Skip to main content

Payment Service API - Detailed Documentation

The Payment Service API enables seamless and secure payment processing through open banking. It provides a redirect URL for hosted payment processing, ensuring compliance with banking regulations and providing a streamlined user experience.

API Playground:

  • /payments/initiate
  • /payments/status
  • /payments/challenge-deposit
You can try the initiate payment endpoint here.

Key Features

  • Redirection Handling: The returned redirect URL should not be embedded in an iframe or an embedded WebView. Instead, a proper browser redirect should be used.
  • Customization: The payment page can be customized in terms of UI/UX, so redirection is not an issue.
  • Webhooks: Webhooks can be called for by our service if required for more complex operations. You will be able to specify your webhook URL to us at the point when we onboard and set you up for the service. We can customize the flows and reduce the number of calls made to the API by enabling webhooks. Please speak to our specialists when signing up for the service so we can design the flow you require. To properly receive incoming webhooks, your server should provide an endpoint supporting:
    • TLS encryption version 1.2
    • POST requests that are either raw in text/plain if encrypted or application/json if no encryption is activated.
    You can use a service like webhook.site to test receiving webhooks from your developer dashboard. For local testing, you can use a CLI tool such as ngrok to forward the requests to your local development server. When you receive an event, your endpoint should return an HTTP 2xx status code indicating that the event has been successfully received. Webhooks are automatically retried for up to 24 hours if no HTTP 200 status code is returned. The call will also be considered failed if your endpoint doesn’t respond within 10 seconds. When a webhook call fails, we’ll retry the call 6 more times. By default, we wait:
    • 10 seconds between the first and second attempt,
    • 100 seconds between the third and the fourth,
    • 1000 seconds between the fourth and the fifth,
    • 10000 seconds for the last attempt.
  • Upcoming Features: Future improvements include a rendered payment button, seamless/modal implementations, and native SDKs.
  • Regular Open Banking Payments and Challenge Deposits: The API supports both regular open banking payments and Challenge Deposits, which include additional verification mechanisms such as name matching. These are handled through a dedicated endpoint described separately.

Complete Payment Flow Sequence

Typical Payment Workflow

1

End-user completes purchase

The end-user completes a purchase and selects the pay-by-bank option.
2

Handling UI Interactions

The merchant (our customer) handles all UI interactions up to this point.
3

Initiating Payment

The merchant sends a payment initiation request (/payments/initiate).
4

Redirecting to Hosted Payment Page

A redirectUrl for the Hosted Payment Page is returned.
5

User completes payment

The user is redirected to the hosted page and completes the payment.
6

Handling Redirect

Upon completion:
  • The user is redirected back to the merchant using the returnUrl specified in the request.
  • If no URL is provided, a message such as “You can now close this window.” is displayed.
7

Checking Payment Status

The merchant sends a retrieve transaction status request (/payments/status) to check the payment status.
8

Pending Status

If the status is still pending, all status queries will return a PENDING status.
9

Displaying Results

Based on the final status, the merchant can display the results to the user.

Endpoints Overview

  1. Initiate Payment: Redirects users to the provider’s hosted payment page and initiates a transaction.
  2. Retrieve Transaction Status: Retrieves the current status of a payment transaction.
  3. Challenge Deposit: Initiates a challenge deposit by sending a small amount to the user’s bank account.

Authentication

To access the Address Verification API, authentication is required. A Bearer Token must be included in every request.
  • Tokens are valid for 60 minutes and must be refreshed after expiration.
  • Refer to the Authentication for detailed steps on obtaining a token.
  • Include the token in the Authorization header as follows:
Authorization: Bearer YOUR_ACCESS_TOKEN

API Base URL

https://api-umbrella.io/api/services

1. Regular A2A Payment

1.1 Initiate Payment

Endpoint

POST /payments/initiate

Description

Initiates a payment by redirecting the user to a hosted payment page.

Required Headers

HeaderValue
Content-Typeapplication/json
AuthorizationBearer yourAccessToken

Request Body Parameters

FieldTypeRequiredDescriptionFormat / Allowed Values
referenceIdstringYesUnique identifier for the transaction generated by your system.Alphanumeric
transactionDescriptionstringYesDescription of the transaction.Free text
returnUrlstringYesURL to redirect after payment completion - back to the calling app or website.URL
storedBICstringNoPre-stored BIC code.BIC format
languagestringNoLanguage codeISO 639-1 (e.g., “DE”)
currencystringYesCurrency codeISO 4217 (e.g., “EUR”)
amountstringYesPayment amount formatted as a decimal string.Decimal (e.g., “12.50”)
countrystringNoCountry codeISO 3166-1 alpha-2 (e.g., “DE”)

Response Structure

FieldTypeDescription
requestIdstringUnique identifier for the request. Will be used to query the transfer status in the Retrieve Transaction Status api call below.
redirectUrlstringURL to redirect the user to the hosted payment page.

Example Request

{
    "amount": "100.50",
    "currency": "EUR",
    "referenceId": "uniqueRefId123",
    "transactionDescription": "Payment for Order #12345",
    "returnUrl": "https://example.com/callback",
    "storedBIC":"BOFIIE2D",
    "language": "DE"
}

Example Response

{
    "requestId": "req123456789",
    "redirectUrl": "https://example.com/app/req_123456789"
}

1.2 Retrieve Transaction Status

Endpoint

GET /payments/status

Description

Retrieves the status of a transaction.

Request Body Parameters

FieldRequiredTypeDescription
requestIdYesstringUnique identifier for the transaction generated from the Initiate Payment API call.

Response Structure

FieldTypeDescription
statusstringTransaction status (PENDING, COMPLETED, FAILED).
statusReasonInformationstringAdditional details about the status.

Example Request

{
    "requestId": "uniqueRefId123"
}

Example Response

{
    "status": "PENDING",
    "statusReasonInformation": "User redirected to bank."
}

Status Response Fields

StatusDescription
PROCESSINGThe transaction is in process; the final status has not yet been received from the bank.
SUCCESSSuccessful payment initiation has been received from the bank. Settlement might not be complete.
INITIATEDThe transaction was initiated but the result is unknown. This status will not be updated further.
PENDINGAuthorization process at the bank is complete; transfer is pending redemption. Relevant for 2-step payment flows.
PENDING_EXTERNAL_AUTHORIZATIONThe user is sent to the bank to complete the authorization process. If not completed, it transitions to FAILURE_EXPIRED.
FAILURE_GENERICIndicates a technical failure with no further details from the bank.
FAILURE_PERMISSION_DENIEDThe user has been denied authorization at the bank. Relevant for 2-step payment flows.
FAILURE_CANCELEDPayment initiation was canceled before execution.
FAILURE_EXPIREDAuthorization process was not completed within the allowed timeframe and the payment expired.
FAILURE_INSUFFICIENT_FUNDSPayment initiation request was rejected due to insufficient funds.
FAILURE_DECLINEDPayment initiation was rejected by the bank.
SETTLEMENT_IN_PROGRESSWaiting for payment to reach the payee bank.
SETTLEMENT_COMPLETEDPayment has reached the payee bank and reconciliation is complete.
SETTLEMENT_INCOMPLETEReconciliation failed; corresponding transaction not found in the settlement account.

Supported Languages

To specify the language for the hosted page, use the language field in the payment initiation request. Supported languages include:
  • EN
  • DE
  • SL
  • PT
  • IT
  • FR
  • CZ
  • PL
  • ES
  • HU
  • NL
  • RO
Example: 
"language": "FR"

Common Errors

Error CodeDescription
400Invalid Request: Missing required fields.
401Unauthorized: Authentication failed.
403Permission to access this endpoint is denied.
404Not Found: Reference ID not recognized.
429Too many requests.
500Internal Server Error: Unexpected server issue.
501The operation was not implemented.
503Service is unavailable.
504Gateway has timed out.

2. Challenge Deposit (Penny Drop)

Introduction

The Challenge Deposit (also known as Penny Drop) is an additional compliance step used for identity verification in regulated markets.

2.1. Initiate Challenge Deposit

Endpoint

POST /payments/challenge-deposit

Description

Initiates a challenge deposit by sending a small amount to the user’s bank account. It verifies whether the provided name and IBAN match and can optionally return PII details.

Required Headers

HeaderValue
Content-Typeapplication/json
AuthorizationBearer yourAccessToken

Request Body Parameters

FieldTypeRequiredDescriptionFormat / Allowed Values
amountstringYesSmall amount sent for verification.Decimal (e.g., "0.10")
currencystringYesCurrency code.ISO 4217 (e.g., "EUR")
descriptionstringYesDescription is mandatory and cannot be blank. It must not contain spaces or special characters, but hyphens (-) are allowed as separators.Alphanumeric
firstNamestringYesFirst name for identity verification.Free text
lastNamestringYesLast name for identity verification.Free text
piiToggleintegerYesDetermines if PII details should be returned.0 (no PII) / 1 (PII)
nameMatchLogicstringYesName matching logic type."exact" or "fuzzy"

Response Structure

FieldTypeDescription
descriptionstringThe description sent in the request.
statusstringStatus of the challenge deposit ("OK", "FAIL").
globalResultobjectContains verification score and assessment result.
globalResult.overallstringOverall assessment ("review", "pass", "fail").
globalResult.totalScoreintegerScore (0-100) indicating verification quality.
nameMatchScoreintegerScore (0-100) indicating how well names matched.
ibanstringVerified IBAN.
returnedFirstNamestringFirst name returned from verification, if piiToggle = 1, otherwise omitted.
returnedLastNamestringLast name returned from verification, if piiToggle = 1, otherwise omitted.

Example Request

{
    "amount": "0.10",
    "currency": "EUR",
    "description": "merchantId19887-65",
    "firstName": "John",
    "lastName": "Doe",
    "piiToggle": 1,
    "nameMatchLogic": "fuzzy"
}

Example Response

{
    "requestId": "e5c81c78-272b-4307-9197-3ace19109fd3",
    "description": "merchantId19887-65",
    "status": "OK",
    "globalResult": {
        "overall": "review",
        "totalScore": 100
    },
    "nameMatchScore": 85,
    "iban": "DE44500105175407324931",
    "returnedFirstName": "John",
    "returnedLastName": "Doe"
}

Best Practices

Security

  • Never store bank credentials - Authentication is handled entirely by banks
  • Use HTTPS only - All API calls and redirects must use secure connections
  • Validate redirect URLs - Ensure returnUrl points to your domain
  • Implement CSRF protection - Validate state tokens on return URLs

User Experience

  • Show clear payment status - Keep customers informed during processing
  • Handle timeouts gracefully - Provide clear messaging if authorization expires
  • Offer alternative payments - Have backup payment methods available
  • Mobile optimization - Ensure redirect flow works on mobile browsers

Operations

  • Monitor settlement times - Track time from SUCCESS to SETTLEMENT_COMPLETED
  • Reconcile daily - Match API statuses with actual bank account credits
  • Set up alerts - Monitor for unusual failure rate spikes
  • Log everything - Maintain audit trail of all transactions and status changes

Performance

  • Use webhooks when possible - Reduces latency vs. polling
  • Implement intelligent polling - Poll frequently initially, then back off
  • Cache status results - Avoid redundant status checks
  • Async processing - Don’t block user requests during status checks
I