Getting Started with QorCommerce
This page will help you get started with QorCommerce. You'll be up and running in a jiffy!
The QorCommerce API is organized around REST. Our API has predictable resource-oriented URLs, accepts JSON-encoded or form-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs.
API Credentials
The QorCommerce API uses API keys to authenticate requests. You will receive your Production API keys from QorCommerce and can view your API Keys in the QorCommerce Portal.
Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
Authentication to the API is performed via header keys. Provide your API keys in the required header key / value pairs.
All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
Note:
Never publish your application or client keys in any kind of Front-End applications. They carry all the project privileges, and would be exposed to third-parties.
API Idempotency
The QorCommerce API supports idempotency, allowing you to retry a request multiple times while only performing the action once. This helps avoid unwanted duplication in case of failures and retries. For example, in the case of a timeout error, it is possible to safely retry sending the same API payment call multiple times with the guarantee that the payment detail will only be charged once.
The accounting rules in the QorCommerce payments platform take care of most potential double-processing issues that can impact payment modifications. For example, the following default rules apply:
- Captures: While partial captures are allowed, it is not possible to capture a higher amount than the authorized one.
- Refunds: While multiple refunds are allowed, by default the total refunded value cannot exceed the captured amount.
To minimize unwanted side effects when requests are duplicated, you can also take the following actions on your end:
- Implement asynchronous server-to-server webhooks. For example, this approach helps keep track of missing responses, a common consequence of a data transmission timeout.
- Enable idempotency in your API requests with for instance unique order ids or invoice numbers.
- Or to perform a forced idempotent request, provide an additional
idempotency-keyin the header of your request. Idempotency works by saving the resulting status code and body of the first request made for any given idempotency key, regardless of whether it succeeded or failed. Subsequent requests with the same key return the same result, including errors. An idempotency key is a unique value generated by the you which the server uses to recognize subsequent retries of the same request. How you create unique keys is up to you, but we suggest using V4 UUIDs, or another random string with enough entropy to avoid collisions. Idempotency keys can be up to 40 characters long.
The QorCommerce API supports idempotency on POST requests (other request types such as GET, DELETE and PUT are idempotent by definition).
Metadata
Payments, Forms, Subscriptions, Refunds calls have a metadata parameter. You can use this parameter to attach key-value data.
Metadata is useful for storing additional, structured information. As an example, you could store your user's full name and corresponding unique identifier from your system. Metadata is not used by QorCommerce — for example, it is not used to authorize or decline a charge and won't be seen by your customers or users unless you choose to show it to them.
Do not store any sensitive information (bank account numbers, card details, etc.) as metadata.
You can specify up to 10 keys, with key names up to 40 characters long and values up to 100 characters long.
Try It
All of the APIs listed in this documentation can be tested with your local REST client or through our Try It feature. We provide samples of all parameters with field types and validations - with and without values. All you need to do is copy/paste an example API and press SEND to review a real time request and response. We also provide you with full response parameters, test cards and account numbers that produce different success and error messages. Feel free to change any of the parameter values at any time.
Testing Transactions & API Calls
QorCommerce provides a test account supporting our payment solutions across all APIs, SDKs, plugins, carts and hosted pages allowing you to process transactions and receive real-time responses.
Test Mode
The QorCommerce ‘Test’ module was designed and implemented to replicate the base functionality of a 'Live' Processor for testing, training and development environments. Currently Test Mode supports the following transaction types:
• Credit Cards
• Debit Cards
• ACH
All requests and data created in test mode will never reach your customers nor create any charge against their accounts.
'Test Mode' was designed for black box testing to simulate communication with a 'Live' Processor. Specific transaction parameters will cause defined (below) responses to be returned. The 'Test Mode' module will perform sanity checks (in additional to what QorCommerce already performs) against the transaction data to ensure it is consistent with industry and interchange requirements.
• Please use your email address in the 'cemail' element (email address) - this allows our staff to track or find your specific test messages quickly.
Test API Endpoint
Testing should be done on the https://<<test_api_url>>/v3 endpoint.
Test Merchant ID
- To evaluate our APIs use the following Merchant ID (for CNP) if required by a request: 887728202
- To evaluate our APIs use the following Merchant ID (for CP) if required by a request: 887728203
Header Parameters
To evaluate our APIs use the following key value pair in the Header of every request:
| key name | value |
|---|---|
| Qor-App-Key | T6554252567241061980 |
| Qor-Client-Key | 01dffeb784c64d098c8c691ea589eb82 |
Test Card Numbers
You can use the following card numbers in the creditcard parameter for testing transactions in the ../payment/sale and ../payment/authorize endpoints.
| card brand | creditcard value | month value | year value |
|---|---|---|---|
| VISA | 4012888888881881 | 11 | 24 |
| VISA CORP | 4055011111111111 | 11 | 24 |
| MASTERCARD | 5454545454545454 | 11 | 24 |
| MASTERCARD | 2222333344445559 | 11 | 24 |
| MASTERCARD CORP | 5405222222222226 | 11 | 24 |
| AMEX | 371449635398431 | 11 | 24 |
| DISCOVER | 6011000995500000 | 11 | 24 |
Address Verification Service (AVS)
To simulate a successful transaction and valid AVS response when posting a credit card SALE to the ../payment/sale endpoint or an AUTHORIZATION to the ../payment/authorize endpoint use the following parameters and values.
| paramter | value |
|---|---|
| baddress | 5800 NW 39th AVE |
| bzip | 32606 |
To simulate a declined transaction and failed AVS response when posting a credit card SALE to the ../payment/sale endpoint or an AUTHORIZATION to the ../payment/authorize endpoint use the following parameters and values
| parameter | value |
|---|---|
| baddress | 2831 NW 41st St |
| baddress2 | STE J |
| bzip | 32615 |
Any other baddress, baddress2, and bzip parameter values will return a failed AVS but not decline the transaction.
If you do not send any values for baddress, baddress2 parameters the AVS will also fail but not decline the transaction.
Card Validation (CV / CVV / CVV2)
To simulate a successful transaction and valid CVV response when posting a credit card SALE to the ../payment/sale endpoint or an AUTHORIZATION to the ../payment/authorize endpoint use the following parameters and values for the specified card brand.
| card brand | parameter | value |
|---|---|---|
| VISA | cvv | 999 |
| MASTERCARD | cvv | 999 |
| DISCOVER | cvv | 999 |
| AMEX | cvv | 1234 |
To simulate a successful transaction and failed CVV response when posting a credit card SALE to the ../payment/sale endpoint or an AUTHORIZATION to the ../payment/authorize endpoint use the following parameters and values for the specified card brand.
| card brand | parameter | value |
|---|---|---|
| VISA | cvv | 123 |
| MASTERCARD | cvv | 123 |
| DISCOVER | cvv | 123 |
| AMEX | cvv | 9999 |
Any other cvv parameter value will return a failed CVV but not decline the transaction.
Failure to send a cvv parameter will return a declined transaction.
Test - Decline Codes
In test-mode you can enter a specific value in the amount parameter for the ../payment/sale and ../payment/authorize endpoint requests and receive expected decline codes.
amount value | code | description |
|---|---|---|
| 6.04 | 04 | Confiscate card (no fraud assumed) |
| 6.15 | 05 | Do not honor card |
| 6.36 | 08 | Valid ID required for transaction |
| 6.08 | 14 | Account number or length error |
| 6.32 | 17 | Cardholder requested a cancellation on recurring charges |
| 6.40 | 19 | Bad transaction data or setup, re-enter |
| 6.20 | 22 | Violation |
| 6.14 | 30 | Date error |
| 6.41 | 31 | Card type not accepted |
| 6.05 | 34 | Confiscate card (fraud assumed) |
| 6.06 | 41 | Confiscate card (reported lost) |
| 6.07 | 43 | Confiscate card (reported stolen) |
| 6.16 | 51 | Insufficient funds |
| 6.22 | 54 | Credit/Debit card expired |
| 6.10 | 55 | Bad Debit/ EBT pin info |
| 6.17 | 61 | Exceeds withdrawal limit |
| 6.24 | 63 | Security violation |
| 6.19 | 65 | Exceeds activity limit |
| 6.21 | 81 | Encryption Error (usually debit/ebt) |
| 6.29 | 94 | Duplicate batch number |
| 6.27 | 96 | System error |
| 6.13 | 97 | CVV2/ CID error |
| 6.12 | N3 | Cash back services unavailable (VISA) |
| 6.11 | N4 | Too much cash back (VISA) |
Moving to Production
When you are satisfied and ready to move to the production environment you need to use a Qor-App-Key issued for production and point to the https://<<api_url>>/v3 endpoint.
To identify your production Qor-App-Key from your test Qor-App-Key:
-
The Production
Qor-App-Keybegins with aP -
The Testing
Qor-App-Keybegins with aT
Note:
It is important to understand the
Qor-Client-Keyrepresents an individual merchant account and is assigned and provided to the merchant when the merchant account is created. When developing your application, you need to make sure that the merchant can enter this assigned value in your app and that this value is passed as the header value forQor-Client-Keyto ensure the data processes and is recorded correctly.
In other words, DO NOT use the sameQor-Client-Key/code> for multiple merchant accounts in Production
Updated about 1 month ago