popup close image popup close image
We use cookies in order to personalize website content and analyze traffic on our website.
I agree

Merchant Guide

Home pageHelp & Support
Ready plugins plugins Api integration guide Api SCI/Merchant integration guide SCI
If you need help please do not hesitate to contact our support service.

SCI merchant request

This method is used to request information necessary for SCI. It returns link to point customer to for processing payment.

The following URL is used to send Merchant POST requests

https://api.worldcore.eu/v1/merchant

The list of parameters for this request:

Parameter Description Example Value
account (string) *
Account to receive payment to
S1234567
amount (string) *
Amount of payment
456.78
invoiceId (string)
This field can be used to pass Invoice ID to identify payment upon receiving confirmation (up to 100 chars, see "SCI payment confirmations")
ID-3347
comment (string)
Comment of payment
ABC 123
customField (string)
This field can be used to pass some custom data to be received on Status URL (up to 1000 chars)
JSON can be used to pass multiple fileds:
{"field1":"value","field2":"value"}

List of returned parameters

Parameter Description
account (string)
Account to receive payment to
amount (decimal)
Amount of payment
url (string)
Worldcore SCI processing URL to point customer to
customField (string)
Custom data passed on input
invoiceId (string)
Invoice ID passed on input

Example of sending and handling Worldcore API Merchant request:

PHP
C#
Ruby
Python
<?php
// These values should be filled according API page of Worldcore Member's area:
define('API_KEY', '1234567890');
define('API_PASSWORD', 'some pass phrase');
$post_str=json_encode(array(
	'account' => 'S1234567',
	'amount' => 456.78
));
$hash_in=strtoupper(hash('sha256', $post_str.API_PASSWORD));
$auth_header='Authorization: wauth key='.API_KEY.', hash='.$hash_in;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://api.worldcore.eu/v1/merchant');
curl_setopt($curl, CURLOPT_HEADER, true);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json; charset=utf-8', $auth_header));
curl_setopt($curl, CURLOPT_POSTFIELDS, $post_str);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$curl_response = curl_exec($curl);
if($curl_response==false){
	$error_msg = curl_error($curl);
	echo $error_msg;
}else{
	list($response_headers, $json_response)=explode("\r\n\r\n", $curl_response, 2);
	preg_match("/^WSignature: ([A-Z0-9]{64})\r$/m", $response_headers, $hash_outputed);
	$hash_check=strtoupper(hash('sha256', $json_response.API_PASSWORD));
	if($hash_outputed[1]!=$hash_check){
		echo "Hash not match!";
	}else{
		$decoded_response=json_decode($json_response, true);
		if(isset($decoded_response['error'])){
			echo 'Error occurred: '.print_r($decoded_response['error'], true);
		}else{
			print_r($decoded_response['data']);
		}
	}
}
curl_close($curl);
var baseAddress = new Uri("https://api.worldcore.eu/v1/");
using (var httpClient = new HttpClient {BaseAddress = baseAddress})
{
    var paramerters = new
    {
        account = "S1234567",
        amount = 100m,
        comment = "Some comment",
        invoiceId = "Inv124647",
        customField = "Some optional data..."
    };
    var json = JsonConvert.SerializeObject(paramerters);
    var content = new StringContent(json, Encoding.UTF8, "application/json");
    var appKey = "YOUR API KEY";
    var appPassword = "YOUR API PASSWORD";
    var authHeader = string.Format("wauth key={0}, hash={1}", appKey, ArrayToHexString(ComputeHash(json + appPassword)));
    httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", authHeader);
    using (var response = await httpClient.PostAsync("merchant", content))
    {
        if (response.StatusCode == HttpStatusCode.OK)
        {
            var responseData = await response.Content.ReadAsStringAsync();
            IEnumerable<string> signatures;
            response.Headers.TryGetValues("WSignature", out signatures);
            var returnedSignature = signatures != null ? signatures.SingleOrDefault() : null;
            var actualSignature = ArrayToHexString(ComputeHash(responseData + appPassword));
            if (returnedSignature != actualSignature)
            {
                // Signatures mismatch. Do something when signature is invalid
            }
            else
            {
                var responseObject = JsonConvert.DeserializeObject<ApiResponse>(responseData);
                if (responseObject.Data != null)
                {
                    // do something useful
                    // for example redirect your user to responseObject.Data.Url
                }
                else {
                    // do some error handling here
                }
            }
        }
        else
        {
           // something went wrong
        }
    }
}
// ...
public static byte[] ComputeHash(string str)
{
    var bytes = Encoding.ASCII.GetBytes(str);
    using (var algorithm = SHA256.Create())
    {
        return algorithm.ComputeHash(bytes);
    }
}
public static string ArrayToHexString(IEnumerable<byte> array)
{
    var result = new StringBuilder();
    foreach (var item in array)
    {
        result.AppendFormat("{0:X2}", item);
    }
    return result.ToString();
}
public class ApiResponse
{
    public ErrorInfo Error { get; set; }
    public UrlInfo Data { get; set; }
}
public class ErrorInfo
{
    public string Type { get; set; }
    public string Message { get; set; }
}
public class UrlInfo
{
    public string Account { get; set; }
    public decimal Amount { get; set; }
    public string InvoiceId { get; set; }
    public string CustomField { get; set; }
    public string Url { get; set; }
}
require 'digest'
require 'json'
require 'uri'
require 'net/http'
require 'net/https'
# These values should be filled according API page of Worldcore Member's area:
api_key = '1234567'
api_password = 'some password'
post_str = {
	'account' => 'S1234567',
	'amount' => 456.78
}.to_json
hash_in = Digest::SHA256.hexdigest "#{post_str}#{api_password}"
hash_in = hash_in.upcase
uri = URI.parse('https://api.worldcore.eu/v1/merchant')
connection = Net::HTTP::new(uri.host, uri.port)
connection.use_ssl = true
req = Net::HTTP::Post.new(uri.path, initheader = {
	'Content-Type' => 'application/json; charset=utf-8',
	'Authorization' => "wauth key=#{api_key}, hash=#{hash_in}"
})
req.body = post_str
res = connection.request(req)
hash_out = res.get_fields('WSignature')
hash_check = Digest::SHA256.hexdigest "#{res.body}#{api_password}"
hash_check = hash_check.upcase
if not "[\"#{hash_check}\"]".eql? "#{hash_out}"
	render :text => "hash hot match"
else	
	response = JSON.parse res.body
	if response["error"]
		render :text => "error occurred: #{response["error"]}"
	else
		render :text => response["data"]
	end		
end
    
#!/usr/bin/python
print("Content-Type: text/html;charset=utf-8\n")
import sys
import json
import hashlib
# These values should be filled according API page of Worldcore Member's area:
API_KEY='1234567'
API_PASSWORD='some password'
input_params={
	"account": "S1234567",
	"amount": 456.78
}
request_str=json.dumps(input_params)
h = hashlib.new('sha256')
h.update((request_str+API_PASSWORD).encode())
hash_in=h.hexdigest().upper()
auth_header="Authorization: wauth key="+API_KEY+", hash="+hash_in
import pycurl
from StringIO import StringIO
buffer = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, "https://api.worldcore.eu/v1/merchant") 
c.setopt(c.HEADER, 1)
c.setopt(c.POST, 1)
c.setopt(c.HTTPHEADER, ["Content-Type: application/json; charset=utf-8", auth_header])
c.setopt(c.POSTFIELDS, request_str)
c.setopt(c.TIMEOUT, 10)
c.setopt(c.WRITEFUNCTION, buffer.write)
try:
	c.perform()
except pycurl.error, e:
	print('curl error: '+e)
	sys.exit()
# Fetch	response
code = c.getinfo(c.RESPONSE_CODE)
response = buffer.getvalue().split("\r\n\r\n", 2)
headers = response[0]
body = response[1]
if code == 200:
	import re
	m=re.search("^WSignature: ([A-Z0-9]{64})\r$", headers, re.M)
	hash_out=m.group(1)
	h = hashlib.new('sha256')
	h.update((body+API_PASSWORD).encode())
	hash_check=h.hexdigest().upper()
	if hash_out!=hash_check:
		print("BAD HASH")
	else:
		result = json.loads(body)
		if result.get('error'):
			print("error occurred: "+str(result.get('error')))
		else:
			# Process payment here
			print(result.get('data'))
else:
	print("error occurred: "+body)
c.close()
    

SCI payment confirmation

Upon successful payment Worldcore sends confirmation to client-side. To receive confirmations it is needed to set up status URL under Members Area of Worldcore account. This status URL will be used to receive payment confirmations. Payment confirmations come to status URL in the following format:

Parameter Description
account (string)
Account to receive payment to (Example: S1234567)
amount (decimal)
Amount of payment (Example: 456.78)
feeAmount (decimal)
Fee (Example: 1.23)
customField (string)
Custom field value
invoiceId (string)
invoiceId value (Example: ID-3347)
track (string)
Worldcore payment tracking ID
status (string)
Indicates actual status of payment. May be one of the following:
  • Created
  • Pending
  • Completed
  • Rejected

Example of payment confirmation hash checking:

PHP
C#
Ruby
Python
<?php
define(API_PASSWORD, 'dI,}dswd_03u2jfalgju39');
define(LOG_PATH, '/path/to/log');
$headers=apache_request_headers();
$json_body=file_get_contents('php://input');
$hash_check=strtoupper(hash('sha256', $json_body.API_PASSWORD));
if($headers['WSignature']==$hash_check){
	// some code to confirm payment
}else{
	// some code to log invalid payments
	file_put_contents(LOG_PATH.'/log.txt', 'Hash mismatch! '.$headers['WSignature'].' vs. '.$hash_check."\n", FILE_APPEND);
}
[HttpPost]
public ActionResult Status(NotificationModel model)
{
    string appPassword = "YOUR API PASSWORD";
    var passedSignature = HttpContext.Request.Headers["WSignature"];
    var requestBody = GetFromBodyString(HttpContext.Request);
    var actualSignature = ArrayToHexString(ComputeHash(requestBody + appPassword));
    if (actualSignature == passedSignature)
    {
        // do something useful with data in your model object
    }
    return new EmptyResult();
}
// ...
public static byte[] ComputeHash(string str)
{
    var bytes = Encoding.ASCII.GetBytes(str);
    using (var algorithm = SHA256.Create())
    {
        return algorithm.ComputeHash(bytes);
    }
}
public static string ArrayToHexString(IEnumerable<byte> array)
{
    var result = new StringBuilder();
    foreach (var item in array)
    {
        result.AppendFormat("{0:X2}", item);
    }
    return result.ToString();
}
public static string GetFromBodyString(HttpRequestBase request)
{
    string result = string.Empty;
    if (request == null || request.InputStream == null)
        return result;
    request.InputStream.Position = 0;
    using (MemoryStream memoryStream = new MemoryStream())
    {
        CopyToMemoryStream(request.InputStream, memoryStream);
        using (StreamReader streamReader = new StreamReader(memoryStream))
        {
            result = streamReader.ReadToEnd();
        }
    }
    return result;
}
public static void CopyToMemoryStream(Stream source, MemoryStream destination)
{
    if (source.CanSeek)
    {
        int pos = (int)destination.Position;
        int length = (int)(source.Length - source.Position) + pos;
        destination.SetLength(length);
        while (pos < length)
            pos += source.Read(destination.GetBuffer(), pos, length - pos);
    }
    else
        source.CopyTo(destination);
}
// ...
public class NotificationModel
{
    public string Account { get; set; }
    public decimal Amount { get; set; }
    public decimal FeeAmount { get; set; }
    public string InvoiceId { get; set; }
    public string CustomField { get; set; }
    public string Track { get; set; }
    public string Status { get; set; }
}
class MerchantStatusController < ActionController::Base
  def index
	require 'digest'
	# This value should be filled according API page of Worldcore Member's area
	api_password = 'some password'
	hash = request.headers['WSignature']
    hash_check = Digest::SHA256.hexdigest "#{request.body}#{api_password}"
	hash_check = hash_check.upcase
	if "#{hash_check}".eql? "#{hash}"
		# add some code to confirm payment
		render :text => request.body
	else
		# some code to log bad requests
		render :text => "bad hash"
	end
  end
end
    
def status_url():
	# This value should be filled according API page of Worldcore Member's area
	API_PASSWORD='some password'
	import hashlib
	import json
	from flask import request
	h = hashlib.new('sha256')
	h.update((request.data+API_PASSWORD).encode())
	hash_check=h.hexdigest().upper()
	if request.headers['WSignature']!=hash_check:
		return "BAD HASH"
	else:
		# Process payment here
		result = json.loads(request.data)
		return result
    

SCI success URL

In case of successful payment customer is redirected to Success URL. Usually this is an order confirmation page. URL of this page should be set under Worldcore Member's Area, under SCI/Merchant Settings.

Success URL receives the following parameters about payment as a GET request:

Parameter Description
customfield (string)
Custom field value
invoiceid (string)
invoiceId value (Example: ID-3347)
track (string)
Worldcore payment tracking ID

SCI failure URL

Customer may be redirected to Failure URL if payment has not been completed by some reason. Failure URL should be set under Worldcore Member's Area, under SCI/Merchant Settings.