Documentation version 2.01, 03.10.2024

Here at Inbank we strive to help our partners sell more by simplifying purchases and making financing more accessible to customers. For exactly this reason we offer a number of sales financing solutions. Our most known credit offering is hire-purchase, also known as payment by installments.

There are several methods of how partners can integrate with Inbank, this document covers our e-POS solution. With Inbank e-POS, partners only need to add Inbank as a payment method and redirect clients to our environment, Inbank will take care of all the rest. After a successful financing process we will redirect the customer back to you.

Inbank e-POS is supplemented with Inbank Partner Portal where merchants can see detailed overview of submitted credit applications, create applications for customers and conduct contract withdrawals.

For any questions regarding the e-POS integration process, contact Inbank at integration@inbank.ee. We will be happy to help.

In general, the flow looks like this:

Inbank also sends server-to-server notification messages to ensure delivery of information about the payment session even if the customer does not return to the e-shop.

Inbank will provide a link to the detailed terms and conditions of credit, which can then be made available to customers.

The payment day of all credit installments is set automatically to the default system value.

Inbank API for partner integration (Partner API) is made available for the systems integration on request basis.

Inbank provides a separate environment for development and integration testing. The demo environment remains available during the later life cycle of our cooperation, after the integration on production environment has been launched. The demo and production environments are different, each having individual data sets.

Note that the access credentials and product codes are different in the production environment. You will be provided production specific information.

For testing purposes, the demo environment returns preconfigured decisions. For the Inbank Hire Purchase Estonia payment product, a positive decision is given for amounts 0 - 500, 15 000 - 16 000.

The credit application process may include an OTP code exchange via SMS. The demo environments do not send out SMS messages, but list them in the simulator available at: https://demo-sms.inbank.eu/. In the search field at the top of the page, you need to specify the phone number you have indicated in the credit application and click Search. The simulator will then list the messages sent to that number. Inbank will provide you with the credentials necessary to access the SMS simulator.

Before you can initiate a session, Partner API connectivity must be configured.

Inbank will provide you an API key, used for authentication, and a unique identifier of your shop, required for building API URLs (for example POST /shops/YOUR_SHOP_UUID/pos_sessions). The keys should remain private at all times.

The authentication process consists of the following two steps:

1. Merchant places the API key in the Authorization header of the request.
2. API server verifies the API key authenticity.

The easiest way to test that your API key is working correctly is to send a GET /ping request. On successful authentication API will respond with message: pong.

Authorization header must have the Bearer scheme and value of your API key, for example:

Authorization: Bearer e93174d3b9158a01c861c65fab0e7f96

In case of unsuccessful authorization, the system will return the following response:

{
    "error": [
        "unauthorized"
    ]
}

The HTTP header Content-Type application/json is expected in all requests, unless otherwise specified in the endpoint description. Example:

Content-Type: application/json

For the easiest integration we have designed the session status model to be similar to other payment channels that the e-shop integrates with.

The integration flow can be configured to require a final merchant-side confirmation step, before the credit application process is completed. This is somewhat similar to the credit card flows where the amount is first reserved on the credit card account (transaction is approved), and is later 'captured' after the merchant has completed the transaction.

This may be handy if the stock is limited and the merchant does not allocate stock items before it is ensured that the customer can get the credit. If the merchant does not send the final approval (i.e. items are out of stock, order can not be completed), the granted credit is not completed.

Inbank will send callbacks about changes to the credit contract status. Contracts can have the following statuses:

When initiating the payment session in Inbank Partner API the e-shop should provide 3 URLs:

• redirect URL - the URL to which the customer's browser will be redirected back after the customer has completed the credit application dialog. Regardless of the outcome of the credit application process, the customer is redirected here, even if the credit is not granted.
• cancel URL - the URL to which the customer's browser is redirected if the customer deliberately chooses to cancel the credit application dialog.
• callback URL - the URL to which Inbank will send server-to-server callback notifications on session status change events.

Inbank will send two callbacks, both with the same structure and content:

• First one is performed on redirect_url, via the customer's browser.
• Second one is server-to-server callback which ensures that the merchant receives the callback. It is done on callback_url.

Note that the first callback may not arrive if the customer does not press the "back to merchant" button, or if there are connectivity or technical problems at the customer's device/browser. Thus there is no guarantee that the first callback will arrive, or which one of the two callbacks will arrive first. Callback requests are lightweight triggers for initiating activities on the merchant side. They contain only minimal information.

To avoid processing accidental or malicious traffic to callback endpoints, the handlers should first verify the authenticity of the request. For more details, see the Callback authenticity validation chapter.

E-shop should process the incoming messages, at a minimum, in the following way:

• Validate the authenticity of the request, to avoid further processing of invalid traffic.
• Look up the pos_session identifier either from the incoming message, or from the internal database as it was persisted when the session was initiated.
• Inspect pos_session status and process the order payment status based on the pos_session state. If needed, you can also check the purchase reference.
• Redirect the user to the respective dialog, i.e. the “payment complete” page.

Both of the callbacks are sent as http POST requests, ("Content-Type" => "application/x-www-form-urlencoded"). The POST form has the following structure:

Request header

{"Content-Type":"application/x-www-form-urlencoded"}

Request body

message=%7B%22uuid%22%3A%223241a6d5-051b-415b-afc7-0a5aad115fcc%22%2C%22status%22%3A%22cancelled%22%2C%22
purchase_reference%22%3A%221234%22%7D&hmac=4c4686db2aac832dd2e001fdc02e2b4021dc5e49c064552215dab2ca9c564
9435562bc60e96b812ca8ea40223f500ced9c257541b43ab7fb482067c8bae7a963&timestamp=1553072069

The message contains minimal information, it is meant as a trigger to obtaining more detailed information over Partner API.

• uuid - POS session UUID.
• status - status of the POS session at the moment of message dispatch. For more details, see the State model chapter.
• purchase_reference - merchant side reference, i.e. order ID. For more details, see the Session initiation chapter.

We use message authenticity hash (HMAC) transported within the POST request form field hmac. To validate the message authenticity you need to calculate the verifying HMAC based on data from the request and your secret api_key, and compare the calculated HMAC with the HMAC value passed in the request.

Verifying HMAC is calculated as SHA512 HMAC, over the timestamp and message from the request, concatenated with . delimiter. Your shop API key is used as HMAC secret.

Pseudocode for example verifying HMAC calculation:

key = your_api_key;
req_timestamp = request[timestamp];
req_message = request[message];
req_data = req_timestamp+'.'+req_message;
v_hmac = hmac("sha512", key, req_data);

JavaScript example (Postman):

key = your_api_key;
req_timestamp = decodeURIComponent(request[timestamp]);
req_message = request[message];
req_data = req_timestamp + '.' + req_message;
v_hmac = CryptoJS.HmacSHA512(req_data, key);

PHP example:

$key = $settings->api_key;
$req_timestamp = $_POST['timestamp'];
$req_message = stripslashes($_POST['message']);
$v_hmac = hash_hmac('sha512', $req_timestamp . '.' . $req_message, $key);

This section lists the API request required for the integration with the Inbank e-POS system. The enlisted API requests are used in the following way:

1. The e-shop initiates a payment session using the POST /pos_sessions request. The response includes the uuid parameter which will then be used to link the credit application to the payment session. The redirect_url from the response indicates the link to which the client is to be redirected to complete the financing process.
   
   

   Please note: Inbank payment methods should be available only for cart values that are within the price range agreed with Inbank. If you would like to receive the price range and other details of your Inbank product over API, please use the GET /products endpoint.

   
   

2. The e-shop submits the credit application containing the information about the purchase and the client using the POST /applications request. The submitted data will be used to make the decision on the possibility and conditions of the credit offer.
   
   

3. The e-shop checks if the application has a decision from Inbank using the GET /applications request. As the decision process might take some time, the endpoint may need to be polled once a second for a maximum of 30 seconds. The response includes all the credit information necessary to display the offer to the customer..
   
   

4. The e-shop redirects the client to Inbank's e-POS environment. Here customers are guided through a number of dialogs to complete the financing of the purchase. After the e-POS dialogs, customers are redirected back to the e-shop.
   
   

5. The e-shop requests the details of the payment session to learn the identifier of the concluded contract, credit_contract_uuid, using the GET /pos_sessions request.
   
   

6. The e-shop checks the status of the credit contract using the GET /contracts request. If the contract has status activated, the financing of the purchase has been successful.

Additionally, e-shops can provide approximate credit calculations on their sites using the POST /calculations request.

The chart demonstrates the sequence in which the API requests should be applied to successfully initiate the payment session, redirect the customer to e-POS and later check the credit contract status to confirm that the financing has been successful.