Request for order registration and payment (as a single request)

In this document, the following data type conventions are used when describing request and response parameters:

string – string;
array – data array;
object – data object;
data – date;
boolean – boolean (logical) data type;
int. (integer) – integer data type;
amount – a numeric data type (amount).

Request parameters:

Parameter	Type	Description	Value example
`merchantOpenTokenId`	string	The merchant's public key.	8u144674veh8u9b8gnhdm5ua89
`returnUrl`	string	Data object to specify the URL for the customer to return to.	https%3A%2F%2Fya.ru
`amount`	string	Data object about the amount of payment. Passed as a string and in major units. Template xxxx, xx – i.e. the amount is transferred in the form of rubles + kopecks; For example, 100.20 – 100 rubles 20 kopecks.	10001
`preAuth`	string	Parameter that defines the necessity of a pre-authorization (putting the amount on hold on the customer's account until its debiting). The following values are available: true – the parameter is enabled, a payment is processed with a pre-authorization (the amount on the customer's account is put on hold until the debiting); false – the parameter is disabled (the amount is debited immediately). If the parameter is not specified in the request, the debiting occurs immediately; if it is specified, you must send a separate request for completion.	false
`bindingUuid`	string	Sbersafe binding identifier.
`pan`	string	Payment card number.	4276010013296064
`expiry`	string	The validity of the card.	202412
`cardholder`	string	Name of the cardholder.	Integration+Tester
`cvc`	string	CVC/CVV2 code on the back of the card.	555
`phone`	string	Customer's phone number without a leading «7».	9886496412
`email`	string	Customer's email address.	test@test.ru
`deliveryAddress`	string	Delivery address.
`loyaltyId`	string	Loyalty program identifier.	sbrf_spasibo
`loyaltyPointAmount`	string	Amount of «Spasibo» bonuses (in units of bonuses). When you specify bonuses in the order registration request, they are deducted from the amount in `amount` rather than being added to it.	100
`loyaltyPayments`	string	A block containing information about the loyalty program identifier and the amount of points.	«loyaltyId»:«sbrf_spasibo», «loyaltyPointAmount»:«200000»
`externalBindingId`	string	Gateway Binding (External).
`importExternalBindings`	string	Flag for importing bindings.
`params`	string	Extra options. It is forbidden to pass reserved names in the parameter (if they are passed, the order may be rejected): sbrf_spasibo:amount_bonus sbrf_sbermiles:amount_bonus loyaltyId
`googlePaymentToken`	string	Google Pay payment token.
`samsungPaymentToken`	string	Samsung Pay payment token.
`applePaymentToken`	string	Apple Pay payment token.
`threeDSServerTransId`	string	Transaction identifier created on the 3DS server. This parameter is used for Customer authentication using the 3DS Protocol version 2.0.

Request example:

POST /order/instantPayment?merchantOpenTokenId=8u144674veh8u9b8gnhdm5ua89&returnUrl=https%3A%2F%2Fya.ru&amount=10001&preAuth=false&pan=4276010013296064&expiry=202412&cardholder=Integration+Tester&cvc=555&phone=9886496412&email=test@test.com&loyaltyPayments=[{%22loyaltyId%22:%22sbrf_spasibo%22,%20%22loyaltyPointAmount%22:%22100%22},%20{%22loyaltyId%22:%22sbrf_sbermiles%22,%20%22loyaltyPointAmount%22:%22100%22}] HTTP/1.1
Host: 3dsec.sberbank.ru/sbersafe
Content-Length: <content-lenght>

Response parameters:

Parameter	Type	Description	Value example
`errorCode`	int	Error code.	0
`errorMessage`	string	Error description.	«Invalid operation for the current order status»
`mdOrder`	string	Order number in the payment gateway. Unique within the payment gateway.	de2ad073-79f5-7877-b600-69d00008e652
`orderStatus`	string	Order status in the payment system.	DEPOSITED
`acsUrl`	string	Redirect address to the address of the ACS server.	"https://test.paymentgate.ru/acs/auth/start.do"
`paReq`	string	Parameter to pass to ACS for authentication.	eJxVUk1zgjAQ/SsM95KEr1pnjUOLnXqgYxUvvVHYAVQ+DFDUX99EUeshM/t2N2/3vQSmXCV5mU70dfj+N
`termUrl`	string	URL to redirect the payer to after authentication.	"https://server/context/rest/finish3ds.do"
`redirect`	string	Return address after the payment.	"http://ya.ru?orderId=eb49300c-95b7-4dcd-9739-eee6c61f2ac4"
`is3DSVer2`	boolean	Flag indicating that the payment/transfer will be made using the 3DS Protocol version 2.0. The following values are available: true – the payment/transfer will be made using the 3DS Protocol version 2.0; false – the payment/transfer will not be made using 3DS Protocol version 2.0. This parameter is used for Customer authentication using the 3DS Protocol version 2.0.
`packedCReq`	string	Packed data of challenge request. This value should be used as the value of the `creq` parameter of the link to ACS (`acsUrl`), for redirecting the customer to ACS.
`status`	string	Indication of the status of the request processing result	SUCCESS
`threeDSServerTransId`	string	Transaction identifier created on the 3DS server. This parameter is used for Customer authentication using the 3DS Protocol version 2.0.
`threeDSMethodURL`	string	The URL address of the ACS to collect data about the browser. This parameter is used for Customer authentication using the 3DS Protocol version 2.0.
`threeDSMethodURLServer`	string	URL address of the 3DS server for connecting browser data to include in the AReq (Authentication Request) request from the 3DS server to the ACS server. This parameter is used for Customer authentication using the 3DS Protocol version 2.0.
`threeDSMethodDataPacked`	string	Base64-encoded CReq (Challenge Response) data to send to the ACS server. This parameter is used for Customer authentication using the 3DS Protocol version 2.0.

Response example:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache
{"errorCode":0,"mdOrder":"b8419699-7f19-744d-800f-e8b00008e652","orderStatus":"DEPOSITED","redirect":"https://test.com/release/merchants/sbersafe/finish.html?orderId=b8419699-7f19-744d-800f-e8b00008e652&lang=ru","status":"SUCCESS"}