TabaPay's Unified API

You can utilize the Create Transaction request for both payment acceptance and to payout funds. At TabaPay we may refer to this as to push (payouts) or pull (payment acceptance) funds. Move funds with various payment methods, and discover support for cross-border or domestic transactions.

Example JSON

Here are a couple request body parameters for a push and pull payment.

For example, type:pull $100:

{
   "accounts": {
         "sourceAccountID": "zxc4123412341234123412",
         "destinationAccountID": "1234123412341234abc412"
    },
    "referenceID": "abc123",
    "type": "pull",
    "amount": "100.00"
}

Or type:push $50:

{
   "accounts": {
         "sourceAccountID": "zxc4123412341234123412",
         "destinationAccountID": "1234123412341234abc412"
    },
    "referenceID": "zxcv456",
    "type": "push",
    "amount": "50.00"
}

📘
Payload Should Be Compact
API examples are shown in a human-readable format for clarity. Actual API request bodies must use compact JSON.

Compact JSON

The previous request should look like the following when sending with any whitespaces removed.

{"accounts":{"sourceAccountID":"zxc4123412341234123412","destinationAccountID":"1234123412341234abc412"},"referenceID":"abc123","type":"pull","amount":"100.00"}

Complementary APIs

All our other APIs are built to support our a unified payment flow. Here is a quick preview:

Card APIs for AVS, check eligibility for push/pull, retrieve BIN attributes.
Bank APIs to retrieve the attributes of a bank such as RTP eligibility.
Account APIs to store and manage cards with TabaPay. The output of this API is a TabaPay Token (account ID) that can be used in lieu of a payment instrument in our unified API.
Transaction APIs that corresponds to our Unified API for push and pull payments.
3D Secure APIs that allows you to perform 3DS. For a full guide, click here.
Sub-client APIs that allow you to automatically onboard sub-clients, set their fees, configuration, etc.

Integrating with TabaPay

TabaPay Web Service (API) is organized around REST. It uses standard HTTPS response codes, authentication, and verbs, and requests and responses are formatted using standard JSON. Before you Make Your First API Call, you will want to complete the following steps with TabaPay to secure your Sandbox credentials.

Steps to integrate with TabaPay
1. Say Hello - Email [email protected] to get started with access to our APIs. Our APIs are not publicly available. We will require your IP address(es) to be whitelisted in order to provide access to our secure sandbox environment.
2. Authentication - TabaPay API uses API keys to authenticate requests. Your API credentials carry many privileges, so be sure to keep them secure! Do not share your secret API credentials in publicly accessible areas.
3. Headers - All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail. HTTP Headers must be formatted as follows: Authorization: Bearer `<TokenValue>` Content-type: application/json
4. IP Whitelisting - Before you begin, please ensure you provide us with the IP Addresses you want us to whitelist. Our Firewalls will block all non-whitelisted IP Addresses.

Steps to integrate with TabaPay

1. Say Hello - Email [email protected] to get started with access to our APIs. Our APIs are not publicly available.

We will require your IP address(es) to be whitelisted in order to provide access to our secure sandbox environment.

**2. Authentication **- TabaPay API uses API keys to authenticate requests.

Your API credentials carry many privileges, so be sure to keep them secure! Do not share your secret API credentials in publicly accessible areas.

3. Headers - All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

HTTP Headers must be formatted as follows: Authorization: Bearer <TokenValue> Content-type: application/json

**4. IP Whitelisting **- Before you begin, please ensure you provide us with the IP Addresses you want us to whitelist. Our Firewalls will block all non-whitelisted IP Addresses.

Important Notices

⚠️
API Request Recommendation in Production
Requests per second are recommended at 1 transaction per second (1 txn/second)and a maximum of 3-5 transactions per second (3-5 txns/second) .

iFrame Tokens will expire after 5-10 minutes.

RetrieveAccount by ReferenceID should only be used in the case of a HTTP Communications Error (i.e. An AccountID was not returned back).

RetrieveTransaction by ReferenceID should only be used in the case of a HTTP Communications Error (i.e. A TransactionID was not returned back).

If you continue to use RetrieveAccount / RetrieveTransaction by ReferenceID, the API will return a Status Code of 421 (Misdirected Request):

For RetrieveAccount by ReferenceID if the Account was created over 24 hours ago
For RetrieveTransaction by ReferenceID if the Transaction was created over 24 hours ago

📘
Rate Limiting in Sandbox
We have Rate Limiting on the Sandbox Environment. Sandbox is a Shared Environment used by many Clients and meant only for Development purposes

What about PCI compliance?

Please look at our PCI How to Guide for all of the information your need regarding PCI compliance.

Configurations for Value Added Services

Before you proceed with your launch plan, please email [email protected] to ensure you have configured value added services required for your business case. Whether it is enabling 3DS or Apple Pay, Google Pay, or ensuring you have turned ON TabaPay Shield Controls to eliminate fraud, L2 and L3 interchange benefits, it will be important for you to let us know so we can enable them for you.

👍
Configurations can be on your side or ours
In order to fully ensure all your features are enabled for your business case, various configurations on our side or yours have to be set. Please let us know via [email protected] in case you need any help.

API Formatting Rules

To avoid unnecessary API errors, refer to Data for detailed formatting rules.

❗️
Please Follow Formatting Rules
TabaPay APIs can accept any UTF-8 character; however, to be safe for other processes that may be using this data, we recommend the use of only the Base64 URL-Safe Character Set.

We will explicitly restrict the use of these characters:

, Comma (used in csv files) " Double Quotes (used in csv files) ~ Tilde ^ Caret | Pipe

We do recommend the use of only the Base64 URL-Safe Character Set.

Format of text in Free Form Fields (Name, address, etc):

No resemblance of SQL statements or code
No characters in set: ; | ^ ~ , "
No consecutive .
Best character set to use: URL Safe Base 64
- Includes: A-Z a-z 0-9 - _ [space]
- If you deviate from this character set, some networks will reject the transaction entirely, solely based on the characters in the message (i.e. the text in the "city" field "T√ourin" will be rejected by certain networks.
- Avoid using consecutive characters that_are not_ in the URL-Safe Base 64 character set, as our Web Application Firewall (WAF) will block anything that looks suspicious.

Network codes

When using the Create Transaction API, you will receive a network code in your response. In the example below, a networkRCcode of 00means the transaction was approved or completed successfully.

Note: not all networks may return this Network Response Code .

{
  "SC": 200,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "Visa",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000"
}

For more potential response codes:

For other error, and status codes: