The documentation contains two parts - integration guide and API reference. You can also use one of our SDKs:

PHP

• PHP >= 8.1
• GitHub: https://github.com/gopaycommunity/gopay-php-api
• Packagist: https://packagist.org/packages/gopay/payments-sdk-php
• Instalation: composer require gopay/payments-sdk-php

Python

• Python >= 3.6
• GitHub: https://github.com/gopaycommunity/gopay-python-api
• PyPi: https://pypi.org/project/gopay/
• Instalation: pip install gopay

.NET (C#)

• .NET Standard >= 2.0
• GitHub: https://github.com/gopaycommunity/gopay-dotnet-api
• NuGet: https://www.nuget.org/packages/GoPay.NET
• Instalation: dotnet add package GoPay.NET

Java

• Java >= 11
• GitHub: https://github.com/gopaycommunity/gopay-java-api.git
• Maven: https://mvnrepository.com/artifact/cz.gopay
• Instalace:

git clone https://github.com/gopaycommunity/gopay-java-api.git
cd gopay-java-api
mvn package

The first step is obtaining an access token using the API calls. Some SDKs get the token automatically in the background.

The next step is actually creating a payment. The order and customer data are sent in the body of the payment creation API call. This includes the return_url and notification_url which are used to redirect the customer back to your website and to deliver you the HTTP notification respectively. The API call can also be used to limit or specify the available payment methods.

The reponse is a JSON with the payment information, the most important being:

• Payment ID - the unique identifier of the payment. It is used mainly to get the details of the payment and react to status changes
• Payment gateway URL - in the gw_url parameter, used for redirecting the customer to the gateway or initiating the inline gateway

Aside from that it contains other details about the payment. See Payments for more info.

Using the gw_url of the payment, the gateway can be initiated in one of 3 versions:

• Redirect The customer is redirected to the gw_url (using a HTTP redirect, HTML form, etc.). The customer leaves the merchant website and is redirected to the secured environment of the payment gateway on gate.gopay.cz.
• Inline In order to inititate the inline gateway, it is required to implement it via JavaScript on the merchant website. The website needs to be secured with HTTPS. The payment gateway opens as an overlay over the website. If at any point a redirect is made (3DS, online banking etc), the customer is then returned to the Redirect variant.
• Mobile version. On mobile devices, the mobile version of the redirect gateway is always invoked, even if you have the inline version implemented in your website. The mobile gateway is optimized for display and control on mobile devices.

Detailed information about the variant and instructions on implementing them can be found in Payment gateway inititation

After initiating the payment gateway, the customer chooses a payment method. Available payment methods can be specified when creating the payment. The customer can see either a list of available payment methods, or can be redirected directly to a specific payment method, see Setting the payment methods.

After the customer tries to make a payment by clicking the confirmation button, the payment state changes to PAYMENT_METHOD_CHOSEN. If the customer sees the payment method details (like the card input form) but has not clicked on the confirmation button, the payment method is not chosen yet.

When a payment method is chosen, the payment authorization process starts. This process is different for each payment method. It can lead into one of the following situations:

• Payment is authorized. The authorization was successful and merchant’s business account balance is increased by the payment amount. The payment state is PAID (or AUTHORIZED if a preauthorized payment was used).
• Payment is declined. At some point during the authorization the payment was declined by a partner (e.g. customer’s bank, 3DS centre etc.). The payment state is CANCELED
• The payment is pending. We don’t have the result of the authorization yet. This can even be the case when the customer has already returned back to merchant’s website. As soon as we know the payment result, a notification for the payment will be sent.

If the payment is in any of these states, the payment method cannot be changed anymore.

Customer is redirected to merchant’s website automatically after finishing a payment. They can also manually close the payment gateway and be redirected to merchant’s website. The URL they’re redirected to was specified by the merchant when creating the payment. One to two query parameters are appended to the URL:

• id - the ID of the payment is sent in this parameter. It can be used to access the state of the payment
• parent_id - only if the payment is recurring. It contains the ID of the initating payment.

The website then uses these parameters to inquire the status of the payment and informs the customer about the result.

When the status of the payment changes, a HTTP notification is sent. The URL was passed by the merchant when creating the payment. One to two query parameters are appended to the URL:

• id - the ID of the payment is sent in this parameter. It can be used to access the state of the payment
• parent_id - only if the payment is recurring. It contains the ID of the initating payment.

A HTTP GET request is sent to this URL. Only when the state of the payment changes from CREATED to PAYMENT_METHOD_CHOSEN the notification is not sent. The notification only carries the ID of the payment, no additional info. The merchant’s website then needs to do a payment status inquiry to get the actual details. The state of the payment can change multiple times (e.g. when a payment gets refunded, it changes from PAID to REFUNDED).

The payment can be in one of these states:

• CREATED - payment created
• PAYMENT_METHOD_CHOSEN - awaiting the result of the payment
• TIMEOUTED - the payment is expired
• PAID - the payment was paid
• CANCELED - the payment was declined
• AUTHORIZED - a preauthorized payment was authorized
• PARTIALLY_REFUNDED - a part of the payment amount was refunded
• REFUNDED - the entire payment amount was refunded

During the payment there are two expirations:

• Expiration 1 - starts when the payment is created and lasts until the payment method is chosen (or the payment expires) - always the same for all payments
• Expiration 2 - starts when the payment method is chosen and last until the result of the payment is known (or the payment expires) - can differ for each payment method

In order to create a standard payment, use the corresponding API call. Only the required body parameters are needed. A customer interaction is always required.

Most other types of payments use the same API call with some additional parameters.

The payment types can be combined. For example, a payment can be both preauthorized and recurring.

More detailed examples can be found in the API reference for payment creation

In order to create an automatically recurring payment, use the payment creation API call. In the request body, send the recurrence object. The following parameters need to be sent:

• recurrence_cycle sets the cycle, meaning that the charge will be carried out each Nth day, week or month. The possible values are specified in Recurrence cycle
• recurrence_period sets the period (not frequency) of the recurrence, meaning how many days, weeks or months are there between two consequent charges
• recurrence_date_to sets the expiration of the recurring payment. The customer will be automatically charged until this date. The date needs to be in the future and it needs to be further than the last day the customer is going to be charged.

The object sets the recurrence period and not the frequency. For example:

{
    "recurrence_cycle": "MONTH",
    "recurrence_period": 2,
    "recurrence_date_to": "2025-12-31"
}

Using this object, the customer will be charged every 2 months and not twice a month.

If you need to charge the customer yearly, set the recurrence_cycle to MONTH and the recurrence_period to 12. The customer will be charged each 12 months, so yearly

The subsequent charges have the same amount and other parameters as the initial payment. If a payment is declined, the next attempt will be the following payment.

See Payment creation for the description of the API call and recurrence for the description of the mandatory object.

In order to create an on-demand recurring payment, use the payment creation API call. You need to pass the recurrence object in the request body. The following parameters are mandatory:

• recurrence_cycle - always set to ON_DEMAND
• recurrence_date_to sets the expiration of the recurring payment. The customer will be automatically charged until this date. The date needs to be in the future and it needs to be further than the last day the customer is going to be charged.

The recurrence_period parameter is not used. Subsequent charges are done using a dedicated API call. That’s how you specify the amount, order ID and other payment parameters.

The charge is done asynchronously so upon receiving the response to the API call, the payment is usually CREATED. When the payment is completed, a HTTP notification is sent that you can use to check the payment status.

See payment creation, creating a recurrence and recurrence in the API reference section for technical details.

Recurrence can be canceled by one of the following:

• By the merchant using the Void recurrence API call
• By the merchant using the GoPay administration
• By the customer using a link in the payment confirmation email
• By GoPay (usually when the customer requests it)
• Automatically when the recurrence_date_to comes
• Automatically when the payment card expires

If you use try to use the API call to cancel a recurrence that has been canceled previously, the API call will result in an error.

By default, we don’t send a HTTP notification when a recurrence is canceled. If you wish to receive HTTP notifications for this case, please contact our techsupport

For technical details of the API call, see voiding a recurring payment

In the response to payment inquiry of an initial recurring payment, the recurrence object is also returned. It contains the recurrence_state parameter which desribes the state of the recurrence. The possible values are specified in recurrence state. You can use this to verify whether you can make subsequent charges to this payment.

In order to create a preauthorized payment, use the payment creation API call. In this case, it is required to pass the preauthorization parameter set to true.

After the customer authorizes the payment, its state will change to AUTHORIZED and a HTTP notification is sent. At this point, the authorized amount is booked on the customer’s account.

The authorized payment can be captured in two ways:

• Full capture. Use the Capturing a preauthorized payment API call, no body is sent in this request. This API call will charge the preauthorization amount on the customer’s account and transfer it to merchant’s business account.
• Partial capture. Use the Partially capturing a preauthorized payment API call. In the body specify the required amount in the amount parameter. The amount can’t be higher than the preauthorization amount. If the capture amount is lower than the preauthorization amount, the payment details will be updated so the amount reflects this. The rest of the funds will be released back to cusomer’s account.

The state of the payment then changes to PAID

Preauthorized funds can also be released back to the customer using the Voiding a preauthorized payment API call. After releasing the funds, it is impossible to capture them and the state of the payment changes to CANCELED

It is also possible to do authorization of a zero amount. The customer’s card will be authorized but no amount will be blocked. This can be combined with e.g. on-demand recurring payment - you can provide for example a trial period.

A zero amount cannot be captured (the API call will result in an error) but it can be voided.

The combination of a zero amount preauthorization and a recurring payment is currently not supported by Raiffeisenbank!

It is possible to receive a unique card fingerprint with card payments. You can use it to compare whether two payments were carrried out using the same payment card. If the card was used via Apple Pay or Click To Pay, the fingerprint will be different.

card_fingerprint is always generated for cards saved using a card token, see Card token payment.

It is also possible to receive the fingerprint for each card payment, in which case it will be included in the payment-card object in the response to payment inquiry.

By default the card fingerprints are not created. If you want to have this feature activated, please contact our techsupport

In order to get a card token, use the payment creation API call, in the payer object send the request_card_token parameter set to true. In the allowed_payment_instruments send PAYMENT_CARD as the only value (see examples).

After the payment is finished, inquire the payment details and the card_id will be present in the payer object. You can then use this identifier to inquire the payment card details, including the token.

Using a dedicated API call and the card_id, you can get the details of a saved card. These contain:

• Card details like masked PAN and expiration
• card_fingerprint which you can use to verify if this card has already been saved
• card_token which you can use for subsequent payments

Before accessing the card details, first check the status parameter to make sure the card is active. If not, the other parameters will not be present.

In order to use a card token, use the payment creation API call. In the payer set the allowed_card_token parameter to a formerly acquired card_token. This way, the customer will not have to input the card details themselves. 3DS authentication may still be required. In the payer object, in the allowed_payment_instruments array send PAYMENT_CARD as the only value (see examples).

The saved card can be deleted by the merchant using a dedicated API call. It can also be deleted by GoPay (for example if it expires or is not used for a long time). In any case, the card_status changes to deleted and the payment card details will not be available anymore. A HTTP notification is sent to the merchant whenever a card gets updated or deleted.

In order to use card tokens, it is necessary to register a HTTP notification URL. Card HTTP notifications are sent whenever:

• A saved card has been deleted by the merchant or GoPay
• Some card details were updated (for example an old card expires)

The notification is a GET request with card_id query parameter appended, for example: GET https://example.com/card-notify?card_id=123456 Using the Card ID it is possible to check the status and details of the card using the payment card inquiry API call.

Without account data

After going through the consent authorization step, the payment gateway lists all of their accounts. The customer chooses which account to use and goes on to payment authorization.

Use the payment creation API call and in the payer object send the following:

• allowed_payment_instruments - only send the BANK_ACCOUNT value in the array
• allowed_swifts - send only the SWIFT code of the customer’s bank
• PSD2 payments need to be enabled for this bank

With account data

If you already know the customer’s account data and want to get a token of a specific account, you can send the account data in the API call. After going through the consent authorization step, the gateway lists the customer’s accounts. If no account matches the account data sent by the merchant, the payment gets declined. Otherwise the customer goes on to the payment authorization step.

Use the payment creation API call and in the payer object send the following:

• allowed_payment_instruments - only send the BANK_ACCOUNT value in the array
• allowed_swifts - send only the SWIFT code of the customer’s bank
• send the bank account object in which you send the account data either in the Czech format or the international format
• PSD2 payments need to be enabled for this bank

When the initial payment is PAID, the merchant receive a HTTP notification (see Receiving the HTTP notification ), which contains the payment ID. Using the ID, do a payment inquiry, extract the bank_account object from the payer object in the response - it contains the token.

Use the payment creation API request and in the payer object send the bank account object with the account token. The customer will not go through the consent authorization step, they will be sent directly to the payment authorization step.

It is also required to send the allowed_payment_instruments array containing only the BANK_ACCOUNT value.

Allowed payment methods

• Case 1: The allowed_payment_instruments array is omitted entirely. The payment gateway will list all payment methods that are enabled
• Case 2: The array contains two or more values. The payment gateway will list these payment methods and the customer can choose one
• Case 3: The array contains exacly on value. The payment gateway will open directly on the detail of this payment method, skipping the listing.

Payment methods that are disabled will be removed from the array.

Pre-selected payment method

You can use the default_payment_instrument parameter to specify one payment method to be preselected. This only works with cases 1 and 2 from above, it has no impact on case 3. If you omit this parameter, the customer will see a listing of available payment methods upon opening the payment gateway. Using this parameter you can redirect the customer directly on a specific payment method. They will still be able to choose a different payment method. The pre-selected payment method must be one of the available payment methods.

In order to utilize this functionality, BANK_ACCOUNT must be included in the allowed_payment_instruments array.

Online vs. Offline

GoPay provides two types of bank account transfers. An Offline transfer displays the bank account details to the customer on the gateway, including the account number, amount, etc. The customer can pay from any bank, but they must initiate the transfer manually using the provided details (or QR code).

An Online transfer, on the other hand, redirects the customer directly to their online banking site with a pre-filled bank transfer form. This method forces the customer to use a specific bank.

Allowed SWIFTs

You can restrict which banks may be used for payments with the allowed_swifts array.

• Case 1: If the allowed_swifts field is omitted, the customer will have the option to use any bank to complete their payment.
• Case 2: If one or more SWIFT codes are included in the allowed_swifts array, only the banks that were specified in the allowed_swifts array will be accessible.
• Case 3: If only one SWIFT code is included in the allowed_swifts array, and BANK_ACCOUNT is the sole entry in the allowed_payment_instruments array, the customer will be redirected directly to their bank, assuming online transfers are supported by the specified bank.

Pre-selected Swift

By using the default_swift parameter, you can pre-select a bank for your customer. The pre-selected bank will be elevated to the top of the available banks list and will be highlighted for easy identification.

GoPay offers BNPL (Buy Now Pay Later) payments, also known as deferred payments. Currently, there are two such methods available - TWISTO and SKIPPAY - see the PaymentInstrument enumeration. These payments are available in two modes:

• Deferred Payment - The customer pays the supplier the full amount later (in API DEFERRED_PAYMENT)
• Payment in Thirds - The customer pays one-third of the amount during the payment, and the remaining amount is paid to the supplier in two additional installments (in API PAY_IN_THREE)

When creating a payment, these modes can be influenced. In the Payer object, the following parameters can be set:

• allowed_bnpl_types - The types of BNPL payments that will be available
• default_bnpl_type - The default selected type of BNPL payment

These parameters make sense to pass if you have at least one of these payment methods enabled in your e-shop and you are passing it in the allowed_payment_instruments parameter. The settings will apply to all suppliers. Possible values are listed in the BNPL Types enumeration.

The display or non-display of individual methods and BNPL types is also determined by the payment amount, as each provider sets limits for which the payment method is available:

• Twisto Deferred Payment - no limit
• Twisto Payment in Thirds - From 1,500 CZK upwards
• Skip Pay Deferred Payment - 0 to 50,000 CZK
• Skip Pay Payment in Thirds - 3,000 to 100,000 CZK

The Apple Pay payment method is connected to the Payment Card payment method. To use it, you need to have card payments enabled.

Apple Pay is only available on supported web browsers and devices (typically Apple devices that support Touch ID or Face ID). We advise offering this payment method only to customers who have the capability to use it. You can use JavaScript to confirm that your customer meets these requirements. For more information, visit the Apple developer site.

The first condition to check is window.ApplePaySession, which confirms that the Apple Pay JS API is accessible in the customer’s browser. This check works even if your site does not have TLS security (HTTP). If your website lacks TLS, this is the recommended method.

The second condition to check is window.ApplePaySession.canMakePayments(), which verifies that the current device is capable of making Apple Pay payments. This check requires a HTTPS connection, so it can only be used if your website has TLS security. This check is more reliable, so we recommend using both checks if possible.

The official Apple developer portal also provides information on:

• Using Apple Pay marks and artwork in their Marketing section.
• Customizing the Apple Pay button in their guide on Styling the Apple Pay Button using CSS.

You can find all downloadable logos in our article, Which Logos and Names of the Payment Methods Should I Prefer?

The redirect version of the payment gateway is initiated simply by redirecting the customer to the gw_url. This action takes the customer to the secure GoPay site where the payment gateway is displayed and the customer can complete the payment. The gw_url address is obtained from the API response to a successful payment creation request. The next step is to use this URL to redirect the customer. This can be achieved in several ways:

1. Using a link
2. Using an HTTP redirection
3. Using JavaScript

Description of using a link:

• An HTML form is sent to the server using POST.
• The server communicates with GoPay to obtain the gw_url.
• The server responds with a new page with the gw_url embedded (for example, using PHP or a template system).
• The customer clicks the link to be redirected.

Description of using an HTTP redirection:

• An HTML form is sent to the server using POST.
• The server communicates with GoPay to obtain the gw_url.
• The server returns an HTTP Redirection (e.g., 302 Found) and sets the gw_url as the Location header.
• The customer’s browser automatically redirects the customer.

Description of using JavaScript:

• An event listener is attached to the form, listening for the submit event. When triggered, it calls a function which:
  • Prevents the default action to avoid page reload.
  • Serializes the form content as JSON (if necessary).
  • Sends an AJAX request with the form data to the server.
• The server communicates with GoPay to obtain the gw_url.
• The server responds to the AJAX request with the gw_url.
• Finally, the customer is redirected using JavaScript (e.g., using window.location).

We omit exception handling in the examples for the sake of simplicity. In a production environment, the developer should manage this.

The inline version of the payment gateway is launched as an overlay over the online shop. The customer is not redirected, and the URL of the shop remains displayed in the URL bar. More information and screenshots can be found in our article, Basic Features of the Inline Payment Gateway. If the customer is redirected to a third-party website (like 3DS or online banking) during the payment process, they will return to the redirect version of the gateway.

Your website must have a TLS certificate (support HTTPS). If HTTPS is not available, the customer will always be directed to the redirect gateway.

The first step is to obtain the gw_url using the API for payment creation. This URL is then used to instantiate the payment gateway:

1. Using a form
2. Using JavaScript

The JavaScript approach has the advantage of creating the payment and instantiating the gateway in one step, requiring only one click from the customer. The form approach involves two steps.

Description of using a form:

• An HTML form with the order data is sent to the server using POST.
• The server communicates with GoPay to obtain the gw_url.
• The server responds with a new page where the gw_url is placed as the action attribute of another HTML form. This can be done using PHP or a template system, for example. Use https://gw.sandbox.gopay.com/gp-gw/js/embed.js for sandbox or https://gate.gopay.cz/gp-gw/js/embed.js for production.
• The method should be set to POST, the id attribute should be gopay-payment-button, and a script tag should be placed inside the form (see the example).
• By submitting the form, the inline payment gateway is instantiated.

Description of using JavaScript:

• Inside the HTML head, place the link to our JavaScript (https://gw.sandbox.gopay.com/gp-gw/js/embed.js for sandbox or https://gate.gopay.cz/gp-gw/js/embed.js for production).
• An event listener is attached to the form, listening for the submit event. When triggered, it calls a function which:
  • Prevents the default action to avoid page reload.
  • Serializes the form content as JSON (if necessary).
  • Sends an AJAX request with the form data to the server.
• The server communicates with GoPay to obtain the gw_url.
• The server responds to the AJAX request with the gw_url.
• The _gopay.checkout() method is called, which accepts a configuration object as a parameter.
• The gw_url is passed in the gatewayUrl field while true is passed as the inline field (see the example).

We omit exception handling in the examples for the sake of simplicity. In a production environment, the developer should manage this.

At present, we provide our payment gateway exclusively as a web application. If you intend to integrate it into a mobile app, this is an important consideration. This applies to all payment methods, including Apple Pay and Google Pay. Currently, these payment methods cannot be used natively within a mobile app without the payment gateway; customer interaction with the web gateway is always required.

Do not use WebView. WebView does not support the full functionality of a web browser, which can cause issues with the proper operation of the payment gateway. Apple Pay and Google Pay are not supported. This includes technologies like WebView for Android and WKWebView for Apple devices.

Do use technologies that function as fully-fledged web browsers, such as Chrome Custom Tabs for Android and SFSafariViewController for Apple devices.

The body of the payment creation API call contains the callback. Inside of this object, the return_url is sent. When the customer is redirected from the payment gateway (automatically when the payment is finished or by manually clicking the “Back to eshop” button) with a GET request and the ID of the payment in a query parameter id.

You can use this parameter to check the payment state using the payment inquiry API call. See Processing the state of the payment for information how to handle the individual payment states.

When initializing the inline payment gateway using JavaScript, it’s possible to provide a callback function as the second argument to the _gopay.checkout method. In this scenario, the customer isn’t redirected to the return_url. Instead, the callback function is invoked directly on the original page from which the payment gateway was initialized. This function receives an object as an argument, containing the id of the payment and the original return_url.

Note: If any redirect (to 3DS, online banking, or similar) occurs during the payment process, the customer will be taken back to the redirect gateway and from there to the return_url. The callback function will only execute if no redirects occur during the payment process.

The payment id can be extracted from the object passed to the callback function, or you may already have it stored from the payment creation request.

We omit exception handling in the examples for the sake of simplicity. In a production environment, the developer should manage this.

When the customer returns to the online shop, you can interpret the state of the payment to understand one of four possible scenarios:

1. The payment was successful (PAID or AUTHORIZED state)
2. The payment failed (CANCELED or TIMEOUTED state)
3. There was no attempt to complete the payment (CREATED state)
4. We’re still awaiting the payment result (PAYMENT_METHOD_CHOSEN state)

For more details about these states and their progression, refer to Lifecycle of a Payment.

The AUTHORIZED state is specific to the Preauthorized payment, indicating that the authorization was successful and it’s possible to capture the payment.

If the payment state is CREATED, it means the customer hasn’t attempted to complete the payment. They may want to select a different payment method. In this case, we suggest redirecting them to the checkout page and offering the option to change the payment method.

If the payment state is PAYMENT_METHOD_CHOSEN, it indicates that the customer attempted to complete the payment, but we have not yet received the payment result. This can occur, for example, with offline bank payments, where we wait until the funds have been credited to GoPay’s bank account. As this type of payment might still be completed in the future, we advise against encouraging the customer to initiate a new payment. You will be informed via the HTTP notification when the payment result is available.