OnlinePay API
V2
V1
V2
V1
  1. Introduction
  • Introduction
    • Introduction
    • How to Start
    • Country Code
    • Country Info
    • Currency Code
    • Error Code
    • Transfer Order Info Type
    • Transfer Order File Type
    • Per Bank
    • Spei Bank
    • Vietnam Bank
    • V2 Signature Specification
  • Payin
    • SEPA
      • SEPA Master Account API
      • SEPA Virtual Account API
      • SEPA Upload Kyc Files API
      • SEPA Submit EDD Files API
    • Credit Card API
      POST
    • Alipay API
      POST
    • GCash API
      POST
    • WeChat API
      POST
    • PIX API
      POST
    • Crypto API
      POST
    • Union Pay API
      POST
    • SPEI API
      POST
    • Per Transfer API
      POST
    • Cash App API
      POST
    • Google Pay API
      POST
    • Apple Pay API
      POST
    • MONO API
      POST
    • Vietnam Bank API
      POST
    • CheckOut API
      POST
    • CheckOut Payment API
      POST
    • OnRamps API
      GET
  • Payout
    • PER Transfer Payout API
    • Checkout Payout API
    • Card Payout API
    • Bank Account Payout API
    • PIX Payout API
    • PER Transfer Payout API
    • SPEI Payout API
    • CashApp Payout API
    • Checkout Payout API
    • Query Payout Order API
    • Supplement Payee Info API
  • Recharge
    • SEPA
      • Account
      • Virtual Account
  • Refund
    • Refund API
  • Card
    • Create Cardholder API
    • Create Card API
    • Active Card API
    • Freeze Card API
    • UnFreeze Card API
    • Cancel Card API
    • TopUp Card API
    • Card Withdraw API
    • Query Card Balance API
    • Query Card Info API
    • Query Card Transaction API
    • Add VPA Scene API
  • Query
    • Query Payout Order API
    • Query Order API
    • QueryOrderList API
    • QueryBalance API
    • QueryOrderAmount API
  • Notify
    • SEPA EDD KYC Notify Webhook API
    • Pay Notify WebHook API
    • Refund Notify WebHook API
    • Card Notify WebHook API
    • Chargeback Notify WebHook API
  • File
    • UploadFile API
  • Schemas
    • ApiResponse
    • V2EncryptedEnvelope
    • CreateAccountRequest
    • UserArray
    • V2EncryptedNotification
    • QueryPayOutV2Request
    • PayoutCheckStandV2Request
    • CheckStandV2Request
    • PayoutCheckStandV2Response
    • CreateAccountResponse
    • QueryPayOutV2Response
    • ProductParams
    • PaymentNotification
    • PaymentNotificationPayload
    • Category
    • RefundNotificationPayload
    • CreateAccountInfo
    • Pet
    • OrderQueryV2Data
    • PayoutQueryResult
    • CheckStandV2Response
    • PayoutCheckStandV2Data
    • Tag
    • ChargebackNotificationPayload
    • RechargeRequest
    • CheckStandV2Data
    • OrderQueryV2Request
    • OrderQueryV2Response
    • Order
    • RechargeResponse
    • User
    • RechargeAccountInfo
  1. Introduction

How to Start

Payment Acquiring
Card Issuing
SDK Integration (Java)
SDK Integration (Go)
SDK Integration (PHP)
ChatGPT Image 2026年6月17日 下午07_06_23.png

1. Apply for Test Merchant Id and Key#

1.1 Complete registration on the Test OnlinePay Portal
1.2 Obtain your Test API keys:
Log in to the Test OnlinePay Portal.
Navigate to Personal Center > Developer Center > View your API keys.

2. Parameter Signature#

V2 uses RSA256 sihow-to-start-sdk-integration.mdgning for all APIs. The SDK handles signing automatically — you do not need to pass sign, signType, or version in the request body.
:::

2.1 Key Preparation#

RSA Key Pair
Generate Your RSA Key Pair using KeyPairExample:
Your Private Key: This key is highly sensitive and must be kept secret and secure within your system.
Your Public Key: This key is intended to be shared. You will upload this public key to our Developer Center.
Upload Your RSA Public Key to the Developer Center:
image.png
Log in to the Developer Center. Locate the field "User Publickey".
Click on the Edit button to upload your RSA public key.
Retrieve the OnlinePay Public Key:
image.png
Locate the field "OnlinePay Publickey" in the Developer Center.
Click the "View" button to obtain the OnlinePay public key.
You will use this key to verify response signatures and verify notification payloads.

2.2 Sign String Construction#

All V2 APIs use the same sign string construction:
1.
Take all request parameters
2.
Exclude: sign, signType, version, authorization, referer, paymentType, serverName, userAgent, protocolId, isfunction
3.
Skip null or empty values
4.
Sort remaining fields alphabetically by key
5.
For nested objects and arrays: serialize as sorted JSON
6.
Join as key1=value1&key2=value2
Example:
Request fields:
  merNo=104001001, merOrderNo=ORD123, currencyCode=USD,
  sourceAmount=100.00, notifyUrl=https://example.com/notify,
  sign=abc...

Sign string (sorted, exclude sign/signType/version):
  currencyCode=USD&merNo=104001001&merOrderNo=ORD123&notifyUrl=https://example.com/notify&sourceAmount=100.00

2.3 Request Signature#

Calculate the sign value using RSA256:
sign = Base64(SHA256WithRSA(signString, yourPrivateKey))
Include the calculated sign in the request body. The signType and version fields are not required in V2 — they are never sent in the request body.

2.4 Response Verification#

Responses contain a sign field. Verify using the same sign string construction:
{
  "code": "00000",
  "message": "SUCCESS",
  "data": { ... },
  "sign": "A1B2C3..."
}
Build the sign string from code, data (as JSON string), and message:
signString = code=<code>&data=<json-string-of-data>&message=<message>
Verify sign with OnlinePay Public Key using RSA256

2.5 Notification Decryption & Verification#

V2 notifications use RSA+AES hybrid encryption. You will receive:
{
  "encryptedData": "SFOs0qSAGLs6kHLf...",
  "encryptedKey": "Vfn2M+u4uG7nWklk..."
}
Step 1: Decrypt
1. RSA decrypt encryptedKey with Your Private Key → AES key
2. AES decrypt encryptedData with AES key → plaintext JSON
Step 2: Verify Signature
1. Parse decrypted JSON
2. Build sign string (same rules: sorted key=value, exclude sign/signType)
3. RSA-SHA256-Verify(signString, sign, OnlinePay_PublicKey)
Step 3: Respond HTTP 200

3. Add Your Website URL to the Whitelist#

3.1 Navigate to the Developer Center
3.2 Access the URL Whitelist Tab
image.png
3.3 Submit Your Website URL:
On the "URL Whitelist" page, click the add button.
A pop-up window will appear, enter your website URL into the designated field.
Please submit your URL without the https:// prefix.
For example, if your website is https://example.com, you should enter example.com.
3.4 Wait for Review and Approval:
Once your URL is approved and whitelisted, your website will be authorized to interact with our platform's services as intended.

4. Calling the payment interface#

Call the interface using the RESTful method.
VersionEndpointDescription
V2/v2/paymentUnified RSA256 signing

5. Support#

Jumpstart your integration with our API demos and code samples.
Payment demo

6. Pre-Go-Live Review#

Confirm all Sandbox test cases have passed.
Modified at 2026-06-17 10:09:43
Previous
Introduction
Next
Country Code
Built with