Developers

API and connection documentation

Interaction between the store and Paybox.money

The exchange of information between the store and Paybox.money can take place in two ways:

1
Directly, by calling specific URLs
2
Through the user's browser

When exchanging data, the parameter naming convention applies: the names of all the parameters that relate to the Paybox.money and store interaction have the prefix pg_, all other parameters do not have it.

When specifying any amount of money, a point is used to separate the fractional part. If a number is integer, then the indication of the fractional part is optional. The number of characters after the point is not more than two. Thousands are not separated by any signs.

Any messages (requests and responses) between Paybox.money and the store are to be signed. A signature is generated by concatenating with a separator ';':

1. The name of the called script (from the last '/' to the end or '?')

2. All fields of the message in alphabetical order, including a random string pg_salt, consisting of an arbitrary number of digits and Latin letters, wherein:

  • a. to nested tags, this rule is applied recursively (only XML)
  • b. fields with the same name are taken in the order in which they appear in the message

3. And the payment password secret_key, which is set in the settings of the store and is known only to the store and PayBox.money.

From the resultant string concatenation, it is necessary to compute md5 and add to the request or response as an additional parameter pg_sig. MD5 hash is written as a hexadecimal string in lower case (32 characters).

Sample call: http://domain.com/path/to/script.php

<?xml version="1.0" encoding="utf-8"?>
<request>
     <pg_salt>9imM909TH820jwk387</pg_salt>
     <pg_t_param>value3</pg_t_param>
     <pg_a_param>value1</pg_a_param>
     <pg_z_param>
          <pg_q_subparam>subvalue2</pg_q_subparam>
          <pg_m_subparam>subvalue1</pg_m_subparam>
     </pg_z_param>
     <pg_b_param>value2</pg_b_param>
     <pg_sig>74aa41a4f425d124a23c3a53a3140bdc15826</pg_sig>
</request>
  9imM909TH820jwk387
  value3
  value1
  
    subvalue2
    subvalue1
  
  value2
  74aa41a4f425d124a23c3a53a3140bdc15826

In the above example, pg_sig is calculated by the formula:

pg_sig = md5(‘script.php’ + ‘;’+ pg_a_param + ‘;’ + pg_b_param + ‘;’ + pg_salt + ‘;’+ pg_t_param + ‘;’ + pg_m_subparam + ‘;’+ pg_q_subparam + ‘;’+ secret_key);

Which unfolds into:

pg_sig = md5('script.php;value1;value2;9imM909TH820jwk387;value3;subvalue1;subvalue2;mypasskey');

if the settings specified that secret_key is equal to mypasskey

Any party can add additional parameters to the request or response that are not specified in the documentation. These parameters also participate in the calculation of the signature.

The message is not signed, and accordingly the pg_salt и pg_sig fields are missing only in one case - when PayBox was unable to identify the merchant and therefore does not know his secret_key. In this case, the pg_error_code field (numeric error code) is set to 101. For a complete list of possible values for the pg_error_code field, see the Error Code Reference.

To debug the formation of signatures, it is recommended to use the page in your personal account https://api.paybox.money/admin/sig_debug_helper.php

Need a consultation?

Send an enquiry and our managers will contact you in 15 minutes.