Integrating Silent Order Post
The operation of SilentOrderPost occurs in four stages:
- Merchant authentication through the creation of the OAuth2
access_tokenfor access to the Silent Order Post API; - Creation of the SOP
AccessTokenin the Silent Order Post API to integrate the script; - Execution of the script;
- Sending the transaction authorization request to API Cielo E-commerce informing the
PaymentToken.
1. Obtaining the OAuth2 AccessToken
When the buyer accesses the checkout, the store must generate the access_token from the authentication API (OAuth2). If successful, the API will return an access_token that should be used in the next authentication layer of the tool.
To obtain the access_token in the OAuth 2.0 standard, send a request using the HTTP POST VERB to the following URL, formed by the "environment base URL + endpoint", in the server-to-server model:
| Environment | Base URL + endpoint | Authorization |
|---|---|---|
| SANDBOX | https://authsandbox.braspag.com.br/oauth2/token | "Basic {base64}" |
| PRODUCTION | https://auth.braspag.com.br/oauth2/token | "Basic {base64}" |
Note: The value "{base64}" for "Basic" authorization must be obtained as follows:
- Concatenate the
ClientIdandClientSecret(ClientId:ClientSecret). - Encode the result of the concatenation in base64.
- Make a request to the authentication server using the generated alphanumeric code.
To obtain your store's
ClientIdandClientSecretcredentials for use in the sandbox and production environments request the Silent Order Post credential.
Request
--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded"
--data-binary "grant_type=client_credentials"
| Parameters | Format | Sending |
|---|---|---|
Authorization | "Basic {base64}" | Send in header. |
Content-Type | "application/x-www-form-urlencoded" | Send in header. |
grant_type | "client_credentials" | Send in body. |
Response
{
"access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
"token_type": "bearer",
"expires_in": 599
}
| Response Properties | Description |
|---|---|
access_token | The requested authentication token. It will be used in the step of obtaining the SOP AccessToken. |
token_type | Indicates the type of token. |
expires_in | Expiration of the access token, in seconds. When the token expires, a new one must be obtained. |
2. Obtaining the SOP AccessToken
Create the Silent Order Post (SOP) AccessToken by sending a POST request. Provide the OAuth2 access_token obtained in the previous step as the Bearer in the request header.
The SOP
AccessTokenwill be provided in the script in step 3.
| Environment | Base URL + endpoint |
|---|---|
| Sandbox | https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken |
| Production | https://transaction.pagador.com.br/post/api/public/v2/accesstoken |
Request
--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose
| Property | Description | Type | Size | Mandatory? |
|---|---|---|---|---|
MerchantId | Store identifier in API Cielo E-commerce | GUID | 36 | Yes |
Authorization | Bearer [OAuth2 AccessToken] | text | 36 | Yes |
Response
As a response, the store will receive a JSON ("HTTP 201 Created") containing, among other information, the SOP AccessToken.
{
"MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
"Issued": "2023-08-05T08:50:04",
"ExpiresIn": "2023-08-05T09:10:04"
}
| Property | Description | Type | Size | Format |
|---|---|---|---|---|
MerchantId | Store identifier in the Payment Gateway | GUID | 36 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
AccessToken | Silent Order Post access token (AccessToken SOP). For security reasons, this token will allow the establishment to save only one card within a stipulated period in the response, through the ExpiresIn attribute (by default, 20 minutes). Whichever occurs first will invalidate this token to prevent future use. | text | -- | NjBhMjY1ODktNDk3YS00NGJkLWI5YTQtYmNmNTYxYzhlNjdiLTQwMzgxMjAzMQ== |
Issued | Date and time of AccessToken generation. | text | -- | YYYY-MM-DDTHH:MM:SS |
ExpiresIn | Date and time of AccessToken expiration. | text | -- | YYYY-MM-DDTHH:MM:SS |
3. Implementing the script
Mapping classes
Download the Silent Order Post script and insert the script in JavaScript format on your checkout page. This script will allow our system to process all card information without store intervention.
Parameterize the form elements with the following classes:
| Property | Class Name | Mandatory? |
|---|---|---|
| Credit/debit cardholder name | bp-sop-cardholdername | Yes |
| Credit/debit card number | bp-sop-cardnumber | Yes |
| Credit/debit card expiration date | bp-sop-cardexpirationdate | Yes |
| Credit/debit card security code | bp-sop-cardcvvc | Yes |
| Card type to be verified ("debitCard" or "creditCard"). | bp-sop-cardtype | No* |
*If the bp-sop-cardtype class is not provided, the script will assume that the card used in the purchase is a credit card.
Defining parameters
Script parameters
The script parameters must be inserted in the HTML of the checkout page to reference the script.
| Property | Description |
|---|---|
accessToken | Silent Order Post access token (AccessToken SOP). |
environment | Environment type: "sandbox" for testing / "production" for production. |
language | Language: "pt" for Portuguese/ "en" for English/ "es" for Spanish. |
enableTokenize | "true" (saves the card directly in the Protected Card, returning a CardToken instead of a PaymentToken) / "false" (otherwise).* |
cvvRequired | "false" (disables the requirement to send the CVV) / "true" (otherwise). The store needs authorization from the acquirer to transact without the CVV. |
cardType | Use "creditCard" or "debitCard" to force card type verification. Important for validating multiple cards. If nothing is sent, the issuer will consider only the "Credit" type. |
* The corresponding service needs to be enabled.
To enable card tokenization, please contact Customer Service.
Using Silent Order Post with Card tokenization
Card tokenization is the encrypted card storage service. You can use Silent Order Post to transmit card data and Protected Card to securely and encryptedly store the card, which is PCI DSS certified.Learn more at Card tokenization
Script Returns
The script will return a JSON with the PaymentToken (tokenized card that should be sent in the authorization) and card information.
Example of script return JSON
{
"PaymentToken": "366f8470-54d0-43cb-95f5-c80a502afc27",
}
Script return properties
| Property | Description | Condition |
|---|---|---|
PaymentToken* | Ephemeral token used for payment in the format of a GUID (36). It lasts for 20 minutes and can be used only once. It is the value that should be sent in the authorization request. | *** |
CardToken | Permanent token used for payment in the format of a GUID (36). | When enableTokenize is "true". |
_In Script Parameters, if enableTokenize is _true*, the script will return the CardToken instead of the PaymentToken. Learn more about CardToken in the Protected Card manual.
Implementing events
The provided script offers the following three events for store handling and processing:
| Event | Description |
|---|---|
| onSuccess | Event in case of success. Returns the PaymentToken and also the card data, if card verification was requested. For security reasons, this PaymentToken can be used for a single authorization. After processing, it will be invalidated. |
| onError | Event in case of error. Returns the error code and description. |
| onInvalid | Event in case of incorrect data provision. Returns details of fields with errors. The messages returned in the validation result are available in the following languages: Portuguese (default), English, and Spanish. |
Characteristics of the
PaymentToken:
For security reasons, thePaymentTokencan be used for a single authorization and/or within the period of 20 minutes. After processing, thePaymentTokenwill be invalidated.
4. Authorizing with PaymentToken
After obtaining the PaymentToken through the script, execute the authorization process, sending the PaymentToken instead of card data.
To submit a credit transaction, send the
Payment.CreditCard.PaymentTokenparameter instead ofPayment.CreditCard. Learn more in the API Cielo E-commerce manual;
To submit a debit transaction, send thePayment.DebitCard.PaymentTokenparameter instead ofPayment.DebitCard. Learn more in the API Cielo E-commerce manual .
See the example below, describing the sending of authentication data for the authorization request to API Cielo E-commerce.
Request
{
"MerchantOrderId":"2017051002",
"Customer":
{
(...)
},
"Payment":
{
(...)
"CreditCard":{
"PaymentToken":"eedcb896-40e1-465b-b34c-6d1119dbb6cf"
}
}
}
| Field | Description | Type/Size | Mandatory? |
|---|---|---|---|
Payment.CreditCard.PaymentToken | Provides the PaymentToken generated through the script. This information replaces the card data. Replace with DebitCard if using a debit card. | GUID / 36 | Yes |
Response
Refer to the API Cielo E-commerce manual for examples of authorization request responses.
Integration Example
We share a practical example on our GitHub of how you should map the classes and integrate Silent Order Post into your checkout.
Updated 9 days ago