Purchase
POST/v1/orders/purchase
Submit an authorization and immediately capture it in a single scheme message. Purchase is the right choice when goods are delivered (or the service is rendered) at the moment of payment.
The transaction can be submitted in three modes via
transaction_type:
internet— cardholder-initiated e-commerce. A 3DS authentication performed via the/v1/3dsendpoints is required and must be carried insource.auth.moto— mail order / telephone order.merchant— merchant-initiated against a stored agreement. Passagreement_idand omitsource.auth.
If new_agreement is supplied, this call both processes the
purchase and creates a stored agreement off of this card that
can be used on future merchant-initiated transactions.
Required permission: orders_create.
Idempotency field: order_id.
Request
- application/json
Body
required
1.00 SARis sent as1001.00 KWDis sent as10001 JPYis sent as1internet: customer-facing e-commerce transaction (card not present, authenticated by 3DS).merchant: merchant-initiated transaction on a stored agreement (unscheduled, recurring, installment, etc.). Authentication is carried on the linked agreement, not the current transaction.moto: mail-order / telephone-order transaction where card details are collected by the merchant out of band.- CardSource
- ApplePaySource
- GooglePaySource
- SamsungPaySource
Y: Authenticated successfully.N: Not authenticated / denied.U: Authentication could not be performed.A: Attempt performed. Not authenticated but a CAVV was provided.R: Rejected by issuer.unscheduled: Card-on-file, charged when the customer takes an action (e.g. top-up wallets).recurring: Fixed-cadence subscriptions (e.g. monthly).registered: Card stored for future consented purchases.installment: Fixed-count, fixed-amount instalment plan.
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
Possible values: <= 100000000
A non-negative integer representing a monetary value in the smallest
currency unit for the associated currency (minor units).
Examples:
For most order-creating endpoints the minimum is 100
(one full major unit). Endpoints that support zero-value operations
(such as /v1/orders/verify and /v1/orders/:id/extend) allow 0.
Possible values: Value must match regular expression ^[A-Z]{3}$
ISO 4217 three-letter currency code in uppercase.
The currency must match the currency configured for the merchant's scheme-level terminals. Once an order is created, its currency is immutable: every subsequent capture, void, refund and extension is denominated in the same currency.
Possible values: <= 1024 characters
Free-text description shown in dashboards and reports.
Possible values: [internet, merchant, moto]
How the transaction was initiated:
source
object
required
Payment source submitted with a new order. type selects the variant.
oneOf
Raw card details. The PAN is tokenised server-side and never returned in responses.
Possible values: [card]
Possible values: <= 255 characters
Cardholder name as embossed on the card.
Possible values: Value must match regular expression ^\d{13,19}$
Primary Account Number (PAN) as a continuous digit string, no
separators. Sent in request bodies only — PAN is never returned in
full in responses; only first_digits and last_digits are echoed.
Possible values: >= 1 and <= 12
Possible values: >= 2000
Four-digit expiry year.
Possible values: Value must match regular expression ^\d{3,4}$
CVV / CVC / CSC printed on the card. 3 digits for Visa, Mastercard
and mada; 4 digits for Amex. Required when opening a new agreement
(new_agreement) so the card can be initially validated.
auth
object
3DS authentication values carried alongside a card authorization.
Required on transaction_type: internet and when establishing a
new_agreement against a card source. Obtain these values by
completing a /v1/3ds flow and copying them from the authenticated
CardAuth.
Possible values: [visa, mastercard, mada, amex]
The card scheme (network) associated with the card. mada is detected from the issuing BIN and takes precedence over Visa / Mastercard co-branding for Saudi-issued cards.
Possible values: <= 256 characters
CAVV / 3DS server transaction value issued by the ACS.
Possible values: [Y, N, U, A, R]
Transaction status from the 3DS authentication response:
Possible values: [00, 01, 02, 05, 06, 07]
Electronic Commerce Indicator returned by the directory server / issuer ACS. Identifies the authentication strength and is required when submitting a 3DS-authenticated transaction.
Possible values: [2.0.0, 2.1.0, 2.2.0, 2.3.0]
EMV 3-D Secure protocol version the authentication was performed under.
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
Possible values: <= 32 characters
Possible values: <= 32 characters
Possible values: Value must match regular expression ^\d{12}$
Purchase date in YYYYMMDDHHMM format (UTC). Generated by the 3DS
server during authentication. Must be echoed back verbatim when the
authorization is submitted, otherwise authentication values are
rejected by the scheme.
Decrypted Apple Pay payment data. For new-agreement establishment
the eci, cryptogram and device_identifier fields are
mandatory.
Possible values: [apple_pay]
Possible values: Value must match regular expression ^\d{13,19}$
Primary Account Number (PAN) as a continuous digit string, no
separators. Sent in request bodies only — PAN is never returned in
full in responses; only first_digits and last_digits are echoed.
Possible values: >= 1 and <= 12
Possible values: >= 2000
Possible values: [00, 01, 02, 05, 06, 07]
Electronic Commerce Indicator returned by the directory server / issuer ACS. Identifies the authentication strength and is required when submitting a 3DS-authenticated transaction.
Possible values: <= 256 characters
Decrypted Google Pay payment data.
Possible values: [google_pay]
Possible values: Value must match regular expression ^\d{13,19}$
Primary Account Number (PAN) as a continuous digit string, no
separators. Sent in request bodies only — PAN is never returned in
full in responses; only first_digits and last_digits are echoed.
Possible values: >= 1 and <= 12
Possible values: >= 2000
Possible values: [00, 01, 02, 05, 06, 07]
Electronic Commerce Indicator returned by the directory server / issuer ACS. Identifies the authentication strength and is required when submitting a 3DS-authenticated transaction.
Possible values: <= 256 characters
Decrypted Samsung Pay payment data.
Possible values: [samsung_pay]
Possible values: Value must match regular expression ^\d{13,19}$
Primary Account Number (PAN) as a continuous digit string, no
separators. Sent in request bodies only — PAN is never returned in
full in responses; only first_digits and last_digits are echoed.
Possible values: >= 1 and <= 12
Possible values: >= 2000
Possible values: [00, 01, 02, 05, 06, 07]
Electronic Commerce Indicator returned by the directory server / issuer ACS. Identifies the authentication strength and is required when submitting a 3DS-authenticated transaction.
Possible values: <= 256 characters
device
object
End-user device metadata collected at the point the payment was initiated. Used for risk scoring and scheme-specific reporting.
Possible values: <= 1024 characters
Public IPv4 or IPv6 address of the customer.
airline
object
Airline Addendum data. When present the transaction will be tagged for the scheme's airline data programme, which may affect interchange category.
Possible values: >= 6 characters and <= 15 characters, Value must match regular expression ^[A-Za-z0-9]+$
Passenger Name Record (PNR) locator.
new_agreement
object
Creates a stored cardholder agreement in the same request that
submits the initial authorization. Once the agreement is
established, subsequent merchant-initiated transactions can be
submitted by referencing agreement_id instead of new_agreement.
When new_agreement is sent, source.security_code is required
and, for card sources, source.auth must contain the 3DS
authentication values for the initial transaction.
Possible values: [unscheduled, recurring, registered, installment]
Possible values: non-empty and <= 36 characters, Value must match regular expression ^[A-Za-z0-9-]+$
Merchant-chosen identifier for the agreement. Must be unique
per merchant. This value is what is passed as agreement_id on
subsequent transactions.
Optional end-of-life date after which the agreement will not accept new transactions.
Possible values: >= 1 and <= 999
Maximum number of transactions the agreement will accept.
Possible values: [fixed, variable]
Default value: variable
Whether each transaction amount is fixed (e.g. a locked-in subscription price) or variable (e.g. metered usage).
Possible values: <= 64 characters
ID of a pre-existing stored agreement to submit this
transaction against. Mutually exclusive with new_agreement.
additional_data
object
Scheme-specific indicators carried in the authorization request. Provide only the sub-object for the scheme(s) you are sending; keys for other schemes are ignored.
visa
object
Visa Authorization Characteristics Indicator. Identifies special processing characteristics for this authorization (e.g. Visa Debt Repayment, Deferred Authorization).
Visa Market Specific Data Indicator identifying the originating market segment (e.g. hospitality, car rental, transit).
mastercard
object
Mastercard Transaction Type Indicator.
Mastercard promotion code when the authorization is part of a promo.
sub_merchant
object
Sub-merchant data for payment facilitators ("payfacs") that settle on behalf of multiple retail businesses. When present, scheme reports will attribute the transaction to this sub-merchant rather than the primary merchant of record.
Possible values: non-empty and <= 15 characters, Value must match regular expression ^[A-Za-z0-9-]+$
Sub-merchant identifier assigned by the payfac.
Possible values: non-empty and <= 100 characters
Possible values: non-empty and <= 100 characters
statement_descriptors
object
Narrative text that appears on the cardholder's statement. The English descriptor is mandatory; the Arabic descriptor is rendered on statements for cardholders whose issuers support it.
Possible values: non-empty and <= 22 characters
Possible values: non-empty and <= 22 characters
Responses
- 201
- 400
- 401
- 403
- 422
- 503
Purchase processed. Inspect transactions[0].status to determine the outcome.
- application/json
- Schema
- Example (from schema)
Schema
1.00 SARis sent as1001.00 KWDis sent as10001 JPYis sent as1- Card
- DevicePayToken
Array [
initiated: in-flight; no response received yet.approved: scheme / issuer approved.failed: declined by scheme or issuer.timeout: gateway did not receive a response in time.system_error: internal processing error.internet: customer-facing e-commerce transaction (card not present, authenticated by 3DS).merchant: merchant-initiated transaction on a stored agreement (unscheduled, recurring, installment, etc.). Authentication is carried on the linked agreement, not the current transaction.moto: mail-order / telephone-order transaction where card details are collected by the merchant out of band.1.00 SARis sent as1001.00 KWDis sent as10001 JPYis sent as1]
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
merchant
object
required
Brief representation of the merchant that owns the resource.
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
Merchant display name (English).
Stable, human-readable merchant identifier assigned by the acquirer. Often used as the merchant's principal reference in scheme reports.
Merchant display name in Arabic, when configured.
Possible values: Value must match regular expression ^[A-Z]{3}$
ISO 4217 three-letter currency code in uppercase.
The currency must match the currency configured for the merchant's scheme-level terminals. Once an order is created, its currency is immutable: every subsequent capture, void, refund and extension is denominated in the same currency.
Possible values: <= 100000000
A non-negative integer representing a monetary value in the smallest
currency unit for the associated currency (minor units).
Examples:
For most order-creating endpoints the minimum is 100
(one full major unit). Endpoints that support zero-value operations
(such as /v1/orders/verify and /v1/orders/:id/extend) allow 0.
ISO 8601 UTC timestamp with time zone designator.
ISO 8601 UTC timestamp with time zone designator.
source
object
required
Polymorphic payment source. The type discriminator resolves to
either a Card or a DevicePayToken (Apple / Google / Samsung
Pay).
oneOf
Card payment source. Sensitive fields (full PAN, CVV) are never
returned; responses expose only BIN (first_digits) and PAN
last-four, plus network metadata resolved from the BIN tables.
Possible values: [card]
Human-readable issuing bank name, resolved from the BIN.
Card product type — CREDIT, DEBIT, CHARGE, etc.
Issuer product tier (e.g. PLATINUM, SIGNATURE,
INFINITE). Free-text, sourced from the BIN table.
Possible values: Value must match regular expression ^[A-Z]{2}$
Country where the card was issued (from BIN).
Possible values: [visa, mastercard, mada, amex]
The card scheme (network) associated with the card. mada is detected from the issuing BIN and takes precedence over Visa / Mastercard co-branding for Saudi-issued cards.
Scheme that performed 3DS authentication for this card. May
differ from scheme for co-branded cards (e.g. mada card
authenticated via Visa as the parent scheme).
First six digits of the PAN (the BIN).
Last four digits of the PAN.
Possible values: >= 1 and <= 12
Possible values: >= 2000
Apple Pay, Google Pay or Samsung Pay tokenised payment source. The
shape is identical to Card; the type discriminator indicates
which wallet produced the token and first_digits / last_digits
represent the DPAN (device PAN), not the underlying funding PAN.
Possible values: [apple_pay, google_pay, samsung_pay]
Possible values: Value must match regular expression ^[A-Z]{2}$
ISO 3166-1 alpha-2 country code in uppercase.
Possible values: [visa, mastercard, mada, amex]
The card scheme (network) associated with the card. mada is detected from the issuing BIN and takes precedence over Visa / Mastercard co-branding for Saudi-issued cards.
Possible values: >= 1 and <= 12
If this order was created via reauthorization, the original order ID.
airline
object
Airline Addendum data. When present the transaction will be tagged for the scheme's airline data programme, which may affect interchange category.
Possible values: >= 6 characters and <= 15 characters, Value must match regular expression ^[A-Za-z0-9]+$
Passenger Name Record (PNR) locator.
sub_merchant
object
Sub-merchant data for payment facilitators ("payfacs") that settle on behalf of multiple retail businesses. When present, scheme reports will attribute the transaction to this sub-merchant rather than the primary merchant of record.
Possible values: non-empty and <= 15 characters, Value must match regular expression ^[A-Za-z0-9-]+$
Sub-merchant identifier assigned by the payfac.
Possible values: non-empty and <= 100 characters
Possible values: non-empty and <= 100 characters
statement_descriptors
object
Narrative text that appears on the cardholder's statement. The English descriptor is mandatory; the Arabic descriptor is rendered on statements for cardholders whose issuers support it.
Possible values: non-empty and <= 22 characters
Possible values: non-empty and <= 22 characters
agreement
object
A stored cardholder agreement referenced on merchant-initiated transactions.
Merchant-chosen agreement identifier (the id supplied in
new_agreement.id at creation). Use this value as
agreement_id on follow-up transactions.
Possible values: [unscheduled, recurring, registered, installment]
ID of the order that established this agreement.
Possible values: [fixed, variable]
false once the agreement has been disabled via
PUT /v1/agreements/:id/disable. Disabled agreements reject
new transactions.
ISO 8601 UTC timestamp with time zone designator.
ISO 8601 UTC timestamp with time zone designator.
transactions
object[]
required
All transactions against this order, ordered by created_at ascending.
A 36-character UUIDv7 identifier. When used as an idempotency key on write endpoints, the client is responsible for generating a fresh UUID for each logical operation and retaining it across retries.
Possible values: [initiated, approved, failed, timeout, system_error]
Possible values: [verify, purchase, authorize, capture, void, refund, extension, reversal]
Possible values: [internet, merchant, moto]
How the transaction was initiated:
Possible values: [request_timeout, gateway_timeout, response_error, delivery_error, null]
Populated on reversal transactions only.
Possible values: [reauthorization, delayed_charges, resubmission, no_show, null]
If type = reversal, the transaction this reversal nullified.
Human-readable gateway response message.
Two-digit ISO 8583 response code returned by the issuer. 00
indicates approval; non-00 codes are declines. See the scheme /
issuer response code table for the full list.
On a reversal, the message from the transaction being reversed.
Twelve-digit Retrieval Reference Number (RRN) assigned by the acquirer and forwarded to the issuer. Useful for reconciling an entry on the cardholder's statement. Not unique across schemes.
System Trace Audit Number (STAN). A six-digit acquirer-local counter that is unique per terminal per business day.
Six-character authorization code returned by the issuer on approval.
Possible values: <= 100000000
A non-negative integer representing a monetary value in the smallest
currency unit for the associated currency (minor units).
Examples:
For most order-creating endpoints the minimum is 100
(one full major unit). Endpoints that support zero-value operations
(such as /v1/orders/verify and /v1/orders/:id/extend) allow 0.
Cumulative refunds allocated against this specific transaction.
ISO 8601 UTC timestamp with time zone designator.
{
"id": "0191f5a7-3d99-7f81-b7ec-962a5f5fdd7c",
"merchant": {
"id": "0191f5a7-3d99-7f81-b7ec-962a5f5fdd7c",
"name": "Example Store",
"merchant_id": "MERCHANT001",
"arabic_name": "متجر الأمثلة"
},
"currency": "SAR",
"amount": 10000,
"captured_amount": 0,
"refunded_amount": 0,
"voided_amount": 0,
"description": "string",
"created_at": "2025-01-15T14:30:00Z",
"updated_at": "2025-01-15T14:30:00Z",
"source": {
"type": "card",
"issuer": "RIYAD BANK",
"card_type": "CREDIT",
"category": "SIGNATURE",
"country_alpha2": "SA",
"scheme": "visa",
"card_auth_scheme": "string",
"first_digits": "411111",
"last_digits": "1111",
"month": 12,
"year": 2030
},
"reauthorized_order_id": "0191f5a7-3d99-7f81-b7ec-962a5f5fdd7c",
"airline": {
"reference": "ABC123"
},
"sub_merchant": {
"id": "SUB-0001",
"registered_name": "Example Coffee LLC",
"trading_name": "Example Coffee",
"email": "ops@example-coffee.com"
},
"statement_descriptors": {
"english": "EXAMPLE COFFEE",
"arabic": "string"
},
"agreement": {
"id": "SUB-USER-42",
"type": "unscheduled",
"first_order_id": "0191f5a7-3d99-7f81-b7ec-962a5f5fdd7c",
"max_use": 0,
"variability": "fixed",
"expiry": "2024-07-29",
"active": true,
"created_at": "2025-01-15T14:30:00Z",
"updated_at": "2025-01-15T14:30:00Z"
},
"transactions": [
{
"id": "0191f5a7-3d99-7f81-b7ec-962a5f5fdd7c",
"status": "initiated",
"type": "verify",
"source_type": "internet",
"reverse_reason": "request_timeout",
"justification": "reauthorization",
"reversed_transaction_id": "0191f5a7-3d99-7f81-b7ec-962a5f5fdd7c",
"message": "string",
"response_code": "00",
"original_message": "string",
"original_response_code": "string",
"retrieval_reference": "433115207925",
"stan": "123456",
"auth_code": "262345",
"issuer_response_code": "string",
"amount": 10000,
"refunded_amount": 0,
"scheme_trace_id": "string",
"terminal_id": "string",
"created_at": "2025-01-15T14:30:00Z"
}
]
}
Business rule violation.
- application/json
- Schema
- Example (from schema)
Schema
{
"message": "This order cannot be captured."
}
Authentication failed.
- application/json
- Schema
- Example (from schema)
Schema
{
"message": "Missing authentication information"
}
The authenticated principal lacks the required permission.
- application/json
- Schema
- Example (from schema)
Schema
{
"message": "Unauthorized"
}
Validation error.
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
errors
object
required
property name*
string[]
string
{
"message": "The given data was invalid.",
"errors": {
"amount": [
"The amount field must be at least 100."
],
"source.number": [
"The number must be a valid credit card."
]
}
}
Tokenization vault error. Safe to retry.
- application/json
- Schema
- Example (from schema)
Schema
{
"message": "string"
}