer, use the value of userLoginId returned in the applyToken API. The returned value of this field has been desensitized and can be displayed directly.

Regarding the payment methods supported by Auto Debit, the validity period of the payment token is shown in the following table:

Payment method

Validity period of token

Alipay

92 years

Kakao Pay

100 years

AlipayHK

100 years

GCash

100 years

DANA

100 years

Touch'n Go eWallet

100 years

TrueMoney

100 years

PayPay

100 years

NAVER Pay

2 years

Boost

100 years

KrungThai Bank

76 years

Siam Commercial Bank

76 years

Grabpay SG

10 years

Grabpay MY/PH

10 years

K PLUS

100 years

Maya

100 years

LINE Pay

100 years

Toss Pay

14 years

ZaloPay

10 years

Step 4: Initiate an auto debit Server side

Once you have obtained the buyer's authorization, you can offer the Auto Debit service directly to buyers without requiring them to undergo the authorization process for each payment.

Specify the following parameters when initiating an auto debit:

Parameter name

Is required?

Description

productCode

Yes

In this scenario, this field is fixed to AGREEMENT_PAYMENT.

paymentRequestId

Yes

A unique ID generated by the merchant. For each payment is initiated, a new ID must be created.

paymentAmount

Yes

The payment amount needs to be set in the smallest unit of the single currency, such as CNY for cents and KRW for yuan.

paymentMethod

Yes

Payment method enumeration value

paymentMethod.paymentMethodId

Yes

The value of the payment token (accessToken) obtained by calling the the applyToken API

paymentRedirectUrl

Yes

The merchant-side payment result page needs to be displayed based on the server-side results, and is not fixed to the success page.

paymentNotifyUrl

No

The payment result notification address can be transmitted through the API, or a fixed value can be set in the portal.

settlementStrategy

No

The settlement currency of this payment. If the business has signed multiple settlement currencies, it needs to be specified in the API.

order

Yes

Order information, including merchant order amount, order id, order description and other information

env

Yes

The terminal type from where the buyer initiates the transaction. For example, the transaction is initiated from the merchant PC website, the value is env.terminalType = WEB

The parameters listed above are not comprehensive. See the pay API for a complete list of parameters and any additional requirements for specific payment methods.

The following sample code shows how to initiate an auto debit:

copy
public static void pay() {
    AlipayPayRequest alipayPayRequest = new AlipayPayRequest();
    alipayPayRequest.setProductCode(ProductCodeType.AGREEMENT_PAYMENT);

    // replace with your paymentRequestId
    String paymentRequestId = UUID.randomUUID().toString();
    alipayPayRequest.setPaymentRequestId(paymentRequestId);

    // set amount
    // you should convert amount unit(in practice, amount should be calculated on your serverside)
    Amount amount = Amount.builder().currency("SGD").value("550000").build();
    alipayPayRequest.setPaymentAmount(amount);

    // set paymentMethod
    PaymentMethod paymentMethod = PaymentMethod.builder().paymentMethodType("GCASH").
            paymentMethodId("2828XXX77801726307481000Iba1Pm20IU171000179").build();
    alipayPayRequest.setPaymentMethod(paymentMethod);

    // set buyer info
    Buyer buyer = Buyer.builder().referenceBuyerId("yourBuyerId").build();

    // replace with your orderId
    String orderId = UUID.randomUUID().toString();
    // set order Info
    Order order = Order.builder().referenceOrderId(orderId).
            orderDescription("antom api testing order").orderAmount(amount).buyer(buyer).build();
    alipayPayRequest.setOrder(order);

    // set env info
    Env env = Env.builder().terminalType(TerminalType.WAP).osType(OsType.ANDROID).clientIp("114.121.121.01").build();
    alipayPayRequest.setEnv(env);

    // replace with your notify url
    alipayPayRequest.setPaymentNotifyUrl("http://www.yourNotifyUrl.com");

    AlipayPayResponse alipayPayResponse;
    try {
        alipayPayResponse = CLIENT.execute(alipayPayRequest);
    } catch (AlipayApiException e) {
        String errorMsg = e.getMessage();
        // handle error condition
    }
}

The following code shows a sample of the request message:

copy
{
    "env": {
        "clientIp": "114.121.121.01",
        "osType": "ANDROID",
        "terminalType": "WAP"
    },
    "order": {
        "buyer": {
            "referenceBuyerId": "yourBuyerId"
        },
        "orderAmount": {
            "currency": "SGD",
            "value": "550000"
        },
        "orderDescription": "antom api testing order",
        "referenceOrderId": "63fbe4c6-2253-461b-a561-87946d270169"
    },
    "paymentAmount": {
        "currency": "SGD",
        "value": "550000"
    },
    "paymentMethod": {
        "paymentMethodId": "2828XXX77801726307481000Iba1Pm20IU171000179",
        "paymentMethodType": "GCASH"
    },
    "paymentNotifyUrl": "http://www.yourNotifyUrl.com",
    "paymentRequestId": "0fdf99eb-4975-455a-92ec-e519d9c7bd53",
    "productCode": "AGREEMENT_PAYMENT"
}

Common questions

Q: How to set terminalType?

A: The valid values of terminalType are:

  • If the buyer initiates a transaction from PC, the terminalType needs to be specified as WEB.
  • If the buyer initiates a transaction from the mobile browser, the terminalType needs to be specified as WAP. Add the osType parameter and fill in the corresponding system parameters ANDROID or IOS according to the buyer's mobile phone.
  • If the buyer initiates a transaction from app, the terminalType needs to be specified as APP.

Q: Can I use Chinese characters in the value of the request parameters?

A: To avoid incompatibility of a certain payment method, do not use Chinese characters for fields in the request.

Q: How to set the URL to receive the payment notification?

A: Specify paymentNotifyUrl in the createPaymentSession API to receive the asynchronous notification about the payment result (notifyPayment), or configure the receiving URL in Antom Dashboard. If the URL is specified in both the request and Antom Dashboard, the value specified in the request takes precedence.

Step 5: Obtain the payment results

When the buyer completes the payment or the payment times out, you can get the corresponding payment result from the Antom asynchronous notification or by inquiring the payment result actively.

Receive the asynchronous notification

When a payment is completed or fails, Antom sends an asynchronous notification (notifyPayment) to the address that you specified in the pay API via the paymentNotifyUrl parameter. If the address of each payment is the same, you can also configure the address in Antom Dashboard.

The following is the notification request sample code:

copy
{
    "actualPaymentAmount": {
        "currency": "SGD",
        "value": "550000"
    },
    "notifyType": "PAYMENT_RESULT",
    "paymentAmount": {
        "currency": "SGD",
        "value": "550000"
    },
    "paymentCreateTime": "2024-09-14T02:59:28-07:00",
    "paymentId": "202409141940108001001888H0209958443",
    "paymentRequestId": "214c60e7-672d-4ad8-9163-905ad4abe71f",
    "paymentResultInfo": {},
    "paymentTime": "2024-09-14T02:59:30-07:00",
    "pspCustomerInfo": {
        "pspCustomerId": "use***@alipay.com",
        "pspName": "GCASH"
    },
    "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "success.",
        "resultStatus": "S"
    }
}

How to verify the signature of the notification and make a response to the notification, see Sign a request and verify the signature.

The following is the notification response sample code:

copy
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  }
}

Common questions

Q: When will the notification be sent?

A: It depends on whether the payment is completed:

  • If the payment is successfully completed, Antom will usually send you an asynchronous notification within 3 to 5 seconds. For some payment methods like OTC, the notification might take a bit longer.
  • If the payment is not completed, Antom needs to close the order first before sending an asynchronous notification. The time it takes for different payment methods to close the order varies, usually defaulting to 14 minutes.

Q: Will the asynchronous notification be re-sent?

A: Yes, the asynchronous notification will be re-sent automatically within 24 hours for the following cases:

  • If you didn't receive the asynchronous notification due to network reasons.
  • If you receive an asynchronous notification from Antom, but you didn't make a response to the notification in the Sample code format.

The notification can be resent up to 8 times or until a correct response is received to terminate delivery. The sending intervals are as follows: 0 minutes, 2 minutes, 10 minutes, 10 minutes, 1 hour, 2 hours, 6 hours, and 15 hours.

Q: When responding to asynchronous notification, do I need to add a digital signature?

A: If you receive an asynchronous notification from Antom, you are required to return the response in the Sample code format, but you do not need to countersign the response.

Q: What are the key parameters in the notification that I need to use?

A: Pay attention to the following key parameters:

  • result: indicates the payment result of the order.
  • paymentRequestId: indicates the payment request number you generated for consult, cancel, and reconciliation.
  • paymentId: indicates the payment order number generated by Antom, used for refund and reconciliation.
  • paymentAmount: indicates the payment amount.

Inquire about the payment result

Initiating a query request will involve the following parameters

Parameter name

Is required?

Description

paymentRequestId

Yes

The payment request ID generated by the merchant.

The following is the sample code:

copy
public static void inquiryPayment() {
    AlipayPayQueryRequest alipayPayQueryRequest = new AlipayPayQueryRequest();

    // replace with your paymentRequestId
    alipayPayQueryRequest.setPaymentRequestId("yourPaymentRequestId");

    AlipayPayQueryResponse alipayPayQueryResponse = null;
    try {
        alipayPayQueryResponse = CLIENT.execute(alipayPayQueryRequest);
    } catch (AlipayApiException e) {
        String errorMsg = e.getMessage();
        // handle error condition
    }
}

The following is the response code:

copy
{
    "actualPaymentAmount": {
        "currency": "SGD",
        "value": "550000"
    },
    "paymentAmount": {
        "currency": "SGD",
        "value": "550000"
    },
    "paymentId": "202409141940108001001888H0209958443",
    "paymentRequestId": "214c60e7-672d-4ad8-9163-905ad4abe71f",
    "paymentResultCode": "SUCCESS",
    "paymentResultMessage": "success",
    "paymentStatus": "SUCCESS",
    "paymentTime": "2024-09-14T02:59:30-07:00",
    "pspCustomerInfo": {
        "pspName": "GCASH"
    },
    "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "success.",
        "resultStatus": "S"
    }
}

Common questions

Q: How often should I call the inquiryPayment API?

A: Call the inquiryPayment API constantly with an interval of 2 seconds until the final payment result is obtained or an asynchronous payment result notification is received.

Q: What are the key parameters in the notification that I need to use?

A: Pay attention to these key parameters:

  • result: represents the result of this inquiryPayment API call, the result of the order needs to be judged according to paymentStatus:
    • SUCCESS and FAIL represent the final result;
    • PROCESSING represents the processing.
  • paymentAmount: indicates the payment amount.

Best practice

Follow these best practices to improve integration efficiency.

Configure the authorization URL

In the wap scenario, different payment methods in the response of the consult API may return some or all of the following three URLs:

  • normalUrl
  • applinkUrl
  • schemeUrl

Choose a URL

If the consult API response only contains one of the three URLs, use the received URL directly as the redirection link. If you receive multiple URLs, we recommend that you choose the URL based on the following instructions:

  • For iOS system: Prioritize using applinkUrl,then schemeUrl, and finally normalUrl.
  • For Android system: Prioritize using schemeUrl, then applinkUrl, and finally normalUrl.

Open the URL

To open the URL using JavaScrip's redirection method, use the following code:

copy
window.location.href = URL;