VeroPay API Docs

Dokumentasi endpoint checkout, payment link, transaksi, dan webhook untuk integrasi payment gateway.

Base URL

https://your-domain.com

Semua endpoint API memerlukan header x-api-key kecuali webhook receiver.

1) Create Checkout QR

POST /api/v1/checkout

curl -X POST https://your-domain.com/api/v1/checkout \
  -H "content-type: application/json" \
  -H "x-api-key: pk_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -d '{
    "nominal": 10000,
    "external_ref": "INV-1001",
    "feePercent": 2.5,
    "feeFixed": 500
  }'

Response sukses:

{
  "ok": true,
  "app_package": "com.example.app",
  "transaction_id": "uuid",
  "provider_ref": "A120260308...",
  "status": "pending",
  "nominal": 10000,
  "fee_amount": 750,
  "total_amount": 10750,
  "qr_string": "000201...",
  "expires_in_seconds": 300
}

2) Create Payment Link

POST /api/v1/payment-links

curl -X POST https://your-domain.com/api/v1/payment-links \
  -H "content-type: application/json" \
  -H "x-api-key: pk_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -d '{
    "nominal": 20000,
    "title": "Bayar Paket Pro",
    "description": "Order #ABCD",
    "feePercent": 1,
    "expiresInSeconds": 1800
  }'

Response sukses:

{
  "ok": true,
  "payment_link_id": "pl_xxx",
  "payment_url": "https://your-domain.com/pay/pl_xxx",
  "transaction_id": "uuid",
  "provider_ref": "A120260308...",
  "nominal": 20000,
  "fee_amount": 200,
  "total_amount": 20200,
  "qr_string": "000201...",
  "expires_at": "2026-03-08T12:00:00.000Z",
  "status": "active"
}

3) Get Payment Link by Slug

GET /api/v1/payment-links/:slug

curl https://your-domain.com/api/v1/payment-links/pl_xxx

Mengembalikan detail payment link dan qr_string terbaru.

4) Get Transaction Status

GET /api/v1/transactions/:id

curl https://your-domain.com/api/v1/transactions/TX_ID \
  -H "x-api-key: pk_xxxxxxxxxxxxxxxxxxxxxxxx"

Response sukses:

{
  "ok": true,
  "app_package": "com.example.app",
  "transaction_id": "TX_ID",
  "provider_ref": "A120260308...",
  "external_ref": "INV-1001",
  "status": "paid",
  "nominal": 10750,
  "content": "A120260308...",
  "paid_at": "2026-03-08T12:10:00.000Z",
  "created_at": "2026-03-08T12:00:00.000Z"
}

Webhook Receiver

POST /api/webhook/payment

Header wajib:

authorization: Bearer your_auth_token
content-type: application/json

Body webhook:

{
  "app_package": "com.example.app",
  "content": "A120260308133927PQvbDCBErMID",
  "raw_nominal": 10750,
  "timestamp": "2026-03-08 19:40:58",
  "signature": "sha256_hex"
}

Formula signature:

sha256("${nominal}|${timestamp}|${SECRET_KEY}")

Validasi yang dilakukan server:

Token bearer cocok dengan AUTH_TOKEN
Nominal ada di raw_nominal atau amount
Timestamp valid dan tidak melewati batas ALLOWED_DRIFT_SECONDS (default 300 detik)
Signature valid dengan SECRET_KEY

Error Codes Umum

Code	HTTP	Keterangan
`missing_api_key`	401	Header `x-api-key` kosong
`invalid_api_key`	401	API key tidak valid / aplikasi nonaktif
`invalid_payload`	400	Body JSON tidak valid
`transaction_not_found`	404	Transaksi tidak ditemukan
`invalid_token`	401	Bearer token webhook salah
`invalid_signature`	401	Signature webhook tidak cocok