Payment Intents API
The API base URL is https://checkout.securepayapi.com. All requests use HTTPS.
Endpoints overview
Integrating with SecurePayAPI involves one server-side API call plus two browser-facing URLs:
| Method | URL | Used from | Purpose |
|---|---|---|---|
POST | /api/v1/payment-intents | Your server | Create a payment and get a client_secret |
GET | /embed?pk=sp_client_… | Browser (iframe) | Load the embedded checkout widget |
GET | /<productId> | Browser | Open a hosted checkout page |
The full flow:
your server ──POST /api/v1/payment-intents──▶ { client_secret }
│
└─ pass client_secret to the browser
│
browser ──GET /embed──▶ widget ──postMessage(client_secret)──▶ { success }
The /embed widget talks to its own internal endpoints to encrypt the card and run 3-D Secure — you don't call those directly. You only ever call POST /api/v1/payment-intents from your backend and listen for the widget's result messages.
Authentication
Authenticate server-to-server calls with your secret key as a Bearer token:
Authorization: Bearer sp_secret_…
Never call the API from the browser — the secret key must stay on your server.
Create a Payment Intent
POST /api/v1/payment-intents
Request body
| Field | Type | Required | Description |
|---|---|---|---|
amount | integer | yes | Amount in the smallest currency unit (cents). 1–99,999,999. |
currency | string | yes | Currency code. USD in v1. |
reference | string | no | Your own order reference. Up to 200 chars. |
metadata | object | no | Flat key–value object with string values. Up to 4 KB. |
externalid | string | no | An additional identifier of your own. Up to 200 chars. |
descriptor | string | no | Statement descriptor. 5–100 chars. |
description | string | no | Description of the purchase. 5–100 chars. |
theme | string | no | Checkout theme: light or dark. |
Example
curl https://checkout.securepayapi.com/api/v1/payment-intents \
-H "Authorization: Bearer sp_secret_…" \
-H "Content-Type: application/json" \
-d '{
"amount": 2000,
"currency": "USD",
"reference": "order_123",
"description": "Pro plan — annual",
"metadata": { "plan": "pro" }
}'
Response 200
{
"id": "abcdef0123456789abcdef01",
"client_secret": "pi_abcdef0123456789abcdef01_secret_…",
"amount": 2000,
"currency": "USD",
"status": "requires_payment"
}
Pass client_secret to the embedded checkout widget to collect payment. See Payment Intents for statuses and the client-secret lifecycle.
Errors
Errors return a non-2xx status and a JSON body:
{
"error": {
"type": "invalid_request",
"code": "...",
"message": "..."
}
}
type | When |
|---|---|
invalid_request | A parameter is missing or invalid |
authentication | The secret key is missing or invalid |
server | An unexpected error on our side |
The endpoint does not return CORS headers — it's designed to be called from your backend, not from a browser.