A notification is a POST request (callback). The request body contains JSON-serialized invoice data encoded in UTF-8.
```
POST /qiwi-notify.php HTTP/1.1
Accept: application/json
Content-type: application/json
X-Api-Signature-SHA256: J4WNfNZd***V5mv2w=
Host: example.com

{
  "bill": {
    "bill_id": "a475c739-0561-4a23-9d18-a96934a7d690",
    "site_id": 270304,
    "amount": 1,
    "currency": "RUB",
    "status": {
      "value": "PAID",
      "update_datetime": "2017-12-27T16:01:00Z"
    },
    "user": {
      "phone": "79261234567",
      "user_id": "dsfc2recd123sdadx3dscfewcr234esdcf23",
      "email": "example@gmail.com"
    },
    "creation_datetime": "2017-08-17T09:56:02.241Z",
    "expiration_datetime": "2017-12-27T16:01:00Z",
    "version": "3.0"
  }
}
```

```
HTTP/1.1 200 OK
Content-Type: application/json

{
  "error": 0
}
```

- X-Api-Signature-SHA256: ***
- Accept: application/json
- Content-type: application/json
- Invoice parameters are in the POST-request's body.
| Parameter | Description | Type |
|---|---|---|
| bill_id | Invoice identifier in the merchant's system | String(30) |
| site_id | Merchant's site identifier in QIWI Kassa | Number |
| amount | The invoice amount. The number is rounded down to two decimal places. | Number(6.2) |
| currency | Currency identifier of the invoice (Alpha-3 ISO 4217 code) | String(3) |
| status | Invoice status data | Object |
| status.value | String representation of the status | String |
| status.update_datetime | Status refresh date | URL-encoded YYYY-MM-DDThh:mm:ssZ |
| user | User data | Object |
| user.phone | The user’s phone (if specified in the invoice) | String |
| user.email | The user's e-mail (if specified in the invoice) | String |
| user.user_id | The user's identifier in the merchant's system (if specified in the invoice) | String |
| creation_datetime | System date of the invoice creation | URL-encoded YYYY-MM-DDThh:mm:ssZ |
| expiration_datetime | Invoice payment's due date | URL-encoded YYYY-MM-DDThh:mm:ssZ |
| comment | Comment to the invoice | String(255) |
| extras | Additional invoice data provided by the merchant (if specified in the invoice) | Object |
| version | Notification service version | String |
Response should be in JSON.

Content-type: application/json

```
HTTP/1.1 200 OK
Content-Type: application/json

{
  "error": 0
}
```

Any response with a result code other than 0 ("Success") and/or an HTTP status code other than 200 (OK) will be treated as a temporary error.
The QIWI Wallet server repeats the notification request 36 times at 15-minute intervals.
Then it continues for 15 more times at 60-minute intervals.
In total, the QIWI Wallet server makes 51 attempts within the next 24 hours.
- We recommend that the result codes returned by the merchant be in accordance with the Notification codes table.
- To receive notifications, the merchant must whitelist the following IP subnets, which connect exclusively on ports 80 and 443:
  - 91.232.230.0/23
  - 79.142.16.0/20

Notifications are authorized by signature. The HTTP header X-Api-Signature-SHA256, which carries the signature, is added to the POST request. The signature is computed with the HMAC algorithm using the SHA256 hash function.
The HMAC-SHA256 hash is taken over some parameters of the notification, joined with the | separator, and keyed with secret_key.
Header example:

```
X-Api-Signature-SHA256: J4WNfNZd***V5mv2w=
```

- The parameter separator is `|`.
- The following parameters are signed, placed in alphabetical order and UTF-8 byte-encoded:
  - amount
  - bill_id
  - currency
  - email (if present)
  - phone (if present)
  - site_id
  - status.value
  - user_id (if present)
- The parameters are placed in alphabetical order and UTF-8 byte-encoded.
- The key for the signature is the SECRET_KEY.

Signature verification algorithm is as follows:

1. Prepare a string of all parameter values from the notification POST request, sorted in alphabetical order and separated by `|`:

   `{parameter1}|{parameter2}|…`

   where `{parameter1}` is the value of the notification parameter. All values should be treated as strings.
2. Transform the obtained string and the signature key into bytes encoded in UTF-8.
3. Apply the HMAC-SHA256 function:

   `hash = HMAC(SHA256, SECRET_KEY_bytes, invoice_parameters_bytes)`

   Where:
   - `SECRET_KEY_bytes` – byte-encoded secret key;
   - `invoice_parameters_bytes` – byte-encoded POST-request body;
   - `hash` – hash-function result.
4. Transform the HMAC-hash value into bytes with UTF-8 and Base64-encode it.
5. Compare the `X-Api-Signature-SHA256` header's value with the result of step 4.

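A receiver-side check that follows the five steps above, as an added example (not code from QIWI or from this page). The function and constant names are hypothetical, and the sample body and secret are constructed. It assumes the signed values sit under the `bill` object as in the sample request, and reads step 4 as Base64 of the raw HMAC digest.

```python
import base64
import hashlib
import hmac
import json

# Paths inside "bill" of the signed values, in the alphabetical order the page lists.
SIGNED_PATHS = [("amount",), ("bill_id",), ("currency",), ("user", "email"),
                ("user", "phone"), ("site_id",), ("status", "value"), ("user", "user_id")]

def signing_string(bill):
    """Step 1: join the signed values, as strings, with '|'."""
    parts = []
    for path in SIGNED_PATHS:
        node = bill
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node is None and path[0] != "user":  # only user.* values are "if present"
            raise ValueError("missing signed field: " + ".".join(path))
        if node is not None:
            parts.append(str(node))
    return "|".join(parts)

def compute_signature(secret_key, bill):
    """Steps 2-4: UTF-8 encode, HMAC-SHA256, Base64."""
    mac = hmac.new(secret_key.encode("utf-8"), signing_string(bill).encode("utf-8"), hashlib.sha256)
    # Assumption: step 4 is read as Base64 of the raw 32-byte digest.
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_notification(raw_body, header_value, secret_key):
    """Step 5: return the parsed bill when the header signature matches, else None."""
    try:
        # parse_int/parse_float=str keep number literals verbatim ("1.00" stays "1.00").
        bill = json.loads(raw_body.decode("utf-8"), parse_int=str, parse_float=str)["bill"]
        expected = compute_signature(secret_key, bill)
    except (ValueError, KeyError, TypeError):
        return None
    # Constant-time comparison, so response timing does not reveal how much matched.
    ok = hmac.compare_digest(expected.encode(), (header_value or "").encode())
    return bill if ok else None

# Constructed sample mirroring the page's example; the secret is a made-up test value.
SAMPLE_SECRET = "constructed-test-secret"
SAMPLE_BODY = (
    b'{"bill": {"bill_id": "a475c739-0561-4a23-9d18-a96934a7d690", "site_id": 270304,'
    b' "amount": 1, "currency": "RUB", "status": {"value": "PAID"},'
    b' "user": {"phone": "79261234567", "email": "example@gmail.com",'
    b' "user_id": "dsfc2recd123sdadx3dscfewcr234esdcf23"}, "version": "3.0"}}'
)
SAMPLE_HEADER = compute_signature(SAMPLE_SECRET, json.loads(SAMPLE_BODY)["bill"])
```

Act on the invoice status only when `verify_notification` returns a bill; a `None` result means the body or header should not be trusted.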
| Result code | Description |
|---|---|
| 0 | Success |