Integrating Silent Order Post

1. Getting Access Token OAuth2

When the shopper accesses the checkout, the merchant must generate the AccessToken from Cielo Authentication API (oAuth). On success, the API will return an AccessToken that must be populated in the script to load on the page.

To request AccessToken, send a request (POST) to the following endpoint in the server-to-server template:

Environmentbase URL + endpointAuthorization
SANDBOXhttps://authsandbox.braspag.com.br/oauth2/token"Basic {base64}"
PRODUCTIONhttps://auth.braspag.com.br/oauth2/token"Basic {base64}"

How to obtain the Base64 value:

  1. Concatenate "ClientId" and "ClientSecret" (ClientId:ClientSecret).
  2. Code the result in base64.
  3. Send a request to the authorization server with the alphanumeric code you just created.

To request your "ClientID" and "ClientSecret", please contact our Support

  • MerchantId;
  • Describe that you need the credentials "ClientID" e o "ClientSecret" to use Silent Order Post.

Request

POST oauth2/token
--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded" 
--data-binary "grant_type=client_credentials"
ParametersFormatWhere to send
Authorization"Basic {base64}"Header.
Content-Type"application/x-www-form-urlencoded"Header.
grant_type"client_credentials"Body.

Response

{
  "access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
  "token_type": "bearer",
  "expires_in": 599
}
{
  "access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
  "token_type": "bearer",
  "expires_in": 599
}
PropertiesDescription
access_tokenThe requested authentication token, that will be used in the next step.
token_typeIndicates the token type value.
expires_inAccess Token expiration, in seconds. When the token expires, you must request a new one.

2. Getting the SOP AccessToken

After obtaining AccessToken OAuth2, you should send a new request (POST) to the following URL:

Environmentbase URL + endpoint
Sandboxhttps://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken
Productionhttps://transaction.pagador.com.br/post/api/public/v2/accesstoken

Request

--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose
PropertiesDescriptionTypeSizeRequired?
MerchantIdMerchant identifier at Gateway de Pagamento.GUID36Yes
AuthorizationBearer [AccessToken OAuth2]Text36Yes

Response

As a response, you will receive a JSON ("HTTP 201 Created") with the SOP AccessToken and some other data.

{
    "MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
    "Issued": "2021-05-05T08:50:04",
    "ExpiresIn": "2021-05-05T09:10:04"
}
--header "Content-Type: application/json"
--header "RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
--data-binary
{
    "MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
    "Issued": "2021-05-05T08:50:04",
    "ExpiresIn": "2021-05-05T09:10:04"
}
PropertiesDescriptionTypeSizeFormat
MerchantIdMerchant identifier at Pagador.Guid36xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AccessTokenAccessToken SOP. For safety reasons, this token will allow the merchant to save only one card within the deadline determined in the response, through the attribute Expires In. The default is 20 minutes. Whatever happens first will invalidate the token to prevent it from being used again.Texto--NjBhMjY1ODktNDk3YS00NGJkLWI5YTQtYmNmNTYxYzhlNjdiLTQwMzgxMjAzMQ==
IssuedToken creation date and hour.Texto--AAAA-MM-DDTHH:MM:SS
ExpiresInToken expiration date and hour.Texto--AAAA-MM-DDTHH:MM:SS

3. Implementing the script

Mapping Classes

The merchant must download the script provided by Cielo, and attach it to their checkout page. This script will allow Braspag to process all card information without merchant intervention.

ℹ️

Download the Silent Order Post script at https://www.pagador.com.br/post/scripts/silentorderpost-1.0.min.js

The Merchant must parameterize the form elements with the following classes:

PropertyClass Name
Credit/Debit Cardholder Namebp-sop-cardholdername
Credit/Debit Card Numberbp-sop-cardnumber
Credit/Debit Card Expiration Datebp-sop-cardexpirationdate
Credit/Debit Card Security Codebp-sop-cardcvvc

Setting Parameters

SCRIPT PARAMETERS

PropertyDescription
accessTokenAccess Token obtained via Braspag Authentication API
environmentsandbox or production
languagePT or EN or ES
enableBinQuerytrue if you want to enable BIN Query (returns card characteristics). false otherwise.
enableVerifyCardtrue if you want to enable ZeroAuth (returns if the card is valid or not). false otherwise.
enableTokenizetrue if you want to save the card directly on your vault in the Cartão Protegido (retorn a 'cardToken' instead of a 'paymentToken'). false otherwise.
cvvRequired"false" (unables CVV as required) / "true" (CVV is required).

SCRIPT RESPONSE

PropertyDescription
PaymentTokenPayment Token in the Format of a GUID (36)
CardTokenPermanent token to be used on a payment request on a GUID format (36) Obs.: Only works if 'enableTokenize' is true
brandReturned when enableBinQuery option is true. Card Brand Name (Visa, Master, Bond, Amex, Diners, JCB, Hipercard)
forerignCardReturned when enableBinQuery option is true. The field returns true if it is a card issued outside Brazil. false otherwise
binQueryReturnCodeReturned when enableBinQuery option is true. "00" if BIN parsing is successful.
binQueryReturnMessageReturned when enableBinQuery option is true. E.g. “Authorized Transaction” if BIN analysis succeeds
VerifyCardStatusReturned when enableVerifyCard option is true. Invalid Card 0; 1-Valid Card; 99-Unknown Situation
VerifyCardReturnCodeReturned when enableVerifyCard option is true. Zero Auth query code returned by the provider.
BinQueryReturnMessageReturned when enableBinQuery option is true. This is the same code returned by the provider during a standard authorization. E.g.: Cielo30 provider code "00" means validation success
BinQueryReturnMessageReturned when enableBinQuery option is true. E.g. “Authorized Transaction”
CardBinReturned when enableBinQuery option is true. E.g. “455187”
CardLast4DigitsReturned when enableBinQuery option is true. E.g. “0181”
IssuerReturns the card issuer.Returned when enableBinQuery is "true". Available for Cielo 3.0 only.
IssuerCodeReturns the card issuer code.Returned when enableBinQuery is "true". Available for Cielo 3.0 only.
CardTypeReturns the card type, E.g.: Credit, Debit, Multiple, Voucher etc.Returned when enableBinQuery is "true". Available for Cielo 3.0 only.
VerifyCardReturnCodeIt is the same code returned by the provider during a standard authorization. E.g.: code "00" for provider Cielo30 means succesful validation.Returned when enableBinQuery is "true". Available for Cielo 3.0 only.
VerifyCardReturnMessageE.g.: “Transacao Autorizada”/"Authorized Transaction".Returned when enableBinQuery is "true". Available for Cielo 3.0 only.
VerifyCardStatus"0"- Invalid Card; "1"- Valid Card; "99"- Unknown Situation.Returned when enableBinQuery is "true".

Implementing Events

The script provided by Cielo provides three events for handling and managed by the merchant.

EventDescription
onSuccessEvent on success. PaymentToken will be returned, as well as card details if you have requested to verify the card. For security reasons this PaymentToken may only be used for authorization. After processing it will be invalidated.
onErrorEvent on error. Error code and description will be returned
onInvalidEvent in case of incorrect data supply. Error field details will be returned. Messages returned in the validation result are available in the following languages: Portuguese (default), English and Spanish.

⚠️

For security reasons this PaymentToken may only be used for authorization. After processing it will be invalidated.


4. Authorizing with PaymentToken

After obtaining PaymentToken through the script, the authorization process is performed by sending PaymentToken in place of card data.

See example below, describing the submission of authentication data from the Gateway de Pagamento authorization request.

ℹ️

Please refer to the API Reference for the full request and response examples.

POST /v2/sales

Request

{
   "MerchantOrderId":"2017051002",
   "Customer":
   {
     (...)
   },
   "Payment":
   {
     (...)
     "Card":{
         "PaymentToken":"eedcb896-40e1-465b-b34c-6d1119dbb6cf"
     }
   }
}
curl
--request POST "https://apisandbox.braspag.com.br/v2/sales/"
--header "Content-Type: application/json"
--header "MerchantId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--header "MerchantKey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--data-binary
--verbose
{
   "MerchantOrderId":"2017051002",
   "Customer":
   {
     (...)
   },
   "Payment":
   {
     (...)
     "Card":{
         "PaymentToken":"eedcb896-40e1-465b-b34c-6d1119dbb6cf"
     }
   }
}
FieldDescriptionTypeSizeRequired
Payment.Card.PaymentTokenProvide the PaymentToken generated through the script. This information replaces the card dataGUID36Yes