This collection contains all endpoints for the PayEra Payments API v1.
\nLog in to your PayEra Merchant Portal
\nGo to API Keys in the sidebar
\nClick Generate New Key
\nSave your credentials securely:
\npk_live_... — Publishable key (used in API requests)
sk_live_... — Secret key (used for signature generation)
Go to Checkouts in the sidebar
\nCopy your Checkout ID (format: PPPP-XXXX-XXXX-XXXX)
Go to Webhooks in the sidebar
\nClick Add Endpoint
\nEnter your webhook URL (e.g., https://your-server.com/webhooks/payera)
Save and copy your webhook signing secret (whsec_...)
Set collection variables:
\nbaseUrl — https://api.payera.global/v1
apiKey — Your publishable key (pk_live_...)
secretKey — Your secret key (sk_live_...)
checkoutId — Your checkout configuration ID
Signature auto-generation:
This collection includes a pre-request script that automatically generates:
X-Timestamp header
X-Signature header
The X-Signature header is computed as follows:
Parse the JSON request body into key-value pairs
\nAdd timestamp as an extra key (value = the X-Timestamp header, RFC3339 without milliseconds)
Sort all keys alphabetically
\nFlatten each value to a string (strings as-is, numbers to string, booleans to true/false, objects to JSON with sorted keys)
Hash your secret key: SHA256(sk_live_xxx) → lowercase hex (64 characters)
Append the hashed secret key as the last value
\nJoin all values with :
Compute: Base64(SHA256(joined_string))
Example:
\nGiven body {\"amount\": 5000, \"checkout_id\": \"RZPY-A1B2\", \"currency\": \"EUR\"} and timestamp 2026-03-07T20:00:00Z:
Sorted keys: amount, checkout_id, currency, timestamp
Values: 5000, RZPY-A1B2, EUR, 2026-03-07T20:00:00Z
Append: SHA256(your_secret_key) as hex
Join: 5000:RZPY-A1B2:EUR:2026-03-07T20:00:00Z:
Signature: Base64(SHA256(joined_string))
Note: The timestamp must be within ±5 minutes of server time or the request will be rejected.
\nImportant: This is NOT HMAC. It is a plain SHA256 hash encoded as Base64. Webhooks use a separate HMAC-SHA256 scheme with your whsec_ secret.
Creates a new payment through the provider associated with the given checkout_id.
The checkout_id determines WHICH payment method will be used.
You may have multiple checkout configurations in your Merchant Dashboard, each linked to a different payment provider:
\nHow to find your checkout_id:
\nLog in to your PayEra Merchant Dashboard
\nGo to Checkouts in the sidebar
\nYou will see all your checkout configurations listed
\nCopy the Checkout ID for the payment method you want to use
\nExample:
\nWant to accept card payments? → Use your Card checkout_id
\nWant to accept bank transfers? → Use your Open Banking checkout_id
\nEach checkout_id is tied to ONE payment method. If you pass a Card checkout_id, the customer pays by card. If you pass an Open Banking checkout_id, the customer pays via bank transfer.
\nRequired Fields:
\ncheckout_id - YOUR checkout configuration ID (find it in Merchant Dashboard → Checkouts). Format: PPPP-XXXX-XXXX-XXXX
amount - Amount in smallest currency unit (cents). Example: 5000 = €50.00
currency - ISO 4217 currency code. Must be supported by your checkout_id!
Card checkouts: EUR, USD
Bank Transfer checkouts: EUR, GBP
customer_email - Customer email address
redirect_url - URL where customer returns after payment
payment_id - Your unique reference for this payment (e.g., your order ID)
customer_details - Customer information object:
first_name - Customer's first name
last_name - Customer's last name
phone - Phone number (E.164 format: +442002001234)
country_of_residence - ISO 3166-1 alpha-2 country code (GB, US, DE)
date_of_birth - Date of birth (YYYY-MM-DD format)
state_of_residence - 2-letter US state code — required only for US customers
metadata - Key-value data for your own tracking (returned in webhooks)
Important Fields:
\nsuccess_url - Specific URL for successful payment redirect
cancel_url - URL if customer cancels
Response:
\nReturns a payment_url — redirect the customer to this URL to complete payment.
The customer will see the appropriate payment form (card entry OR bank selection) based on which checkout_id you used.
Creates a card payment via the server-to-server (S2S) flow. Submit raw card data in the request and PayEra charges the card directly — no hosted checkout page involved.
\ncard (object, required) — raw card data
number — PAN (digits only; spaces and dashes are stripped automatically)
expiry_month — 01–12
expiry_year — 4-digit (e.g. 2099); 2-digit also accepted (99 → 2099)
cvv — 3 or 4 digits
holder_name (optional) — printed cardholder name
browser (object, recommended) — device fingerprint passed to the issuing bank's ACS when a 3DS challenge is required. Without it, low-risk 3DS frictionless flows may fall back to a full challenge or be declined.
card_token (string, reserved) — placeholder for a future hosted-fields tokenization flow. Sending it today returns 501 Not Implemented.
All other fields (amount, currency, customer_email, customer_details, redirect_url, success_url, cancel_url, payment_id, metadata) match the standard Create Payment request.
PayEra never persists raw cardholder data. Full PAN, CVV, and full card tokens are redacted at every persistence boundary before any data is written to disk, database, or external log sink.
\nThe only card-related data PayEra retains for reference (eg. issuer/BIN lookup, brand identification, chargeback dispute handling, customer support PAN matching) is the first six digits (BIN) and the last four digits of the PAN, with all middle digits replaced by \\*. Example: 4242424242424242 is stored as 424242******4242.
For sandbox test card details (3DS challenge cards and non-3DS approve / decline edge cases), please contact PayEra support — they will share the appropriate test set for your assigned checkout(s).
\nDirect capture (no 3DS challenge):
\n{\n \"success\": true,\n \"payment_id\": \"<intent-uuid>\",\n \"checkout_id\": \"XXXX-XXXX-XXXX-XXXX\",\n \"status\": \"succeeded\"\n}\n\nCard decline:
\n{\n \"success\": false,\n \"payment_id\": \"<intent-uuid>\",\n \"checkout_id\": \"XXXX-XXXX-XXXX-XXXX\",\n \"status\": \"failed\",\n \"error\": \"Card declined\",\n \"error_code\": \"DECLINED\"\n}\n\n3DS challenge required:
\n{\n \"success\": true,\n \"payment_id\": \"<intent-uuid>\",\n \"checkout_id\": \"XXXX-XXXX-XXXX-XXXX\",\n \"status\": \"requires_action\",\n \"next_action\": {\n \"type\": \"redirect_to_url\",\n \"redirect_url\": \"https://api.payera.global/v1/payments/<intent-uuid>/3ds-challenge\",\n \"return_url\": \"https://merchant.com/payment/result\"\n }\n}\n\nWhen status=requires_action, redirect the customer's browser to next_action.redirect_url. After the customer completes the challenge, they're redirected back to your redirect_url / success_url / cancel_url. The final status is also delivered asynchronously via the standard webhook (payment.succeeded / payment.failed).
Create and manage payments
\n","_postman_id":"57c723c4-9271-4f95-ac8a-ff87c0b23a07","auth":{"type":"apikey","apikey":{"basicConfig":[{"key":"key","value":"X-API-Key"},{"key":"value","value":"pk_live_your_api_key"}]},"isInherited":true,"source":{"_postman_id":"ec017cbc-7752-409f-8794-9c1dd1dae732","id":"ec017cbc-7752-409f-8794-9c1dd1dae732","name":"PayEra API v1","type":"collection"}}},{"name":"Webhooks","item":[{"name":"Webhook Payload Example (payment.succeeded)","id":"733a6d4b-a55c-46d1-b57e-e00b7539f0c4","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"},{"key":"X-PayEra-Signature","value":"example_signature_hex","description":"HMAC-SHA256 signature (hex-encoded)
\n"},{"key":"X-PayEra-Timestamp","value":"1709312345","description":"Unix timestamp (seconds)
\n"},{"key":"X-PayEra-Event","value":"payment.succeeded"},{"key":"User-Agent","value":"PayEra-Webhook/1.0"}],"body":{"mode":"raw","raw":"{\n \"id\": \"evt_01234567-89ab-cdef-0123-456789abcdef\",\n \"type\": \"payment.succeeded\",\n \"timestamp\": \"2026-03-01T15:30:45Z\",\n \"data\": {\n \"payment_id\": \"e08794dd-aaaf-4b32-9f70-0b65f4756472\",\n \"merchant_payment_id\": \"order-12345-67890\",\n \"checkout_id\": \"ABCD-1234-EFGH-5678\",\n \"amount\": 5000,\n \"currency\": \"EUR\",\n \"status\": \"succeeded\",\n \"provider_ref\": \"019ca9dd-33d7-70ab-bb84-c47415b1b113\",\n \"customer_email\": \"customer@example.com\",\n \"metadata\": {\n \"order_id\": \"12345\",\n \"user_id\": \"67890\"\n }\n },\n \"api_version\": \"v1\"\n}","options":{"raw":{"language":"json"}}},"url":"https://your-server.com/webhooks/payera","description":"Example of a payment.succeeded webhook payload sent by PayEra.
Webhook Headers:
\nX-PayEra-Signature — HMAC-SHA256 signature (hex-encoded)X-PayEra-Timestamp — Unix timestamp (seconds, e.g. 1709312345)X-PayEra-Event — Event type (e.g. payment.succeeded)Payload Fields:
\nid — Unique event ID (use for idempotency / deduplication)type — Event type (payment.succeeded, payment.failed, etc.)timestamp — ISO 8601 timestampapi_version — API version (v1)data.payment_id — PayEra's internal payment UUIDdata.merchant_payment_id — Your custom payment_id from the original requestdata.checkout_id — Checkout configuration IDdata.provider_ref — Provider's reference ID for this paymentdata.customer_email — Customer email (see note below)data.metadata — Your metadata object echoed back from the original requestdata.amount — Amount in smallest currency unit (cents)data.currency — ISO currency codedata.status — Payment statusdata.test — true for test callbacks only (not present in production)Signature Verification:
\n{X-PayEra-Timestamp}.{raw_json_body}whsec_ prefix, hex-decode to bytesX-PayEra-SignatureImportant:
\nid field)Customer Email Behavior:\nThe customer_email field returns the email the customer entered on the PayEra checkout form, which may differ from the customer_email sent in your original payment request (due to KYC/compliance requirements). For reliable user identification, use the metadata object to pass your internal user identifiers (e.g., user_id, user_uuid) which will be returned unchanged.
Example of a payment.failed webhook payload sent by PayEra.
Payload Fields (same as payment.succeeded):
\ndata.error_code — Machine-readable error codedata.error_message — Human-readable error descriptionpayment.succeeded webhookBoth test callbacks and production webhooks use this exact same format.
\n","auth":{"type":"apikey","apikey":{"basicConfig":[{"key":"key","value":"X-API-Key"},{"key":"value","value":"pk_live_your_api_key"}]},"isInherited":true,"source":{"_postman_id":"ec017cbc-7752-409f-8794-9c1dd1dae732","id":"ec017cbc-7752-409f-8794-9c1dd1dae732","name":"PayEra API v1","type":"collection"}},"urlObject":{"protocol":"https","path":["webhooks","payera"],"host":["your-server","com"],"query":[],"variable":[]}},"response":[],"_postman_id":"e8af9c58-1325-4792-9918-d5e512e9777c"}],"id":"ebc5f2b3-8dca-48e2-9d14-a0ceb632dfd8","description":"Examples of webhook payloads sent by PayEra to your server. Use these examples to test your webhook handler implementation and signature verification.
\n","_postman_id":"ebc5f2b3-8dca-48e2-9d14-a0ceb632dfd8","auth":{"type":"apikey","apikey":{"basicConfig":[{"key":"key","value":"X-API-Key"},{"key":"value","value":"pk_live_your_api_key"}]},"isInherited":true,"source":{"_postman_id":"ec017cbc-7752-409f-8794-9c1dd1dae732","id":"ec017cbc-7752-409f-8794-9c1dd1dae732","name":"PayEra API v1","type":"collection"}}}],"auth":{"type":"apikey","apikey":{"basicConfig":[{"key":"key","value":"X-API-Key"},{"key":"value","value":"pk_live_your_api_key"}]}},"event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":["// PayEra Signature Generation Pre-request Script","// Algorithm: Base64(SHA256(sorted_values : SHA256(secret_key)))","","const secretKey = pm.environment.get('secretKey') || pm.collectionVariables.get('secretKey');","","if (!secretKey) {"," console.warn('No secretKey found in environment or collection variables');"," return;","}","","// Step 1: Generate timestamp without milliseconds","const timestamp = new Date().toISOString().replace(/\\.\\d{3}Z$/, 'Z');","pm.request.headers.upsert({ key: 'X-Timestamp', value: timestamp });","","// Step 2: Parse request body","let bodyParams = {};","try {"," if (pm.request.body && pm.request.body.raw) {"," bodyParams = JSON.parse(pm.request.body.raw);"," }","} catch (e) {"," console.error('Failed to parse request body:', e);"," return;","}","","// Step 3: Hash secret key (lowercase hex)","const secretKeyHash = CryptoJS.SHA256(secretKey).toString(CryptoJS.enc.Hex);","","// Step 4: Add timestamp to params","const paramsWithTimestamp = { ...bodyParams, timestamp };","","// Step 5: Sort keys alphabetically","const sortedKeys = Object.keys(paramsWithTimestamp).sort();","","// Step 6: Flatten values (handle nested objects with sorted keys)","function flattenValue(value) {"," if (typeof value === 'string') return value;"," if (typeof value === 'number') return value.toString();"," if (typeof value === 'boolean') return value ? 'true' : 'false';"," if (value === null || value === undefined) return '';"," // Sort nested object keys before stringifying"," const sortedObj = {};"," Object.keys(value).sort().forEach(k => { sortedObj[k] = value[k]; });"," return JSON.stringify(sortedObj);","}","","const values = sortedKeys.map(key => flattenValue(paramsWithTimestamp[key]));","","// Step 7: Append hashed secret key","values.push(secretKeyHash);","const signatureString = values.join(':');","","// Step 8: SHA256 + Base64","const signature = CryptoJS.SHA256(signatureString).toString(CryptoJS.enc.Base64);","","pm.request.headers.upsert({ key: 'X-Signature', value: signature });","","console.log('Generated signature for request');","console.log('Timestamp:', timestamp);","console.log('Sorted keys:', sortedKeys.join(', '));"],"id":"ea91992e-0aab-4ee6-9bc0-7e3d576dabf6"}}],"variable":[{"key":"baseUrl","value":"https://api.payera.global/v1"},{"key":"apiKey","value":"pk_live_your_api_key"},{"key":"secretKey","value":"sk_live_your_secret_key"},{"key":"checkoutId","value":"XXXX-XXXX-XXXX-XXXX"}]}