Integrating Silent Order Post
The operation of SilentOrderPost occurs in four stages:
- Merchant authentication through the creation of the OAuth2
access_tokenfor access to the Silent Order Post API; - Creation of the SOP
AccessTokenin the Silent Order Post API to integrate the script; - Execution of the script;
- Sending the transaction authorization request to Gateway de Pagamento informing the
PaymentToken.
1. Obtaining the OAuth2 AccessToken
When the buyer accesses the checkout, the store must generate the access_token from the authentication API (OAuth2). If successful, the API will return an access_token that should be used in the next authentication layer of the tool.
To obtain the access_token in the OAuth 2.0 standard, send a request using the HTTP POST VERB to the following URL, formed by the "environment base URL + endpoint", in the server-to-server model:
| Environment | Base URL + endpoint | Authorization |
|---|---|---|
| SANDBOX | https://authsandbox.braspag.com.br/oauth2/token | "Basic {base64}" |
| PRODUCTION | https://auth.braspag.com.br/oauth2/token | "Basic {base64}" |
Note: The value "{base64}" for "Basic" authorization must be obtained as follows:
- Concatenate the
ClientIdandClientSecret(ClientId:ClientSecret). - Encode the result of the concatenation in base64.
- Make a request to the authentication server using the generated alphanumeric code.
Ask the support team to create your merchant's
ClientIdandClientSecretfor use in the sandbox and production environments. In the ticket, state that you want to integrate Silent Order Post and provide yourMerchantId.
Request
--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded"
--data-binary "grant_type=client_credentials"
| Parameters | Format | Sending |
|---|---|---|
Authorization | "Basic {base64}" | Send in header. |
Content-Type | "application/x-www-form-urlencoded" | Send in header. |
grant_type | "client_credentials" | Send in body. |
Response
{
"access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
"token_type": "bearer",
"expires_in": 599
}
| Response Properties | Description |
|---|---|
access_token | The requested authentication token. It will be used in the step of obtaining the SOP AccessToken. |
token_type | Indicates the type of token. |
expires_in | Expiration of the access token, in seconds. When the token expires, a new one must be obtained. |
2. Obtaining the SOP AccessToken
Create the Silent Order Post (SOP) AccessToken by sending a POST request. Provide the OAuth2 access_token obtained in the previous step as the Bearer in the request header.
The SOP
AccessTokenwill be provided in the script in step 3.
| Environment | Base URL + endpoint |
|---|---|
| Sandbox | https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken |
| Production | https://transaction.pagador.com.br/post/api/public/v2/accesstoken |
Request
--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose
| Property | Description | Type | Size | Mandatory? |
|---|---|---|---|---|
MerchantId | Store identifier in Gateway de Pagamento | GUID | 36 | Yes |
Authorization | Bearer [OAuth2 AccessToken] | text | 36 | Yes |
Response
As a response, the store will receive a JSON ("HTTP 201 Created") containing, among other information, the SOP AccessToken.
{
"MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
"Issued": "2023-08-05T08:50:04",
"ExpiresIn": "2023-08-05T09:10:04"
}
| Property | Description | Type | Size | Format |
|---|---|---|---|---|
MerchantId | Store identifier in the Payment Gateway | GUID | 36 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
AccessToken | Silent Order Post access token (AccessToken SOP). For security reasons, this token will allow the establishment to save only one card within a stipulated period in the response, through the ExpiresIn attribute (by default, 20 minutes). Whichever occurs first will invalidate this token to prevent future use. | text | -- | NjBhMjY1ODktNDk3YS00NGJkLWI5YTQtYmNmNTYxYzhlNjdiLTQwMzgxMjAzMQ== |
Issued | Date and time of AccessToken generation. | text | -- | YYYY-MM-DDTHH:MM:SS |
ExpiresIn | Date and time of AccessToken expiration. | text | -- | YYYY-MM-DDTHH:MM:SS |
3. Implementing the script
Mapping classes
Download the Silent Order Post script and insert the script in JavaScript format on your checkout page. This script will allow our system to process all card information without store intervention.
Parameterize the form elements with the following classes:
| Property | Class Name | Mandatory? |
|---|---|---|
| Credit/debit cardholder name | bp-sop-cardholdername | Yes |
| Credit/debit card number | bp-sop-cardnumber | Yes |
| Credit/debit card expiration date | bp-sop-cardexpirationdate | Yes |
| Credit/debit card security code | bp-sop-cardcvvc | Yes |
| Card type to be verified ("debitCard" or "creditCard"). | bp-sop-cardtype | No* |
| Control card alias | bp-sop-cardalias | No |
*If the bp-sop-cardtype class is not provided, the script will assume that the card used in the purchase is a credit card.
Defining parameters
Script parameters
The script parameters must be inserted in the HTML of the checkout page to reference the script.
| Property | Description |
|---|---|
accessToken | Silent Order Post access token (AccessToken SOP). |
environment | Environment type: "sandbox" for testing / "production" for production. |
language | Language: "pt" for Portuguese/ "en" for English/ "es" for Spanish. |
enableBinQuery | “true” (enables BIN Query, returning the card's characteristics) / ‘false’ (otherwise). Find out more about BIN Query in the VerifyCard. Note: Only available for Cielo 3.0.* |
enableVerifyCard | “true” (enables ZeroAuth, returning whether the card is valid or not) / ‘false’ (otherwise).* Find out more in the manual VerifyCard |
enableTokenize | "true" (saves the card directly in the Protected Card, returning a CardToken instead of a PaymentToken) / "false" (otherwise).* |
cvvRequired | "false" (disables the requirement to send the CVV) / "true" (otherwise). The store needs authorization from the acquirer to transact without the CVV. |
cardType | Use "creditCard" or "debitCard" to force card type verification. Important for validating multiple cards. If nothing is sent, the issuer will consider only the "Credit" type. |
* The corresponding service needs to be enabled.
To enable Consulta BIN, VerifyCard or the Cartão protegido, please contact Customer Service.
Using Silent Order Post with Cartão protegido (Card vault)
Cartão protegido is the encrypted card storage service. You can use Silent Order Post to transmit card data and Protected Card to securely and encryptedly store the card, which is PCI DSS certified.Learn more at Cartão protegido (Card vault)
Script Returns
The script will return a JSON with the PaymentToken (tokenized card that should be sent in the authorization) and card information.
Example of script return JSON
{
"PaymentToken": "366f8470-54d0-43cb-95f5-c80a502afc27",
"ForeignCard": false,
"BinQueryReturnCode": "00",
"BinQueryReturnMessage": "Analise autorizada",
"Brand": "Visa",
"VerifyCardStatus": 1,
"VerifyCardReturnCode": "00",
"VerifyCardReturnMessage": "Transacao autorizada",
"CardBin": "453202",
"CardLast4Digits": "4044",
"CardType": "Multiple",
"Issuer": "Banco Santander",
"IssuerCode": "033",
"Prepaid": false
}
Script return properties
| Property | Description | Condition |
|---|---|---|
PaymentToken* | Ephemeral token used for payment in the format of a GUID (36). It lasts for 20 minutes and can only be used once. It is the value that must be sent in the authorization request. | *** |
CardToken | Permanent token used for payment in the format of a GUID (36). | When enableTokenize is "true". |
Brand | Name of the card brand (Visa, Master, Elo, Amex, Diners, JCB, Hipercard). | When enableBinQuery is "true". Available only for Cielo 3.0. |
BinQueryReturnCode | "00" if the BIN analysis is successful. | When enableBinQuery is "true". Available only for Cielo 3.0. |
BinQueryReturnMessage | E.g.: "Transaction Authorized" if the BIN analysis is successful. | When enableBinQuery is "true". Available only for Cielo 3.0. |
CardBin | E.g.: "455187". | When enableBinQuery is "true". Available only for Cielo 3.0. |
CardLast4Digits | E.g.: "0181". | When enableBinQuery is "true". Available only for Cielo 3.0. |
ForeignCard | The field returns "true" if it is a card issued outside Brazil. "false" otherwise. | When enableBinQuery is "true". Available only for Cielo 3.0. |
Issuer | The field returns the name of the card issuer. | When enableBinQuery is "true". Available only for Cielo 3.0. |
IssuerCode | The field returns the code of the card issuer. | When enableBinQuery is "true". Available only for Cielo 3.0. |
CardType | Returns the type of card, for example: Credit, Debit, Multiple, Voucher, etc. | When enableBinQuery is "true". Available only for Cielo 3.0. |
VerifyCardReturnCode | This is the same code returned by the provider during a standard authorization. E.g.: provider Cielo30 code "00" means success in validation. | When enableBinQuery is "true". Available only for Cielo 3.0. |
VerifyCardReturnMessage | E.g.: "Transaction Authorized". | When enableBinQuery is "true". Available only for Cielo 3.0. |
VerifyCardStatus | "0"- Invalid Card; "1"- Valid Card; "99"- Unknown Situation. | When enableVerifyCard is "true". |
Prepaid | Returns "true" if it is a prepaid card and "false" if it is not a prepaid card. | *** |
_In Script Parameters, if enableTokenize is _true*, the script will return the CardToken instead of the PaymentToken. Learn more about CardToken in the Cartão protegido manual.
Implementing events
The provided script offers the following three events for store handling and processing:
| Event | Description |
|---|---|
| onSuccess | Event in case of success. Returns the PaymentToken and also the card data, if card verification was requested. For security reasons, this PaymentToken can be used for a single authorization. After processing, it will be invalidated. |
| onError | Event in case of error. Returns the error code and description. |
| onInvalid | Event in case of incorrect data provision. Returns details of fields with errors. The messages returned in the validation result are available in the following languages: Portuguese (default), English, and Spanish. |
Characteristics of the
PaymentToken:
For security reasons, thePaymentTokencan be used for a single authorization and/or within the period of 20 minutes. After processing, thePaymentTokenwill be invalidated.
4. Authorizing with PaymentToken
After obtaining the PaymentToken through the script, execute the authorization process, sending the PaymentToken instead of card data.
To submit a credit transaction, send the
Payment.CreditCard.PaymentTokenparameter instead ofPayment.CreditCard. Learn more in the Gateway de Pagamento;
To submit a debit transaction, send thePayment.DebitCard.PaymentTokenparameter instead ofPayment.DebitCard. Learn more in the Gateway de Pagamento .
See the example below, describing the sending of authentication data for the authorization request to Gateway de Pagamento.
Request
{
"MerchantOrderId":"2017051002",
"Customer":
{
(...)
},
"Payment":
{
(...)
"CreditCard":{
"PaymentToken":"eedcb896-40e1-465b-b34c-6d1119dbb6cf"
}
}
}
| Field | Description | Type/Size | Mandatory? |
|---|---|---|---|
Payment.CreditCard.PaymentToken | Provides the PaymentToken generated through the script. This information replaces the card data. Replace with DebitCard if using a debit card. | GUID / 36 | Yes |
Response
Refer to the Gateway de Pagamento for examples of authorization request responses.
Integration Example
We share a practical example on our GitHub of how you should map the classes and integrate Silent Order Post into your checkout.
Updated about 13 hours ago