跳转到主要内容

API 标准与协议

传输与数据格式

项目规格
传输协议HTTPS,TLS 1.2 及以上
数据格式请求体和响应体均为 JSON
Content-类型 Headerapplication/json (required)

签名与验签

项目规格
签名算法HMAC-SHA512
请求签名所有商户请求都必须使用 HMAC-SHA512 算法签名。
回调验签所有 GatePay 回调都必须由商户使用同一算法完成验签。

响应判定

请始终按以下方式判断 API 响应结果:
  1. Check the HTTP status code first
  2. Then examine the status, code, label, and errorMessage fields in the response body
  3. Extract business data from the data field if the request was successful

Unified 响应 Structure

All GatePay API responses follow this standardized structure:
字段类型说明
statusstringResult status: SUCCESS indicates successful execution; FAIL indicates failure.
codestringError code (empty in successful responses).
labelstringError name or identifier (empty in successful responses).
errorMessagestringHuman-readable error description (empty in successful responses).
dataobject / array / string / nullBusiness data returned by the API. Empty in failed responses.

请求 参数 Standards

商户 Order Number (merchantTradeNo)

The 商户 订单 number is a unique identifier you assign to each 交易:
Property规格
Character SetASCII half-width characters only: letters (a-z, A-Z), digits (0-9), hyphen (-), underscore (_)
Maximum Length100 characters
UniquenessMust be unique within your 商户 account
Retry PolicyWhen 重试ing the same business 交易, you must reuse the original merchantTradeNo to ensure 幂等性

Transaction Amount

Property规格
Data 类型String (numeric value as a string)
Decimal PrecisionUp to 6 decimal places
Minimum Per Transaction0.0001
Maximum Per Transaction5,000,000
Maximum QR 收款 Amount10,000 (for personal QR code collections)

Timestamp Format

Property规格
FormatUnix timestamp in milliseconds (UTC timezone)

请求 Headers and Signing

必填 请求 Headers

Every API request must include these headers:
Header说明
X-GatePay-Certificate-ClientIdYour ClientId as assigned when you created your 应用 (see Integration 概述).
X-GatePay-TimestampCurrent UTC timestamp in milliseconds when the request is created. 请求s with a time drift greater than 10 seconds will be rejected.
X-GatePay-NonceA random string to prevent replay attacks. Recommended length is 32 characters or less, containing only letters and digits.
X-GatePay-SignatureThe computed request signature (see Signature Generation steps below).
X-GatePay-On-Behalf-Of(Optional) Institution 子账户 ID if using delegated access.

Signature String Format

The signature is computed from a string containing three lines, each ending with a newline character (\n): 
<request_timestamp>\n<request_nonce>\n<request_body>\n
Where:
  • <request_timestamp> is the value of X-GatePay-Timestamp
  • <request_nonce> is the value of X-GatePay-Nonce
  • <request_body> is the raw JSON body of the request, or an empty string if there is no body

Signature Generation 步骤

Follow these steps to compute the X-GatePay-Signature header value:
  1. Generate a unique X-GatePay-Timestamp (current UTC time in milliseconds)
  2. Generate a random X-GatePay-Nonce (32 characters or less, letters and digits only)
  3. Read the raw JSON request body as request_body; use an empty string if there is no body
  4. Construct the signature string: timestamp\nnonce\nbody\n
  5. Compute HMAC-SHA512 using your Payment API Secret as the key
  6. Encode the result in Base64 (if required by your implementation)
  7. Place the computed signature into the X-GatePay-Signature header

Example 请求 Structure

POST /api/v1/payment/submit HTTP/1.1
Host: openplatform.gateapi.io
Content-Type: application/json
X-GatePay-Certificate-ClientId: your_client_id
X-GatePay-Timestamp: 1234567890000
X-GatePay-Nonce: abc123def456ghi789
X-GatePay-Signature: <computed_hmac_sha512_signature>

{
  "merchantTradeNo": "order_12345",
  "amount": "100.50",
  "currency": "USD"
}

Payment Result 回调

回调 概述

GatePay sends 异步 payment 通知s to your configured 回调 URL via HTTP POST requests. These 通知s inform your system of payment status changes. For comprehensive details on 回调 events and handling, refer to the 通知 回调 guide.

回调 Payload Structure

GatePay will POST a JSON payload with the following structure: 
{
  "bizType": "TRANSFER_ADDRESS",
  "bizId": "329782527190433792",
  "bizStatus": "TRANSFERRED_ADDRESS_DELAY",
  "client_id": "iVNJZdekOCMJIsmV",
  "data": "{\"merchantTradeNo\":\"1894789022551797760\"}"
}
Where:
字段类型说明
bizTypestringThe type of business event (e.g., TRANSFER_ADDRESS, PAYMENT_ORDER).
bizIdstringThe unique identifier for the payment 订单 or business 交易.
bizStatusstringThe current status of the 交易 (e.g., TRANSFERRED_ADDRESS_DELAY, SUCCESS).
client_idstringThe client_id associated with the payment 订单.
datastringBusiness-specific data as a JSON string. The structure depends on bizType.

Expected 回调 响应

Your 回调 endpoint must respond with a JSON object indicating successful processing:
字段Values说明
returnCodeSUCCESS | FAILSUCCESS indicates the 回调 was processed successfully; FAIL indicates processing failed.
returnMessagestringHuman-readable message explaining the result (empty string for success).
Success 响应 Example: 
{
  "returnCode": "SUCCESS",
  "returnMessage": ""
}
Failure 响应 Example: 
{
  "returnCode": "FAIL",
  "returnMessage": "Database connection failed"
}

回调 Verification 步骤

Every 回调 you receive must be verified to ensure it originated from GatePay and has not been tampered with:
  1. Extract the X-GatePay-Timestamp header from the incoming 回调 request
  2. Extract the X-GatePay-Nonce header from the incoming 回调 request
  3. Extract the X-GatePay-Signature header from the incoming 回调 request
  4. Read the raw JSON 回调 request body
  5. Construct the signature string using the format: timestamp\nnonce\nbody\n
  6. Compute HMAC-SHA512 using your Payment API Secret as the key
  7. Compare the computed signature with the X-GatePay-Signature header value
  8. Only process the 回调 if the signatures match exactly
Important: If the signatures do not match, reject the 回调 as it may be fraudulent or corrupted.

回调 请求 Headers

When GatePay sends a 回调 to your endpoint, it includes these headers:
Header说明
X-GatePay-TimestampThe timestamp when GatePay sent the 回调.
X-GatePay-NonceA random string included in the signature.
X-GatePay-SignatureThe HMAC-SHA512 signature computed by GatePay.

Tools and Resources

Signature Verification Tool

GatePay provides an online tool to help you debug and verify signatures during development: GatePay Signature Verification Tool This tool allows you to:
  • Test signature generation with sample data
  • Verify computed signatures match expected values
  • Debug signature-related integration issues

Error 处理方式

For a comprehensive list of error codes and best practices for handling API errors, see the 错误码 and 最佳实践 guide.

Security 最佳实践

  1. Secure Key Storage: Store your Payment API Secret and Authorization Secret securely on your server. Never expose these secrets in 客户端 code or version control.
  2. Nonce Uniqueness: Ensure each request uses a unique nonce to prevent replay attacks.
  3. Timestamp Validation: Always validate that incoming 回调 timestamps are within an acceptable time window (e.g., not older than 5 minutes).
  4. Signature Verification: Always verify 回调 signatures before processing any sensitive operations.
  5. HTTPS Only: All communication with GatePay must use HTTPS with TLS 1.2 or above.
  6. 回调 Idempotency: Design your 回调 handler to be idempotent, as GatePay may 重试 回调 if it does not receive a successful response.
  7. Error Messages: Do not expose sensitive information (such as keys or internal system details) in error messages returned to the client.