PaymentIntent

The PaymentIntent object contains payment data. To ensure that this payment data is not tampered with (e.g. a customer amends the amount to be smaller), the PaymentIntent requires a HMAC verification field to be conducted in your backend using your Pay Now secret.

PaymentIntent is used in the following methods.

Attribute

Type

Description

payment.amount

number

Amount in subunit (non-decimal)

payment.currency

string

ISO-4217 country codes

payment.reference

string

Reference or invoice number for the payment transaction/

payment.hide_card_holder

boolean

Determines if the "Card Holder" field should be shown on the page or not. If this is included and true, it must be appended to the end of the verification hash. See "Verification Value Hash Calculation" below for more details.

verification

string

Hash of amount, reference, currency. See Verification Value Hash Calculation below for more details on how to calculate this value.

{
  payment: {
    amount: 10025,
    currency: "AUD",
    reference: "INV1121"
  },
  verification: "xxxxxx"
}

Verification Value Hash Calculation

❗️

The Verification Value Hash should only ever be calculated on your backend server, and never in client-side code.

This is because your Pay Now token is a secret value that only you should know. Calculating the Verification Value Hash on the client-side (e.g. in client-side Javascript) would make your Pay Now token secret visible to public via browser developer tools.

Below is pseudo code demonstrating how the verification hash is calculated using a PayNow token. The Pay Now token can be obtained from the Fat Zebra Merchant Dashboard.

Please make sure that reference (invoice #), amount (subunit) and currency are in the correct order as shown:

shared_secret = "abc123" # Also known as your Pay Now token

invoice_no = "INV4567" # Also known as reference
amount = "1000"
currency = "AUD"
hide_card_holder = true

hmac = HMAC::MD5.new(shared_secret)
data = [invoice_no, amount, currency]
data << [hide_card_holder] if hide_card_holder

# Data will be:
# INV4567:1000:AUD:true
verification = hmac_md5(shared_secret, data.join(":"))
# Expected value: c045c96c113ae660b91b60bd09feda20
# Hash will be 0a40877ca9f75152f27bf093af7fd44b if hide_card_holder is false