Professional Documents
Culture Documents
Mobile Payment System: Web and Mobile Web
Mobile Payment System: Web and Mobile Web
Contents
1.3 Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Change Log 4
3 Introduction 7
5 API Integration 53
2
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
6 Skinability 61
7 Automated start 65
3
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
This document describes how to integrate Onebip Mobile Payment System with your service. Even
though Onebip can be integrated in its simplest form just with basic web development skills, you will
also need to be familiar with the scripting languages if you use a dynamic platform to handle customer
registrations, logins, and transactions, and you would like Onebip to be integrated with it.
This document is written for the merchants and the developers who want to configure and test their
Onebip-based web applications before using them in production.
Onebip is providing the information in this document to you AS-IS with all faults. Onebip makes no
warranties of any kind (whether express, implied or statutory) with respect to the information con-
tained herein. Onebip assumes no liability for damages (whether direct or indirect), caused by errors
or omissions, or resulting from the use of this document or the information contained in this docu-
ment or resulting from the application or use of the product or service described herein.
Onebip reserves the right to make changes to any information herein without further notice.
Onebip does not guarantee that the features described in this document will be announced or made
available to anyone in the future.
1.3 Version
Onebip Integration Guides are updated in time to add new functionalities and to provide the best
features available. Please ensure that you have the latest version to take advantage of the new features
that have been updated and improved which are not available in the previous versions.
• Code fragments, URLs, and paramaters cited inline are rendered with a monospace font.
• Additionally, for the sake of clarity, URLs with lots of parameters use curl extended syntax.
• Parameter names are broken up without the usual ”-” in order to avoid confusion.
4
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
2 Change Log
4.2.0 06/03/2016 Updating country payment page parameter for both one
time/subscription payments; now this field is optional. Remov-
ing command as it is no longer used.
5
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
4.1.8 20/12/2016 Removing BKO sections, updating new logo, updating com-
pany info
4.1.3 24/10/2016 Changed api url with pay.onebip.com for purchases and sub-
scriptions
4.1.0 16/12/2013 Added subscription change status notifications for states be-
fore activation
6
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
4.0.1 25/01/2013 Updated chapter 4 API Integration and updated new examples
in this chapter
7
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
3 Introduction
Onebip Mobile Payment System will allow you to receive payments from mobile phone subscribers
for your services within a PC or Mobile website.
With Onebip, mobile phone subscribers will be able to make payments for your products and services
by debiting their mobile phone bill or pre-paid account.
Onebip is the simplest payment solution that enables users to make payments for your services through
their on-handsets. Onebip makes mobile payments an easy and immediate experience for all the mo-
bile phone users.
By following the steps detailed in the next chapters in this integration guide, it will be easy and quick
to integrate Onebip mobile payment solution.
8
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Onebip Mobile Payment System will allow you to charge your customers both for one-time payments
and subscription-based payments depending on your service offering with a simple technical inte-
gration conducted with HTTP requests.
You can immediately start integrating one-time payments and receiving transactions from your cus-
tomers by following the integration steps detailed in this integration guide. To start receiving trans-
actions for the subscription-based payments also known as ”recurring payments”, due to the country
regulations, Onebip needs to obtain formal carriers’ approval before you launch your services. See
subscription-based payments for more details.
One-time payments means that your customers will be billed only once for the price you are request-
ing for your service. One-time payments are also called single purchases where the price of your
service are deducted from your customer’s mobile phone bill or pre-paid account only once.
The connection with Onebip payment page is achieved by using HTTP GET or POST requests to the
following URL:
http://pay.onebip.com/purchases
Please note that the connection to Onebip payment page can be performed using a standard HTTP
request or using a 128bit SSL encryption on our secure server where the structure of the call will be
identical, apart from the use of HTTPS1 instead of HTTP in the payment page URL.
The following table shows all the case sensitive dynamic parameters you must use in your payment
query string to Onebip:
9
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. USD
e.g. US
10
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
11
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. en
12
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. http://www.yoursite.com/
images/logo109.jpg
e.g. custom[campaign_code]=promo_
oct_10
custom[promo_code]
=googlecampaign
13
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. 447700900999
e.g. US
14
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
If with_content_access_code is omit-
ted Onebip will generate a random nu-
meric access code for you which will be
sent to the user and communicated in the
notifications after a successful payment.
HTML Examples Below you can find the simplest integration examples with Onebip Payment Sys-
tem for one-time payments, using only mandatory parameters and some important ones.
15
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
You can consider the case below as for a web entertainment service with one-time payment model
(associated to the merchant business@webgame.com), which will create a Onebip payment button
on this merchant’s web site, for the merchant’s service which will cost $ 0,99 for 1000 game credits in
United States for its customers.
Username business@webgame.com
curl http://pay.onebip.com/purchases \
-d username=business@webgame.com \
-d description=1000+game+credits \
-d price=99 \
-d country=US \
-d currency=USD \
-d return_url=http://www.webgame.com/thankyou.htm \
-d notify_url=http://www.webgame.com/notify.php
The same result can be performed with an HTTP POST request by using the same parameters:
In the following, an extended and more realistic example of the integration with HTTP POST for the
same operation, using all the optional parameters will give you more complete control and better
tracing of your payment operations.
16
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
In order to avoid any navigation problem we would like to remind you to make sure not to use the
sandbox tag (with its attributes) when including Onebip payment page within an iframe.
Security signature Onebip provides you with a process to enforce the security between you and
Onebip, using a signature process inside the HTTP request.
Signature is not mandatory, but can be used if you would like to be sure to protect in the best way the
connection with Onebip, to prevent any possible type of fraud.
If you introduce the signature in the request, Onebip will accept the request only if the signature check
is OK, and will discard it if the check is not passed. If the signature is not present the control won’t be
performed.
If used, the signature must be inserted as an additional parameter of the request, named signature.
This parameter should always be last one the HTTP request. Onebip will control the signature, accept-
ing the request only if the value check is correct.
The signature encryption is calculated as the HMAC-SHA256 of the URL returned by Onebip, given
your secret key, which you can set via the ”API Key” entry under the ”My Account” section on Onebip
Panel. API key is mandatory to use signature in the request.
Taking the example of the previous chapter, given the following GET request, without signature:
curl http://pay.onebip.com/purchases \
-d username=business@webgame.com \
17
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
-d description=1000+game+credits \
-d price=99 \
-d country=US \
-d currency=USD \
-d return_url=http://www.webgame.com/thankyou.htm \
-d notify_url=http://www.webgame.com/notify.php
with MySecretKey123456 as the value set in ”API Key”, the resulting URL will be:
curl http://pay.onebip.com/purchases \
-d username=business@webgame.com \
-d description=1000+game+credits \
-d price=99 \
-d country=US \
-d currency=USD \
-d return_url=http://www.webgame.com/thankyou.htm \
-d notify_url=http://www.webgame.com/notify.php \
-d signature=\
5afec3299620f2f7983713a84f9e710173c90e01e9bac306fa2c73d7226ad3ef
The same, identical, process may be applied to HTTP POST request, where the signature value is elab-
orated in the same way, and where the final representation of the request would be:
In order to avoid any navigation problem we would like to remind you to make sure not to use the
sandbox tag (with its attributes) when including Onebip payment page within an iframe.
Please consider that for both GET and POST the calculation of the signature will be performed on the
url encoded parameters meaning the signature has to be calculated for both on the URL encoded
query string.
You can also ask to enforce more security, making the signature control mandatory on Onebip side.
This means that the control of the request will be always made by Onebip for every request, and the
request will be accepted only if the check is OK.
18
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Content access credentials Among the various features available on Onebip, we also offer you the
possibility to authenticate on your side (login) a user which access code has been delivered by Onebip
after the completion of a purchase (see HTML Examples) (ex. with_content_access_by=msisdn).
The access code has to be provided during the purchase creation by using the parameter with_
content_access_code (see HTML Examples) or can be randomly generated by Onebip (6 random
numbers) if not provided.
• The user will receive the access code (ex. when using with_content_access_by=msisdn the
access code will be sent by SMS)
• The merchant will receive a BILLING_COMPLETED notification (see Processing One-Time Trans-
action Notifications) with the access code and the encrypted access identity
In this case the user has to be allowed to access the content he paid for by using its identity (ex.
msisdn) and the associated access code.
On your side user’s identity must be compared with the encrypted access identity via bcrypt (see
Processing One-Time Transaction Notifications)
Buyer intention In some cases the payment flow is initiated with a message (command) sent by the
user which content is a message asking to buy a product. Onebip system is able to start a payment
process when receiving a specific message however sometimes this isn’t always possible because
there can be many products that the user wants to purchase or just because we don’t have all the
customer base hence we can’t know if the use already bought that product. In those cases we see the
message sent by the user, his intention to buy something and the content as the instructions, we call
it the BuyerIntention. All the information we can extract from this message are notified through
the BUYER_INTENTION_RECEIVED notification. In this notification two pieces of information are par-
ticularly important:
• The intention.message which represents the command sent by the user that needs to be
interpreted by you. So you will receive the complete unchanged message text sent by the user.
• The intention.id which represents the identification of this intention that needs to be used
to create the purchase so that we can correlate the purchase with the initial buyer intention.
When you receive the notification you can check if the user has already bought the product and send
him a message using the specific API or you can start a purchase with a s2s integration.
Customer account identifier With this parameter Onebip will be able to track the behaviour of a
customer accout, for example Onebip will be able to track the number of unique MSISDNs used by a
specific customer_account_id to buy things from you hence to detect fraudulent behaviours. Once
we detect a fraudulent behaviour we will temporarily block that account, which means that that ac-
count will not be able to create payment transactions on our platform. When a transaction is aborted
because the buyer is using a blocked account the BILLING_ABORTED notification will contain the
why parameter with the value fraudulent-customer-account. This feature needs to be explicitly
enabled and configured by Onebip.
19
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Onebip will send you a proper notification for each one of your one-time payment requests.
The transaction response must be executed by your landing script to ensure that the transaction
is committed on the Onebip system before recording the customer’s payment as successful in your
database. This guarantees no discrepancies between your transaction records and Onebip.
Header <empty>
Body <JSON>
All the important and useful information will be inside the JSON body in order for you to understand
and manage the notification successfully.
The following structure will manage both the successful transaction and billing cases, with all the
relevant information, and the error cases, with the description and coding of the error occurred.
BILLING_COMPLETED
BILLING_ABORTED
to_url No It’s the notify_url given by you in the HTTP request which is
reproposed here only for compatibility and tracing.
You may use this ID to avoid that the same payment is regis-
tered more than once on your side.
business_model Yes For one-time payments and transactions the only one allow-
able value is pull.
country No The country code in ISO 3166 standard. This field is optional
however we strongly recommend to always pass it. When not
passed among the parameters Onebip will lookup the user IP
and will propose the price in local currency by looking for the
closest price found.
price Yes End user price in float (local value added taxes included) as ac-
tual amount.
original_ Yes The original currency set by you before Onebip converts it to
currency the local currency of your customer’s country
original_price Yes The original price set by you before Onebip converts it to the
local price of your customer’s country
e.g. 1.99
The value is one of the error code available, listed in the follow-
ing:
check-pin-failed-too-many-times
mobile-blocked
insufficient-credit
routing-error
21
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
invalid-msisdn
out-of-network
payment-failed
transfer-in-aborted
spending-limit-reached
unable-to-send-messages
connectivity-layer-failure
age-verification
sim-full
subscription-already-exists
unknown-error
unknown-exception
operator-integration-error
syntax-error
considered-lost
not-authorized-by-the-user
routing-error
free-mandatory-message-failed
retry-later
operator-spending-limit-reached
user-unsubscribed
mobile-payment-sim-limitations
billed-with-different-amount
user-already-subscribed-on-operator-side
creation-on-credit-provider-side-failed
22
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
canceled-by-user
invalid-argument-exception
timeout
configuration-problem
container-closing-requested
realtime-billing-is-not-permitted-aggregator-will-bill-shortly
request-exception
subscription-already-exists
subscription-expired
user-already-billed-for-current-period
e.g. purchase/09iuh7549bnn4rdc32h80op4
e.g. 9iou8yy4sd1n43ww3nj887u0
first_ Yes It’s a n an integer having the value of the UNIX timestamp
notification_at of when the notification is performed. In case of retries, this
timestamp is fixed and always points to the instant at which
the first attempt was made.
e.g 1364471150
23
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
mobile_phone_ No The value of the MSISDN of the your customer, who has tried
number_enc the one-time payment on Onebip payment page which is en-
crypted in md5. This field will not be passed for the ISP pur-
chases.
e.g. 88504199e070fc43d2ca1f4896f24b1b
credit_provider Yes The mobile network operator (mop) of the MSISDN of your
customer in case of mobile purchases or the internal service
provider (isp) in case of ISP purchases.
eg. mop/UK/Virgin,
isp/FR/Orange
mobile_phone_ No The MSISDN of your customer. This field will not be passed for
number the ISP purchases.
This value can be shared with you only under proper commer-
cial agreements between parties.
24
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
hash No Hash checksum of your API Key and of the notification URL pa-
rameters.
by What the user will use to identify himself. Right now the only supported value is msisdn
identity The encrypted value of the user identity. Right now it’s the encrypted (bcrypt with 10
iterations) msisdn in E.164 format (e.g. +44254578961)
code The value that the user must use to confirm their identity. This value is communicated by us to
the user after the payment confirmation. This value is not encrypted.
period_id identifies the progressive billing period, it’s meaningful only for subscriptions, for pur-
chases it will always be 1
fraction_id identifies the progressive billing fraction, it will increase after each successful user’s
payment, this is meaningful whenever to accumulate the purchase amount we need to invite
the user to pay multiple time because the credit provider doesn’t support the specific amount
as price point
attempt_id identifies the progressive billing attempt, it will increase after each failed user’s pay-
ment
Notification Examples The JSON body of a notification message sent from Onebip to your notify_
url in case of successful billing will be:
{
"what": "BILLING_COMPLETED",
"payment_id": "23dtle561129ij562jn5tg44",
"transaction_id": "84332uu3b56nwa4398il762r",
"business_model": "pull",
"context": "web",
"country": "US",
"status":"completed",
"currency": "USD",
"lang": "en",
25
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"price": 0.99,
"original_price":20,
"original_currency":"TRY",
"ssb_id":{
"period_id":1,
"fraction_id":1,
"attempt_id":1
},
"container": "purchase/09iuh7549bnn4rdc32h80op4",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"remote_txid": "12666721",
"item_code": "gm427xl"
"notification_id": "9iou8yy4sd1n43ww3nj887u0"
"first_notification_at": "1364471150"
}
In case of billing aborted, the structure of the JSON body will be the following:
{
"what": "BILLING_ABORTED",
"transaction_id": "84332uu3b56nwa4398il762r",
"business_model": "pull",
"context": "web",
"country": "US",
"currency": "USD",
"lang": "en",
"original_price":20,
"original_currency":"TRY",
"business_model": "pull",
"price": 0.99,
"ssb_id":{
"period_id":1,
"fraction_id":1,
"attempt_id":1
},
"container": "purchase/09iuh7549bnn4rdc32h80op4",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"remote_txid": "12666721",
"item_code": "gm427xl"
"why": "insufficient-credit"
"transaction_id":"not_available",
"notification_id": "9iou8yy4sd1n43ww3nj887u0"
"first_notification_at": "1364471150"
}
Obviously the content of the parameter why is dependent on the error with the possible available
values listed in the previous table through which you will be able to store the transaction results in
order to create your own statistics about the failures.
26
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
{
"what":"BUYER_INTENTION_RECEIVED",
"country":"UK",
"credit_provider":"mop/UK/T-Mobile",
"credit_device":"msisdn/449993332438",
"mobile_phone_operator":"UK/T-Mobile",
"mobile_phone_number":"449993332438",
"intention":{
"message":"TEST unlock GAME 001",
"received_at":1510670665,
"kind":"mo",
"id":"5a0b0149df895c12c51ea161"
},
"notification_id":"5a0b0149df895c12c51ea162",
"first_notification_at":1510670665
}
Notification Retry In the notification system, as a consequence of its notifications, Onebip expects
to receive a response with:
If you fail to respond OK, for instance if there is a system error in your web server, Onebip will place the
corresponding notification in a queue and will retry periodically to deliver it, until it will be successful.
During the retry period the payment will be stored in your Onebip account as ”Pending”.
If Onebip receives no outcome after the total retry period, the payment is considered ”Completed”
the same, and like that shown on the panel.
Signature encryption Onebip provides a signature encryption based on hashing, that is an encryp-
tion method that ensures the HTTP body has not been manipulated or changed. This allows the
integrity of the body in a data exchange between two parties to be checked via the HTTP header
X-Onebip-Signature. See Security signature for more details.
27
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
In this case there is the additional requirement of encoding in Base64 the resulting HMAC. So, given
the following raw body:
{
"country":"US",
"container":"purchase/812894dh207c88056d000000",
"mobile_phone_number_enc":"10b23c1039c704f87d7bf3cc1a0b8638",
"status":"completed",
"price":5,
"currency":"USD",
"business_model":"pull",
"transaction_id":"726378172",
"original_price":5,
"original_currency":"USD",
"what":"BILLING_COMPLETED",
"to_url":"https://www.merchant.com/onebip_notification",
"payment_id":2349872834
}
with MySecretKey123456 as the value set in ”API Key”, the value for the X-Onebip-Signature HTTP
header, encoded in Base64, will be:
cZ7OIG5nS5j2t8nqQBpuUWnGWqN7O0A8U1OpesfqfTE=
Please note: HMAC must be calculated in binary mode, not in hexadecimal. The HMAC is always in
binary data.
Onebip will append all the pass-through parameters you have specified in the transaction request to
your return_url.
Pass-through parameters in the return_url page can be used in many ways, for example to pass an
internal user-ID through the payment process and redirect your customer to her account on your site,
or to build customized ”post-payment” also known as ”thank you” pages.
timestamp is the Unix timestamp, given at the exact time of return_url creation. It can be used to
verify that the url has been created recently.
signature is the security signature given by Onebip that is described in more detail in Security signa-
ture.
28
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
curl http://pay.onebip.com/purchases \
-d username=business@webgame.com \
-d description=1000+game+credits \
-d price=99 \
-d country=US \
-d currency=USD \
-d return_url=http://www.webgame.com/thankyou.html \
-d custom[promo_id]=23332
curl http://www.webgame.com/thankyou.html \
-d payment_id=100801483 \
-d original_price=99 \
-d original_currency=USD \
-d promo_id=23332 \
-d whois=msisdn%2Fb667aea7c956ac72ecb6af65e1d9cfec \
-d mobile_phone_operator=US%2FVerizon \
-d mobile_phone_number_enc=b667aea7c956ac72ecb6af65e1d9cfec \
-d timestamp=1366103067
with MySecretKey123456 as the value set in ”API Key”, the resulting URL will be:
curl http://pay.onebip.com/purchases \
-d username=business@webgame.com \
-d description=1000+game+credits \
-d price=99 \
-d country=US \
-d currency=USD \
-d return_url=http://www.webgame.com/thankyou.htm \
-d notify_url=http://www.webgame.com/notify.php \
-d signature=\
5afec3299620f2f7983713a84f9e710173c90e01e9bac306fa2c73d7226ad3ef
In the following example, the URL to be signed with MySecretKey123456 as the value set in ”API
Key” will be:
curl http://www.webgame.com/thankyou.html \
-d payment_id=100801483 \
-d original_price=99 \
-d original_currency=USD \
-d promo_id=23332 \
-d whois=msisdn%2Fb667aea7c956ac72ecb6af65e1d9cfec \
-d mobile_phone_operator=US%2FVerizon \
-d mobile_phone_number_enc=b667aea7c956ac72ecb6af65e1d9cfec \
-d timestamp=1366103067 \
-d signature=\
c56ce063388fdd99683b2b79b8d051cdfd120f296e0769948defa006b3fbb0ce
29
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
The return_url page can also route your customer to a specific download page, using the notify_
url to authorize it. The return_url page could also be used to host the scripts needed to grant the
permissions for the user to access a specific product/service you are offering.
We strongly suggest that permissions or other actions needed to deliver your service or product to
your customers are not to be triggered by the return_url page, but by the notify_url.
Subscription payments also known as ”recurring payments” is a way to charge your users periodically
for a certain time period such as daily, weekly, monthly or even quarterly.
Onebip subscription service is easy and quick to set-up with its 4-step service launch approach which
you should follow as explained below.
Country/the mobile networks You should confirm with your Onebip account manager the country
and the mobile networks that you would like to launch your services with.
Technical Integration The technical integration for the subscription-based payments is very similar
to the one-time payments integration as explained in the previous chapter. If you are already
using Onebip for one-time payments, this integration will be even easier for you.
Mobile network approvals Mobile networks have their own subscription rules and therefore we will
need their approval before the service launch to be compliant with them. Onebip will get these
approvals for you in advance without involving you in this process.
Subscription service ID Your Onebip account manager will give you a 24 characters alphanumeric
subscription service ID for each of your subscription-based service. This ID will contain all the
details of your service such as the price, frequency and the description of your service and will
make the technical integration easier for you.
The connection with Onebip payment page is achieved by using HTTP GET or POST requests to the
following URL:
http://pay.onebip.com/subscriptions
Please note that the connection to Onebip payment page can be performed using a standard HTTP
request or using a 128bit SSL encryption on our secure server where the structure of the call will be
identical, apart from the use of HTTPS1 instead of HTTP in the payment page URL.
The following table shows all the case sensitive dynamic parameters you must use in your payment
query string to Onebip:
30
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
31
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. en
32
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. http://www.yoursite.com/
images/logo109.jpg
e.g. custom[campaign_code]=promo_
oct_10
custom[promo_code]
=googlecampaign
e.g. 447700900999
33
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
If with_content_access_code is omit-
ted Onebip will generate a random nu-
meric access code for you which will be
sent to the user and communicated in the
notifications after a successful payment.
34
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
HTML Examples Below you can find the simplest integration examples with Onebip Payment Sys-
tem for one-time payments, using only mandatory parameters and some important ones.
You can consider the case below as for a web entertainment service with subscription-based pay-
ment model (associated to the merchant business@webgame.com), which will create a Onebip pay-
ment button on this merchant’s web site, for the merchant’s weekly subscription service named ”Su-
pergame” which will cost € 5,00 per week in Spain for its customers.
Service ID 5012b69ca4ee4aa3f3d3r415
Username business@webgame.com
Description Supergame
Frequency weekly
Price 5,00
Currency EUR
Country Spain
Language Spanish
Return URL http://www.webgame.com/thankyou.html
Cancel URL http://www.webgame.com/error.html
Notify URL http://www.webgame.com/notify.php
The sample HTML code below illustrates an HTTP GET request. In the example, apart from the manda-
tory parameters, it is assumed that the merchant has overwritten the return_url and the notify_
url for its particular needs:
curl http://pay.onebip.com/subscriptions \
-d service_id=5012b69ca4ee4aa3f3d3r415 \
-d return_url=http://www.webgame.com/thankyou_new.html \
-d notify_url=http://www.webgame.com/notify.updated.php
The same result can be performed with an HTTP POST request with the same parameters:
35
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Security signatures Taking the example of the previous chapter, given the following GET request,
without signature:
curl http://pay.onebip.com/subscriptions \
-d service_id=5012b69ca4ee4aa3f3d3r415 \
-d return_url=http://www.webgame.com/thankyou_new.html \
-d notify_url=http://www.webgame.com/notify.updated.php
with MySecretKey123456 as the value set in ”API Key”, the resulting URL will be:
curl http://pay.onebip.com/subscriptions \
-d service_id=5012b69ca4ee4aa3f3d3r415 \
-d return_url=http://www.webgame.com/thankyou_new.html \
-d notify_url=http://www.webgame.com/notify.updated.php \
-d signature=\
ba75e32e30ec7af959862cbc973730425d8deac931972cac1f5a4515df0c6622
The same, identical, process may be applied to HTTP POST request, where the signature value is elab-
orated in the same way, and where the final representation of the request would be:
You can also ask to enforce more security, making the signature control mandatory on Onebip side.
This means that the control of the request will be always made by Onebip for every request, and the
request will be accepted only if the check is ok.
Content Access Credentials Among the various features available on Onebip, we also offer you
the possibility on your side to authenticate (login) a user which access code has been delivered by
Onebip after the activation of a subscription, or when the subscription becomes PENDING (see 4.2.1)
(ex. with_content_access_by=msisdn). The access code has to be provided during the subscrip-
tion creation by using the parameter with_content_access_code (see 4.2.1) or can be randomly
generated by Onebip (6 random numbers) if not provided.
36
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
• The user will receive the access code (ex. when using with_content_access_by=msisdn the
access code will be sent by SMS)
• The merchant will receive one or more of the following notifications: SUBSCRIPTION_ACTIVATED,
SUBSCRIPTION_PENDING or SUBSCRIPTION_TRIAL (see 4.2.3) which will contain the access
code and the encrypted access identity
In this case the user has to be allowed to access the content he paid for by using its identity (ex.
msisdn) and the associated access code.
On your side user’s identity must be compared with the encrypted access identity via bcrypt (see 4.2.3)
The transaction response has to be executed by your landing script to ensure the transaction is com-
mitted on the Onebip system before recording your payment as successful in your database.
Change State event change of state related to a subscription, among the existing ones.
• SUBSCRIPTION_WAITING_FOR_APPROVAL a billing request has been started after the user
has expressed the intention to pay.
• SUBSCRIPTION_ACQUIRED the operator has approved the subscription and the user has
entered the customer base.
• SUBSCRIPTION_ACTIVATED the first billing has succeeded and the user has become ac-
tive.
• SUBSCRIPTION_PENDING the first billing has failed and the subscription will be retried
later according to configuration.
• SUBSCRIPTION_ACTIVATION_FAILED it hasn’t been possible to activate the subscription
(which means that all the billing activation attempts resulted in a billing failure).
• SUBSCRIPTION_RENEWED event for every renewal case of every subscription, conditional
to payment completion.
• SUBSCRIPTION_CANCELED subscription becomes canceled without any succesful billing.
• SUBSCRIPTION_TERMINATED existing subscription termination, triggered by you (using
the Unsubscription API), or by Onebip cc, or by operators’ cc.
• SUBSCRIPTION_SUSPENDED reserved for future usage.
• SUBSCRIPTION_REACTIVATED reserved for future usage.
Billing event status of the billing linked to the subscription events of activation and renewal. These
BILLING_COMPLETED and BILLING_ABORTED notifications are identical to the purchase ones.
Header <empty>
37
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Body <JSON>
All the important and useful information will be inside the JSON body in order for you to understand
and manage the notification successfully. Since subscription and billing notifications are events in a
distributed system it is not possibile to guarantee a strict sequence in receiving them.
For every change in the state of the event, a notification is sent to you, containing the following infor-
mation:
SUBSCRIPTION_ACTIVATED
SUBSCRIPTION_TERMINATED
...
to_url No It’s the notify_url given by you in the HTTP request which is
reproposed here only for compatibility and tracing.
e.g. subscription/20332b9ca4er34aa3g3d3r198
service_id Yes It’s the key value that identifies with a unique and not repeat-
able index of the service concerning the operation. Note that
this value will be a 24 chars alphanumeric.
38
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
e.g. 5012b69ca4ee4aa3f3d3r415
e.g. 9iou8yy4sd1n43ww3nj887u0
first_ Yes It’s an integer having the value of the UNIX timestamp of when
notification_at the notification is performed. In case of retries, this timestamp
is fixed and always points to the instant at which the first at-
tempt was made.
e.g 1364471150
mobile_phone_ Yes The value of the MSISDN of the your customer, who has tried
number_enc the one-time payment on Onebip payment page which is en-
crypted in md5.
e.g. 88504199e070fc43d2ca1f4896f24b1b
credit_provider Yes The mobile network operator (mop) of the MSISDN of your
customer in case of mobile purchases or the internal service
provider (isp) in case of ISP purchases.
eg. mop/UK/Virgin,
isp/FR/Orange
mobile_phone_ No The MSISDN of your customer. This value can be shared with
number you only under proper commercial agreements between par-
ties. This field will not be passed for the ISP purchases.
39
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
by What the user will use to identify himself. Right now the only supported value is msisdn
identity The encrypted value of the user identity. Right now it is the encrypted (bcrypt with 10
iterations) msisdn in E.164 format (ex. +44254578961)
code The value that the user must use to confirm their identity. This value is communicated to the
user by us after the payment confirmation. This value is not encrypted
grant Indicates whether the merchant has to allow or not the user to access to the content. Values:
mandatory optional
grant_mandatory_until In case grant parameter is mandatory, this field indicates the expiration
datetime when the grant is no more mandatory, e.g.: 2006-01-15T09:00:00.000Z
For every event regarding billing, you will receive a notification with these information:
BILLING_COMPLETED
BILLING_ABORTED
to_url No It’s the notify_url given by you in the HTTP request which is
reproposed here only for compatibility and tracing.
40
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
You may use this ID to avoid that the same payment is regis-
tered more than once on your side.
subscription_activation
subscription_renewal
e.g. 1.99
original_ Yes The original currency set by you before Onebip converts it to
currency the local currency of your customer’s country
original_price Yes The original price set by you before Onebip converts it to the
local price of your customer’s country
e.g. 1.99
41
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
container Yes The container, in Onebip environment, is the object of the pur-
chase operation, that may be a single purchase or a subscrip-
tion.
e.g. subscription/20332b9ca4er34aa3g3d3r198
mobile_phone_ Yes The value of the MSISDN of the your customer, who has tried
number_enc the subscription-based payment on Onebip payment page
which is encrypted in md5.
e.g. 88504199e070fc43d2ca1f4896f24b1b
credit_provider Yes The mobile network operator (mop) of the MSISDN of your
customer in case of mobile purchases or the internal service
provider (isp) in case of ISP purchases.
eg. mop/UK/Virgin,
isp/FR/Orange
This value can be shared with you only under proper commer-
cial agreements between parties.
42
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
The value is one of the error code available, listed in the follow-
ing:
check-pin-failed-too-many-times
mobile-blocked
insufficient-credit
routing-error
invalid-msisdn
out-of-network
payment-failed
transfer-in-aborted
spending-limit-reached
unable-to-send-messages
connectivity-layer-failure
age-verification
sim-full
subscription-already-exists
unknown-error
unknown-exception
operator-integration-error
syntax-error
43
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
considered-lost
not-authorized-by-the-user
routing-error
free-mandatory-message-failed
retry-later
operator-spending-limit-reached
user-unsubscribed
mobile-payment-sim-limitations
billed-with-different-amount
user-already-subscribed-on-operator-side
creation-on-credit-provider-side-failed
canceled-by-user
invalid-argument-exception
timeout
configuration-problem
container-closing-requested
realtime-billing-is-not-permitted-aggregator-will-bill-shortly
request-exception
subscription-already-exists
subscription-expired
user-already-billed-for-current-period
44
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
hash No Hash checksum of your API Key and of the notification URL pa-
rameters.
by What the user will use to identify himself. Right now the only supported value is msisdn
identity The encrypted value of the user identity. Right now it is the encrypted (bcrypt with 10
iterations) msisdn in E.164 format (e.g. +44254578961)
code The value that the user must use to confirm their identity. This value is communicated by us to
the user after the payment confirmation. This value is not encrypted
period_id identifies the progressive billing period, it’s meaningful only for subscriptions, for pur-
chases it will always be 1
fraction_id identifies the progressive billing fraction, it will increase after each successful user’s
payment, this is meaningful whenever to accumulate the purchase amount we need to invite
the user to pay multiple time because the credit provider doesn’t support the specific amount
as price point
attempt_id identifies the progressive billing attempt, it will increase after each failed user’s pay-
ment
The examples following are the series of examples to represent you all the different business cases
related to a subscription-based service, with the consequent notifications that you will receive.
Subscription activation succeeded Following a specific request received from you, Onebip will
send two notifications to you: the event of activation, the first billing.
{
"what": "SUBSCRIPTION_ACTIVATED",
45
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"country": "US",
"lang": "en",
"context": "mobile",
"container": "subscription/20332b9ca4er34aa3g3d3r19",
"service_id": "5012b69ca4ee4aa3f3d3r415",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"notification_id": "9iou8yy4sd1n43ww3nj887u0" ,
"first_notification_at": "1364498611",
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"remote_txid": "123458679898989898",
"next_action": "renewal",
"next_action_at": "2016-10-20T00:32:41+0000",
}
{
"what": "BILLING_COMPLETED",
"business_model": "subscription_activation",
"container": "subscription/20332b9ca4er34aa3g3d3r19",
"payment_id": "23dtle561129ij562jn5tg44",
"transaction_id": "84332uu3b56nwa4398il762r",
"payment_id": "58989898999342",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"country": "US",
"currency": "USD",
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"lang": "en",
"context": "mobile",
"ssb_id":{
"period_id":1,
"fraction_id":1,
"attempt_id":1
},
"remote_txid": "123458679898989898",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364498612"
}
Subscription activation failed When a subscription process is not completed successfully, in most
cases because it was not possible to charge your customer, or there was a problem with the mobile
network operator, Onebip will send two notifications to you:
{
"what": "SUBSCRIPTION_CANCELED",
46
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"country": "US",
"lang": "en",
"container": "subscription/11132555a4er3faa3g3d3fff",
"context": "mobile",
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"service_id": "5012b69ca4ee4aa3f3d3r415",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364498611",
"remote_txid": "123458679898989898",
}
{
"what": "SUBSCRIPTION_ACTIVATION_FAILED",
"country": "US",
"context": "mobile",
"lang": "en",
"container": "subscription/11132555a4er3faa3g3d3fff",
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"service_id": "5012b69ca4ee4aa3f3d3r415",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364498611",
"next_action": "activation",
"next_action_at": "2016-10-20T00:32:41+0000",
"remote_txid": "123458679898989898",
}
{
"what": "BILLING_ABORTED",
"lang": "en",
"business_model": "subscription_activation",
"container": "subscription/11132555a4er3faa3g3d3fff",
"payment_id": "23dtle561129ij562jn5tg44",
"transaction_id": "84332uu3b56nwa4398il762r",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"country": "US",
"currency": "USD",
"context": "mobile",
"ssb_id":{
"period_id":1,
"fraction_id":1,
"attempt_id":1
47
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
},
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"service_id": "5012b69ca4ee4aa3f3d3r415",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364498676",
"remote_txid": "123458679898989898",
"why": "mobile-blocked",
}
Subscription renewal succeeded This is called a ”push” operation generated by Onebip after a com-
pleted renewal of an active subscription. The notification towards you will be about change state the
payment completed.
{
"what": "SUBSCRIPTION_RENEWED",
"context": "mobile",
"lang": "en",
"container": "subscription/20332b9ca4er34aa3g3d3r19",
"service_id": "5012b69ca4ee4aa3f3d3r415",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b"
"credit_provider":"mop/US/Verizon",
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364498676",
"next_action": "renewal",
"next_action_at": "2016-10-20T00:32:41+0000"
}
{
"what": "BILLING_COMPLETED",
"context": "mobile",
"ssb_id":{
"period_id":1,
"fraction_id":1,
"attempt_id":1
},
"service_id": "5012b69ca4ee4aa3f3d3r415",
"status": "completed",
"business_model": "subscription_renewal",
"container": "subscription/20332b9ca4er34aa3g3d3r19",
"payment_id": "00rtlaa31129inn3y7t5tg21",
"transaction_id": "06312uaa55690op398ilwq30",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"country": "US",
48
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"currency": "USD",
"price": 5
"original_price": 5,
"original_currency": "EUR",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364471150"
}
Subscription renewal failed This notification is sent when the renewal attempt of a subscription
service is failed because it was not possible to charge your customer.
{
"what": "BILLING_ABORTED",
"country": "US",
"context": "mobile",
"lang": "en",
"ssb_id":{
"period_id":1,
"fraction_id":1,
"attempt_id":1
},
"status": "aborted",
"business_model": "subscription_renewal",
"container": "subscription/20332b9ca4er34aa3g3d3r19",
"transaction_id": "00132uuaa56nwa4398il732a",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b",
"credit_provider":"mop/US/Verizon",
"country": "US",
"currency": "USD",
"price": 5,
"original_price": 5,
"original_currency": "EUR",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364471150"
"why": "mobile-blocked",
}
Subscription termination This notification is a result of your request towards ”Unsubscription API”
in this guide or a result of a ”push” notification due to the other termination methods such as inquiries
received to Onebip customer care call centre.
In this case, the same notification for the status change will be sent to you:
{
"what": "SUBSCRIPTION_TERMINATED",
"country": "US",
"created_at": {
"sec" : l23456789,
49
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"usec" : 0,
},
"lang": "en",
"context": "mobile",
"container": "subscription/20332b9ca4er34aa3g3d3r19",
"service_id": "5012b69ca4ee4aa3f3d3r415",
"mobile_phone_number_enc": "88504199e070fc43d2ca1f4896f24b1b"
"credit_provider":"mop/US/Verizon",
"notification_id": "9iou8yy4sd1n43ww3nj887u0",
"first_notification_at": "1364471150",
"original_price": 5,
"original_currency": "EUR",
}
Analogous notifications are provided for the suspension and reactivation of the operations, that more-
over are used only in few special payment flows in some countries, due to specific operators’ regula-
tions.
In the notification system, as a consequence of its notifications, Onebip expects to receive a response
with:
If you fail to respond OK, for instance if there is a system error in your web server, Onebip will place the
corresponding notification in a queue and will retry periodically to deliver it, until it will be successful.
If Onebip receives no outcome after the total retry period, the notification will be automatically can-
celled.
Onebip provides a signature encryption based on hashing, that is an encryption method that ensures
the HTTP body has not been manipulated or changed. This allows the integrity of the body in a data
50
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
exchange between two parties to be checked via the HTTP header X-Onebip-Signature. See Se-
curity signature for more details.
In this case there is the additional requirement of encoding in Base64 the resulting HMAC. So, given
the following raw body:
{
"country":"TR",
"remote_txid":"AB_22022122",
"container":"subscription/562634za43bc76051d003309",
"mobile_phone_number_enc":"10b23c1039c704f87d7bf3cc1a0b8638",
"status":"completed",
"price":8,
"currency":"TRY",
"business_model":"pull",
"transaction_id":"76939310",
"original_price":8,
"original_currency":"TRY",
"what":"BILLING_COMPLETED",
"to_url":"http://merchant.com/vpncontrol/onebip/ipn",
"payment_id":11149219
}
with MySecretKey123456 as the value set in ”API Key”, the value for the X-Onebip-Signature HTTP
header, encoded in Base64, will be:
UsuOSZINqUdDpxkM2/anV5+mtjim0ZPjxWLDPwiPQR4=
Please note: HMAC must be calculated in binary mode, not in hexadecimal. The HMAC is always in
binary data.
Onebip will append all the pass-through parameters you have specified in the transaction request to
your return_url.
Pass-through parameters in the return_url page can be used in many ways, for example to pass an
internal user-ID through the payment process and redirect your customer to her account on your site,
or to build customized ”post-payment” also known as ”thank you” pages.
Onebip provides you with couple of additional parameters for security reasons:
timestamp is the Unix timestamp, given at the exact time of return_url creation. It can be used to
verify that the url has been created recently.
signature is the security signature given by Onebip that is described in more detail in Security signa-
ture.
51
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
In the following example the API key is set on the Onebip Panel so that the signature can be created
with the following data:
Service ID 5012b69ca4ee4aa3f3d3r415
Username business@webgame.com
Description Supergame
Frequency weekly
Price 5,00
Currency EUR
Country Spain
Language Spanish
Return URL http://www.webgame.com/thankyou.html
Cancel URL http://www.webgame.com/error.html
Notify URL http://www.webgame.com/notify.php
The request for the subscription activation will be the following one:
curl http://pay.onebip.com/subscriptions \
-d service_id=5012b69ca4ee4aa3f3d3r415 \
-d return_url=http://www.webgame.com/thankyou_new.html \
-d notify_url=http://www.webgame.com/notify.updated.php
curl http://www.webgame.com/thankyou_new.html \
-d whois=msisdn%2F7edf143f80f2356ae8a200e394bdf2e7 \
-d mobile_phone_operator=ES%2FMovistar \
-d mobile_phone_number_enc=7edf143f80f2356ae8a200e394bdf2e7 \
-d is_subscribed_to=5012b69ca4ee4aa3f3d3r415 \
-d has_paid_for=5012b69ca4ee4aa3f3d3r415 \
-d timestamp=1366102294
with MySecretKey123456 as the value set in ”API Key”, the resulting URL will be:
curl http://www.webgame.com/thankyou_new.html \
-d whois=msisdn%2F7edf143f80f2356ae8a200e394bdf2e7 \
-d mobile_phone_operator=ES%2FMovistar \
-d mobile_phone_number_enc=7edf143f80f2356ae8a200e394bdf2e7 \
-d is_subscribed_to=5012b69ca4ee4aa3f3d3r415 \
-d has_paid_for=5012b69ca4ee4aa3f3d3r415 \
-d timestamp=1366102294 \
-d signature=\
6042d0f9d722a18a67a7876a0032296da3f30c0512c6eeed7fb2e846d726c30f
52
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
In the following example, the URL to be signed with MySecretKey123456 as the value set in ”API
Key” will be:
curl http://www.webgame.com/thankyou.html \
-d payment_id=100801483 \
-d original_price=99 \
-d original_currency=USD \
-d promo_id=23332 \
-d whois=msisdn%2Fb667aea7c956ac72ecb6af65e1d9cfec \
-d mobile_phone_operator=US%2FVerizon \
-d mobile_phone_number_enc=b667aea7c956ac72ecb6af65e1d9cfec \
-d timestamp=1366103067 \
-d signature=\
c56ce063388fdd99683b2b79b8d051cdfd120f296e0769948defa006b3fbb0ce
The return_url page can also route your customer to a specific download, using the notify_url
to authorize it. The return_url page could also be used to host the scripts needed to grant the
permissions for the user to access a specific product/service you offer.
We strongly suggest that permissions or other actions needed to deliver your service or product to
your customers are triggered by the return_url page only when signature is verified or by relying
on the notifications.
A user (msisdn) can have only one active subscription for the same service. When a user lands on
the Onebip subscription page and starts an acquisition process, Onebip verifies whether the user has
already an active subscription for the requested service_id. In case the user is already subscribed,
Onebip automatically redirects the user to the return_url of the already active subscription, by
adding all the return url parameters, including the current timestamp and signing the url with a new
signature. In this way the merchant can give the user the permission to accsess to the contents
without the need to mantain an internal customer base but simply by verifying the signed return_
url.
53
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
5 API Integration
Onebip provides with the opportunity to have the additional features that will allow you to manage
the operations related to the various kind of payments.
You can change the state of a subscription from ”active” to ”in-termination” using an HTTP
DELETE request using the subscription_id created by Onebip at the act of first subscription. The
subscription’s state will appear as ”intermination” until its current period closes and the customer
will no longer by charged. It will then appear as ”terminated”.
You will be allowed to use this action only with the authentication by using your username and pass-
word that you created during your registration process of Onebip.
curl -X DELETE \
-u business@webgame.com:m3rc4nt123 \
https://api.onebip.com/subscriptions/291dd69cr4ee4aa3f1d3rt85
Possible outcomes:
• 202 Accepted
The request has been received and scheduled correctly. The subscription’s state will appear as
”intermination” until its current period closes and the customer will no longer by charged.
• 400 Bad Request
The given id is malformed. See the ”Formats” section.
• 409 Conflict
The subscription is already scheduled for termination.
If authorized to do so you can send a message to the buyer associated to one of your transactions
(payment or subscription) or to a buyer for which you received a buyer intention notification
54
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
After you receive a buyer intention notification you can send a limited number of messages to the
buyer to ex. send him the unlock code to the product he already bought.
The needed information are the buyer_intention_id that you can find in the notification and the
message you want to send
curl -X POST \
-d'message=Your unlock code for XXX is YYY' \
,→ https://api.onebip.com/buyer-intention/5a0c00a25ab9088b8c0955cb/messages
Possible outcomes:
• 200 Ok
The message is on its way
• 400 Bad Request
The message is not valid (ex. empty, missing, too long, ecc…)
• 403 Forbidden
The buyer has been blacklisted and therefore we can’t send him a message
• 404 Not Found
The buyer_intention_id is unknown
• 409 Conflict
The maximum number of messages has already been sent
This section contains all the API through which you can retrieve information related to the available
pricepoints for countries and credit providers and the applied revenue shares for those pricepoints.
List of available countries, meaning all countries with at least one pricepoint with at least one credit
provider
Request example:
Possible outcomes:
55
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
200 OK
{
"countries": [
"BR",
"DE",
"IT",
"UK"
]
}
List of available pricepoints in a country, meaning all pricepoints available through at least one credit
provider
Request template:
curl -u username:password
,→ https://pay.onebip.com/merchant/country/{COUNTRY}/pricepoints
Request example:
curl -u username:password
,→ https://pay.onebip.com/merchant/country/IT/pricepoints
Possible outcomes:
200 OK
{
"pricepoints": [
{
"currency": "EUR",
"amount": "1.0000",
"type": "point"
},
{
"currency": "EUR",
56
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"amount": {
"from": "2.0000",
"to": "10.0000",
"step": "0.0100"
},
"type": "range"
}
]
}
In the example the available pricepoints in Italy are: 1.0000/EUR, 2.0000/EUR, 2.0100/EUR, 2.
0200/EUR, …, 10.0000/EUR
404 Not Found The country you specified doesn’t exists or is not available.
Details about revenue shares in a particular country. For each available pricepoint and for each credit
provider that provides such pricepoint you’ll get the revenue shared. When the pricepoint is a range
then you’ll get the revenue shares of the start and the end of the range.
Request template:
curl -u username:password
,→ https://pay.onebip.com/merchant/country/{COUNTRY}/revenue-shares
57
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Request example:
curl -u username:password
,→ https://pay.onebip.com/merchant/country/IT/revenue-shares
Possible outcomes:
200 OK
{
"revenue_shares": [
{
"revenue_share": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
},
"credit_provider": "mop/IT/X001",
"currency": "EUR",
"amount": "1.0000",
"type": "point"
},
{
"revenue_share": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
},
"credit_provider": "mop/IT/X002",
"currency": "EUR",
"amount": "1.0000",
"type": "point"
},
{
"revenue_share": {
"to": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
},
"from": {
"applied_to": "gross-transaction-value",
58
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"value": [
60,
"%"
]
}
},
"credit_provider": "mop/IT/X003",
"currency": "EUR",
"amount": {
"step": "1.0000",
"to": "10.0000",
"from": "1.0000"
},
"type": "range"
},
{
"revenue_share": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
},
"credit_provider": "mop/IT/X001",
"currency": "EUR",
"amount": "2.0000",
"type": "point"
}
]
}
The revenue shares are specified by pricepoints and credit providers (different pricepoints can have
different revenue shares and different credit providers for the same pricepoint can have different rev-
enue shares).
• gross-transaction-value
• gross-transaction-value-vat-excluded
If the pricepoint is a range then the output will provide the revenue share of start of the range and
the revenue share of the end of the range.
404 Not Found The country you specified doesn’t exists or is not available.
59
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
Details about revenue shares in a particular country for a particular pricepoint. For each credit provider
that provides such pricepoint you’ll get the revenue shared. When the pricepoint is a range then you’ll
get the revenue shares of the start and the end of the range.
Request template:
curl -u username:password
,→ https://pay.onebip.com/merchant/country/{COUNTRY}/pricepoints/{AMOUNT}/{CURRENCY}/revenue-sh
Request example:
curl -u username:password
,→ https://pay.onebip.com/merchant/country/IT/pricepoints/1.0000/EUR/revenue-shares
Possible outcomes:
200 OK
{
"revenue_shares": [
{
"revenue_share": {
"to": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
},
"from": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
}
},
"credit_provider": "mop/IT/X001",
"currency": "EUR",
60
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
"amount": {
"step": "1.0000",
"to": "10.0000",
"from": "1.0000"
},
"type": "range"
},
{
"revenue_share": {
"to": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
},
"from": {
"applied_to": "gross-transaction-value",
"value": [
60,
"%"
]
}
},
"credit_provider": "mop/IT/X002",
"currency": "EUR",
"amount": {
"step": "1.0000",
"to": "10.0000",
"from": "1.0000"
},
"type": "range"
}
]
}
400 Bad Request One or more of the supplied data in the URL is malformed.
404 Not Found The country you specified doesn’t exists or is not available or the pricepoint you
specified doesn’t exists or is not available in the country you specified.
61
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
6 Skinability
Onebip Skinability feature will allow you to customize the look and feel of the Onebip payment pages
and to use your personalized layout and the graphics for their different products, services both for
one-time and subscription payments in any country. To start using your customized payment pages
with the use of a proper ”skin” you should communicate with Onebip business team assigned to you
in Onebip who will check and confirm the skin in terms of codes of conduct published by mobile
network carriers before launching your services.2
The application of a given skin which is previously uploaded on the server will be made by you en-
riching your purchase page request, both with GET and POST methods, with an optional parameter:
skin={skin-name}
The following example, made with an HTTP GET request, a Onebip payment button will be created to
propose 1000 game credits for $ 0,99 in United States, using a page customized with the skin named
colorful.
curl http://pay.onebip.com/purchases \
-d username=business@webgame.com \
-d description=1000+game+credits \
-d price=99 \
-d country=US \
-d currency=USD \
-d skin=colorful \
-d return_url=http://www.webgame.com/thankyou.htm \
-d notify_url=http://www.webgame.com/notify.php
If the skin requested is not applicable (i.e. skin with the name specified is not exist, or you are not
using Skinability feature) the payment page will be shown without any customization, in its standard
Onebip payment page format and a specific feedback will be given to you, using a comment inside
the html code of the page displayed, in which a self-explaining note about the error will be given. A
skin is an aggregate, that may be composed by:
The following example represents the content of a zip file for skinability in which there are default
files and custom files specific only for smartphone and desktop:
• common.css
• logo_company.jpg
2 To prevent any commercial problem, Onebip will have the grant to remove any skin and disable this feature at its sole
62
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
• smartphone
– custom-3.css
– logocustom-31.jpg
• desktop
– custom-DT.css
– logocustom-6.jpg
• tablet
– custom-feature.css
– logocustom-feature-small.jpg
As a result the set for a smartphone in this example will be composed by: common.css + custom-3.
css (loaded in this order), logo_company.jpg, logocustom-31.jpg.
A skin may also specify the customization that must be applied according to the agent type used by
your customer to access the payment page for the payment.
If the skin contains a file such as <PATH>/smartphone/smart.css, this file will be included in the
payment page only if the agent used by your customer is identified as a smartphone.
You can create more than one skin for one of your products, services. Every skin must have a univocal
name, to be specified in the request. In the case that the name of the skin is the same with a skin
already exist, the content will be overwritten.
To complete a skin creation operation, you must perform an HTTP PUT request towards the following
url:
https://api.onebip.com/skins/{skin-name}
This HTTP route is the only point of access to make this operation.
Authentication will be mandatory, with a standard basic access mechanism3 . The skin package will
be always a file with content type equals to zip.
In the following example a new skin called colorful is enabled, by uploading the skin_colorful.
zip file on local file system.
3 I.e. the base64 encoding of <username>:<password>
63
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
The possible response from Onebip for the request for creating a skin will be the following:
200 OK The skin has been successfully created. With empty json.
400 Bad Request Not valid skin. With the error explanation contained in the json attached.
403 Forbidden The merchant is not enabled to use Skinability feature. With empty json.
You have the possibility to cancel a skin already applied using a Sin cancellation API. Please note that
the files related to the skin cancelled will be definitively deleted the roll back will be possible. The
same skin can be created again only with a skin creation operation explained.
To complete a skin cancellation operation, you must perform an HTTP DELETE request towards the
following url:
https://api.onebip.com/ skins/{skin-name}
This HTTP route is the only point of access to make this operation.
Authentication will be mandatory, with a standard basic access mechanism3 . In the following example
the skin called “colorful” is disabled from local file system:
curl -X DELETE -v \
-u merchant@yourcompany.com:secret_password \
https://api.onebip.com/skins/colorful
The possible response from Onebip for the request of the cancellation of a skin will be the following:
200 OK The skin has been successfully disabled. With empty json.
403 Forbidden Merchant not enabled to use Skinability feature. With empty json
64
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
You have the possibility to cancel a skin already applied using a Sin cancellation API. Please note that
the files related to the skin cancelled will be definitively deleted the roll back will be possible. The
same skin can be created again only with a skin creation operation explained.
To complete a skin cancellation operation, you must perform an HTTP DELETE request towards the
following url:
https://api.onebip.com/skins/{skin-name}
This HTTP route is the only point of access to make this operation.
Authentication will be mandatory, with a standard basic access mechanism3 . In the following example
the skin called “colorful” is disabled from local file system:
curl -X DELETE -v \
-u merchant@yourcompany.com:secret_password \
https://api.onebip.com/skins/colorful
The possible response from Onebip for the request of the cancellation of a skin will be the following:
200 OK The skin has been successfully disabled. With empty json.
403 Forbidden Merchant not enabled to use Skinability feature. With empty json
65
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
7 Automated start
The automated start allows a merchant to skip the MSISDN entry page, and go directly to the 2nd
Step, e.g. PIN entry or SMS instruction page. This feature needs to be enabled for your account, please
contact your account manager for more details.
For using this feature, you need to pass the following information’s within the standard start request:
The list of operators can be retrieved over the revenue share API functionality.
66
Mobile Payment System PC and Mobile web Integration Guide 4.3.7
67