Embedded QR Code Payments allow seamless integration of QR payments directly into your platform without redirecting the users away.

Core Concept

At a high level, integrating payments into your system involves a 4-step process:

Supported Methods

Please note that not all payment methods support embedded QR Codes. Here is the list of methods that support QR Codes:

Payment MethodCode
ShopBackComing Soon
GrabPayComing Soon
ShopeePayComing Soon


Before integration, it’s essential to understand how Hitpay APIs are authenticated. Hitpay utilizes API keys to grant access to the API. You can locate this key in your dashboard under “API keys.”

Hitpay requires the API key to be included in all API requests to the server. This key should be placed in a header that follows the format shown below:

X-BUSINESS-API-KEY: meowmeowmeow

  'X-BUSINESS-API-KEY' => 'meowmeowmeow',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'X-Requested-With' => 'XMLHttpRequest'
API keys should be kept confidential and only stored on your servers. Do not store it on your mobile or web client

Step 1: Create a Payment Request

This is the first step of the payment flow. Once you have all the details from the user and are ready to collect payments, use this API to create a payment request.


POST /v1/payment-requests

Creates a payment request and generates a QR code for the paynow_online payment method.

Request Parameters

amountstringRequired. The amount to be paid.
currencystringRequired. The currency of the payment (e.g., “sgd”).
payment_methods[]arrayRequired. Specify paynow_online as the payment method.
generate_qrbooleanRequired. Set to true to generate the QR code.
namestringOptional. The name of the customer.
emailstringOptional. The email of the customer.
phonestringOptional. The phone number of the customer.
purposestringOptional. The purpose of the payment.
reference_numberstringOptional. A reference number for the payment.

Example Request

  "amount": "123.00",
  "currency": "sgd",
  "payment_methods": ["paynow_online"],
  "generate_qr": true,
  "expiry_date": "2024-06-01T14:37:11"


The response will include a qr_code_data object, which contains the data to be converted into a scannable QR code (qr_code).

Step 2: Generate and Present the QR Code

Once the payment request is created, generate the QR code using the response data and present it to the user.

Step 3: Client Scans and Initiates Payment

The client scans the presented QR code with their banking app and initiates the payment process.

Step 4: Handle Webhooks and Server Communication

After the payment is processed, handle webhooks to receive payment notifications and manage server-client communication to update the payment status in your system.

What is a Webhook?

Webhook is a POST request sent from HitPay’s server to your server about the payment confirmation. If you are using hitpay APIs to integrate into your e-commerce checkout you must mark your order as paid ONLY after the webhook is received and validated.

Handling the webhook

  • Create an endpoint (E.g. /payment-confirmation/webhook) in your server that accepts POST requests. This request is application/x-www-form-urlencoded.
  • Validate the webhook data using your salt value
  • Return HTTP status code 200 to Hitpay
  • Mark your order as paid
  • Sample webhook payload data

Sample Webhook Payload


Webhook fields

Following fields are sent with the webhook request:

payment_idPayment ID
payment_request_idPayment request ID
phoneBuyer’s phone number
amountAmount related to the payment
currencyCurrency related to the payment
statusPayment status (completed / failed)
reference_numberArbitrary reference number mapped during payment request creation
hmacMessage Authentication code of this webhook request

Validating a Webhook

To validate a webhook payload from HitPay, follow these steps:

  1. Payload Extraction: Extract the key-value pairs from the webhook payload. For example:
  1. Exclude HMAC and Values: Remove the "hmac" key and its corresponding value from the extracted payload. For example:

  2. Concatenation and Sorting: Concatenate the keys and values from the remaining key-value pairs without using "&" and "=", and arrange them in alphabetical order of the keys. For example:

  1. Signature Generation: Use the HMAC-SHA256 algorithm along with the secret salt from your dashboard to generate a signature for the concatenated string. This signature will be unique to this payload.

  2. Comparison and Validation: Compare the generated signature with the HMAC value present in the original payload, both values must match.

By following these steps, you can ensure the authenticity and integrity of the webhook payload received from HitPay. This process guarantees that the payload can be trusted and processed securely.

Sample Code

function generateSignatureArray($secret, array $args) {   
  $hmacSource = [];        
  foreach ($args as $key => $val) {
    $hmacSource[$key] = "{$key}{$val}";
  $sig            = implode("", array_values($hmacSource));
  $calculatedHmac = hash_hmac('sha256', $sig, $secret); 

  return $calculatedHmac;