Instant Payments API

Accept instant SEPA payments from your customers with zero chargebacks, no rolling reserves, and same-day settlement. This API lets you create checkout sessions and receive payment confirmations.

Overview

The Dapit Instant Payments API enables merchants to accept EUR payments via SEPA Instant Credit Transfer. Instead of credit cards, your customers pay directly from their bank account (Wise, Revolut, or any EUR-enabled bank). Payments settle in under 10 seconds and are irrevocable — no chargebacks.

Key Benefits:Very low Fees · Zero rolling reserves · Same-day settlement · No chargebacks · No card network dependency · Works worldwide via Wise/Revolut

Base URL:

https://www.maxafi.com/api/gateway/gateway.php

Payment Flow

The customer never leaves your website. When they choose "Pay with Instant Payments" at your checkout, your server talks to our API behind the scenes.

Create Session

Your server calls our API with the order amount

Display Payment Info

Show the IBAN, beneficiary name, and reference on YOUR checkout page

Customer Pays

They open Wise/Revolut, send EUR with the reference number

Customer Clicks "I Paid"

Your page calls our API to start payment verification

We Verify & Notify

We find the payment on the custodial IBAN, confirm it, and POST to your webhook

Two integration options:
Option A — API Integration (recommended): Your developer embeds the payment flow directly into your existing checkout page. The customer never leaves your site. You control the look and feel.

Option B — Hosted Checkout: If you don't have a developer, we provide a hosted checkout page. You redirect the customer to our URL and we handle everything. They see your merchant name on a Dapit-branded page.

Authentication

All API requests require your merchant API key. Include it in one of the following request headers:

X-Api-Key: mk_your_api_key_here

or, for legacy integrations:

X-Gateway-Key: your_api_key_here

Keys beginning with mk_ are unified keys that also carry permissions, rate limits, and environment (sandbox/production) metadata. Legacy plaintext keys without a prefix remain accepted.

Your API key is provided during merchant onboarding. Keep it secret — it authenticates all requests to our API on your behalf.

Security: Never expose your API key in client-side code. All API calls should be made from your server (backend), not from the browser.

New integrators: Before you build anything else, call Verify Key. It's a zero-cost health check that confirms your key is active, tells you whether you're in sandbox or production, and lists the permissions attached to the key.

Quick Start — Option A: API Integration

Your developer adds Instant Payments as a payment option on your existing checkout page. The customer never leaves your website.

Step 1: Customer selects "Pay with Instant Payments" on your checkout

Your checkout page already has credit card, ACH, etc. Add an "Instant Payments" button alongside them. When they click it, your server creates a session:

// YOUR SERVER — Create a session when customer chooses Instant Payments
const response = await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=create_session', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-Gateway-Key': 'your_api_key_here'
  },
  body: JSON.stringify({
    amount: 49.99,
    currency: 'EUR',
    items: [
      { name: 'Premium Game Credits', qty: 1, price: 49.99, total: 49.99 }
    ],
    callback_url: 'https://yoursite.com/webhooks/dapit'
  })
});

const session = await response.json();
// session.session_token → save this (you'll need it for polling)
// Now call create_invoice to get the payment details...

Step 2: Get payment details and display on YOUR page

// YOUR SERVER — Get the IBAN, beneficiary, and reference number
const invoice = await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=create_invoice', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ token: session.session_token })
}).then(r => r.json());

// Display these on YOUR checkout page:
// invoice.beneficiary_name → "Longemalle Trustees OU"
// invoice.iban             → "LT913740020058585210"
// invoice.reference_number → "DP-260330-XA6HSX"
// invoice.amount           → 49.99
// invoice.invoice_number   → "INV-260330-04821"
// invoice.qr_url           → scannable EPC QR (drop into <img src>)
//
// Tell the customer:
// 1. Scan the QR with your banking app (most EU banks support this) —
//    OR transfer manually if your app is Wise / Revolut / N26 (no EPC QR support)
// 2. Beneficiary: Longemalle Trustees OU
// 3. IBAN: LT913740020058585210
// 4. Reference: DP-260330-XA6HSX (must include EXACTLY)
// 5. Choose "Instant" or "SEPA Instant" on your bank's confirmation screen
// 6. Click "I've Sent the Payment" button on your page

Step 3: Customer clicks "I Paid" — start polling

// YOUR PAGE (JavaScript) — When customer clicks "I Paid"

// First, tell our API the customer says they paid
await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=confirm_paid', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ token: sessionToken })
});

// Then poll every 7 seconds until payment is confirmed
const pollInterval = setInterval(async () => {
  const check = await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=check_payment', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token: sessionToken })
  }).then(r => r.json());

  if (check.status === 'confirmed') {
    clearInterval(pollInterval);
    // 🎉 Full payment confirmed!
    showPaymentSuccess(check.total_paid, check.invoice_amount);

  } else if (check.status === 'partial') {
    clearInterval(pollInterval);
    // ⚡ Partial payment — show receipt + remaining balance
    showPartialPayment(check.total_paid, check.amount_remaining, check.payments);
    // When customer sends remaining: call confirm_paid again, restart polling

  } else if (check.status === 'overpaid') {
    clearInterval(pollInterval);
    // 💰 Overpayment — order confirmed, refund will be processed
    showOverpaid(check.total_paid, check.overpaid_amount, check.refund_net, check.refund_fee);

  } else if (check.status === 'timeout') {
    clearInterval(pollInterval);
    showPaymentRetry();
  }
  // 'pending' — keep polling
}, 7000);

Step 4: Receive webhook confirmation (your server)

// YOUR SERVER — Webhook endpoint receives POST when payment is confirmed
// Fires for both exact and overpayments (not for partial — only when fully paid)
app.post('/webhooks/dapit', (req, res) => {
  const { event, merchant_order_id, invoice_amount, amount_paid,
          overpaid_amount, refund_amount, refund_fee } = req.body;

  if (event === 'payment.confirmed') {
    // ✅ Payment confirmed! Update your order database.
    console.log(`Order ${merchant_order_id} paid: €${amount_paid} of €${invoice_amount}`);

    if (overpaid_amount > 0) {
      // Customer overpaid — refund of €(overpaid - fee) will be processed
      console.log(`Overpaid by €${overpaid_amount}. Refund: €${refund_amount} (fee: €${refund_fee})`);
    }

    // Mark order as paid, send confirmation email, trigger fulfillment
  }

  res.status(200).json({ received: true });
});

Quick Start — Option B: Hosted Checkout

If you don't have a developer or want the simplest possible integration, use our hosted checkout page. You just create a session and redirect — we handle the entire payment UI.

// YOUR SERVER — Create session and redirect customer to our hosted page
const session = await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=create_session', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-Gateway-Key': 'your_api_key_here'
  },
  body: JSON.stringify({
    amount: 49.99,
    currency: 'EUR',
    items: [{ name: 'Premium Game Credits', qty: 1, price: 49.99, total: 49.99 }],
    callback_url: 'https://yoursite.com/webhooks/dapit'
  })
}).then(r => r.json());

// Redirect customer to our hosted checkout
res.redirect('https://www.maxafi.com' + session.checkout_url);
// Customer sees: your merchant name, invoice, IBAN, reference, "I Paid" button
// When confirmed, we POST to your callback_url

Option A vs Option B: Option A gives you full control — the payment form matches your brand and the customer never leaves your site. Option B is faster to set up but sends the customer to a Dapit-branded page. Most merchants with a development team should use Option A.

Verify Key

POST ?action=verify_key

Lightweight credential check. Authenticates your API key and returns the merchant identity, environment, and attached permissions. No session is created, nothing is charged, and nothing is written to the database. Safe to call from setup scripts, health checks, and CI.

This should be the first endpoint you hit when wiring up a new integration. If it succeeds, your key is active and configured correctly, and you can proceed to Create Session.

Headers

Name	Value
X-Api-Key	Your merchant API key (`mk_...`) REQUIRED
Content-Type	`application/json` (body can be empty `{}`)

Request Body

None. An empty JSON object {} is fine.

Response — Valid Key

{
  "success": true,
  "merchant_id": 42,
  "merchant_name": "Acme Co.",
  "environment": "stage",
  "permissions": ["write:transactions", "read:transactions"],
  "key_type": "unified",
  "server_time": "2026-04-21T14:22:18Z"
}

Response — Invalid or Missing Key

{
  "success": false,
  "error": "Invalid API key"
}

HTTP status 401 is returned when the key is missing, invalid, or expired. HTTP 403 indicates the key exists but lacks gateway permissions.

Response Fields

Field	Type	Description
merchant_id	number	Internal merchant ID associated with this key.
merchant_name	string	Human-readable merchant / business name.
environment	string	`stage` or `prod`. Confirms whether this key is for sandbox or live traffic.
permissions	array	Scopes attached to the key. Gateway calls require at least `read:transactions` or `write:transactions`.
key_type	string	`unified` for `mk_`-prefixed keys, `legacy` for older plaintext keys.
server_time	string	Current UTC server time. Useful for clock-skew checks.

Example — curl

curl -X POST "https://www.maxafi.com/api/gateway/gateway.php?action=verify_key" \
  -H "X-Api-Key: mk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{}'

Create Session

POST ?action=create_session

Creates a new checkout session. Returns a checkout URL to redirect your customer to.

Headers

Name	Value
X-Gateway-Key	Your merchant API key REQUIRED
Content-Type	application/json

Request Body

Parameter	Type	Description
amount	number	Payment amount in EUR REQUIRED
currency	string	Currency code. Default: `EUR` OPTIONAL
items	array	Array of line items: `[{name, qty, price, total}]` OPTIONAL
order_id	string	Your own order/invoice number (e.g. `ORD-12345`). Returned in webhook so you can match to your system. OPTIONAL
customer_email	string	Customer's email address OPTIONAL
customer_name	string	Customer's name OPTIONAL
callback_url	string	URL we POST to when payment is confirmed OPTIONAL
expires_minutes	number	Session expiry in minutes. Default: `60` OPTIONAL

Response

{
  "success": true,
  "session_id": 42,
  "session_token": "a1b2c3d4e5f6...",
  "checkout_url": "/checkout/pay.html?session=a1b2c3d4e5f6...",
  "expires_at": "2026-03-30 23:30:00",
  "amount": 49.99,
  "currency": "EUR",
  "merchant_order_id": "ORD-12345"
}

Create Invoice

POST ?action=create_invoice

Generates the invoice, reference number, and returns the IBAN + beneficiary details. Call this after create_session to get the payment information to display on your checkout page. This is the key endpoint for Option A integration.

Request Body

Parameter	Type	Description
token	string	The session_token from create_session REQUIRED

Response

{
  "success": true,
  "reference_number": "DP-260330-XA6HSX",
  "invoice_number": "INV-260330-04821",
  "amount": 49.99,
  "currency": "EUR",
  "iban": "LT913740020058585210",
  "beneficiary_name": "Longemalle Trustees OU",
  "account_name": "Dapit Financial Infrastructure",
  "bank_name": "Dapit",
  "qr_url": "https://www.maxafi.com/api/gateway/epc_qr.php?ref=DP-260330-XA6HSX&token=..."
}

Display all of these on your checkout page: the beneficiary name, IBAN, and reference number. The customer must enter all three in their banking app exactly as shown.

New in v10.4.6: qr_url returns an absolute URL to a scannable EPC scan-to-pay QR code (SVG). Drop it directly into an <img src> tag — see the Scan-to-Pay QR section below for details.

Scan-to-Pay QR Code

GET /api/gateway/epc_qr.php?ref=...&token=...

Returns a scannable EPC069-12 v002 QR code (SVG image) that any modern EU banking app can read to pre-fill a SEPA Credit Transfer. Customer scans, banking app fills in beneficiary name, IBAN, amount, and reference automatically — customer just confirms and picks "Instant" or "SEPA Instant" on the rail picker.

You don't normally call this endpoint directly. create_invoice and get_session already return the absolute URL in the qr_url field. Just embed it in your checkout page:

// React / JSX
<img src={invoice.qr_url} alt="Scan to pay" width="240" height="240" />

// Plain HTML / template
<img src="{{ invoice.qr_url }}" alt="Scan to pay" />

Query Parameters

Parameter	Type	Description
ref	string	The reference_number from create_invoice REQUIRED
token	string	The session_token from create_session REQUIRED

Response

Content-Type: image/svg+xml — a scannable QR code, ~320×320 pixels by default. Cached for 30 minutes per session.

EPC Payload Encoded in the QR

BCD                              # service tag (fixed)
002                              # version
1                                # UTF-8
SCT                              # SEPA Credit Transfer
CNUALT21XXX                      # BIC
Longemalle Trustees OU           # beneficiary name
LT913740020058585210             # IBAN
EUR49.99                         # amount
OTHR                             # purpose code
                                 # structured ref (blank — we use unstructured)
DP-260330-XA6HSX                 # the Dapit reference
                                 # B2B info (blank)

About SEPA Instant. The EPC QR format doesn't carry a rail selector — the payer chooses Instant vs. Standard SCT in their banking app at the confirmation screen. Your checkout UI should nudge them: "When confirming, choose Instant or SEPA Instant." Dapit's custodial IBAN is SCT Inst reachable, so once they pick Instant the credit arrives in real time and your webhook fires.

Wise and Revolut don't support EPC QR scanning. Those apps don't parse the EPC format regardless of version. Customers using Wise or Revolut should use manual entry (display the IBAN, beneficiary name, and reference as text alongside the QR). Most traditional EU banks do support EPC QR — Sparkasse, Deutsche Bank, ING, Commerzbank, BNP Paribas, KBC, Belfius, Rabobank, Raiffeisen, Erste, and similar.

Full Example: Custom Checkout with QR

// 1. Create session
const session = await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=create_session', {
    method: 'POST',
    headers: { 'X-Api-Key': 'mk_live_...', 'Content-Type': 'application/json' },
    body: JSON.stringify({ amount: 49.99, currency: 'EUR', items: [...] })
}).then(r => r.json());

// 2. Create invoice — this returns qr_url ready to render
const invoice = await fetch('https://www.maxafi.com/api/gateway/gateway.php?action=create_invoice', {
    method: 'POST',
    headers: { 'X-Api-Key': 'mk_live_...', 'Content-Type': 'application/json' },
    body: JSON.stringify({ token: session.session_token })
}).then(r => r.json());

// 3. Render the QR + manual fallback
document.getElementById('checkout').innerHTML = `
    <h2>Pay €${invoice.amount}</h2>
    <img src="${invoice.qr_url}" alt="Scan with your banking app" />
    <p>Or transfer manually:</p>
    <p><strong>Recipient:</strong> ${invoice.beneficiary_name}</p>
    <p><strong>IBAN:</strong> ${invoice.iban}</p>
    <p><strong>Reference:</strong> ${invoice.reference_number}</p>
`;

Notes

qr_url is only present when a session has a reference number (i.e. after create_invoice). On get_session calls before invoicing, the field is null.
The URL is publicly accessible (no auth header needed) but cryptographically scoped to the session — the QR endpoint validates ref + token against gateway_sessions before emitting. Leaking a qr_url exposes only the EPC payload, no PII or credentials.
Cache the SVG client-side. The endpoint emits Cache-Control: private, max-age=1800 (30 minutes), which is plenty for a typical checkout session.
If you want to render the QR with your own brand colors or add a center logo, you can fetch the raw EPC payload by parsing the SVG, or contact us for a future ?format=text mode.

Confirm Paid (optional)

POST ?action=confirm_paid

This endpoint is OPTIONAL. Reconciliation is automatic. Our server-side reconciler checks the custodial IBAN every 60 seconds for credits matching your reference number, regardless of whether confirm_paid was ever called. You only need this endpoint if you want a faster client-side polling experience for your customer (sub-60-second confirmation).

Call this if you want our system to start a faster polling cycle (every 5-7 seconds) right after the customer signals they sent the wire. If you skip it, the cron will still match the credit and fire your webhook within ~60 seconds of settlement. Most integrators don't need this endpoint.

Request Body

Parameter	Type	Description
token	string	The session_token REQUIRED

Response

{
  "success": true,
  "status": "polling",
  "reference": "DP-260330-XA6HSX",
  "message": "Payment verification started. We are checking for your transfer."
}

Check Payment (Polling) (optional)

POST ?action=check_payment

Also optional. Use this if you want a real-time UI showing the customer "Checking your payment\u2026". If you skip both confirm_paid and check_payment, you'll receive the payment.confirmed webhook automatically when the cron matches the credit \u2014 typically within 60 seconds of SEPA Instant settlement, or up to a business day for SEPA Standard.

Poll this endpoint every 5-7 seconds for an interactive payment-confirmation UX. Handles exact payments, partial payments, and overpayments automatically.

Request Body

Parameter	Type	Description
token	string	The session_token REQUIRED

Response — Full Payment

{
  "success": true,
  "status": "confirmed",
  "paid_at": "2026-03-31 10:05:12",
  "invoice_amount": 7.00,
  "total_paid": 7.00,
  "payment_count": 1,
  "payments": [{ "amount": 7.00, "debtor_name": "John Smith", "debtor_iban": "DE89370400440532013000" }],
  "amount_match": true
}

Response — Partial Payment

If the customer sends less than the invoice amount, you get a partial status. Show the receipt and remaining balance, then let them send the rest using the same reference number. Call confirm_paid again to restart polling.

{
  "success": true,
  "status": "partial",
  "invoice_amount": 7.00,
  "total_paid": 3.00,
  "amount_remaining": 4.00,
  "payment_count": 1,
  "payments": [{ "amount": 3.00, "debtor_name": "John Smith" }],
  "message": "We received €3.00 of your €7.00 payment. Remaining balance: €4.00."
}

Response — Overpayment

If the customer sends more than the invoice amount, the order is confirmed but we flag the overpayment. A refund will be processed minus a €1.00 processing fee.

{
  "success": true,
  "status": "overpaid",
  "paid_at": "2026-03-31 10:05:12",
  "invoice_amount": 5.00,
  "total_paid": 8.00,
  "overpaid_amount": 3.00,
  "refund_fee": 1.00,
  "refund_net": 2.00,
  "message": "Payment received! You overpaid by €3.00. A refund of €2.00 will be processed (€3.00 minus €1.00 processing fee)."
}

Response — Still Searching

{
  "success": true,
  "status": "pending",
  "message": "Payment not yet detected. Checking again...",
  "poll_count": 5,
  "max_polls": 60
}

Response — Timeout

{
  "success": true,
  "status": "timeout",
  "message": "Payment not detected after maximum attempts. Please contact support."
}

Partial Payment Flow: When you receive status: "partial", display the receipt and remaining balance to the customer. They send the remaining amount with the same reference number. The reconciler will detect the additional credit automatically (within 60 seconds) and fire payment.confirmed when the full amount is received. If you want a faster UX, call confirm_paid + poll check_payment after the customer indicates they sent the additional payment.

Get Session

GET ?action=get_session&token=SESSION_TOKEN

Retrieve details about a checkout session including its current status.

Parameters

Parameter	Type	Description
token	string	The session_token from create_session REQUIRED

Response

{
  "success": true,
  "session_id": 42,
  "merchant_name": "Your Store Name",
  "amount": 49.99,
  "currency": "EUR",
  "status": "confirmed",
  "reference_number": "DP-260330-XA6HSX",
  "invoice_number": "INV-260330-04821",
  "qr_url": "https://www.maxafi.com/api/gateway/epc_qr.php?ref=DP-260330-XA6HSX&token=...",
  "paid_at": "2026-03-30 22:05:12"
}

Payment Status

GET ?action=payment_status&reference=DP-XXXXXX-XXXXXX

Check the payment status for a specific reference number. Requires API key authentication.

Headers

Name	Value
X-Gateway-Key	Your merchant API key REQUIRED

Parameters

Parameter	Type	Description
reference	string	The reference number (e.g. DP-260330-XA6HSX) REQUIRED*
session_token	string	Or use the session token instead REQUIRED*

* Provide either reference OR session_token

Response

{
  "success": true,
  "reference_number": "DP-260330-XA6HSX",
  "invoice_number": "INV-260330-04821",
  "amount": 49.99,
  "currency": "EUR",
  "status": "confirmed",
  "confirmed_at": "2026-03-30 22:05:12"
}

List Transactions

GET ?action=list_transactions

List all gateway transactions for your merchant account. Supports filtering by status and pagination.

Headers

Name	Value
X-Gateway-Key	Your merchant API key REQUIRED

Parameters

Parameter	Type	Description
status	string	Filter: pending, polling, confirmed, failed, expired OPTIONAL
limit	number	Results per page (max 200). Default: 50 OPTIONAL
offset	number	Pagination offset. Default: 0 OPTIONAL

Response

{
  "success": true,
  "transactions": [
    {
      "reference_number": "DP-260330-XA6HSX",
      "amount": 49.99,
      "status": "confirmed",
      "confirmed_at": "2026-03-30 22:05:12"
    }
  ],
  "total": 1,
  "limit": 50,
  "offset": 0
}

Webhook: Payment Confirmed

When a payment is confirmed, we send a POST request to your registered callback_url with the payment details.

Set your callback URL either when creating a session (via callback_url parameter) or contact us to set a default URL for all your sessions.

Webhook Payload

{
  "event": "payment.confirmed",
  "reference_number": "DP-260330-XA6HSX",
  "invoice_number": "INV-260330-04821",
  "merchant_order_id": "ORD-12345",
  "invoice_amount": 7.00,
  "amount_paid": 7.00,
  "amount_remaining": 0,
  "overpaid_amount": 0,
  "refund_amount": 0,
  "refund_fee": 0,
  "currency": "EUR",
  "paid_at": "2026-03-31 10:05:12",
  "session_token": "a1b2c3d4e5f6...",
  "customer_email": "john@example.com",
  "customer_name": "John Smith"
}

Overpayment example: If invoice_amount is 5.00 and amount_paid is 8.00, the webhook will include overpaid_amount: 3.00, refund_fee: 1.00, and refund_amount: 2.00. The order is still confirmed — the refund is handled separately.

merchant_order_id is YOUR order number that you passed when creating the session. Use it to match the payment confirmation back to the order in your system — no need to track our reference numbers if you don't want to.

Expected Response

Return a 200 status code to acknowledge receipt. If we don't get a 200, we'll flag the notification as undelivered.

PHP Example

<?php
$payload = json_decode(file_get_contents('php://input'), true);

if ($payload['event'] === 'payment.confirmed') {
    $orderId = $payload['merchant_order_id'];  // YOUR order number
    $ref     = $payload['reference_number'];   // Our reference (DP-XXXXXX-XXXXXX)
    $amount  = $payload['amount'];
    $paidAt  = $payload['paid_at'];
    $email   = $payload['customer_email'];

    // Match to your order and mark as paid
    $db->query("UPDATE orders SET status = 'paid', paid_at = '$paidAt' WHERE order_id = '$orderId'");

    // Send confirmation email to customer
    // Trigger fulfillment / shipping

    error_log("Order $orderId paid: €$amount (ref: $ref)");
}

http_response_code(200);
echo json_encode(['received' => true]);

Webhook Security

Every webhook delivery is signed with HMAC-SHA256 using a secret specific to your merchant account. You verify the signature on your side to confirm the webhook originated from Dapit and the body was not modified in transit.

Your webhook signing secret is shown in Gateway Admin \u2192 Settings \u2192 Webhook Signing Secret. Copy it once during setup. If it ever leaks, rotate it immediately \u2014 the previous value stops working the instant you rotate.

Headers

Every signed webhook delivery includes two extra headers:

Header	Value
X-Dapit-Timestamp	Unix timestamp (seconds) at the moment we signed the payload. Used to guard against replay attacks.
X-Dapit-Signature	`sha256=<hex>` where `<hex>` is the HMAC-SHA256 of `timestamp + "." + raw_body`, keyed with your webhook secret.

Verification algorithm

Read the raw body (do not parse JSON yet).
Read X-Dapit-Timestamp and X-Dapit-Signature.
Reject the request if the timestamp is older than 5 minutes (replay guard).
Compute expected = hmac_sha256(timestamp + "." + raw_body, webhook_secret).
Strip the sha256= prefix from X-Dapit-Signature.
Compare with a constant-time string comparison (crypto.timingSafeEqual in Node, hash_equals in PHP).
If they match, the webhook is authentic. Only then parse the JSON and act on it.

TypeScript verification

// Express / Node 18+ example
import express from "express";
import crypto from "node:crypto";

const WEBHOOK_SECRET = process.env.DAPIT_WEBHOOK_SECRET!;  // whsec_...
const MAX_AGE_SECONDS = 300;  // 5 minutes

// IMPORTANT: capture the raw body for signature verification
const app = express();
app.use("/webhooks/dapit", express.raw({ type: "application/json" }));

app.post("/webhooks/dapit", (req, res) => {
  const timestamp = req.header("X-Dapit-Timestamp");
  const signature = req.header("X-Dapit-Signature");
  const rawBody   = (req.body as Buffer).toString("utf8");

  if (!timestamp || !signature) {
    return res.status(400).send("Missing signature headers");
  }

  // Replay guard
  const age = Math.abs(Date.now() / 1000 - Number(timestamp));
  if (!Number.isFinite(age) || age > MAX_AGE_SECONDS) {
    return res.status(400).send("Timestamp out of range");
  }

  // Compute expected
  const expected = crypto
    .createHmac("sha256", WEBHOOK_SECRET)
    .update(timestamp + "." + rawBody)
    .digest("hex");

  const received = signature.startsWith("sha256=")
    ? signature.slice(7)
    : signature;

  // Constant-time compare
  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(received, "hex");
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return res.status(401).send("Bad signature");
  }

  // Signature valid \u2014 safe to parse and act
  const event = JSON.parse(rawBody);
  // ... fulfil order (see main webhook section) ...

  res.status(200).json({ received: true });
});

PHP verification

<?php
$secret    = getenv('DAPIT_WEBHOOK_SECRET');
$timestamp = $_SERVER['HTTP_X_DAPIT_TIMESTAMP'] ?? '';
$signature = $_SERVER['HTTP_X_DAPIT_SIGNATURE'] ?? '';
$rawBody   = file_get_contents('php://input');

// Replay guard \u2014 5 minute window
if (!$timestamp || abs(time() - (int)$timestamp) > 300) {
    http_response_code(400);
    exit('Timestamp out of range');
}

$expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
$received = str_starts_with($signature, 'sha256=')
    ? substr($signature, 7)
    : $signature;

if (!hash_equals($expected, $received)) {
    http_response_code(401);
    exit('Bad signature');
}

// Signature valid \u2014 parse and act
$event = json_decode($rawBody, true);
// ... fulfil order ...

http_response_code(200);
echo json_encode(['received' => true]);

Important: Verify the signature against the raw request body, not the parsed JSON object. Any reformatting (key reordering, whitespace changes) will change the bytes and the signature won't match. In Express, use express.raw() on the webhook route instead of express.json().

Defense in depth: Even with signatures, good hygiene is to also (1) restrict your webhook endpoint to HTTPS only, (2) treat reference_number as an idempotency key, and (3) for high-value orders, confirm by calling Payment Status back to our API before fulfilling.

Session & Transaction Statuses

Status	Description
`pending`	Session created, customer hasn't reached checkout yet
`invoiced`	Customer is on the checkout page, invoice + reference generated
`polling`	Customer clicked "I've Sent the Payment" — we're checking the custodial IBAN
`partial`	Payment received but less than invoice amount — waiting for remaining balance
`confirmed`	Full payment received and verified ✓
`overpaid`	Payment received but more than invoice amount — refund will be processed (minus €1 fee)
`failed`	Payment not detected after maximum polling attempts
`expired`	Session expired before payment was made

Error Handling

All errors return a JSON object with success: false and an error message:

{
  "success": false,
  "error": "Missing API key"
}

HTTP Code	Meaning
`400`	Bad request — missing or invalid parameters
`401`	Unauthorized — invalid or missing API key
`404`	Not found — session or transaction doesn't exist

Testing & Environments

Every merchant account starts in staging mode. This lets you integrate and test the full payment flow against a sandbox banking environment before going live with real money.

Staging vs Production

Feature	Staging	Production
Real money	No — test transactions only	Yes — real EUR transfers
IBAN	Staging IBAN (provided during onboarding)	Production IBAN
API Key	Same key — environment is set on your merchant account	Same key
Webhook	Fires normally — test your endpoint	Fires normally

How it works: Your API key is the same for both environments. When you're onboarded, your merchant account is set to staging. Once you've tested successfully, contact us and we'll flip your account to production. The create_session response includes an environment field so you always know which mode you're in.

Integration Checklist — Staging

Onboard with Dapit and receive your mk_live_... API key (the same key works for staging and production)
Confirm your account environment is set to staging — check the environment field in any create_session response
Build your checkout flow using Quick Start Option A or Option B
Test end-to-end with the test accounts below — send a small SEPA transfer from one of them to your staging custodial IBAN using your session's reference number
Verify your webhook endpoint receives the payment.confirmed event with valid signature
Once everything works, email us to flip your account to production

Test Accounts for Staging

Use these pre-funded test IBANs to simulate payments in the staging environment. Send EUR from either account to the staging custodial IBAN with the reference number from your checkout session.

Account Name	IBAN	BIC	Currency	Balance
Bank Has No Money	`LT923740020074597273`	CNPALT21XXX	EUR	€100.00
Bank Has Money	`LT223740020032524104`	CNPALT21XXX	EUR	€10,000.00

How to test: Create a checkout session via the API, then send a SEPA transfer from one of these test accounts to your staging custodial IBAN using the reference number. The system will detect the payment and confirm the session — just like production, but with test money.

Note: Test account balances are shared across all staging merchants. Use small amounts (€1–€5) for testing. Balances reset periodically.

Integration Checklist

Call create_session with your API key and verify you get a session_token
Call create_invoice and verify you receive the IBAN, beneficiary name, and reference number
Display the payment details on your checkout page
Send a small EUR payment (€1-5) from Wise/Revolut to the staging IBAN with the reference number
Wait up to 60 seconds for the cron reconciler to match the credit. Optionally, call confirm_paid + poll check_payment for a faster client-side UX.
Verify your webhook endpoint receives the payment.confirmed event with your merchant_order_id
Call payment_status and verify it returns confirmed

Going Live

Contact us to switch your account from staging to production
No code changes needed — same API key, same endpoints, same flow
Verify create_session response shows "environment": "production"
Run one real test transaction (€1) to confirm end-to-end
You're live!

Demo Store: Visit /checkout/ to see a working example of the full checkout flow — from product selection to payment confirmation. View source to see how it integrates.

Create Refund

Initiate a full or partial refund for a completed payment. A €1 processing fee is deducted automatically.

POST /api/gateway/gateway.php?action=create_refund

Parameter	Type	Description
api_key	string required	Your merchant API key
reference	string required	Original payment reference number
amount	number required	Refund amount (must be ≤ original payment amount)
reason	string optional	Reason for refund

Response:

{
  "success": true,
  "refund_id": 42,
  "reference_number": "R7A3F2B1",
  "amount": 25.00,
  "processing_fee": 1.00,
  "status": "pending"
}

Send Refund

Execute a pending refund via SEPA transfer to the customer's IBAN. Triggers an outbound payment from our settlement bank.

POST /api/gateway/gateway.php?action=send_refund

Parameter	Type	Description
api_key	string required	Your merchant API key
refund_id	integer required	Refund ID from create_refund
debtor_iban	string required	Customer's IBAN to send refund to
debtor_name	string required	Customer's name on the bank account

List Refunds

GET /api/gateway/gateway.php?action=list_refunds&api_key=KEY

Returns all refunds for the authenticated merchant. Optionally filter by reference or status.

Settlement Report

Get an aggregated settlement report for a date range — gross volume, refunds, fees, and net settlement amount with daily breakdown.

POST /api/gateway/gateway.php?action=settlement_report

Parameter	Type	Description
api_key	string required	Your merchant API key
date_from	string required	Start date (YYYY-MM-DD)
date_to	string required	End date (YYYY-MM-DD)

Response includes: gross_volume, total_refunds, total_fees, net_settlement, daily_breakdown array, and transaction_count.

Dashboard

GET /api/gateway/gateway.php?action=dashboard&api_key=KEY

Returns merchant dashboard KPIs: today's volume, this month's volume, all-time volume, success rate, average transaction, 7-day trend, and recent transactions.

Recurring Billing — Overview

The recurring billing system sends periodic payment reminders to customers via SMS and/or email. Each cycle generates a new reference number and a link back to the merchant's checkout page. The customer must voluntarily initiate each payment — this is not a direct debit.

Customer opts into recurring at checkout (or merchant creates schedule via API)

System stores order: items, amount, frequency, customer contact info

Cron job runs every 15 min — finds due schedules, generates new reference

Sends SMS (Twilio) and/or email (Gmail SMTP) with payment link

Customer clicks link → merchant checkout → pays with new reference

System detects payment → marks cycle paid → schedules next cycle

Base URL:

https://www.maxafi.com/api/recurring.php

Authentication: Same gateway merchant API key via X-Api-Key header or api_key parameter.

Create Schedule

POST /api/recurring.php

Parameter	Type	Description
action	string required	`create_schedule`
customer_name	string required	Customer's full name
customer_email	string	Email for payment link delivery
customer_phone	string	Phone with country code (e.g. +4712345678) for SMS
delivery_method	string	`email`, `sms`, or `both` (default: email)
frequency	string required	`weekly`, `biweekly`, `bimonthly`, `monthly`
amount	number required	Payment amount per cycle (before discount)
discount_percent	number	Recurring discount (e.g. 5 for 5% off)
currency	string	Currency code (default: EUR)
order_items	array	JSON array of cart items: `[{"name":"...", "qty":1, "price":99}]`
order_description	string	Description shown to customer
payment_url	string	Your checkout URL — customer is sent here each cycle
start_date	string	First billing date (YYYY-MM-DD, default: tomorrow)
total_cycles	integer	Max cycles (0 = unlimited)

Example:

curl -X POST https://www.maxafi.com/api/recurring.php \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "create_schedule",
    "customer_name": "John Smith",
    "customer_email": "john@example.com",
    "customer_phone": "+4712345678",
    "delivery_method": "both",
    "frequency": "monthly",
    "amount": 99.00,
    "discount_percent": 5,
    "currency": "EUR",
    "order_items": [{"name": "Premium Plan", "qty": 1, "price": 99}],
    "payment_url": "https://merchant-site.com/pay"
  }'

Response:

{
  "success": true,
  "schedule_id": 7,
  "amount": 94.05,
  "original_amount": 99.00,
  "discount_percent": 5,
  "frequency": "monthly",
  "next_billing_date": "2026-04-03"
}

List Schedules

GET /api/recurring.php?action=list_schedules&api_key=KEY

Returns all recurring schedules for the merchant. Optionally filter by status (active, paused, cancelled, completed).

Update Schedule

POST /api/recurring.php

Update a schedule: pause, resume, cancel, change amount or frequency.

Parameter	Type	Description
action	string	`update_schedule`
schedule_id	integer required	Schedule to update
status	string	`active`, `paused`, `cancelled`
amount	number	New amount per cycle
frequency	string	New frequency
next_billing_date	string	Override next billing date (YYYY-MM-DD)

Recurring — Configuration

Configure Twilio (SMS) and Gmail SMTP (email) credentials for payment notifications. Stored securely in the database.

POST /api/recurring.php

Parameter	Type	Description
action	string	`set_config`
twilio_sid	string	Twilio Account SID
twilio_token	string	Twilio Auth Token
twilio_phone	string	Twilio phone number (platform default)
smtp_user	string	Gmail address for sending
smtp_pass	string	Gmail App Password
smtp_from_name	string	Sender display name (default: Dapit Payments)

Per-Merchant Override: Each merchant can have their own SMS phone and email sender configured on their gateway_merchants record via the fields sms_phone, email_from, and email_from_name. If set, these override the platform defaults.