API Documentation
Integrate Pakhi Pay's powerful payment processing into your application with our simple and secure REST API.
🔒 Recent Security Updates (May 2026)
- Added HMAC-SHA256 signature verification for webhook callbacks
- Enhanced input validation and sanitization
- Removed deprecated fields (token) from webhook payload
- Updated WordPress plugin with enterprise-grade security
Action Required: Update your webhook handlers to verify signatures and remove references to the token field.
Authentication
To use our API, you need an api-key. You can find your API key in your Brand settings. This key must be included in the header of every request.
api-key: YOUR_BRAND_API_KEY
Create Payment
Create a new payment link to initiate a transaction.
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| cus_name | string | Yes | Customer full name |
| cus_email | string | Yes | Customer email address |
| amount | decimal | Yes | Transaction amount (e.g. 100.00) |
| success_url | url | Yes | Redirect after successful payment |
| cancel_url | url | Yes | Redirect after cancelled payment |
| order_id | string | No | Your internal order reference |
| callback_url | url | No | URL for webhook notification |
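<?php
// Create a payment link and redirect the customer to the hosted payment page.
$api_url = "https://pakhipay.com/api/request/payment/create/";
// The key authenticates every API call: load it from server-side
// configuration and keep it out of version control and client-side code.
$api_key = "YOUR_API_KEY";

$data = [
    "cus_name" => "John Doe",
    "cus_email" => "john@example.com",
    "amount" => 100.00,
    "success_url" => "https://yourwebsite.com/success",
    "cancel_url" => "https://yourwebsite.com/cancel",
    "order_id" => "ORDER123",
    "callback_url" => "https://yourwebsite.com/webhook"
];

$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Bound the wait so a stalled connection cannot hang the checkout request.
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Content-Type: application/json",
    "api-key: $api_key"
]);

$response = curl_exec($ch);
if ($response === false) {
    // Transport failure: keep the detail in the server log, not in the page.
    error_log("Payment create request failed: " . curl_error($ch));
    http_response_code(502);
    echo "Error: payment service unavailable";
    exit;
}

$result = json_decode($response, true);
if (!is_array($result)) {
    // The body was not a JSON object, so there is nothing safe to index.
    http_response_code(502);
    echo "Error: unexpected response from payment service";
    exit;
}

if (($result['status'] ?? null) == 1 && !empty($result['payment_url'])) {
    header("Location: " . $result['payment_url']);
    // Stop here so no further output or logic runs after the redirect.
    exit;
} else {
    // Escape the message before it is written into the HTML response.
    echo "Error: " . htmlspecialchars((string) ($result['message'] ?? 'Unknown error'), ENT_QUOTES, 'UTF-8');
}
?>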
import requests
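# Create a payment link and print the hosted payment URL.
api_url = "https://pakhipay.com/api/request/payment/create/"
headers = {
    # Load the key from server-side configuration; do not commit it.
    "api-key": "YOUR_API_KEY",
    "Content-Type": "application/json"
}
data = {
    "cus_name": "John Doe",
    "cus_email": "john@example.com",
    "amount": 100.00,
    "success_url": "https://yourwebsite.com/success",
    "cancel_url": "https://yourwebsite.com/cancel",
    "order_id": "ORDER123",
    "callback_url": "https://yourwebsite.com/webhook"
}

try:
    # requests has no default timeout; without one a stalled connection blocks forever.
    response = requests.post(api_url, json=data, headers=headers, timeout=30)
    result = response.json()
except (requests.RequestException, ValueError) as exc:
    # Network failure or a body that is not JSON: report the error class only,
    # so request details (including headers) never reach the output.
    print(f"Error: request failed ({exc.__class__.__name__})")
else:
    if isinstance(result, dict) and result.get('status') == 1:
        print(f"Payment URL: {result.get('payment_url')}")
    else:
        message = result.get('message') if isinstance(result, dict) else None
        print(f"Error: {message}")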
const axios = require('axios');
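// Create a payment link and log the hosted payment URL.
const data = {
  cus_name: "John Doe",
  cus_email: "john@example.com",
  amount: 100.00,
  success_url: "https://yourwebsite.com/success",
  cancel_url: "https://yourwebsite.com/cancel",
  order_id: "ORDER123",
  callback_url: "https://yourwebsite.com/webhook"
};

axios.post('https://pakhipay.com/api/request/payment/create/', data, {
  headers: {
    // Load the key from server-side configuration; do not commit it.
    'api-key': 'YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  // Bound the wait so a stalled connection does not hang the caller.
  timeout: 30000
})
  .then(response => {
    if (response.data.status === 1) {
      console.log('Payment URL:', response.data.payment_url);
    } else {
      console.error('Error:', response.data.message);
    }
  })
  // Log the message only: the full axios error object carries the request
  // config, including the api-key header, and would write it to the logs.
  .catch(error => console.error('Request failed:', error.message));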
Verify Payment
Verify a transaction using the Transaction ID and amount.
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| transaction_id | string | Yes | Transaction ID from payment |
| amount | decimal | Yes | Exact transaction amount |
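<?php
// Ask the API whether a transaction completed for the expected amount.
$api_url = "https://pakhipay.com/api/request/payment/verify/";
// Load the key from server-side configuration; do not commit it.
$api_key = "YOUR_API_KEY";

$data = [
    "transaction_id" => "TRX123456",
    // Send the amount stored with your own order record, not a value taken
    // from the customer's request, so a tampered amount fails verification.
    "amount" => 100.00
];

$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Bound the wait so a stalled connection cannot hang the request.
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Content-Type: application/json",
    "api-key: $api_key"
]);

$response = curl_exec($ch);
// A transport failure or a non-JSON body must count as "not verified".
$result = ($response === false) ? null : json_decode($response, true);

// Strict comparison on the message: before PHP 8, a loose == between the
// integer 0 and the string 'completed' evaluates to true.
if (is_array($result)
    && ($result['status'] ?? null) == 1
    && ($result['message'] ?? null) === 'completed') {
    echo "Payment Verified Successfully!";
} else {
    echo "Payment Verification Failed.";
}
?>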
import requests
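# Ask the API whether a transaction completed for the expected amount.
api_url = "https://pakhipay.com/api/request/payment/verify/"
# Load the key from server-side configuration; do not commit it.
headers = {"api-key": "YOUR_API_KEY"}
data = {
    "transaction_id": "TRX123456",
    # Use the amount stored with your own order record, not a value supplied
    # by the customer's request.
    "amount": 100.00
}

try:
    # requests has no default timeout; without one a stalled connection blocks forever.
    response = requests.post(api_url, json=data, headers=headers, timeout=30)
    result = response.json()
except (requests.RequestException, ValueError):
    # A network failure or a non-JSON body must count as "not verified".
    result = None

if isinstance(result, dict) and result.get('status') == 1 and result.get('message') == 'completed':
    print("Success")
else:
    print("Failed")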
const axios = require('axios');
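// Ask the API whether a transaction completed for the expected amount.
axios.post('https://pakhipay.com/api/request/payment/verify/', {
  transaction_id: "TRX123456",
  // Use the amount stored with your own order record, not a value supplied
  // by the customer's request.
  amount: 100.00
}, {
  // Load the key from server-side configuration; do not commit it.
  headers: { 'api-key': 'YOUR_API_KEY' },
  // Bound the wait so a stalled connection does not hang the caller.
  timeout: 30000
})
  .then(response => {
    if (response.data.status === 1 && response.data.message === 'completed') {
      console.log("Verified");
    } else {
      console.log("Failed");
    }
  })
  // Without a handler a failed request becomes an unhandled rejection.
  // Treat it as "not verified" and log the message only, because the full
  // axios error object includes the api-key request header.
  .catch(error => {
    console.error('Verification request failed:', error.message);
    console.log("Failed");
  });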
Webhooks (Callback)
If a callback_url was provided during payment creation, our server will send a POST request once the payment is completed.
Example Payload
This is the JSON data you will receive at your callback URL. The payload includes a signature field for security verification.
{
"status": "completed",
"transaction_id": "TRX123456789",
"amount": "100.00",
"order_id": "your-order-id",
"signature": "a1b2c3d4e5f6..."
}
The signature field contains an HMAC-SHA256 hash of the JSON payload, keyed with your API key. Always verify this signature to ensure the callback is authentic.
Signature Verification
To ensure webhook authenticity, always verify the signature field. The signature is calculated using HMAC-SHA256 with your API key.
How Signature Works:
- Take the raw JSON payload received in the webhook
- Calculate HMAC-SHA256 hash using your API key
- Compare with the signature field in the payload, using a constant-time comparison (hash_equals in PHP, hmac.compare_digest in Python)
- If they match, the webhook is authentic
How to Receive Webhook
Use the following examples to capture the payment notification on your server:
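<?php
// Webhook receiver: authenticate the callback, then act on a completed payment.

// Read the body exactly as sent; the HMAC is computed over these raw bytes.
$json = file_get_contents('php://input');
$data = json_decode($json, true);

// Reject bodies that are not a JSON object or carry no string signature.
// Without this guard, hash_equals() raises a TypeError on PHP 8 when the
// field is missing, which turns a bad request into a 500.
if (!is_array($data) || !isset($data['signature']) || !is_string($data['signature'])) {
    http_response_code(400);
    echo "Invalid payload";
    exit;
}

// Verify signature before trusting any field of the payload.
// NOTE(review): the signature travels inside the same JSON that is hashed
// here; this page does not say whether the provider removes that field
// before computing the HMAC. Confirm this, since the check below hashes the
// body exactly as received.
$api_key = 'YOUR_API_KEY'; // Your brand API key; load it from server-side configuration
$expected_signature = hash_hmac('sha256', $json, $api_key);
// hash_equals() compares in constant time, so timing does not leak the digest.
if (!hash_equals($expected_signature, $data['signature'])) {
    http_response_code(403);
    echo "Invalid signature";
    exit;
}

// Strict comparison: the status must be exactly the string 'completed'.
if (($data['status'] ?? null) === 'completed') {
    $trx_id = $data['transaction_id'] ?? null;
    $amount = $data['amount'] ?? null;
    $order_id = $data['order_id'] ?? null;
    // 1. Verify the transaction in your database: the order exists, its
    //    stored amount equals $amount, and $trx_id was not processed before
    //    (callbacks can be delivered more than once).
    // 2. Update order status to 'Paid'
    http_response_code(200);
    echo "OK";
} else {
    http_response_code(400);
    echo "Invalid Status";
}
?>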
# Example using Django
from django.http import JsonResponse
from django.views.decorators.csrf import csrf_exempt
import json
import hmac
import hashlib
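@csrf_exempt
def payment_webhook(request):
    """Receive a payment callback, authenticate it, and acknowledge it.

    The view is CSRF-exempt because the caller is the payment server, not a
    browser session; the HMAC signature check is the only authentication.

    Returns a JsonResponse with status 200 for a completed payment with a
    valid signature, 403 when the signature does not match, and 400 for any
    other request (wrong method, malformed body, other payment status).
    """
    if request.method != 'POST':
        return JsonResponse({'status': 'error'}, status=400)

    # A body that is not valid JSON would otherwise raise and produce a 500.
    try:
        data = json.loads(request.body)
    except ValueError:
        return JsonResponse({'status': 'error'}, status=400)
    if not isinstance(data, dict):
        return JsonResponse({'status': 'error'}, status=400)

    # Verify signature before trusting any field of the payload.
    # NOTE(review): the signature is a field of the same JSON that is hashed;
    # the page does not say whether the provider removes it before computing
    # the HMAC. Confirm this, since the body is hashed exactly as received.
    api_key = 'YOUR_API_KEY'  # Your brand API key; load it from server-side settings
    expected_signature = hmac.new(
        api_key.encode('utf-8'),
        request.body,
        hashlib.sha256
    ).hexdigest()

    # compare_digest raises TypeError for non-str or non-ASCII str input, so
    # require a string and compare as bytes; the comparison is constant-time.
    received_signature = data.get('signature')
    if not isinstance(received_signature, str) or not hmac.compare_digest(
        expected_signature.encode('utf-8'),
        received_signature.encode('utf-8'),
    ):
        return JsonResponse({'status': 'invalid_signature'}, status=403)

    if data.get('status') == 'completed':
        trx_id = data.get('transaction_id')
        order_id = data.get('order_id')
        # Process your order logic here: check the amount against the stored
        # order and skip transaction IDs that were already processed, since
        # a callback can be delivered more than once.
        return JsonResponse({'status': 'received'}, status=200)

    return JsonResponse({'status': 'error'}, status=400)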
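// Example using Express.js
const express = require('express');
const crypto = require('crypto');
const app = express();

// Keep the exact bytes of the request body. The HMAC must be computed over
// what was sent; JSON.stringify(req.body) re-serializes the parsed object
// and can differ from the original in whitespace, escaping or number format,
// which makes valid signatures fail to verify.
app.use(express.json({
  verify: (req, _res, buf) => {
    req.rawBody = buf;
  },
}));

app.post('/webhook', (req, res) => {
  // rawBody is only set when the JSON parser actually read a body.
  if (!Buffer.isBuffer(req.rawBody)) {
    return res.status(400).send('Invalid payload');
  }
  const data = req.body;

  // Verify signature before trusting any field of the payload.
  // NOTE(review): the signature is a field of the same JSON that is hashed;
  // the page does not say whether the provider removes it before computing
  // the HMAC. Confirm this, since the body is hashed exactly as received.
  const apiKey = 'YOUR_API_KEY'; // Your brand API key; load it from server-side configuration
  const expectedSignature = Buffer.from(
    crypto.createHmac('sha256', apiKey).update(req.rawBody).digest('hex'),
    'utf8',
  );
  const receivedSignature = Buffer.from(
    typeof data.signature === 'string' ? data.signature : '',
    'utf8',
  );

  // timingSafeEqual throws on unequal lengths, so check the length first;
  // the comparison itself runs in constant time, unlike !== on strings.
  const signatureOk =
    receivedSignature.length === expectedSignature.length &&
    crypto.timingSafeEqual(receivedSignature, expectedSignature);
  if (!signatureOk) {
    return res.status(403).send('Invalid signature');
  }

  if (data.status === 'completed') {
    const trxId = data.transaction_id;
    const orderId = data.order_id;
    console.log(`Payment received for Order: ${orderId}`);
    // Update your database here: check the amount against the stored order
    // and skip a trxId that was already processed, since a callback can be
    // delivered more than once.
    res.status(200).send('OK');
  } else {
    res.status(400).send('Invalid Status');
  }
});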
Hosted Checkout SDK
Our Hosted Checkout SDK allows you to accept payments without redirecting users away from your website. It opens a secure payment modal over your site.
1. Include the SDK
Add the following script tag to your website's <head> or before the closing </body> tag.
<!-- Pakhi Pay SDK -->
<!-- NOTE(review): this tag loads script from another origin with no integrity (SRI) attribute, so the page runs whatever that URL serves at load time. If the provider publishes a versioned file and its hash, pin it with integrity= and crossorigin=, and allow this origin explicitly in your Content-Security-Policy. -->
<script src="https://pakhipay.com/static/js/pakhipay-sdk.js"></script>
2. Initialize and Call Checkout
Use the PakhiPay object to initialize with your API key and call the checkout method.
// Set up the SDK client once per page.
// NOTE(review): this key is delivered to every visitor's browser. Elsewhere
// on this page the brand API key authenticates server-side API calls and is
// the HMAC key for webhook signatures; if the SDK uses that same key, anyone
// who views the page source can read it. Confirm with the provider whether
// the SDK accepts a separate publishable key.
const pp = PakhiPay({
  apiKey: 'YOUR_BRAND_API_KEY',
  baseUrl: 'https://pakhipay.com', // Base URL of Pakhi Pay
});

/**
 * Open the hosted checkout modal for a single order.
 *
 * Reaching successUrl is a browser redirect, not proof of payment: mark the
 * order paid only after the signed webhook or a server-side verify call.
 */
function startPayment() {
  const checkoutOptions = {
    amount: 100.00,
    customerName: 'John Doe',
    customerEmail: 'john@example.com',
    orderId: 'ORD-998877', // Your internal Order ID
    successUrl: 'https://yourwebsite.com/success',
    cancelUrl: 'https://yourwebsite.com/cancel',
    callbackUrl: 'https://yourwebsite.com/webhook',
  };
  pp.checkout(checkoutOptions);
}
3. Add a Payment Button
Simply call your function from any button or link.
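<!-- type="button" keeps the click from also submitting an enclosing form. -->
<button type="button" onclick="startPayment()">Pay with Pakhi Pay</button>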
Module Downloads
Quickly integrate Pakhi Pay into your CMS or Framework using our official modules.