Get Started with ShopeePay

Get Started

An overview of the steps to start accepting payments using ShopeePay

  1. Start by contacting ShopeePay’s integration team to sign the NDA (Non-Disclosure Agreement) and commercial agreement.
  2. Choose your integration to match your business needs:
    • In-Person Payments
    • Online Payments
    • Please refer to the ShopeePay/SPayLater Branding Guideline for In-Person Payment and Online Payment here to showcase the use of ShopeePay/SPayLater in the payment flow
  3. You will be assigned onboarding credentials to start integration testing purposes.
  4. Develop according to the stated API rules to interact with ShopeePay Payment APIs.
  5. Follow the steps provided in the Signature Generation to perform the signature verification.
  6. Visit API Documentations to understand the structure of each API and follow the instructions to send request to the API.

Prerequisite

Merchant should fulfil the following requirements to interact with ShopeePay APIs:

  • To be compatible with OAuth 2.0 protocol and HMAC used by ShopeePay to authorize calls.
  • Merchants should use TLSv1.2 or TLSv1.3 for TLS handshake.
  • Merchants should integrate directly with ShopeePay endpoints without the use of a SDK.

Onboarding

Once the commercial agreement between merchant and ShopeePay is finalized, each merchant will be assigned the following credentials for integration testing purposes.

CredentialsDescription
Client IDClient refers to the party that integrate with ShopeePay APIs. Each client is assigned a unique identifier known as the Client ID, and this Client ID must be included in the request header of every API call made to ShopeePay's services.
Secret KeyA secret key that is shared between ShopeePay Server and Merchant. This key is used to generate the Signature to authenticate the Merchant.
When handling sensitive information such as merchant ID and secret key, please do not hard code the secret key in a frontend application. All API calls should only be made from the Merchant’s servers.

Access Nodes

ShopeePay access nodes are country specific, each country will have their own API domains to be called.

RegionAbbreviationRegion Code
IndonesiaIDco.id
MalaysiaMYcom.my
PhilippinesPHcom.ph
SingaporeSGsg
ThailandTHco.th
VietnamVNvn

Append the region code to the end of the domain.

EnvironmentDomain
Stagingapi.uat.wallet.airpay.<region code>
Productionapi.wallet.airpay.<region code>

API Protocol Rules

This specifies the rules for calling ShopeePay APIs.

ComponentFormat/Method
Transfer ModeHTTPS
Submit ModePOST Method
Date FormatUNIX (seconds)
Char EncodingUTF-8
SignatureHMAC, SHA-256, Base64

API Parameters Specifications

Request Header

All requests will require the following parameters in the header:

NameDescription
Client IDClient refers to the party that integrate with ShopeePay APIs. Each client is assigned a unique identifier known as the Client ID, and this Client ID must be included in the request header of every API call made to ShopeePay's services.
SignatureGenerated using the shared secret that is given by Shopee to authenticate the API caller.

Response Body

The ShopeePay API response body is in JSON format.

Considerations to take note of in the response body:

  • Parameters can be returned in a random sequence.
  • Empty parameters may be returned in the following format by default, unless stated otherwise.
  • Additional parameters may be returned in future without advance notice from ShopeePay.
  • Merchant system’s logic must not assume that the order of arrangement of response parameters or the total number of parameters returned will remain constant throughout time.
TypeEmpty Response
Integer0
StringEmpty string, or "0" if the field represents a numerical value (e.g. amount, timestamp)
ObjectNull
ArrayEmpty array
BooleanFalse

URL Query Parameters

  • The URL query parameters can be returned in a random sequence.
  • Additional query parameters may be added in the future without advance notice from ShopeePay.
  • Query parameters are case-sensitive.

Security Specifications

Generate HMAC Signatures

Signature generation is essential for authenticating API requests between ShopeePay and the merchant. The signature is generated using a confidential shared secret key and algorithm, provided by ShopeePay. Merchants may use the common signature modes such as hash-based message authentication code (HMAC), SHA-256, and Base64.

GO EXAMPLE

import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
)
// Sign - sign the `payload` with `key`
func Sign(payload, key []byte) string {
mac := hmac.New(sha256.New, key)
// Cannot return error
if _, err := mac.Write(payload); err != nil {
return ""
}
return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}
arrow-svg

Copy

JS EXAMPLE

let hash = CryptoJS.HmacSHA256(body, secret)
let sig = CryptoJS.enc.Base64.stringify(hash).replace(/\n+$/, '')
arrow-svg

Copy

Steps to Generate HMAC Signatures

If the request has a body, the request body must be hashed using the SHA-256 algorithm and represented as a base-64 encoded value. To generate a signature, the HTTP request body is hashed using HMAC with the SHA-256 algorithm and the shared secret key, operated on the request JSON to ensure authenticity of the request.

Secret: pz148x0gXyPCLHxnlhEydNLg55jni91i

  1. Extract the request body to be signed. For example:
    {"request_id": "","store_ext_id": "externalstore","merchant_ext_id": "externalmerchant","amount": 1000,"terminal_id": "terminal","convenience_fee_percentage": 0,"convenience_fee_fixed": 0,"convenience_fee_indicator": "","additional_info": "","currency": "IDR","qr_validity_period": 1000,"payment_reference_id": "testreference"}
    arrow-svg

    Copy

  2. Hash the JSON content by using the SHA256 algorithm.
    5f5532bf23018674788770f43743522dff1af5782243fab06b1e8677a7391d4c
    arrow-svg

    Copy

  3. Encode to Base64
    X1UyvyMBhnR4h3D0N0NSLf8a9XgiQ/qwax6Gd6c5HUw=
    arrow-svg

    Copy

Signature Validate

Upon receiving the API response, the Merchant should validate the signature of the response:

  1. Use the shared secret to sign the response body to obtain the response signature.
  2. Compare the generated signature to the signature in the header of the API response.
  3. Signatures from steps #1 and #2 must be identical. If they are different, the response should not be trusted.

To assist with signature validation, you can use online tools such as base64encode.org. These tools provide a convenient way to decode and verify signatures during the API integration process.

Request Header

Include the signature in the request

The signature should be added in the HTTP header in the following format:

SH EXAMPLE

X-Airpay-MerchantId: <merchantid>
X-Airpay-Req-H: <request_signature>
arrow-svg

Copy

Backward Compatible Changes

Backward compatible or non-breaking changes refer to API changes that allow the integration to continue using the API without any additional changes required at Merchant’s side. ShopeePay may make such changes on their sole discretion without informing the existing Merchants in advance, as such changes are deemed to not break any integration implemented by the Merchant.

ShopeePay considers the following changes as non-breaking:

  • Add new API resource or new types of server callback to a new endpoint.
  • Add new or remove optional field to existing API request parameters.
  • Add new fields to existing API response/server callback parameters.
  • Increase or decrease the max length limit of existing fields on existing API response / server callback parameters.
  • Change the order of fields in existing API responses or server callback parameters.
  • Increase the max length limit of request fields on existing API request parameters.