Initiating The Payment

Managed Form integration type is suitable for merchants with SAQ A-EP level. To know more about the Hosted Payment Page PCI DSS merchant requirements, please check this article .

In this manual, we will walk you through how to initiate a payment request via this integration type. You will be introduced to the required parameters that need to be passed to initiate the request, along with all the possible optional parameters as well. We highly recommend that you and your team check the "Payment Workflow" solution article first to understand the business/logic this configuration option relay on.

Using Managed Form. your website will display its own card entry form. However, key fields will be managed by the PayTabs gateway. You will need to include a script that replaces the sensitive card data with a payment token. Hence, there are two main parts to initiating the payment

The Usage

The Frontend Side

Frontend Request Requirements

These are the requirement required from the website (The origin requester) using the managed form:

• Should be a valid passable URL
• Should be an HTTPS scheme
• The hostname should contain a domain that has at least one dot in it (so not localhost)
• Should not contain ".." or "/"
• Should not be any path component

info

Not fulfilling the above requirements may result facing the error 'Access to XMLHttpRequest has been blocked by CORS policy'

Implementing the Payment Form

Most probably, you will have a payment form that looks like the following form, which we will use for the purpose of this manual.

<form action="https://yourserver.com/payment" id="payform" method="post">
  <span id="paymentErrors"></span>
  <div class="row">
      <label>Card Number</label>
      <input type="text" name="number" size="20">
  </div>
  <div class="row">
      <label>Expiry Date (MM/YYYY)</label>
      <input type="text" name="expmonth" size="2">
      <input type="text" name="expyear" size="4">
  </div>
  <div class="row">
      <label>Security Code</label>
      <input type="text" name="cvv" size="4">
  </div>
  <input type="submit" value="Place order">
</form>

To modify this typical payment form to one that uses the PayTabs managed form, there are three simple steps:

1. Include the paylib.js library within the page.

POST	{{domain}}/payment/js/paylib.js

Be Aware Of

Please note that not using the proper endpoint URL {domain} will lead to authentication issues within your responses. To find the your proper domain you can read ourWhat is my (Region)/(endpoint URL)?tutorial article.

KSA

https://secure.paytabs.sa/payment/js/paylib.js

UAE

https://secure.paytabs.com/payment/js/paylib.js

Egypt

https://secure-egypt.paytabs.com/payment/js/paylib.js

Oman

https://secure-oman.paytabs.com/payment/js/paylib.js

Jordan

https://secure-jordan.paytabs.com/payment/js/paylib.js

Kuwait

https://secure-kuwait.paytabs.com/payment/js/paylib.js

Global

https://secure-global.paytabs.com/payment/js/paylib.js

<script src="https://secure.paytabs.sa/payment/js/paylib.js"></script>

<form action="https://yourserver.com/payment" id="payform" method="post">
  <span id="paymentErrors"></span>
  <div class="row">
      <label>Card Number</label>
      <input type="text" name="number" size="20">
  </div>
  <div class="row">
      <label>Expiry Date (MM/YYYY)</label>
      <input type="text" name="expmonth" size="2">
      <input type="text" name="expyear" size="4">
  </div>
  <div class="row">
      <label>Security Code</label>
      <input type="text" name="cvv" size="4">
  </div>
  <input type="submit" value="Place order">
</form>

2. Change the input fields for the sensitive card data to use 'data-paylib' instead of 'name'.

info

By removing the name from fields holding sensitive card data (card number, expiry data and security code) it means they will NOT be submitted to your server. Instead they must have a 'data-paylib' attribute, which allows the PayTabs systems to identify and manage them.

<script src="https://secure.paytabs.sa/payment/js/paylib.js"></script>

<form action="https://yourserver.com/payment" id="payform" method="post">
<span id="paymentErrors"></span>
<div class="row">
  <label>Card Number</label>
  <input type="text" data-paylib="number" size="20">
</div>
<div class="row">
  <label>Expiry Date (MM/YYYY)</label>
  <input type="text" data-paylib="expmonth" size="2">
  <input type="text" data-paylib="expyear" size="4">
</div>
<div class="row">
  <label>Security Code</label>
  <input type="text" data-paylib="cvv" size="4">
</div>
<input type="submit" value="Place order">
</form>

3. Attach the paylib.js library to the form. You will need your client key as part of this.

info

To get your client key check the article How to get my Authentication/Integration/API Key

<script src="https://secure.paytabs.sa/payment/js/paylib.js"></script>

<form action="https://yourserver.com/payment" id="payform" method="post">
<span id="paymentErrors"></span>
<div class="row">
  <label>Card Number</label>
  <input type="text" data-paylib="number" size="20">
</div>
<div class="row">
  <label>Expiry Date (MM/YYYY)</label>
  <input type="text" data-paylib="expmonth" size="2">
  <input type="text" data-paylib="expyear" size="4">
</div>
<div class="row">
  <label>Security Code</label>
  <input type="text" data-paylib="cvv" size="4">
</div>
<input type="submit" value="Place order">
</form>

<script type="text/javascript">
var myform = document.getElementById('payform');
paylib.inlineForm({
'key': 'CP****-****6M-6V****-****NM',
'form': myform,
'autoSubmit': true,
'callback': function(response) {
  document.getElementById('paymentErrors').innerHTML = '';
  if (response.error) {
    paylib.handleError(document.getElementById('paymentErrors'), response);
  }
}
});
</script>

When the form is submitted, paylib.js first sends the card details to the PayTabs server for storage and to create a temporary payment token. This token is then inserted into the form data before it is submitted to your server.

info

Your server will not receive the sensitive card details, these will be removed from the form.

At the end of these steps, your server would receive a "token", which would be a part of the initiate the request that would be sent from your server side to PayTabs, which would be used in the next step.

The Backend Side

The Endpoint and Related Postman Collection

In this tutorial, we will rely on the PayTabs Hosted Payment Page API Endpoint, mentioned on PayTabs API endpoints postman collection, which you can access from po_link. The endpoint will need to be accessed with a POST request on the below-mentioned URL

POST	{{domain}}/payment/request

Be Aware Of

Please note that not using the proper endpoint URL {domain} will lead to authentication issues within your responses. To find the your proper domain you can read ourWhat is my (Region)/(endpoint URL)?tutorial article.

KSA

https://secure.paytabs.sa/payment/request

UAE

https://secure.paytabs.com/payment/request

Egypt

https://secure-egypt.paytabs.com/payment/request

Oman

https://secure-oman.paytabs.com/payment/request

Jordan

https://secure-jordan.paytabs.com/payment/request

Kuwait

https://secure-kuwait.paytabs.com/payment/request

Global

https://secure-global.paytabs.com/payment/request

Request Parameters

To initiate a payment request using this integration type, there are minimum required parameters that need to be passed with valid information. The specification of these required parameters is clarified below:

The Minimum Required Parameters

Parameter	Data Type	Min	Max	Required
profile_id	INT	Accept only valid profile number		✔
	The merchant Profile ID you can get from your PayTabs dashboard. For more information please check ourHow to get your account information from PT2 Dashboard?tutorial article. To know more about this parameter pleaseclick here.
	{ "profile_id": 987654 }
tran_type	STRING	Valid string from this enum list: sale auth refund register void		✔
	the identification of the type of the transaction. To know more about these types please check ourWhat is the "tran_type" (transaction type)?solution article. To know more about this parameter pleaseclick here.
	{ "tran_type": "sale" }
tran_class	STRING	Valid string from this list ecom recurringmoto		✔
	the identification of the category/class this transaction will follow, such as eCommerce, Recurring, etc. To know more about these types please check ourWhat is the "tran_class" (transaction class)?solution article. To know more about this parameter pleaseclick here.
	{ "tran_class": "ecom" }
cart_id	STRING	1	64	✔
	Indicates the cart/order id at the merchant end to easily relate the transaction to. To know more about this parameter pleaseclick here.
	{ "cart_id": "CART#10001" }
cart_description	STRING	1	128	✔
	Indicates the cart/order description at the merchant end to easily relate the transaction to. To know more about this parameter pleaseclick here.
	{ "cart_description": "Description of the items/services" }
cart_currency	STRING	Valid string from the following list: SAR AED BHDEGP EUR GBP HKD IDR INR IQD JOD JPY KWD MAD OMR PKR QAR USD Accepts both upper- and lower-case characters		✔
	Indicates the transaction currency, which the customer will be charged with. To know more about this parameter pleaseclick here.
	{ "cart_currency": "SAR" }
cart_amount	DECIMAL	0.01	9999999999.99	✔
	Indicates the amount of the transaction the customer is about to be charged Both min and max values are subjected to the merchant transaction limits. To know more about this parameter pleaseclick here.
	{ "cart_amount": 500 }

Now in order to create a payment request through the Own Form, you need - in addition to the general required above parameters - to include new parameters required specifically for the Own Form. Find below the Additional required parameters for Own Form:

Parameter	Data Type	Min	Max	Required
card_details	OBJECT	Accept only valid card details.		✔
	{ "card_details": { "pan": "4111111111111111", "cvv": "123", "expiry_month": 12, "expiry_year": 2032 } }
card_details.pan	STRING	16	-	✔
	{ "card_details": { "pan": "4111111111111111" } }
card_details.cvv	STRING	Valid CVV/CVC		✔
	{ "card_details": { "cvv": "123", } }
card_details.expiry_month	INT	Valid expiry month between 01-12		✔
	{ "card_details": { "expiry_month": 12 } }
card_details.expiry_year	INT	Valid expiry year	✔
	{ "card_details": { "expiry_year": 2022 } }
customer_details	OBJECT	-	-	✔
	Indicates the customer details for this payment. To know more about this parameter pleaseclick here.
	{ "customer_details": { "name": "Technical Support", "email": "demo@paytabs.com", "phone": "+966 55 xxxxxx6", "street1": "address street", "city": "Jeddah", "state": "Makkah", "country": "SA", "zip": "12345" } }
customer_details.name	STRING	3	128	✔
	{ "customer_details": { "name": "Technical Support" } }
customer_details.email	STRING	Valid email format		✔
	{ "customer_details": { "email": "demo@paytabs.com", } }
customer_details.phone	STRING	Valid number + country code prefix		✔
	{ "customer_details": { "phone":"+966 55 xxxxxx6", } }
customer_details.street1	STRING	3	128	✔
	{ "customer_details": { "street1": "address street", } }
customer_details.city	STRING	City Code or City name		✔
	{ "customer_details": { "city": "Riyadh", } }
customer_details.state	STRING	State/Province Code or State/Province name		✔
	{ "customer_details": { "state": "Makkah", } }
customer_details.country	STRING	ISO 3166-1 alpha-2 codes (two-letter country codes)		✔
	{ "customer_details": { "country": "SA", } }
customer_details.zip	STRING	Valid zip code		✔
	{ "customer_details": { "zip": "12345" } }
customer_details.ip	STRING	Valid IP Address		✔
	{ "customer_details": { "ip": "37.104.xxx.xxx" } }

The Available Optional Parameters

Parameter	Data Type	Min	Max	Required
callback	STRING	-	255 Characters (Valid URL)	❌
	The callback response is a server-to-server POST response that is sent (to a pre-defined HTTPS URL) with the full detailed transaction information once the payment process has ended (whether the customer cancels, paid, or failed to pay). It does not depend on the customer's actions; the response will be sent anyway.What is the Return URL vs the Callback URL? To know more about this parameter pleaseclick here.
	{ "callback": "https://www.example.com/notifications" }
shipping_details	OBJECT	-		❌
	Indicates the shipping details for this payment. If provided, the payment page will be prefilled with the provided data. To know more about this parameter pleaseclick here.
	{ "shipping_details": { "name": "Technical Support", "email": "demo@paytabs.com, "phone":"+966 55 xxxxxx6", "street1": "address street", "city": "Jeddah", "state": "Makkah", "country": "SA", "zip": "12345" } }
shipping_details.name	STRING	3	128	❌
	{ "shipping_details": { "name": "Technical Support", } }
shipping_details.email	STRING	Valid email format		❌
	{ "shipping_details": { "email": "demo@paytabs.com, } }
shipping_details.phone	STRING	Valid number + country code prefix		❌
	{ "shipping_details": { "phone":"+966 55 xxxxxx6", } }
shipping_details.street1	STRING	3	128	❌
	{ "shipping_details": { "street1": "address street", } }
shipping_details.city	STRING	3	128	❌
	{ "shipping_details": { "city": "Riyadh", } }
shipping_details.state	STRING	2	2	❌
	{ "shipping_details": { "state": "Makkah", } }
shipping_details.country	STRING	ISO 3166-1 alpha-2 codes (two-letter country codes)		❌
	{ "shipping_details": { "country": "SA", } }
shipping_details.zip	STRING	Valid zip code		❌
	{ "shipping_details": { "zip": "12345" } }
tokenise	STRING	Pass one of the following list: 2 - Hex32 3 - AlphaNum20 4 - Digit22 5 - Digit16 6 - AlphaNum32		❌
	The tokenization format the generated token should follow.Token Based Transactions (Recurring). To know more about this parameter pleaseclick here.
	{ "tokenise": 2, }
user_defined	OBJECT	-		❌
	For more customizations, you can pass to the Transaction API request your own "user-defined fields" up to 9 fields, and accordingly, you would receive those fields in the callback response. To know more about this parameter pleaseclick here.
	{ "user_defined": { "udf1": "UDF1 Test", "udf2": "UDF2 Test", "udf3": "UDF3 Test", "udf4": "UDF4 Test", "udf5": "UDF5 Test", "udf6": "UDF6 Test", "udf7": "UDF7 Test", "udf8": "UDF8 Test", "udf9": "UDF9 Test" } }
user_defined.udf1	STRING	1	255	❌
	{ "user_defined": { "udf1": "UDF1 Test" } }
user_defined.udf2	STRING	1	255	❌
	{ "user_defined": { "udf2": "udf2 Test" } }
user_defined.udf3	STRING	1	255	❌
	{ "user_defined": { "udf3": "udf3 Test" } }
user_defined.udf4	STRING	1	255	❌
	{ "user_defined": { "udf4": "udf4 Test" } }
user_defined.udf5	STRING	1	255	❌
	{ "user_defined": { "udf5": "udf5 Test" } }
user_defined.udf6	STRING	1	255	❌
	{ "user_defined": { "udf6": "udf6 Test" } }
user_defined.udf7	STRING	1	255	❌
	{ "user_defined": { "udf7": "udf7 Test" } }
user_defined.udf8	STRING	1	255	❌
	{ "user_defined": { "udf8": "udf8 Test" } }
user_defined.udf9	STRING	1	255	❌
	{ "user_defined": { "udf9": "udf9 Test" } }

Request & Response Payload Samples

The below sample request payload will show you how you can pass the above-mentioned parameters, which are needed to be passed with valid values to perform a request.

The Request Payloads

The below sample request payload will show you how you can pass the above-mentioned parameters, which are needed to be passed with valid values to perform a request.

The Request Payload

{
    "profile_id": "987654",
    "tran_type": "sale",
    "tran_class": "ecom",
    "cart_id": "CART#1001",
    "cart_currency": "USD",
    "cart_amount": 500,
    "cart_description": "Description of the items/services",
    "customer_details":
    {
        "name": "Technical Support Team",
        "email": "demo@payTabs.com",
        "phone": "+201234567890",
        "street1": "address street",
        "city": "Cairo",
        "state": "CAI",
        "country": "EG",
        "zip": "45555",
        "ip": "1.1.1.1"
    },
    "payment_token": "Dh4r8Jwt7x6tPMVzKgtk"
}

The Response Payloads

Once the managed form request is validated and initiated, you will receive the following response, There are two scenarios that would change the workflow, as shown below:

Via Non-3DSecure Cards

If the card does NOT require 3DSecure authentication from the cardholder and issuer side, You will receive a response like the following:

{
    "tran_ref": "TST2233401397769",
    "tran_type": "Sale",
    "cart_id": "CART#1001",
    "cart_description": "Description of the items/services",
    "cart_currency": "USD",
    "cart_amount": "500.00",
    "tran_currency": "USD",
    "tran_total": "500.00",
    "return": "none",

    "customer_details": {
        "name": "Technical Support Team",
        "email": "demo@payTabs.com",
        "phone": "+201234567890",
        "street1": "address street",
        "city": "Cairo",
        "state": "C",
        "country": "EG",
        "zip": "45555",
        "ip": "1.1.1.1"
},
    "payment_result": {
    "response_status": "A",
    "response_code": "G17534",
    "response_message": "Authorised",
    "transaction_time": "2022-11-30T14:12:14Z"
},
    "payment_info": {
    "payment_method": "Visa",
    "card_type": "Credit",
    "card_scheme": "Visa",
    "payment_description": "4111 11## #### 1111",
    "expiryMonth": 12,
    "expiryYear": 2022
},
    "serviceId": 8,
    "profileId": 81784,
    "merchantId": 31237,
    "trace": "PMNT0403.638764BE.000037CC"
}

You can notice that the payment is already made, A transaction has been created, and you are already receiving the payment results, unlike the following scenario, since the issuer required no 3DSecure, the transaction had been created.

Via 3DSecured Cards

If the card does require the 3DSecure authentication from the cardholder and issuer side, You will receive a response like the following:

{
    "tran_ref": "TST2233401397780",
    "tran_type": "Sale",
    "cart_id": "CART#1001",
    "cart_description": "Description of the items/services",
    "cart_currency": "USD",
    "cart_amount": "500.00",
    "tran_currency": "USD",
    "tran_total": "500.00",
    "return": "none",
    "redirect_url": "https://secure-egypt.PayTabs.com/payment/page/5974A26182E411E56CCD5245D4EBC0787AF379E9E450E3D8B8E555CF/redirect",
    "customer_details": {
    "name": "Technical Support Team",
    "email": "demo@payTabs.com",
    "phone": "+201234567890",
    "street1": "address street",
    "city": "Cairo",
    "state": "C",
    "country": "EG",
    "zip": "45555",
    "ip": "1.1.1.1"
},
    "payment_info": {
    "payment_method": "Visa",
    "card_type": "Credit",
    "card_scheme": "Visa",
    "payment_description": "4000 00## #### 0002",
    "expiryMonth": 12,
    "expiryYear": 2022
},
    "serviceId": 8,
    "profileId": 81784,
    "merchantId": 31237,
    "trace": "PMNT0404.63876778.00003813"
}

Regarding Managed Form | Payment Workflow, by initiating the payment, and if the card is 3DSecured, you will receive the redirect URL (redirect_url) within the response. Use this URL to redirect your client browser to the issuer 3DSecure page.

Once the cardholder authenticates using the card (E.G., via OTP), the customer will be redirected back to the return page if it had been set or to the PayTabs default transaction result page if no return page was set. To check more about this, you can navigate to the return URL parameter manual.

---

Expected Payment Flow Behavior

1. As mentioned above in the How to use? section, As a merchant you would initiate a payment request per the above Specifications, same as the sample codes mentioned in the samples section above.

2. Then, you will receive a response that includes redirect URL. This means you have initiated a correct payment request/page successfully.

   "redirect_url": "https://secure.paytabs.com/payment/page/599458B182E5B6B********************B4818688",
3. Then, your customer will be redirected to his issuer bank 3DS/OTP page to authenticate the used card

4. Finally, he would be redirect to a success/error page accordingly. And now, you will be able to see his transaction on your merchant dashboard, whether it's accepted/authorized or not.