API Access
This API will only be made available to selected merchants, so make sure you apply for access before commencing development. Always ensure that you adhere to the API guidelines to avoid having your access revoked.
The Ozow Payment API allows you to build Ozow's real-time EFT functionality directly into your website or app. This integration method gives you more flexibility but would require more effort than using the Ozow hosted method.
This API will only be made available to selected merchants, so make sure you apply for access before commencing development. Always ensure that you adhere to the API guidelines to avoid having your access revoked.
The diagram below outlines the process flow that a standard payment will follow. These steps are explained in detail in the next few sections of this guide.
Get API Token
Create Request
Get Banks
Create Transaction
Bank Messages
Outcome
Staging | https://stagingapi.ozow.com |
---|---|
Live | https://api.ozow.com |
All requests excluding the "Get Token" request require the following HTTP headers.
Name | Type | Req | Description |
---|---|---|---|
Authorization | string (500) | Y | The token generated using the get token method. eg. Authorization: Bearer [token] |
Content-Type | string(50) | N |
The format the response should be returned in e.g.
|
Accept | string(50) | Y |
The format the response should be returned in e.g.
|
All requests return the same error object to indicate if an error has occurred.
Name | Type | Description |
---|---|---|
Message | string | The error message |
CanContinue | bool | Whether or not the process can continue. |
All requests are authenticated using the token you will receive from this request. The same token can be used for all requests until it expires. The only content type supported by this request is "application/x-www-form-urlencoded".
Url | /token | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Method | POST | ||||||||||||
Headers |
|
||||||||||||
URL Params | N/A | ||||||||||||
Data Params |
|
||||||||||||
Response Object |
|
||||||||||||
Request Example |
|
||||||||||||
Response Example |
|
This is where you pass all the information regarding your request.
Url | /secure/request/create | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Method | POST | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Headers |
See common headers | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
URL Params | N/A | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Data Params |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Response Object |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Request Example |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Response Example |
|
Follow these steps to generate the hash check:
Here is an example of how a hash would be generated using the steps above and the values below.
SiteCode | TSTSTE0001 |
---|---|
CountryCode | ZA |
CurrencyCode | ZAR |
Amount | 25.00 |
TransactionReference | 123 |
BankReference | ABC123 |
NotifyUrl | http://demo.ozow.com/notify.aspx |
IsTest | false |
Get list of all valid banks for the request.
Url | /secure/banks/:requestid | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Method | GET | ||||||||||||||||||||||||
Headers |
See common headers. No data is posted so the Content-Type header can be excluded. | ||||||||||||||||||||||||
URL Params |
|
||||||||||||||||||||||||
Data Params | N/A | ||||||||||||||||||||||||
Response Object |
Bank Object
|
||||||||||||||||||||||||
Request Example |
|
||||||||||||||||||||||||
Response Example |
|
Bank selection screen can be completely customised and only preferred banks can be displayed. Using these values directly instead of the list returned by the Get Bank method will bypass any bank limit and other filtering setup in Ozow.
Below is a list of all banks and their identifiers, only banks that are marked with allow payments from can be used to create a transaction.
Name | Id | Payments From | Payments To |
---|---|---|---|
ABSA | 3284a0ad-ba78-4838-8c2b-102981286a2b | ||
Capitec Bank | 913999fa-3a32-4e3d-82f0-a1df7e9e4f7b | ||
FNB | 4816019c-3314-4c80-8b6b-b2cd16dcc4ec | ||
Investec | 4b45be85-b616-4bd1-9027-f8fcf8f9af7b | ||
Nedbank | bf0561fd-4203-4a0c-9174-cb26fcd87a60 | ||
Standard Bank | ad7d8da4-1723-4066-94bb-6662d845e483 | ||
Standard Bank New | ad8127c6-316d-459c-adcc-e62a214251fc | ||
Bidvest Bank | 29c5ee92-46ec-4879-8ad9-5cd3f5502727 | ||
Mercantile Bank | 9e1917ad-29d1-4d11-80b5-0f6c33ae1083 | ||
RMB | cc08d678-09cb-49c8-bcd8-2ec9e3bd0a82 | ||
Demo Bank | ba18699f-8f5f-497b-9bcd-445133076408 |
Once the user has selected their bank you need to create the transaction. This will return the first bank message response which will contain the bank login fields.
Url | secure/transaction/create/:requestId/:bankId | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
Method | GET | |||||||||
Headers |
See common headers. No data is posted so the Content-Type header can be excluded. | |||||||||
URL Params |
|
|||||||||
Data Params | N/A | |||||||||
Response Object | See Bank Messages response object. | |||||||||
Request Example |
|
|||||||||
Response Example |
|
There are a number of messages that will be received and sent during the bank payment process.
Url | /secure/payment/process/:paymentStep/:transactionId | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Method | POST | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Headers |
See common headers | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
URL Params |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Data Params |
Login field values need to be encrypted using the method described later in this guide.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Response Object |
Display Object
InputField ObjectSee field types section as properties will vary depending on the type. Transaction Object
Successful transactions need to be confirmed using the status as receiptId is available for a few statuses.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Request Example |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Response Example |
|
The display types determine what needs to be displayed to the user.
Form |
This requires you to display the input fields and a button (If the display action text property has a value).
If the input fields are empty and the "allowResend" property is true only a resend button should be displayed.
|
---|---|
Prompt |
This is sent when the user needs to complete an action on their side e.g. Accepting a push message notification on their phone. In this instance the message in the title and instruction properties need to be displayed in a way that catches the user's attention so they can acknowledge what action needs to be completed.
A message should be sent back to Ozow after receiving a prompt display type to await for the next update.
|
Busy |
This is sent when the user has or has not completed the action in the prompt. When receiving this display type you should display a busy indicator to the user.
A message should be sent back to Ozow after receiving a busy display type to await for the next update.
|
The field type will determine what type of field you display to the user.
Text |
This can be displayed to the user as a text input field.
|
|||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Password |
This can be displayed to the user as a password input field. This would have the same properties as the text field type above except the value of the type property would be "Password". |
|||||||||||||||||||||||||||
Select |
There are a number of ways this can be displayed to a user e.g. Html select, custom picker, list of buttons (if there is no other input required for that step).
Select Option Object
|
|||||||||||||||||||||||||||
Partial Password |
This is where a user only needs to enter certain character of their password. To determine which characters need to be entered, a field for each character is returned and the ones for which input is not required will have a disabled property set to true.
The fields that are not disabled should be displayed as password inputs.
Field Object
|
|||||||||||||||||||||||||||
Image |
Used for CAPTCHA images
|
The use of icons for fields is not required, the list below is just an indication of icons you could use for the various field groups.
Username | |
---|---|
Password | |
Account | |
Otp | |
Reference | |
Captcha | |
UserNumber |
All values for the "Login" step need to be encrypted using this encryption method before sending back to Ozow. The resulting bytes from the encryption should be converted to a Base64 string.
Algorithms | AES |
---|---|
Mode | CBC |
Key Length | 256 bits |
Key |
Your 32 character API key provided to you by Ozow.
If you are using a key that is not 32 characters long you would need append it on itself until it is 32 characters or longer and use the first 32 characters.
|
IV | Get the lowercase string of the transaction identifier. Do a SHA512 hash on the lowercase result and use the first 16 characters |
private static function encrypt($data, $key, $iv_string) {
while (strlen($key) < 32) {
$key .= $key;
}
$iv = substr(hash('sha512', strtolower($iv_string)), 0, 16);
$encrypted_bytes = openssl_encrypt($data, 'AES-256-CBC', substr($key, 0, 32), OPENSSL_RAW_DATA, $iv);
return base64_encode($encrypted_bytes);
}
public static string EncryptAes(string data, string key, string ivString)
{
byte[] dataBytes = Encoding.UTF8.GetBytes(data);
byte[] encryptedBytes;
string iv = GetSHA512Hash(ivString.ToLower()).Substring(0, 16);
while (key.Length < 32)
{
key += key;
}
using (var aes = new AesCryptoServiceProvider())
{
aes.Key = Encoding.UTF8.GetBytes(key.Substring(0, 32));
aes.Mode = CipherMode.CBC;
aes.IV = Encoding.UTF8.GetBytes(iv);
var encryptor = aes.CreateEncryptor();
encryptedBytes = encryptor.TransformFinalBlock(dataBytes, 0, dataBytes.Length);
aes.Clear();
}
return Convert.ToBase64String(encryptedBytes, 0, encryptedBytes.Length);
}
Once you receive a bank message that contains a transaction status the transaction has been concluded and the status of the payment can be determined. You can trigger the relevant actions on your system based on the payment status received.
Complete | The payment was successfully completed |
---|---|
Cancelled | The payment was cancelled as we could not proceed any further with the payment or the user cancelled. |
Error | A technical error occurred while processing the payment. |
Abandoned | No activity from the user for a set amount of time. The time varies for different steps. |
PendingInvestigation | An inconclusive result was received by the bank and the payment needs to be verified manually. |
Pending | The status cannot be determined as yet but will be posted to the notification URL as soon as it has been determined. Merchants not using the notification URL will receive a PendingInvestigation status. |
Once the transaction has concluded a notification will be sent to the notification url specified in the Create Request method or configured in your Ozow merchant admin portal. If the status is "Pending", a notification will be sent again once the final status has been determined.
Name | Type | Description |
---|---|---|
SiteCode | string (50) | The site code sent to Ozow in the request post. |
TransactionId | guid | The transaction identifier. |
TransactionReference | string (50) | The merchant's transaction reference sent in the Create Request's TransactionReference variable. |
Amount | decimal (9,2) | The payment amount. The amount is in the currency specified by the currency code. |
Status | string (50) | The transaction status. See possible values. |
Optional1 Optional2 Optional3 Optional4 Optional5 |
string (50) | Optional fields sent in the Create Request. |
CurrencyCode | string (3) | The transaction currency code sent in the Create Request. |
IsTest | bool | Whether or not the original request was a test request. Test requests are currently not available for this API so value will always be false. |
StatusMessage | string (500) | Message regarding the status of the transaction. This field will not always have a value. This is a user friendly message that can be displayed to the user e.g. User cancelled transaction. |
Hash | string (250) | SHA512 hash used to ensure that certain fields in the message have not been altered after the hash was generated. Check the generate hash section below for more details on how to validate the response variables using the hash. |
Gets the status of a transaction. This can be used for polling to pick up abandoned transactions or can be used to verify the status of a transaction.
Url | secure/transaction/status/:transactionId | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Method | GET | ||||||||||||||||||
Headers |
See common headers. No data is posted so the Content-Type header can be excluded. | ||||||||||||||||||
URL Params |
|
||||||||||||||||||
Data Params | N/A | ||||||||||||||||||
Response Object |
|
||||||||||||||||||
Request Example |
|
||||||||||||||||||
Response Example |
|
Users should be given an option to cancel transactions or to change the bank they selected while on the login page.
Even though it might not seem completely necessary to instruct Ozow to terminate the transaction, it does help track customer behaviour as well as enable Ozow to make sure user banking sessions are not kept open any longer than necessary.
Should be called when the user confirms that they would like to cancel the transaction or request.
Url | secure/transaction/cancel/:transactionId | ||||||
---|---|---|---|---|---|---|---|
Method | GET | ||||||
Headers |
See common headers. No data is posted or returned so the Content-Type and Accept headers can be excluded. | ||||||
URL Params |
|
||||||
Data Params | N/A | ||||||
Response Object | N/A | ||||||
Request Example |
|
Should be called when the user chooses to change the bank selected and hasn't logged in.
Url | secure/transaction/void/:transactionId | ||||||
---|---|---|---|---|---|---|---|
Method | GET | ||||||
Headers |
See common headers. No data is posted or returned so the Content-Type and Accept headers can be excluded. | ||||||
URL Params |
|
||||||
Data Params | N/A | ||||||
Response Object | N/A | ||||||
Request Example |
|
Get list of all transaction eligible for billing in a given month for a merchant.
Url | transaction/billing | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Method | GET | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Headers |
See common headers. No data is posted so the Content-Type header can be excluded. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
URL Params |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Data Params | N/A | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Response Object |
Transactions Object
Transaction Object
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Request Example |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Response Example |
|
The Ozow Payment API allows you to build Ozow's real-time EFT functionality directly into your website or app. This integration method gives you more flexibility but would require more effort than using the Ozow hosted method.