Introduction

HitPay’s Static QR feature enables businesses to create multiple “Static” QR codes that will facilitate QR payments. This solution is particularly beneficial for small and micro businesses, donation drives, and businesses with multiple locations.

What is a Static QR Code?

A Static QR Code for payments contains fixed payment information, such as the merchant account or business name. Once generated, the code does not change and can be reused indefinitely by any number of customers.

Learn more about HitPay Static QRs here

Because the payment amount is not embedded in the QR code, customers must enter the correct amount during payment. Consider using Embedded QR codes for automated billing and precise transaction tracking.

Core Concept

At a high level, integrating Static QR codes into your system involves a 4-step process:

Supported Methods

Please note that Static QR codes are supported only for some payment methods and countries. The following methods support QR codes:

| Payment Method | Code | Country |
|---|---|---|
| PayNow | paynow_online | SG |
| QRPH | qprh_netbank | PH |

Authentication

Before integration, it’s essential to understand how HitPay APIs are authenticated. HitPay uses API keys to grant access to the API. You can locate this key in your dashboard under “API keys.”

HitPay requires the API key to be included in every API request to the server. Place the key in a header that follows the format shown below:

X-BUSINESS-API-KEY: meowmeowmeow

$request->setHeaders(array(
  'X-BUSINESS-API-KEY' => 'meowmeowmeow',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'X-Requested-With' => 'XMLHttpRequest'
));

API keys should be kept confidential and stored only on your servers. Do not store them on your mobile or web client.

Step 1: Create a Static QR

Endpoint

POST /v1/static_qr

Creates a payment request and generates a QR code for the paynow_online payment method.

Request Parameters

| Parameter | Type | Description |
|---|---|---|
| name | string | Required. The amount to be paid. |
| payment_provider_method | string | Required. E.g. specify paynow_online as the payment method. |
| location_id | string | Optional. The HitPay location_id to be tagged under all transactions made through this Static QR. |

Example Request

{
  "name": "My First Static QR",
  "payment_provider_method": ["paynow_online"],
  "location_id": "96e2163c-d9bb-4f36-8bbd-09ca1381d3e6"
}

Response

The response will include a qr_value object, which contains the data to be converted into a scannable QR code (qr_code).

Step 2: Print / Present the QR Code

Once the Static QR code value is obtained, you can display the QR code using the qr_value data and present it to the user.

Step 3: Client Scans and Initiates Payment

The client scans the presented QR code with their banking app, enters the amount and initiates the payment process.

Step 4: Handle Webhooks and Server Communication

After the payment is processed, handle webhooks to receive payment notifications and manage server-client communication to update the payment status in your system.

What is a Webhook?

A webhook is a POST request sent from HitPay’s server to your server to confirm the payment. If you are using HitPay APIs to integrate into your e-commerce checkout, you must mark your order as paid ONLY after the webhook is received and validated.

Handling the webhook

  • Create an endpoint (e.g. /payment-confirmation/webhook) on your server that accepts POST requests. The request body is application/x-www-form-urlencoded.
  • Validate the webhook data using your salt value
  • Return HTTP status code 200 to HitPay
  • Mark your order as paid
  • Sample webhook payload data

Sample Webhook Payload

payment_id=92965a2d-ece3-4ace-1245-494050c9a3c1&payment_request_id=92965a20-dae5-4d89-a452-5fdfa382dbe1&reference_number=ABC123&phone=&amount=599.00&currency=SGD&status=completed&hmac=330c34a6a8fb9ddb75833620dedb94bf4d4c2e51399d346cbc2b08c381a1399c

Webhook fields

The following fields are sent with the webhook request:

| Parameter | Description |
|---|---|
| payment_id | Payment ID |
| payment_request_id | Payment request ID |
| phone | Buyer’s phone number |
| amount | Amount related to the payment |
| currency | Currency related to the payment |
| status | Payment status (completed / failed) |
| reference_number | Arbitrary reference number mapped during payment request creation |
| hmac | Message Authentication code of this webhook request |

Validating a Webhook

To validate a webhook payload from HitPay, follow these steps:

  1. Payload Extraction: Extract the key-value pairs from the webhook payload. For example:
payment_id=92965a2d-ece3-4ace-1245-494050c9a3c1&payment_request_id=92965a20-dae5-4d89-a452-5fdfa382dbe1&reference_number=ABC123&phone=&amount=599.00&currency=SGD&status=completed&hmac=330c34a6a8fb9ddb75833620dedb94bf4d4c2e51399d346cbc2b08c381a1399c
  2. Exclude HMAC and Values: Remove the "hmac" key and its corresponding value from the extracted payload. For example:

  3. Concatenation and Sorting: Concatenate the keys and values from the remaining key-value pairs without using "&" and "=", and arrange them in alphabetical order of the keys. For example:

amount1.00currencySGDpayment_id91d94138-b0b5-4ba0-b78c-babc59776876payment_request_id91d94124-0d1c-4fb4-921e-51953793106cphonereference_number201000000Dstatuscompleted
  4. Signature Generation: Use the HMAC-SHA256 algorithm along with the secret salt from your dashboard to generate a signature for the concatenated string. This signature will be unique to this payload.

  5. Comparison and Validation: Compare the generated signature with the HMAC value present in the original payload, both values must match.

By following these steps, you can ensure the authenticity and integrity of the webhook payload received from HitPay. This process guarantees that the payload can be trusted and processed securely.

Sample Code

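// Builds the HMAC-SHA256 signature for a webhook payload.
// $args must already have the "hmac" key removed (step 2 above).
function generateSignatureArray($secret, array $args) {
  $hmacSource = [];
  foreach ($args as $key => $val) {
    // Each entry is the key immediately followed by its value, without "=" or "&".
    $hmacSource[$key] = "{$key}{$val}";
  }
  // Sort by key so the concatenation follows alphabetical key order.
  ksort($hmacSource);
  $sig            = implode("", array_values($hmacSource));
  $calculatedHmac = hash_hmac('sha256', $sig, $secret);

  return $calculatedHmac;
}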
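
The validation steps and the "Handling the webhook" checklist above, combined into one verifier. This is an added example, not HitPay's code or part of the original page; it adds a constant-time comparison, rejection of non-string fields and a duplicate check on payment_id. The function names, the salt and the payload values are hypothetical.

```php
<?php
// Added example, not HitPay's code. The salt, payload values and the
// in-memory $seen store are constructed for illustration.

// Steps 2-4: drop "hmac", sort by key, concatenate key+value, HMAC-SHA256.
function webhookSignature(string $salt, array $fields): string {
    unset($fields['hmac']);
    ksort($fields);
    $source = '';
    foreach ($fields as $key => $val) {
        $source .= $key . $val;
    }
    return hash_hmac('sha256', $source, $salt);
}

// Returns 'ok', 'duplicate', 'not_completed' or 'rejected'.
function verifyWebhook(string $rawBody, string $salt, array &$seen): string {
    parse_str($rawBody, $fields);   // body is application/x-www-form-urlencoded
    foreach ($fields as $val) {
        if (!is_string($val)) {     // e.g. amount[]=1 would parse to an array
            return 'rejected';
        }
    }
    $received = $fields['hmac'] ?? '';
    $id       = $fields['payment_id'] ?? '';
    // Step 5: hash_equals() compares in constant time, unlike == or ===.
    if ($received === '' || $id === ''
        || !hash_equals(webhookSignature($salt, $fields), $received)) {
        return 'rejected';
    }
    if (($fields['status'] ?? '') !== 'completed') {
        return 'not_completed';
    }
    if (isset($seen[$id])) {
        return 'duplicate';         // re-delivered or replayed: do not pay twice
    }
    $seen[$id] = true;              // in production, a unique key in your database
    return 'ok';
}

// Constructed demo payload, signed with a constructed salt.
$salt   = 'constructed-demo-salt';
$fields = ['payment_id' => 'demo-pay-1', 'payment_request_id' => 'demo-req-1',
           'reference_number' => 'ABC123', 'phone' => '', 'amount' => '599.00',
           'currency' => 'SGD', 'status' => 'completed'];
$body = http_build_query($fields + ['hmac' => webhookSignature($salt, $fields)]);
$seen = [];
echo verifyWebhook($body, $salt, $seen), "\n";                                 // genuine webhook
echo verifyWebhook(str_replace('599.00', '1.00', $body), $salt, $seen), "\n";  // amount altered
echo verifyWebhook($body, $salt, $seen), "\n";                                 // same webhook again
```

Because a Static QR carries no amount, also compare the verified amount and currency with what the order expects before marking it paid.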