Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Safepay custom integration

To integrate with Safepay, you will need a production account and a sandbox account.

Production accounts can be created by visiting this link

Sandbox accounts can be created by visiting this link

Please take a note of your:

  1. Production API Key
  2. Production Secret Key
  3. Sandbox API Key
  4. Sandbox Secret Key

When the customer reaches the payment step, selects pay with Safepay, and clicks Place Order, the plugin should create an order in your system, generate an Order ID and then with the appropriate API key (whether its sandbox or production) make a POST request to Safepay to generate a Payment like so:

$prod_url = "";
$sandbox_url = "";
$url = $env === "sandbox" ? $sandbox_url : $prod_url;

curl --location --request POST $url.'/order/v1/init' \
--header 'Content-Type: application/json' \
--data-raw '{
"client": "sec_c18b707b-bd0f-41fe-947a-e894adf81e20",
"amount": 1000.00,
"currency": "PKR",
"environment": "sandbox" ("sandbox" or "production" based on the plugin setting)

This request will return the following response



Upon receiving the response extract the "token" property from the JSON payload and use it to construct the following URL like so:


function construct_url($order, $tracker="")
  $baseURL = $this->sandbox ? self::SANDBOX_CHECKOUT_URL : self::PRODUCTION_CHECKOUT_URL;
  $params = array(
    "env" => $this->sandbox ? "sandbox" : "production",
    "beacon" => $tracker,
    "source" => 'magento',
    "order_id" => $order->get_id(),
    "redirect_url" => $this->get_success_url(),
    "cancel_url" => $this->get_cancel_url()

  $baseURL = add_query_arg($params, $baseURL);

  return $baseURL;

Once the URL is constructed, redirect the user to this URL.

When the user is on the Safepay payment page, if he clicks on "Cancel Payment", Safepay will automatically redirect the user to the "cancel_url". Your application should handle the order cancellation flow including marking the order as cancelled and redirecting the user back to the Checkout page.

If the user completes payment, Safepay will make a POST request via an HTML form with the "action" being the "redirect_url". The following body will be sent to the post request: Order ID (Your Order ID) Reference Code (Safepay Transaction Reference Code) Tracker (Safepay Transaction Tracker Token) Signature (Signed value to prove authenticity of transaction)

The plugin must use the appropriate secret key (whether sandbox or production) to verify the transaction using the following code as example:

public function validate_signature($tracker, $signature)
  $secret = $this->get_shared_secret();
  $signature_2 = hash_hmac('sha256', $tracker, $secret);
  if ($signature_2 === $signature) {
    return true;
  return false;

If the signature fails validation, your should mark the order as "review" and add a note saying the payment failed validation. Or your app should just cancel the order and redirect the customer back to the checkout page.

If the signature passes validation, your app should save the Safepay Reference Code & Safepay Tracker to your database so that the store owner can reconcile the Order with the payment.

The plugin should then mark the order as complete and redirect the customer to the order confirmed page.

Please refer to the Official Safepay Wordpress plugin for details and code on how to achieve this.

Also refer to the Official Safepay Wordpress Plugin on the wordpress registry for screenshots on how the admin settings should look like:


This comment has been minimized.

Copy link

@najamsk najamsk commented Jun 18, 2020

I am able to run curl command and get response json. But couldnt follow rest of steps. you are talking about constructing the url and my guess is you are using php code. Can you also show the sample url so we can use our own programming language to construct same url.

from sandbox account under settings section i am able to get my api key from where i get secret? on top of documentation its more user friendly if you put urls to api key and secret otherwise user have to visit every url to figure out where are these things,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.