Integrating Silent Order Post
1. Getting Access Token OAuth2
When the shopper accesses the checkout, the merchant must generate the AccessToken from Braspag Authentication API (oAuth). On success, the API will return an AccessToken that must be populated in the script to load on the page.
To request AccessToken, send a request (POST) to the following endpoint in the server-to-server template:
| Environment | base URL + endpoint | Authorization |
|---|---|---|
| SANDBOX | https://authsandbox.braspag.com.br/oauth2/token | "Basic {base64}" |
| PRODUCTION | https://auth.braspag.com.br/oauth2/token | "Basic {base64}" |
How to obtain the Base64 value:
- Concatenate "ClientId" and "ClientSecret" (
ClientId:ClientSecret). - Code the result in base64.
- Send a request to the authorization server with the alphanumeric code you just created.
To request your "ClientID" and "ClientSecret", please contact our Support
- MerchantId;
- Describe that you need the credentials "ClientID" e o "ClientSecret" to use Silent Order Post.
Request
POST oauth2/token
--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded"
--data-binary "grant_type=client_credentials"
| Parameters | Format | Where to send |
|---|---|---|
Authorization | "Basic {base64}" | Header. |
Content-Type | "application/x-www-form-urlencoded" | Header. |
grant_type | "client_credentials" | Body. |
Response
{
"access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
"token_type": "bearer",
"expires_in": 599
}
{
"access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
"token_type": "bearer",
"expires_in": 599
}
| Properties | Description |
|---|---|
access_token | The requested authentication token, that will be used in the next step. |
token_type | Indicates the token type value. |
expires_in | Access Token expiration, in seconds. When the token expires, you must request a new one. |
2. Getting the SOP AccessToken
After obtaining AccessToken OAuth2, you should send a new request (POST) to the following URL:
| Environment | base URL + endpoint |
|---|---|
| Sandbox | https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken |
| Production | https://transaction.pagador.com.br/post/api/public/v2/accesstoken |
Request
--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose
| Properties | Description | Type | Size | Required? |
|---|---|---|---|---|
MerchantId | Merchant identifier at Pagador. | GUID | 36 | Yes |
Authorization | Bearer [AccessToken OAuth2] | Text | 36 | Yes |
Response
As a response, you will receive a JSON ("HTTP 201 Created") with the SOP AccessToken and some other data.
{
"MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
"Issued": "2021-05-05T08:50:04",
"ExpiresIn": "2021-05-05T09:10:04"
}
--header "Content-Type: application/json"
--header "RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
--data-binary
{
"MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
"Issued": "2021-05-05T08:50:04",
"ExpiresIn": "2021-05-05T09:10:04"
}
| Properties | Description | Type | Size | Format |
|---|---|---|---|---|
MerchantId | Merchant identifier at Pagador. | Guid | 36 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
AccessToken | AccessToken SOP. For safety reasons, this token will allow the merchant to save only one card within the deadline determined in the response, through the attribute Expires In. The default is 20 minutes. Whatever happens first will invalidate the token to prevent it from being used again. | Texto | -- | NjBhMjY1ODktNDk3YS00NGJkLWI5YTQtYmNmNTYxYzhlNjdiLTQwMzgxMjAzMQ== |
Issued | Token creation date and hour. | Texto | -- | AAAA-MM-DDTHH:MM:SS |
ExpiresIn | Token expiration date and hour. | Texto | -- | AAAA-MM-DDTHH:MM:SS |
To see the legacy authentication process, which used the MerchantId and shopper IP address to create the
AccessToken, click here.
3. Implementing the script
Mapping Classes
The merchant must download the script provided by Braspag, and attach it to their checkout page. This script will allow Braspag to process all card information without merchant intervention.
Download the Silent Order Post script at https://www.pagador.com.br/post/scripts/silentorderpost-1.0.min.js
The Merchant must parameterize the form elements with the following classes:
| Property | Class Name |
|---|---|
| Credit/Debit Cardholder Name | bp-sop-cardholdername |
| Credit/Debit Card Number | bp-sop-cardnumber |
| Credit/Debit Card Expiration Date | bp-sop-cardexpirationdate |
| Credit/Debit Card Security Code | bp-sop-cardcvvc |
Setting Parameters
SCRIPT PARAMETERS
| Property | Description |
|---|---|
accessToken | Access Token obtained via Braspag Authentication API |
environment | sandbox or production |
language | PT or EN or ES |
enableBinQuery | true if you want to enable BIN Query (returns card characteristics). false otherwise. |
enableVerifyCard | true if you want to enable ZeroAuth (returns if the card is valid or not). false otherwise. |
enableTokenize | true if you want to save the card directly on your vault in the Cartão Protegido (retorn a 'cardToken' instead of a 'paymentToken'). false otherwise. |
cvvRequired | "false" (unables CVV as required) / "true" (CVV is required). |
SCRIPT RESPONSE
| Property | Description | |
|---|---|---|
PaymentToken | Payment Token in the Format of a GUID (36) | |
CardToken | Permanent token to be used on a payment request on a GUID format (36) Obs.: Only works if 'enableTokenize' is true | |
brand | Returned when enableBinQuery option is true. Card Brand Name (Visa, Master, Bond, Amex, Diners, JCB, Hipercard) | |
forerignCard | Returned when enableBinQuery option is true. The field returns true if it is a card issued outside Brazil. false otherwise | |
binQueryReturnCode | Returned when enableBinQuery option is true. "00" if BIN parsing is successful. | |
binQueryReturnMessage | Returned when enableBinQuery option is true. E.g. “Authorized Transaction” if BIN analysis succeeds | |
VerifyCardStatus | Returned when enableVerifyCard option is true. Invalid Card 0; 1-Valid Card; 99-Unknown Situation | |
VerifyCardReturnCode | Returned when enableVerifyCard option is true. Zero Auth query code returned by the provider. | |
BinQueryReturnMessage | Returned when enableBinQuery option is true. This is the same code returned by the provider during a standard authorization. E.g.: Cielo30 provider code "00" means validation success | |
BinQueryReturnMessage | Returned when enableBinQuery option is true. E.g. “Authorized Transaction” | |
CardBin | Returned when enableBinQuery option is true. E.g. “455187” | |
CardLast4Digits | Returned when enableBinQuery option is true. E.g. “0181” | |
Issuer | Returns the card issuer. | Returned when enableBinQuery is "true". Available for Cielo 3.0 only. |
IssuerCode | Returns the card issuer code. | Returned when enableBinQuery is "true". Available for Cielo 3.0 only. |
CardType | Returns the card type, E.g.: Credit, Debit, Multiple, Voucher etc. | Returned when enableBinQuery is "true". Available for Cielo 3.0 only. |
VerifyCardReturnCode | It is the same code returned by the provider during a standard authorization. E.g.: code "00" for provider Cielo30 means succesful validation. | Returned when enableBinQuery is "true". Available for Cielo 3.0 only. |
VerifyCardReturnMessage | E.g.: “Transacao Autorizada”/"Authorized Transaction". | Returned when enableBinQuery is "true". Available for Cielo 3.0 only. |
VerifyCardStatus | "0"- Invalid Card; "1"- Valid Card; "99"- Unknown Situation. | Returned when enableBinQuery is "true". |
Implementing Events
The script provided by Braspag provides three events for handling and managed by the merchant.
| Event | Description |
|---|---|
| onSuccess | Event on success. PaymentToken will be returned, as well as card details if you have requested to verify the card. For security reasons this PaymentToken may only be used for authorization. After processing it will be invalidated. |
| onError | Event on error. Error code and description will be returned |
| onInvalid | Event in case of incorrect data supply. Error field details will be returned. Messages returned in the validation result are available in the following languages: Portuguese (default), English and Spanish. |
For security reasons this
PaymentTokenmay only be used for authorization. After processing it will be invalidated.
4. Authorizing with PaymentToken
After obtaining PaymentToken through the script, the authorization process is performed by sending PaymentToken in place of card data.
See example below, describing the submission of authentication data from the Gateway API authorization request.
POST /v2/salesPlease refer to the API Reference for the full request and response examples.
Request
{
"MerchantOrderId":"2017051002",
"Customer":
{
(...)
},
"Payment":
{
(...)
"Card":{
"PaymentToken":"eedcb896-40e1-465b-b34c-6d1119dbb6cf"
}
}
}
curl
--request POST "https://apisandbox.braspag.com.br/v2/sales/"
--header "Content-Type: application/json"
--header "MerchantId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--header "MerchantKey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--data-binary
--verbose
{
"MerchantOrderId":"2017051002",
"Customer":
{
(...)
},
"Payment":
{
(...)
"Card":{
"PaymentToken":"eedcb896-40e1-465b-b34c-6d1119dbb6cf"
}
}
}
| Field | Description | Type | Size | Required |
|---|---|---|---|---|
Payment.Card.PaymentToken | Provide the PaymentToken generated through the script. This information replaces the card data | GUID | 36 | Yes |
Updated 18 days ago