CCBill RESTful Transaction API
The primary function of CCBill's RESTful API is to enable merchants to create payment tokens and use them to charge customers.
CCBill's RESTful API allows you to take full advantage of CCBill's payment platform without utilizing CCBill's hosted payment forms.
With the API, you only need to ask customers for payment information once. For any subsequent transactions, you can use their tokenized data.
You can develop customer-facing and backend applications to access RESTful API resources programmatically and seamlessly integrate CCBill's payment processing solutions into payment flows.
Use the RESTful API to deliver an engaging and frictionless checkout experience regardless of the device or platform the customer is using.
Getting Started
Merchants need to build apps that capture customer payment data and send structured API calls to CCBill RESTful API endpoints. The API requests must be structured according to the CCBill RESTful API documentation.
Before proceeding with the API integration, merchants must open a payment processing account and register their apps with CCBill.
1. Open a CCBill Merchant Account
If you do not have a CCBill Merchant account, contact CCBill Sales or use the APPLY NOW button on our website.
CCBill employs a dedicated team of professionals to assist merchants and ensure that the onboarding process is completed with minimal friction.
The Merchant Support Service is available 24/7 and offers complete technical and administrative support regarding CCBill services.
2. Register App with CCBill
Before accessing the API, you need to register your application with CCBill Merchant Support and inform them you need a RESTful API setup on your merchant account.
Once the setup and registration are complete, the Merchant Support team will provide frontend and backend credentials.
These credentials are required to generate OAuth bearer tokens to authenticate and authorize your API requests.
In addition, the support team will set up a test account that allows you to test API calls and responses and optimize the RESTful API integration before going live.
The Payment Flow
1. Provide Payment Information
Customer payment details (such as the credit card number, expiration date, cardholder name, etc.) must be collected through a payment form.
Merchants can design custom payment forms and apps to capture this information and then forward the data in an API request to the correct endpoint.
To comply with banking regulations, your payment forms must display card logos for the accepted card schemes and payment methods.
The CCBill RESTful API uses the captured data to create a unique payment token.
- Do not process raw card details on your server. To remain PCI-DSS compliant, send payment details directly to CCBill without storing or logging them.
- Validate input fields. Ensure that credit card numbers, expiration dates, and CVVs follow CCBill's validation rules.
| NAME | DESCRIPTION |
|---|---|
| firstName | Customer's first name. |
| lastName | Customer's last name. |
| currencyCode | A three-digit currency code (ISO 4217 standard) for the currency used in the transaction. |
| amount | Transaction total. Should be value greater than 0. |
| address1 | Customer's billing address. If provided, it should be between 1 and 50 characters long. |
| address2 | Customer's address (line 2). If provided, it should be between 1 and 50 characters long. |
| postalCode | Customer's billing zip code. It should be a valid zip code between 1 and 16 characters long. |
| city | Customer's billing city. If provided, it should be between 1 and 50 characters long. |
| state | Customer's billing state. If provided, it should be between 1 and 3 characters long. |
| country | Customer's billing country. Should be a two-letter country code as defined in ISO 3166-1. |
| Customer's email. Should be a well-formed email address, max 254 characters long. | |
| phoneNumber | Customer's phone number. If provided, it should be a well-formed phone number. |
| ipAddress | Customer's IP address. |
| browserHttpUserAgent | Browser User-Agent header value. |
| browserHttpAccept | Browser Accept header value. |
| browserHttpAcceptEncoding | Browser Accept Encoding header value. |
| browserHttpAcceptLanguate | Browser Accept Language header value. |
| cardNumber | A valid credit card number. |
| expMonth | Credit card expiration month in mm format. Should be a value between 1 and 12. |
| expYear | Credit card expiration year in yyyy format. Should be a value between current year and 2100. |
| cvv2 | Card security code. Should be a 3-4 digit value. |
| nameOnCard | Name displayed on the credit card. Should be between 2 and 45 characters long. |
HTML Example
<form id="payment-form">
<input data-ccbill="firstName" />
<input data-ccbill="lastName" />
<input data-ccbill="amount" />
<input data-ccbill="postalCode" />
<input data-ccbill="country" />
<input data-ccbill="email" />
<input data-ccbill="cardNumber" />
<input data-ccbill="currencyCode" />
<input data-ccbill="expYear" />
<input data-ccbill="expMonth" />
<input data-ccbill="nameOnCard" />
<input data-ccbill="cvv2" />
</form>2. Generate CCBill OAuth Bearer Token
Frontend Bearer Token
Use your frontend credentials Merchant_ApplicationID:Secret_Key to generate a frontend bearer token. Include this token in the Authorization header of API requests when authenticating customers and creating payment tokens.
Backend Bearer Token
Use your backend credentials Merchant_ApplicationID:Secret_Key to request a backend bearer token. Include this token in the Authorization header of API requests that charge payment tokens to ensure only authorized backend systems can initiate transactions.
Please note that the credentials should be encoded using Base64 encoding. This step cannot be done from within the browser, you must make the call from your backend.
- Never expose API credentials on the front end. Always store your Merchant Application ID and Secret Key securely in server-side environment variables.
- Reduce API token attack surface. Execute calls to create a frontend OAuth token and a payment token in quick succession to minimize the risk of the access token being exposed to attackers.
- Use CSRF tokens for your front-end payment forms. Protect your front-end forms with CSRF tokens to prevent unauthorized form submissions.
Example Request
curl - POST 'https://api.ccbill.com/ccbill-auth/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Merchant_ApplicationID:Secret_Key ' \
--data-urlencode 'grant_type=client_credentials'3. Create a Payment Token
Use the frontend bearer token and payment details to request a payment token from CCBill's API.
You can initiate a request to the payment token endpoint by passing the necessary payment details and parameters to the relevant endpoint.
API Endpoint for Creating Payment Tokens
https://api.ccbill.com/payment-tokens/merchant-only-verifyWhile this step can be completed by making requests directly to our API endpoints, you can also use the CCBill Advanced Widget (JS library) to simplify the integration.
4. Charge Payment Token
After you receive a payment token ID, use it together with the backend bearer token to charge the customer's credit card.
Sending an API request to the /transactions endpoint allows you to charge a payment token or retrieve data on a charge.
Once the payment token has been charged, a webhooks HTTP POST notification will be triggered so that you can capture the transaction information. This webhooks event will be a “UpSaleSuccess”.
API Endpoint for Charging Payment Tokens
https://api.ccbill.com/transactions/payment-tokens/{payment_token_id}CCBill Advanced Widget
The CCBill Advanced Widget streamlines the frontend integration by handling API calls within a JavaScript function that runs directly on your webpage. Benefits include:
- Seamless Data Collection. Automatically retrieves and validates payment form data.
- Secure Data Handling. Payment details are sent directly to CCBill without passing through your server.
- Strong Customer Authentication (SCA). Customers can complete SCA directly within the browser, ensuring compliance with regulations like PSD2.
- 3DS Verification Support. The widget allows you to check whether 3D Secure (3DS) authentication is required and manipulate payment flows dynamically.
Use the CCBill Advanced Widget to integrate a non-3DS or 3DS payment flow.
Non-3DS Payment Flow
This is the primary method for generating a payment token using the CCBill Advanced Widget.
If you DO NOT require Strong Customer Authentication (SCA) or operate in regions where it is not mandatory, this is the only method you will need to integrate from your JavaScript code.
SCA is a set of rules that card issuers (banks or other financial institutions) need to adhere to when approving a card-not-present transaction.
To support strong customer authentication, merchants and payment processors have to capture and deliver customer data to the card issuer.
They need to integrate multi-factor authentication into the payment flow to ensure that online payments cannot be initiated without the payer's knowledge.
The decision to implement an SCA solution depends on where your business is registered and if you sell products and services in the European market:
- Non-European merchants that do not accept payments from European customers do not need to implement SCA unless required by local laws.
- Non-European merchants, such as US merchants who want to accept payments from European customers, are not required to adopt SCA, but it is highly recommended that they do so.
- European merchants that accept payments from European customers need to implement an SCA solution.
3DS Payment Flows
3D Secure is one of the most widely used security protocols for strong customer authentication. CCBill has implemented 3DS across its payment systems and is fully compliant with PSD2 regulations.
The 3D Secure protocol is not a prerequisite for accepting online payments. However, it is a cost-effective and easy-to-implement strong customer authentication (SCA) method.
Many countries are introducing legislation that makes SCA mandatory for card-not-present transactions. The most prominent example is the Revised Payment Services Directive (PSD2) in the European Economic Area.
The CCBill Advanced Widget helps you integrate 3DS into your payment flows and tokenize customer authentication results and payment information.
Select a payment flow that aligns with your business model and planned checkout process, then follow the outlined steps to generate payment tokens using the CCBill Advanced Widget.
You can use this approach to create payment tokens and charge customers in real-time while they are still in session.
If you run an e-commerce store or offer instant access to digital content or services, this flow enables seamless, one-click payments while maintaining security and compliance.
This flow is similar to the Create Payment Token (3DS) flow and is ideal for real-time transactions when the customer is in session and the charge amount is known upfront.
It combines 3DS authentication and payment token creation in a single step. This improves efficiency by reducing the number of API calls your system needs to make.
This method authenticates the cardholder and creates a payment token. The customer does not have to be in session when the token is later charged.
For example, you can generate a token when customers register on a website (i.e., for a free trial) and use it later to charge them for recurring subscriptions or one-time purchases.
Additional Documentation