API. Overview
This section documents the implementation of the API for payment acceptance within the Payment acceptance for providers via credit organizations product.
The interaction between the QIWI system and a provider follows a “request-response” model. The QIWI system always initiates the request, and the provider always returns the response.
Provider Interface Requirements
The provider’s application interface must comply with the following requirements:
- The interface should accept requests over the HTTPS protocol on one of the following TCP ports: 80, 81, 443, 8008, 8080, 8081, 8090, 8443, 4433. Using other ports is not allowed.
- Accept parameters using the HTTP GET and HTTP POST methods. Parameters are placed either in the HTTP GET request’s path or in the HTTP POST request’s body as a URL-encoded string.
- Respond to QIWI requests in XML format with UTF-8 encoding.
- Response time should not exceed 60 seconds; otherwise the QIWI service disconnects on timeout.
- Support multi-threaded communication with up to 10-15 simultaneous connections when the planned payment flow for the provider’s services exceeds 10 payments per minute.
- The interface should accept requests only from the following QIWI subnets:
  - 79.142.16.0/20
  - 195.189.100.0/22
  - 91.232.230.0/23
  - 91.213.51.0/24
Request Authorization
By default, QIWI sends requests without authorization data. To authorize requests, the provider may specify an identifier (login) and a corresponding secret password in the initial application for QIWI integration; QIWI then uses them in its requests.
The login and password are used in standard Basic authorization of the requests:
- The HTTP header Authorization is added.
- The header contains the string Basic (ending with a space) followed by the BASE64-encoded “login:password” string.
Request authorization by client SSL certificate is also supported. To use it, provide the PKCS12 client certificate in the initial application for QIWI integration.
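A provider-side check that combines the subnet restriction and the Basic authorization described above, as an added example that is not QIWI's code. The function names, the constructed credentials ("shop" / "s3cret") and the 403/401 status mapping are assumptions.

```python
import base64
import binascii
import hmac
import ipaddress

# QIWI source subnets as listed on this page.
QIWI_SUBNETS = [ipaddress.ip_network(n) for n in (
    "79.142.16.0/20", "195.189.100.0/22", "91.232.230.0/23", "91.213.51.0/24")]


def from_qiwi_subnet(peer_ip):
    """True if the TCP peer address falls inside a listed QIWI subnet.

    Pass the socket peer address, not a client-supplied header such as
    X-Forwarded-For, unless a proxy you control sets that header.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in QIWI_SUBNETS)


def basic_auth_ok(header, login, password):
    """Validate 'Authorization: Basic <base64(login:password)>'."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = f"{login}:{password}".encode("utf-8")
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(supplied, expected)


def authorize(peer_ip, auth_header, login, password):
    """Return an HTTP status (assumed mapping): 403, 401 or 200."""
    if not from_qiwi_subnet(peer_ip):
        return 403
    if not basic_auth_ok(auth_header, login, password):
        return 401
    return 200


if __name__ == "__main__":
    # Constructed sample: login "shop", password "s3cret".
    print(authorize("79.142.20.5", "Basic c2hvcDpzM2NyZXQ=", "shop", "s3cret"))
```

Run the subnet check before the credential check so that requests from outside the listed ranges never reach the password comparison.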