Introduction

This guide walks you through the complete integration process of EdfaPay’s Server-to-Server (S2S) Card Payment using the SALE action. The S2S SALE API allows merchants to charge cards securely with 3D Secure (3DS) redirection using a backend-to-backend call.

Endpoint

POST https://api.edfapay.com/payment/post

Content-Type: multipart/form-data

❗️
Security Note
All API requests must be sent over HTTPS to ensure data integrity and confidentiality.

Request Parameters

Field	Type	Required	Description
action	String	Yes	Transaction type. Use `"SALE"` for standard sale transactions.
client_key	String	Yes	Your unique merchant identifier issued by Edfapay.
order_id	String	Yes	Unique identifier for the transaction/order.
order_amount	Decimal	Yes	Amount to be charged (e.g., `0.11`).
order_currency	String	Yes	Currency code in ISO 4217 format (e.g., `SAR`).
order_description	String	Yes	Description of the order.
req_token	String	Optional	`"Y"` to request a tokenized transaction; `"N"` otherwise.
payer_first_name	String	Yes	First name of the customer.
payer_last_name	String	Yes	Last name of the customer.
payer_address	String	Yes	The email or address of the customer.
payer_country	String	Yes	Country code (e.g., `SA`, `UAE`).
payer_city	String	Yes	City of the payer.
payer_zip	String	Yes	ZIP or postal code of the payer. Max length:5 digit
payer_email	String	Yes	The email address of the customer.
payer_phone	String	Yes	The customer’s phone number with country code.
payer_ip	String	Yes	IP address of the Customer Must follow the format of IPv4 Example: XXX.XXX.XXX.XXX
term_url_3ds	String	Yes	URL that the customer is redirected to after completing 3D Secure authentication
auth	String	Optional	`"Y"` to authorize only, `"N"` for authorize+ capture (default).
recurring_init	String	Optional	`"Y"`If this transaction is a recurring initiation
hash	String	Yes	Secure hash for request authentication.
card_number	String	Yes	Customer's card number (PAN)
card_exp_month	String	Yes	Expiry month in MM format
card_exp_year	String	Yes	Expiry year in YYYY format
card_cvv2	String	Yes	CVV/CVC of the card

🚧
For order_id
Must be unique per transaction. Duplicate order_id may result in rejected or duplicated payments.

👍
payer_ip:
Ensure IP address is captured accurately for fraud prevention and 3D Secure validation.

📘
recurring_init and req_token:
Use "Y" only if initiating tokenization or recurring billing. These options are required for saved cards or subscriptions.

Hash Generation (Request Authentication)

To secure your API request, you must generate a hash using the request data and your secret merchant password. This hash ensures that the request is authentic and hasn’t been tampered with.

Formula

var password = "XXXXXXXXXXXXXX";
var cardNumber = "XXXXXXXXXXXXXXXX";
var email = "XXXXXXXXX@domain.com";

const ReverseString = str => [...str].reverse().join('');

var final = (ReverseString(email) + password + ReverseString(cardNumber.substr(0, 6) + cardNumber.substr(-4))).toUpperCase();
var finalHash = CryptoJS.MD5(final).toString();

❗️
Common Mistakes
Make sure to reverse the email and card segments correctly. Any mismatch between hash calculation on your side and our validation will cause the request to fail.

Notes:

password → Your secret hash key from EdfaPay.
cardNumber → The full card number entered by the customer.
email → The customer’s email used in hash generation.

Example cURL Request

curl --location 'https://api.edfapay.com/payment/post' \
--form 'client_key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"' \
--form 'order_id="TEST-XXXXXXXXXXX"' \
--form 'hash="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"' \
--form 'order_amount="0.11"' \
--form 'card_number="XXXXXXXXXXXXXXXX"' \
--form 'card_exp_month="XX"' \
--form 'card_exp_year="XXXX"' \
--form 'card_cvv2="XXX"' \
--form 'payer_phone="+XXXXXXXXXXX"' \
--form 'payer_country="SA"' \
--form 'payer_address="XXXXXX@domain.com"' \
--form 'action="SALE"' \
--form 'payer_zip="XXXXXX"' \
--form 'payer_ip="XXX.XX.XX.XXX"' \
--form 'order_currency="SAR"' \
--form 'payer_first_name="XXXXXX"' \
--form 'payer_city="XXXXXX"' \
--form 'auth="N"' \
--form 'payer_last_name="XXXXXX"' \
--form 'order_description="Test Order"' \
--form 'payer_email="XXXXXX@domain.com"' \
--form 'term_url_3ds="https://google.com/"' \
--form 'recurring_init="N"' \
--form 'req_token="N"'

curl --location 'https://api.edfapay.com/payment/post' \
--form 'client_key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"' \
--form 'order_id="TEST-XXXXXXXXXXX"' \
--form 'hash="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"' \
--form 'order_amount="0.11"' \
--form 'card_number="XXXXXXXXXXXXXXXX"' \
--form 'card_exp_month="XX"' \
--form 'card_exp_year="XXXX"' \
--form 'card_cvv2="XXX"' \
--form 'payer_phone="+XXXXXXXXXXX"' \
--form 'payer_country="UAE"' \
--form 'payer_address="XXXXXX@domain.com"' \
--form 'action="SALE"' \
--form 'payer_zip="XXXXXX"' \
--form 'payer_ip="XXX.XX.XX.XXX"' \
--form 'order_currency="AED"' \
--form 'payer_first_name="XXXXXX"' \
--form 'payer_city="XXXXXX"' \
--form 'auth="N"' \
--form 'payer_last_name="XXXXXX"' \
--form 'order_description="Test Order"' \
--form 'payer_email="XXXXXX@domain.com"' \
--form 'term_url_3ds="https://google.com/"' \
--form 'recurring_init="N"' \
--form 'req_token="N"'

❗️
Important Note — Hash Generation
The hash parameter included in the request body is dynamically generated for each request and must not be hardcoded.
The hash value is calculated using specific request parameters combined with your merchant secret key. Any change in the request data requires regenerating the hash before sending the request.
🔗 For detailed steps and the exact formula used to generate the hash, refer to the Hash Generation Section.

Response Example

{
  "action": "SALE",
  "result": "REDIRECT",
  "status": "REDIRECT",
  "order_id": "TEST-XXXXXXXXXXX",
  "trans_id": "XXXXXXXXXXXXXXXXXXXXXXXXX",
  "trans_date": "29-07-2025 11:44:35",
  "amount": "0.11",
  "currency": "SAR",
  "redirect_url": "https://pgapi.edfapay.com/s2s/collector/XXXXXXXXXXXXXXXXXXXXXXXXX",
  "redirect_params": {
    "body": "BASE64_ENCODED_JSON_STRING",
  },
  "redirect_method": "POST",
  "merchant_id": "Merchant_name"
}

{
  "action": "SALE",
  "result": "REDIRECT",
  "status": "REDIRECT",
  "order_id": "TEST-XXXXXXXXXXX",
  "trans_id": "XXXXXXXXXXXXXXXXXXXXXXXXX",
  "trans_date": "29-07-2025 11:44:35",
  "amount": "0.11",
  "currency": "AED",
  "redirect_url": "https://api.edfapay.com/payment/Collector/",
  "redirect_params": {
    "body": "UUID",
  },
  "redirect_method": "POST",
  "merchant_id": "Merchant_name"
}

action: The type of transaction performed (always SALE).
result: Tells you what to do next (REDIRECT means further action is needed).
status: Current transaction status (also REDIRECT here).
order_id: The order ID you sent in the original request.
trans_id: Unique transaction ID generated by EdfaPay (also used at the end of the redirect_url).
trans_date: The date and time of the transaction.
amount: The transaction amount.
currency: The currency used (e.g., SAR).
redirect_url: The URL to which you should send the next POST request.
redirect_params.body: Base64-encoded data to include in the POST request body.
redirect_method: HTTP method to use for the redirect (always POST).
merchant_id: Merchant Name.

Redirect to Collector

POST https://pgapi.edfapay.com/s2s/collector/{trans_id}

Content-Type: application/json

{
  "body": "BASE64_ENCODED_JSON_STRING"
}

Use the value from redirect_params.body received in the response on the Successful Response of the Sale API

📘
Important Note
The body must be sent exactly as received from redirect_params.body. It is Base64-encoded JSON that the collector uses to complete the transaction.

Response

This request will return an HTML page (3DS challenge, OTP, etc.) which must be rendered to the user. You can open this in:

A browser (web integration)
A WebView (mobile apps)