The integration of Tosspay is as simple as its payment. Please refer to the diagram below for a better understanding before starting integration.
First, apply for a merchant through Inquire Contract. Once the application approval is completed, the merchant account is issued, and you can log into Toss merchant manager page to manage the store.
If you log into Toss merchant manager page, you can check the API Keys of the payment store (The API Key issued may be found in ‘Merchant Manager > Merchant Information’).
The issued store API Key is used as an authentication in every transaction such as payment generation/refund, etc.
If API Key is leaked to the outside, unwanted payment generation or refund may take place, resulting in financial losses for the store.
Please be cautious not to expose the API key on the website or to third parties outside.
There are two types of API Keys that are issued (for testing/ for actual transaction). These two Keys are different as the following.
Please be cautious.
Once testing is completed, please change it to ‘Key for Actual Transaction’ before resuming operation.
Toss Pay provides the operating environment for all and depending on the apiKey,
it is classified into testing or actual transaction.
If the service is released with the key for testing, there is the risk of the merchant not receiving the payment after providing the service to the customer for free although the customer makes payment successfully, so please check this carefully.
A customer takes a look at the ‘Toss Mall,’ selects a ‘Toss T-shirt’ worth 35,000 KRW, and requests payment. The Toss Mall should request ‘payment generation’ to the Toss payment server. Call the payment generation API as below.
The payment of the customer is requested as below.
curl https://pay.toss.im/api/v2/payments \ -H "Content-Type: application/json" \ -d '{ "orderNo":"1", "amount":25000, "amountTaxFree":0, "productDesc":"Toss T-shirt", "apiKey":"sk_test_w5lNQylNqa5lNQe013Nq", "autoExecute":true, "resultCallback":"https://YOUR-SITE.COM/callback", "retUrl":"http://YOUR-SITE.COM/ORDER-CHECK", "retCancelUrl":"http://YOUR-SITE.COM/close" }'import java.nio.charset.StandardCharsets; URL url = null; URLConnection connection = null; StringBuilder responseBody = new StringBuilder(); try { url = new URL("https://pay.toss.im/api/v2/payments"); connection = url.openConnection(); connection.addRequestProperty("Content-Type", "application/json"); connection.setDoOutput(true); connection.setDoInput(true); org.json.simple.JSONObject jsonBody = new JSONObject(); jsonBody.put("orderNo", "1"); jsonBody.put("amount", 25000); jsonBody.put("amountTaxFree", 0); jsonBody.put("productDesc", "Toss T-shirt"); jsonBody.put("apiKey", "sk_test_w5lNQylNqa5lNQe013Nq"); jsonBody.put("autoExecute", true); jsonBody.put("resultCallback", "https://YOUR-SITE.COM/callback"); jsonBody.put("retUrl", "http://YOUR-SITE.COM/ORDER-CHECK"); jsonBody.put("retCancelUrl", "http://YOUR-SITE.COM/close"); BufferedOutputStream bos = new BufferedOutputStream(connection.getOutputStream()); bos.write(jsonBody.toJSONString().getBytes(StandardCharsets.UTF_8)); bos.flush(); bos.close(); BufferedReader br = new BufferedReader(new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8)); String line = null; while ((line = br.readLine()) != null) { responseBody.append(line); } br.close(); } catch (Exception e) { responseBody.append(e); } System.out.println(responseBody.toString());$arrayBody = array(); $arrayBody["orderNo"] = "1"; $arrayBody["amount"] = 10000; $arrayBody["amountTaxFree"] = 0; $arrayBody["productDesc"] = "Toss T-shirt"; $arrayBody["apiKey"] = "sk_test_w5lNQylNqa5lNQe013Nq"; $arrayBody["autoExecute"] = true; $arrayBody["resultCallback"] = "https://YOUR-SITE.COM/callback"; $arrayBody["retUrl"] = "http://YOUR-SITE.COM/ORDER-CHECK"; $arrayBody["retCancelUrl"] = "http://YOUR-SITE.COM/close"; $jsonBody = json_encode($arrayBody); $ch = curl_init('https://pay.toss.im/api/v2/payments'); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST"); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonBody); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'Content-Type: application/json', 'Content-Length: ' . strlen($jsonBody)) ); $result = curl_exec($ch); curl_close($ch); echo "Response: ".$result;
As you can see in the above example, 9 setting values should be included and requested to Toss for ‘payment generation.’
As mentioned above, API Key should never be leaked.
Please be careful not to expose the content of payment requests on the web page.
If the requested payment generation is completed, Toss will reply as the following.
If any of these values is not delivered, please check ''Toss Firewall Setting' since it may be the issue of firewall.
{"code":0,"checkoutPage":"https://pay.toss.im/payfront/auth?payToken=test_token1234567890",
"payToken":"example-payToken"}code '0' means payment is ‘successfully’ generated. Otherwise, error codes and messages are delivered.
checkoutPage is the Toss Pay web page URL for processing payment. Please make sure this URL is displayed to the users in the store.
payToken is the eigenvalue of Toss that distinguishes transactions. Please manage the token cautiously since the transaction will be accessed through this unique value when processing payment and refund as well as identifying the status of the payment.
The process of Toss Pay is simple. You simply need to send the purchaser through 'checkoutPage' URL received in response at the moment payment is generated.
checkoutPage of the example above is the following (a different URL is issued for each payment).
https://pay.toss.im/payfront/auth?payToken=example-payTokenPlease pay attention to the following for transferring to checkoutPage URL.
The purchaser may proceed with payment after selecting the payment method through the Toss screen that is called.
From then on, Toss oversees the whole process up to payment authentication (if Toss Money is selected, top-up takes place after verifying account validity; for card payment, the cardholder’s identity is checked and then the card may be added).
This is the section in which the communication between Toss App and Toss server takes place.
If the customer is connected to the adequate URL, payment will proceed through the screen below.
Toss supports the app payment method.
For payments made in PC web browser, the payment push notification is sent to the user’s mobile phone.
Any follow-up authentication should be processed through Toss App. For security purpose, the web payment in the form of web keyboard is not provided.
As in the diagram below, if the customer enters the payment password properly, purchaser authentication is completed. Then, Toss sends the customer to 'retUrl' that is transferred when payment is generated.
When sending the customer to retUrl, order number (orderNo) and payment method (payMethod) are sent along with the authentication result (status) via query string parameter. The example is as follows.
For card payments, the payment card code (cardCompany) is returned to the authentication data below additionally, and for Toss Money payments, bank codes (bankCode) are returned.
http://YOUR-SITE.COM/ORDER-CHECK?status=PAY_COMPLETE&orderNo=1&payMethod=TOSS_MONEY&bankCode=38Please check the status value here.
Let’s take a look at the payment generation request in detail. The example below shows the code that used all the parameters supported by the payment generation API
curl https://pay.toss.im/api/v2/payments \
-H "Content-Type: application/json" \
-d '{
"orderNo":"1", # unique order number of Toss Mall (mandatory)
"amount":25000, # payment amount (mandatory)
"amountTaxFree":0, # nontaxable amount (mandatory)
"productDesc":"Toss T-shirt", # product information (mandatory)
"apiKey":"sk_test_w5lNQylNqa5lNQe013Nq", # store API Key (mandatory)
"retUrl":"http://YOUR-SITE.COM/ORDER-CHECK?orderno=1", # web URL to connect to after payment is completed (mandatory)
"retCancelUrl":"http://YOUR-SITE.COM/close", # web URL to connect to when payment is canceled (mandatory)
"autoExecute":true, # automatic authorization setting (mandatory)
"resultCallback":"https://YOUR-SITE.COM/callback", # payment result callback web URL (mandatory – if automatic authorization setting is true)
"callbackVersion":"V2", # callback version (mandatory – if automatic authorization setting is true)
"amountTaxable":22727, # payment amount out of taxable amount
"amountVat":2273, # VAT out of payment amount
"amountServiceFee":0, # service fee out of payment amount
"expiredTime":"2019-06-17 12:47:35", # scheduled time of payment expiration
"cashReceipt":true, # cash receipt issuance availability
}'Please send the following 9 values for requesting payment generation.
The specification supported by Toss for app payment is as follows. Please check the following.
✓ This function is for calling Toss App or moving to App store right after checking whether Toss App is installed or not when clicking ‘Pay by App.’
✓ Since the link above is directly called from the Toss Pay server, please make sure that the link above is permitted in the merchant’s app.
✓ For Android, Intent URI parsing of the merchant is necessary.
✓ Toss does not officially support iframe, but if Toss App is inevitably called by iframe, the app may not be called, or errors may occur, thus it is recommended to call it by opening a new screen.
You can set ‘the time up to when payment authorization may be processed after a payment is generated’ through this parameter. If the ‘payment on standby’ reaches the expiration date, it is automatically canceled in the Toss server.
Depending on the features of the product for sale or the store, you can set the expiration period as long or short.
The payment expiration period is 60 minutes at the maximum, and without any particular setting, it is set as 15 minutes by default.
It is feasible to set the availability of cash receipt issuance
Cash receipts cannot be issued for card payments or securities such as culture or department store gift cards, mobile coupons, etc. which are excluded from taxation, and only the payments made with cash equivalents such as Toss Money are subject to cash receipt issuance.
Toss Pay provides two options.
After purchaser authentication is completed, Toss immediately tries withdrawal, and depending on the method of completing payment and the stock, the merchant may become the subject of the ‘final authorization.’ Depending on the product sold at the payment store, two methods may be taken into account.
Refer to the following diagram.
If a certain amount to be processed as ‘nontaxable’ is included in the total payment amount, or if you would like to set the ratio differently for VAT and the service fee, use the ‘compound taxation’ parameter when payment is generated.
Toss checks only the total amount and the nontaxable amount mandatorily. If you need to select compound taxation, please set the 4 values, and the sum of those 4 values must be equal to the total payment amount. Otherwise, an error occurs.
The value set through the above parameter is reflected in the cash receipt as-is.
If the parameter value above is not set, it is processed automatically as the following.
However, for payments unavailable for issuing cash receipts (cashReceipt = false), it is processed as the following.
Payment may be processed after the stock is confirmed, in the ‘standby’ status in which purchaser authentication is completed.
The example below is the code that used some parameters supported by authorization API.
curl "https://pay.toss.im/api/v2/execute" \
-H "Content-Type: application/json" \
-d '{
"apiKey":"sk_test_w5lNQylNqa5lNQe013Nq", # Store API Key (mandatory)
"payToken":"example-payToken", # payment number (mandatory)
}'
There are 2 mandatory parameters of ‘payment authorization.’ Please notify ‘which payment’ is authorized at ‘which merchant.’
Returning a part of or the entire amount of the completed payment to the purchaser.
Immediately after the refund is completed, the requested amount is transferred to the account of the purchaser for the transaction paid with Toss Money, and authorization is canceled for the transaction paid with a credit card.
The following example is the code used from the parameters supported by the payment refund API.
curl "https://pay.toss.im/api/v2/refunds" \
-H "Content-Type: application/json" \
-d '{
"apiKey":"sk_test_w5lNQylNqa5lNQe013Nq", # store API key (mandatory)
"payToken":"example-payToken", # payment number (mandatory)
"amount":10000, # amount to be refunded (mandatory)
"amountTaxable":5000, # taxable amount of the amount to be refunded
"amountTaxFree":4000, # non-taxable amount from the amount to be refunded(mandatory)
"amountVat":500, # VAT of the amount to be refunded
"amountServiceFee":500 # service fee of the amount to be refunded
}'
There are four mandatory parameters of 'payment refund.' Please indicate ‘which transaction’ made at ‘which merchant’ needs a refund.
For a partial refund of the total paid amount, set this parameter value. If you do not set the amount, the entire amount will be refunded.
When the payment is generated, you must designate which amount you will request a refund for if you designated the specific composition of the amount (taxable amount/non-taxable amount/VAT/services fee).
The amount requested for a refund must be smaller than or equal to the ‘remaining payment amount’ and the sum of the specific amounts to be refunded must be equal to the entire refund amount (an error occurs if they do not match).
Use this parameter if you need to leave the reason for a refund. You can write up to 255 at the maximum.
The payment ‘status’ changes continuously as payment is generated and processed. Operating a store will require frequently identifying the status of a specific transaction (whether payment is processed well or canceled, or whether any refund request has been completed).
In such case, search ‘payment status confirmation API.’ For some cases, you can use it even if you do not receive any authorization or refund response.
The following example is the code for calling payment status confirmation API.
curl "https://pay.toss.im/api/v2/status" \
-H "Content-Type: application/json" \
-d '{
"apiKey":"sk_test_w5lNQylNqa5lNQe013Nq", # store API Key (mandatory)
"payToken":"example-payToken", # payment number (mandatory)
}'
There are 2 mandatory parameters. Please designate ‘which transaction’ you want to view from ‘which merchant.’
* You can use ‘store order number (orderNo)’ instead of 'payment token (payToken).'
You will receive the following response for a payment status confirmation request.
This is a part of the response, and please refer to payment status API for more details.
{
"code": 0, # response code
"payToken": "example-payToken", # payment token
"orderNo": "1", # order number of store
"payStatus": "PAY_COMPLETE", # payment status
"payMethod": "TOSS_MONEY", # payment method
"amount": 15000, # payment request amount
"transactions": [ # transaction list
{
"stepType": "PAY",
"transactionId": "3243c76e-4669-881b-33a3b82ddf49",
"transactionAmount": 15000,
"discountAmount": 300,
"pointAmount": 0,
"paidAmount": 14700,
"regTs": "2020-03-01 12:33:20"
}
],
"createdTs": "2020-03-01 12:33:04", # first payment request time
"paidTs": "2020-03-01 12:33:20" # time for payment completion
}
Each item has the following meanings.
The payment status shall be one of the following.
After a payment case is generated, the payment status is changed as payment is carried out, and for each payment status, the action that the seller or purchaser can request changes according to each payment status.
Please check detail here payment API > payment status.
| PAY_STANDBY | Payment on standby
The status in which a payment case is generated, and the purchaser’s payment is on standby. In this status, the purchaser or the merchant can cancel the payment. If the ‘expiration period’ is reached, it is automatically canceled. |
| PAY_APPROVED | Purchaser authentication complete
The status in which purchaser authentication for payment is completed and the final authorization of the merchant is on standby (When payment is generated, this phase comes up only if ‘autoExecute’ is set as false. If the payment ‘valid period expires’ in this status, it is automatically canceled.) |
| PAY_CANCEL | Payment cancelation
The contract of which the purchaser cancels payment before payment is completed or the valid period has expired (the case that is terminated without any transfer of the amount). |
| PAY_PROGRESS | Payment in progress
The status in which the purchaser authorized payment and the payment amount is withdrawn from the account of the purchaser. |
| PAY_COMPLETE | Payment complete
The status in which payment authorization and withdrawal of the purchaser or the merchant is completed properly. |
| REFUND_PROGRESS | Refund in progress
The entire or partial refund is in progress and other refunds cannot be carried out before it is completed. |
| REFUND_SUCCESS | Successfully refunded
The entire or partial refund is completed, and the refunded amount is deposited in the purchaser’s account. |
| SETTLEMENT_COMPLETE | Settlement complete
The paid amount is settled, and a refund is no longer available (a year has passed from the date of authorization or purchase confirmation). |
| SETTLEMENT_REFUND_COMPLETE | Refund settlement complete
The entire or partial refund is settled, and a refund is no longer available (a year has passed from the date of authorization or purchase confirmation, or the entire refund is settled) |
Call the payment token of the transaction for the sales slip that needs to be checked.
The call URL is as follows. Send the parameter for the call in the query string form.
https://pay.toss.im/payfront/web/external/sales-check?payToken=example-payToken&transactionId=12637496-8a46-488c-bc30-febded96656f✓ Only the credit card transaction can be checked. Check with cash receipt for payments made with Toss Money.
✓ Checking the sales slip requires additional authentication with the purchaser’s ‘birthday’ and ‘mobile phone.’
✓ Incomplete transactions such as payment on standby (PAY_APPROVED) or payment cancelation (PAY_CANCEL) cannot be checked.
✓ As the transaction code value is not a mandatory value, use it as an option value if you want to check a certain status.