Allpay API Reference
API for Israel-based businesses. All requests are POST to https://allpay.to/app/?show=<endpoint>&mode=api12 with a JSON body. The show and mode parameters are passed in the URL query string — not in the JSON body — and are not included in the signature. Authentication uses your API login and a SHA256 signature.
Authentication
Every request must include two fields in the JSON body:
| Field | Type | Description | |
|---|---|---|---|
| login* | string | required | Your API login — found in Settings → Integrations |
| sign* | string | required | SHA256 signature of the request body (see algorithm below) |
Signature Algorithm
The signature is generated from the request parameters using your private API key.
- Remove the
signfield from the request. - Exclude all parameters with empty values (
"",null, missing). - Sort the remaining keys in alphabetical order (A–Z). Alphabetical sorting must be applied everywhere — to top-level parameters, to the
itemsarray, and to the keys inside each item. - From the sorted list, take only the parameter values and join them into a single string using a colon
:as the separator. - Append your API key to the end of the string, preceded by a colon.
- Apply the SHA256 algorithm to the final string.
null or 0 instead of an empty string, or omitting parameters from the signature function.Errors
All errors return HTTP 200 with a JSON body containing an error field:
{ "error": "Signature is incorrect" }
const crypto = require('crypto'); function allpaySign(data, apiKey) { const d = Object.fromEntries( Object.entries({...data}) .filter(([k, v]) => k !== 'sign' && v !== '' && v != null) ); const chunks = []; for (const key of Object.keys(d).sort()) { const val = d[key]; if (typeof val === 'string') { chunks.push(val); } else if (Array.isArray(val)) { for (const item of val) for (const k of Object.keys(item).sort()) if (typeof item[k] === 'string' && item[k]) chunks.push(item[k]); } } chunks.push(apiKey); return crypto .createHash('sha256') .update(chunks.join(':')) .digest('hex'); }
function allpay_sign(array $data, string $api_key): string { unset($data['sign']); $data = array_filter($data, fn($v) => $v !== '' && $v !== null); ksort($data); $chunks = []; foreach ($data as $val) { if (is_string($val)) { $chunks[] = $val; } elseif (is_array($val)) { foreach ($val as $item) { ksort($item); foreach ($item as $v) if (is_string($v) && $v !== '') $chunks[] = $v; } } } $chunks[] = $api_key; return hash('sha256', implode(':', $chunks)); }
import hashlib def allpay_sign(data: dict, api_key: str) -> str: d = {k: v for k, v in data.items() if k != 'sign' and v not in ('', None)} chunks = [] for key in sorted(d): val = d[key] if isinstance(val, str): chunks.append(val) elif isinstance(val, list): for item in val: for k in sorted(item): if isinstance(item[k], str) and item[k]: chunks.append(item[k]) chunks.append(api_key) return hashlib.sha256(':'.join(chunks).encode()).hexdigest()
Payments
Create payment links, check status, issue refunds.
Create Payment
The payment process follows three steps: (1) send a signed POST request to create a payment link, (2) redirect the customer to the returned payment_url, (3) receive a webhook notification at your webhook_url once payment is complete.
Parameters
| Name | Type | Description | |||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| login* | string | required | Your API login from Settings → Integrations | ||||||||||||||||||||||||||||
| order_id* | string | required | Unique order identifier in your system | ||||||||||||||||||||||||||||
| items* | array | required | List of products/services. Displayed in your Allpay account and on accounting documents. The total charge is calculated from item prices × quantities.
| ||||||||||||||||||||||||||||
| sign* | string | required | SHA256 signature | ||||||||||||||||||||||||||||
| currency | string | optional | The billing (settlement) currency — the currency in which the customer is charged and your account is settled. If your account does not have permission to process USD or EUR, the amount is automatically converted to ILS using Google Finance exchange rates. ILSUSDEUR | ||||||||||||||||||||||||||||
| currency_display | string | optional | The display currency shown to the customer on the payment page. The price values in the request must be provided in this currency — Allpay automatically converts the amount to the billing currency. Examples: CAD, AED, RUB. Full list of supported currencies → | ||||||||||||||||||||||||||||
| lang | string | optional | Payment page language. AUTOENHERUARESITDEFR | ||||||||||||||||||||||||||||
| button_title | string | optional | Text on the payment button. paydonatesubscribe | ||||||||||||||||||||||||||||
| doc_type | integer | optional | Document type for the invoice issued after payment. Default value is taken from your account settings. 320 — Tax Invoice Receipt400 — Receipt405 — Receipt for donation | ||||||||||||||||||||||||||||
| webhook_url | string | optional | After a successful or failed payment, Allpay sends a POST webhook with payment details to this URL. If not provided, the transaction will be visible only in your Allpay dashboard. | ||||||||||||||||||||||||||||
| success_url | string | optional | The customer is redirected to this URL after successful payment. If not provided, the customer is redirected to the default Allpay success page. | ||||||||||||||||||||||||||||
| backlink_url | string | optional | URL for the "Return to site" button displayed at the bottom of the payment page — allows the customer to return to your checkout. Note: there is no fail URL — payment errors are displayed directly on the payment page, prompting the customer to make a new attempt. | ||||||||||||||||||||||||||||
| inst | integer | optional | Max installment payments offered (1–12) | ||||||||||||||||||||||||||||
| inst_fixed | integer | optional | 0 — customer chooses from 1 up to the inst value1 — number of payments is fixed at the inst value; customer cannot change it | ||||||||||||||||||||||||||||
| allpay_token | string | optional | Charge a card using a saved token — the customer does not need to re-enter card details. When provided, the response returns status directly instead of payment_url. | ||||||||||||||||||||||||||||
| preauthorize | boolean | optional | If true, creates a J5 pre-authorization — the amount is reserved on the customer's card for up to 168 hours (7 days), but no charge is made. To collect the funds, a separate Charge Pre-auth request must be sent within this period. | ||||||||||||||||||||||||||||
| subscription | object | optional | Add to create a recurring subscription. See Create Subscription. | ||||||||||||||||||||||||||||
| client_name | string | optional | Customer's full name (any language). If not provided, the customer will be asked to enter it on the payment page. Required when using Hosted Fields integration. | ||||||||||||||||||||||||||||
| client_email | string | optional | Customer's email address. Used to send an invoice if a digital invoicing service is enabled. If not provided, the customer will be asked to enter it on the payment page. Required when using Hosted Fields integration. | ||||||||||||||||||||||||||||
| client_phone | string | optional | Customer's phone number. | ||||||||||||||||||||||||||||
| client_tehudat | string | optional | For private customers — Social ID (Tehudat Zehut); for companies — Company Number (Mispar Het Pey). Pass "000000000" to hide this field and skip the ID request for non-Israeli customers. | ||||||||||||||||||||||||||||
| show_applepay | boolean | optional | Show Apple Pay button (module must be active) | ||||||||||||||||||||||||||||
| show_bit | boolean | optional | Show Bit payment button (module must be active) | ||||||||||||||||||||||||||||
| add_field_1 | string | optional | Any additional data about the order or customer — returned unchanged in the webhook. | ||||||||||||||||||||||||||||
| add_field_2 | string | optional | Any additional data about the order or customer — returned unchanged in the webhook. | ||||||||||||||||||||||||||||
| expire | integer | optional | Unix timestamp when the payment link expires (default: 1 week) |
Response
Redirect flow (no allpay_token):
| Field | Type | Description |
|---|---|---|
| payment_url | string | URL to redirect the customer to |
Token payment flow (allpay_token provided):
| Field | Type | Description |
|---|---|---|
| order_id | string | Allpay order ID |
| status | integer | 0 = failed, 1 = successful |
curl https://allpay.to/app/?show=getpayment&mode=api12 \ -X POST \ -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "ORDER-001", "items": [{ "name": "Product A", "qty": 1, "price": 100, "vat": 1 }], "currency": "ILS", "webhook_url": "https://yoursite.com/webhook", "sign": "YOUR_COMPUTED_SIGN" }'
const crypto = require('crypto'); function allpaySign(data, apiKey) { const d = Object.fromEntries( Object.entries({...data}) .filter(([k, v]) => k !== 'sign' && v !== '' && v != null) ); const chunks = []; for (const key of Object.keys(d).sort()) { const val = d[key]; if (typeof val === 'string') chunks.push(val); else if (Array.isArray(val)) { for (const item of val) for (const k of Object.keys(item).sort()) if (typeof item[k] === 'string' && item[k]) chunks.push(item[k]); } } chunks.push(apiKey); return crypto.createHash('sha256').update(chunks.join(':')).digest('hex'); } const body = { login: 'your_login', order_id: 'ORDER-001', items: [{ name: 'Product A', qty: '1', price: '100', vat: '1' }], currency: 'ILS', webhook_url: 'https://yoursite.com/webhook' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const res = await fetch('https://allpay.to/app/?show=getpayment&mode=api12', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) }); const { payment_url } = await res.json();
function allpay_sign(array $data, string $api_key): string { unset($data['sign']); $data = array_filter($data, fn($v) => $v !== '' && $v !== null); ksort($data); $chunks = []; foreach ($data as $val) { if (is_string($val)) { $chunks[] = $val; } elseif (is_array($val)) { foreach ($val as $item) { ksort($item); foreach ($item as $v) if (is_string($v) && $v !== '') $chunks[] = $v; } } } $chunks[] = $api_key; return hash('sha256', implode(':', $chunks)); } $body = [ 'login' => 'your_login', 'order_id' => 'ORDER-001', 'items' => [[ 'name' => 'Product A', 'qty' => '1', 'price' => '100', 'vat' => '1' ]], 'currency' => 'ILS', 'webhook_url' => 'https://yoursite.com/webhook' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); $ch = curl_init('https://allpay.to/app/?show=getpayment&mode=api12'); curl_setopt_array($ch, [ CURLOPT_POST => true, CURLOPT_POSTFIELDS => json_encode($body), CURLOPT_HTTPHEADER => ['Content-Type: application/json'], CURLOPT_RETURNTRANSFER => true ]); $response = json_decode(curl_exec($ch), true); $payment_url = $response['payment_url'];
import hashlib, requests def allpay_sign(data: dict, api_key: str) -> str: d = {k: v for k, v in data.items() if k != 'sign' and v not in ('', None)} chunks = [] for key in sorted(d): val = d[key] if isinstance(val, str): chunks.append(val) elif isinstance(val, list): for item in val: for k in sorted(item): if isinstance(item[k], str) and item[k]: chunks.append(item[k]) chunks.append(api_key) return hashlib.sha256(':'.join(chunks).encode()).hexdigest() body = { 'login': 'your_login', 'order_id': 'ORDER-001', 'items': [{'name': 'Product A', 'qty': '1', 'price': '100', 'vat': '1'}], 'currency': 'ILS', 'webhook_url': 'https://yoursite.com/webhook' } body['sign'] = allpay_sign(body, 'YOUR_API_KEY') res = requests.post('https://allpay.to/app/?show=getpayment&mode=api12', json=body) payment_url = res.json()['payment_url']
Payment Webhook
After a payment, Allpay sends a POST request with JSON body to your webhook_url. Respond with HTTP 200 to acknowledge. Allpay makes up to 10 delivery attempts total — the first retry 1 minute after the initial failure, then with progressively increasing intervals, with the final attempt within 24 hours.
Payload Fields
| Field | Type | Description |
|---|---|---|
| order_id | string | Your order identifier |
| status | integer | 0 = unpaid / failed, 1 = successful |
| amount | number | Payment amount |
| currency | string | ILS / USD / EUR |
| inst | integer | Number of installment payments |
| card_mask | string | Masked card number, e.g. 465901******7049 |
| card_brand | string | Visa / Mastercard / AmEx / Diners |
| foreign_card | integer | 0 = local card (issued by an Israeli bank), 1 = foreign card |
| receipt | string | URL to the digital receipt. Generated only if the Receipts module is active in your Allpay account. |
| client_name | string | Customer name |
| client_email | string | Customer email |
| client_phone | string | Customer phone |
| client_tehudat | string | Customer Social ID (if provided) |
| add_field_1 | string | Custom data from request (unchanged) |
| add_field_2 | string | Custom data from request (unchanged) |
| sign | string | SHA256 signature — verify using your API key |
{ "order_id": "ORDER-001", "status": 1, "amount": 100.00, "currency": "ILS", "inst": 1, "card_mask": "465901******7049", "card_brand": "Visa", "foreign_card": 0, "client_name": "Joe Doe", "client_email": "[email protected]", "add_field_1": "your-data", "sign": "abc123..." }
$payload = json_decode(file_get_contents('php://input'), true); $received_sign = $payload['sign']; // Recompute signature to verify $expected = allpay_sign($payload, 'YOUR_API_KEY'); if ($payload['status'] === 1 && hash_equals($expected, $received_sign)) { // Payment confirmed — fulfill order fulfill_order($payload['order_id'], $payload['amount']); echo 'OK'; }
app.post('/webhook', (req, res) => { const payload = req.body; const expected = allpaySign(payload, 'YOUR_API_KEY'); if (payload.status === 1 && expected === payload.sign) { fulfillOrder(payload.order_id, payload.amount); } res.sendStatus(200); });
Check Payment Status
Check the status of a payment. Call at least 2 seconds after the payment attempt.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Order identifier |
| sign* | string | required | SHA256 signature |
Response
| Field | Type | Description |
|---|---|---|
| order_id | string | Order identifier |
| status | integer | 0 = unpaid, 1 = successful, 3 = refunded, 4 = partially refunded |
| amount | number | Payment amount |
| currency | string | Billing currency |
| inst | integer | Installment count |
| card_mask | string | Masked card number |
| card_brand | string | Card brand |
| foreign_card | integer | 0 = local card (issued by an Israeli bank), 1 = foreign card |
| receipt | string | URL to the digital receipt. Generated only if the Receipts module is active in your Allpay account. |
| client_name / email / phone / tehudat | string | Customer details |
curl https://allpay.to/app/?show=paymentstatus&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "ORDER-001", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'ORDER-001' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=paymentstatus&mode=api12 // $response['status']: 0=unpaid, 1=paid, 3=refunded, 4=partial refund
const body = { login: 'your_login', order_id: 'ORDER-001' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { status, amount, currency } = await (await fetch('https://allpay.to/app/?show=paymentstatus&mode=api12', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })).json(); // status: 0=unpaid, 1=paid, 3=refunded, 4=partial refund
Refund Payment
Issue a full or partial refund. Refunds are processed from your available withdrawal balance.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Order identifier |
| amount* | number | required | Total refund amount |
| sign* | string | required | SHA256 signature |
| items | array | optional | For partial refund: array matching original items count/order. Each object has one field: amount (string). Use "0" to skip an item. Amounts must be strings. |
Response
| Field | Type | Description |
|---|---|---|
| order_id | string | Order identifier |
| status | integer | 3 = fully refunded, 4 = partially refunded |
# Full refund — omit items curl https://allpay.to/app/?show=refund&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "ORDER-001", "amount": 100.00, "sign": "YOUR_COMPUTED_SIGN" }'
// Partial refund: 3 original items, refund only 2nd $body = [ 'login' => 'your_login', 'order_id' => 'ORDER-001', 'amount' => 200.0, 'items' => [ ['amount' => '0'], // item 1: skip ['amount' => '200'], // item 2: refund 200 ['amount' => '0'], // item 3: skip ] ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=refund&mode=api12
// Full refund const body = { login: 'your_login', order_id: 'ORDER-001', amount: '100.00' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { status } = await (await fetch('https://allpay.to/app/?show=refund&mode=api12', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })).json(); // status 3 = fully refunded, 4 = partially refunded
Subscriptions
Create and manage recurring billing. Currently, only monthly frequency is supported. Requires the Subscriptions module to be active on your account.
Create Subscription
Same as Create Payment but with an additional subscription object. Returns a payment_url for the customer to authorize the first charge. Subsequent charges happen automatically each month with webhooks sent for each.
subscription object
| Name | Type | Description | |
|---|---|---|---|
| start_type* | integer | required | When first charge occurs: 1 — immediately2 — specific date (start_date)3 — after N days (start_n) |
| start_date | integer | optional | Unix timestamp (required if start_type=2) |
| start_n | integer | optional | Number of days (required if start_type=3) |
| end_type* | integer | required | When subscription ends: 1 — infinite2 — specific date (end_date)3 — after N charges (end_n) |
| end_date | integer | optional | Unix timestamp (required if end_type=2) |
| end_n | integer | optional | Number of charges (required if end_type=3) |
Additional top-level parameter
| Name | Type | Description | |
|---|---|---|---|
| button_title | string | optional | Button text. Default for subscriptions is subscribe.subscribepaydonate |
curl https://allpay.to/app/?show=getpayment&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "SUB-001", "items": [{"name": "Monthly Plan", "qty": "1", "price": "49", "vat": "1"}], "currency": "ILS", "webhook_url": "https://yoursite.com/webhook", "button_title": "subscribe", "subscription": {"start_type": 1, "end_type": 1}, "sign": "YOUR_COMPUTED_SIGN" }'
const body = { login: 'your_login', order_id: 'SUB-001', items: [{ name: 'Monthly Plan', qty: '1', price: '49', vat: '1' }], currency: 'ILS', webhook_url: 'https://yoursite.com/webhook', button_title: 'subscribe', subscription: { start_type: 1, // immediately end_type: 1 // infinite } }; body.sign = allpaySign(body, 'YOUR_API_KEY');
$body = [ 'login' => 'your_login', 'order_id' => 'SUB-001', 'items' => [['name' => 'Monthly Plan', 'qty' => '1', 'price' => '49', 'vat' => '1']], 'currency' => 'ILS', 'webhook_url' => 'https://yoursite.com/webhook', 'subscription' => [ 'start_type' => 3, 'start_n' => 7, // first charge after 7 days 'end_type' => 3, 'end_n' => 12 // cancel after 12 charges ] ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=getpayment&mode=api12
body = {
'login': 'your_login',
'order_id': 'SUB-001',
'items': [{'name': 'Monthly Plan', 'qty': '1',
'price': '49', 'vat': '1'}],
'currency': 'ILS',
'subscription': {
'start_type': '1', 'end_type': '1'
}
}
body['sign'] = allpay_sign(body, 'YOUR_API_KEY')
# POST to https://allpay.to/app/?show=getpayment&mode=api12
Cancel Subscription
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Subscription order ID |
| sign* | string | required | SHA256 signature |
Response
| Field | Type | Description |
|---|---|---|
| status | integer | After cancellation, you can expect 4 (cancelled) or 2 (subscription was already completed — no cancellation needed). Full codes: 1 = active, 2 = completed, 3 = error, 4 = cancelled. |
curl https://allpay.to/app/?show=cancelsubscription&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "SUB-001", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'SUB-001' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=cancelsubscription&mode=api12 // status 4 = cancelled, 2 = already completed
const body = { login: 'your_login', order_id: 'SUB-001' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { status } = await (await fetch('https://allpay.to/app/?show=cancelsubscription&mode=api12', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })).json(); // status 4 = cancelled, 2 = already completed
Subscription Status
Get detailed status and full charge history of a subscription.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Subscription order ID |
| sign* | string | required | SHA256 signature |
Response
| Field | Type | Description |
|---|---|---|
| order_id | string | Subscription ID |
| status | integer | 1=active, 2=completed, 3=error (last charge failed, retry tomorrow), 4=cancelled |
| amount | number | Amount per charge |
| currency | string | ILS / USD / EUR |
| payments_n | integer | Number of successful charges |
| paid_total | number | Total amount charged |
| payments | array | Charge history: each item has ts (Unix timestamp), amount, receipt (URL) |
curl https://allpay.to/app/?show=subscriptionstatus&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "SUB-001", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'SUB-001' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=subscriptionstatus&mode=api12 // $response['status']: 1=active, 2=completed, 3=error, 4=cancelled // $response['payments_n'] — successful charges count // $response['paid_total'] — total charged amount
const body = { login: 'your_login', order_id: 'SUB-001' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { status, payments_n, paid_total } = await (await fetch('https://allpay.to/app/?show=subscriptionstatus&mode=api12', { method: 'POST', headers: {'Content-Type':'application/json'}, body: JSON.stringify(body) } )).json(); // status: 1=active, 2=completed, 3=error, 4=cancelled
List Subscriptions
Get a paginated list of subscriptions (100 per page).
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| sign* | string | required | SHA256 signature |
| status | integer | optional | Filter by subscription status. If omitted or set to 0, returns all subscriptions regardless of status. 0 — any1 — active2 — completed3 — error4 — cancelled |
| page | integer | optional | Page number to retrieve. If not provided, the first page is returned. Each page contains up to 100 subscriptions. |
Response
| Field | Type | Description |
|---|---|---|
| total_n | integer | Total subscriptions returned |
| next_page | integer | Next page number or 0 if no more |
| subscriptions | array | Each item: name, status, amount, currency, payments_n, paid_total, start_date, end_date, next_payment, client_name/email/phone/tehudat, add_field_1/2 |
curl https://allpay.to/app/?show=getsubscriptions&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "status": "1", "page": "1", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'status' => '1', // active only 'page' => '1' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=getsubscriptions&mode=api12 // $response['subscriptions'] — array of subscriptions // $response['next_page'] — 0 if no more pages
const body = { login: 'your_login', status: '1', page: '1' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { subscriptions, total_n, next_page } = await (await fetch('https://allpay.to/app/?show=getsubscriptions&mode=api12', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })).json();
Subscription Statistics
Statistical breakdown of subscriptions by status and currency.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| sign* | string | required | SHA256 signature |
Response
info array — each element contains:
| Field | Type | Description |
|---|---|---|
| status | integer | Subscription status group: 1 = active, 2 = completed, 3 = error, 4 = cancelled |
| total_n | integer | Total number of subscriptions with this status |
| per_currency | array | Breakdown by currency. Each item: currency (ILS / USD / EUR), total_n_currency (number of subscriptions in this currency), total_amount_currency (total monthly amount / turnover for subscriptions in this currency) |
curl https://allpay.to/app/?show=subscriptionsinfo&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=subscriptionsinfo&mode=api12 // $response['info'][0] = ['status' => 1, 'total_n' => 42, 'per_currency' => [...]]
const body = { login: 'your_login' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { info } = await (await fetch('https://allpay.to/app/?show=subscriptionsinfo&mode=api12', { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) })).json(); // info[0] = { status: 1, total_n: 42, per_currency: [{currency:'ILS', ...}] }
Tokens
Save a card without charging, then reuse it for future payments without requiring the customer to re-enter card details.
Capture Token Without Payment
Creates a card capture session. Returns a payment_url where the customer enters their card details — no charge is made. After capture, Allpay sends the token to your webhook_url.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Unique identifier in your system |
| items* | array | required | Items for display only (no charge). Only name field is required per item. |
| sign* | string | required | SHA256 signature |
| button_title | string | optional | Submit button text. submitsavesubscribepaydonate |
| lang | string | optional | Page language (AUTO, EN, HE, RU, AR, ES, IT, DE, FR) |
| webhook_url | string | optional | When a token is captured, Allpay sends a POST webhook containing the allpay_token to this URL. If not provided, the token will only be visible in your Allpay dashboard. |
| success_url | string | optional | The customer is redirected to this URL after the token is captured. If not provided, the customer is redirected to the default Allpay success page. |
| backlink_url | string | optional | URL for the "Return to site" button displayed at the bottom of the page. Note: there is no fail URL — errors are displayed directly on the page, prompting the customer to try again. |
| client_name / email / phone / tehudat | string | optional | Prefill customer fields |
| add_field_1 / add_field_2 | string | optional | Custom data — returned in webhook |
| expire | integer | optional | Unix timestamp when link expires (default: 1 week) |
API Response
| payment_url | string | Redirect the customer here |
Webhook (after customer submits card)
| Field | Type | Description |
|---|---|---|
| order_id | string | Your order ID |
| status | integer | 0 = failed, 1 = token captured |
| allpay_token | string | Token for future payments (when status=1) |
| card_mask | string | Masked card number |
| card_brand | string | Card brand |
| foreign_card | integer | 0 = local, 1 = foreign |
| client_name / email | string | Customer details |
| sign | string | Verify with your API key |
curl https://allpay.to/app/?show=capturetoken&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "TOKEN-001", "items": [{"name": "Save payment method"}], "button_title": "save", "webhook_url": "https://yoursite.com/token-webhook", "lang": "EN", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'TOKEN-001', 'items' => [['name' => 'Save payment method']], 'button_title' => 'save', 'webhook_url' => 'https://yoursite.com/token-webhook' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=capturetoken&mode=api12 // redirect to $response['payment_url'] // webhook receives { status:1, allpay_token:'...', card_mask:'...' }
const body = { login: 'your_login', order_id: 'TOKEN-001', items: [{ name: 'Save payment method' }], button_title: 'save', webhook_url: 'https://yoursite.com/token-webhook', lang: 'EN' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { payment_url } = await (await fetch('https://allpay.to/app/?show=capturetoken&mode=api12', { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) })).json(); // redirect customer to payment_url // webhook receives { status:1, allpay_token:'...', card_mask:'...' }
Get Token for Existing Payment
Retrieve a reusable token from a completed payment.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Order ID of the completed payment |
| sign* | string | required | SHA256 signature |
Response
| Field | Type | Description |
|---|---|---|
| order_id | string | Order identifier |
| allpay_token | string | Token for future payments |
| card_mask | string | Masked card number |
| card_brand | string | Card brand |
| foreign_card | integer | 0 = local, 1 = foreign |
curl https://allpay.to/app/?show=gettoken&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "ORDER-001", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'ORDER-001' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=gettoken&mode=api12 // $response['allpay_token'] — use in future getpayment calls
const body = { login: 'your_login', order_id: 'ORDER-001' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { allpay_token, card_mask } = await (await fetch('https://allpay.to/app/?show=gettoken&mode=api12', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })).json(); // pass allpay_token in future Create Payment calls
J5 / Pre-authorization
Reserve an amount on a card without charging it. The reservation is valid for 7 days (168 hours). You can charge an amount equal to or less than the reserved amount — but only once. To void a reservation without charging, call the Refund endpoint.
Pre-authorize (Reserve)
Same as Create Payment with preauthorize: true. Reserves the amount on the customer's card — no charge is made. Returns payment_url.
| preauthorize | boolean | Set to true |
curl https://allpay.to/app/?show=getpayment&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "J5-001", "items": [{"name": "Hotel reservation", "qty": "1", "price": "500", "vat": "1"}], "preauthorize": true, "webhook_url": "https://yoursite.com/webhook", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'J5-001', 'items' => [['name' => 'Hotel reservation', 'qty' => '1', 'price' => '500', 'vat' => '1']], 'preauthorize' => true, 'webhook_url' => 'https://yoursite.com/webhook' ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=getpayment&mode=api12 // redirect to $response['payment_url']
const body = { login: 'your_login', order_id: 'J5-001', items: [{ name: 'Hotel reservation', qty: '1', price: '500', vat: '1' }], preauthorize: true, webhook_url: 'https://yoursite.com/webhook' }; body.sign = allpaySign(body, 'YOUR_API_KEY');
Charge Pre-authorized Payment
Charge a reserved amount. Can only be done once, must not exceed the reserved amount, and must happen within 168 hours.
items field.Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login |
| order_id* | string | required | Order ID from the original pre-authorization |
| amount* | number | required | Amount to charge (≤ reserved amount) |
| sign* | string | required | SHA256 signature |
Response
| Field | Type | Description |
|---|---|---|
| order_id | string | Order identifier |
| status | integer | 0 = failed, 1 = successful |
| amount | number | Amount charged |
curl https://allpay.to/app/?show=runauthorizedpayment&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "your_login", "order_id": "J5-001", "amount": 450.00, "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'your_login', 'order_id' => 'J5-001', 'amount' => 450.00 // charge less than reserved ]; $body['sign'] = allpay_sign($body, 'YOUR_API_KEY'); // POST to https://allpay.to/app/?show=runauthorizedpayment&mode=api12
const body = { login: 'your_login', order_id: 'J5-001', amount: '450.00' }; body.sign = allpaySign(body, 'YOUR_API_KEY'); const { status } = await (await fetch('https://allpay.to/app/?show=runauthorizedpayment&mode=api12', { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) })).json();
Verify API Credentials
Verify that an API login + key pair is valid, without making a payment. Useful for onboarding flows where you're connecting a merchant's account.
Parameters
| Name | Type | Description | |
|---|---|---|---|
| login* | string | required | API login to verify |
| sign* | string | required | SHA256 signature generated with the API key |
Response (valid credentials)
| Field | Type | Description |
|---|---|---|
| last_paid_order_id | string | Last paid order ID, or "-1" if none |
| last_paid_order_date | string | Unix timestamp of last payment, or "-1" if none |
Response (invalid credentials)
{ "error": "Signature is incorrect" }
curl https://allpay.to/app/?show=checkkeys&mode=api12 \ -X POST -H "Content-Type: application/json" \ -d '{ "login": "their_login", "sign": "YOUR_COMPUTED_SIGN" }'
$body = [ 'login' => 'their_login' ]; $body['sign'] = allpay_sign($body, 'THEIR_API_KEY'); // POST to https://allpay.to/app/?show=checkkeys&mode=api12 // isset($response['error']) → invalid credentials
const body = { login: 'their_login' }; body.sign = allpaySign(body, 'THEIR_API_KEY'); const res = await (await fetch('https://allpay.to/app/?show=checkkeys&mode=api12', { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) })).json(); if (res.error) { // invalid credentials } else { // valid — res.last_paid_order_id }
Changelog
API updates, new endpoints and parameters, and breaking changes — in reverse chronological order.
API v12 released: support for donation receipts and donation payment buttons.
In light of the new reporting requirements for non-profit organizations in Israel, Allpay API v12 now supports two new parameters for payment creation.
doc_type
Document type for the document issued after payment. If not provided, the default value is taken from your account settings.
Available values: 320 — Tax Invoice Receipt, 400 — Receipt, 405 — Receipt for donation.
button_title
Text displayed on the payment button. Available values: pay (default), donate, subscribe.
This update allows non-profit organizations to create payments that issue the correct donation document and display a more suitable payment button for donation flows.
API v11 released. We've introduced several updates to improve flexibility and control over payments and card handling.
New capturetoken endpoint
Allows saving a customer's card without charging it. Works with both redirect flow and Hosted Fields.
Webhook error notifications
Webhook notifications are now sent to webhook_url in case of payment errors. The customer remains on the payment page, allowing them to retry with another card.
Webhook delivery and retries
Your server must return an HTTP 200 OK response to confirm successful receipt of a webhook. If any other status is returned, or the request fails due to a timeout or network error, Allpay will automatically retry delivery.
Allpay performs up to 10 delivery attempts in total. The first retry is made 1 minute after the initial failure. Subsequent retries are sent with progressively increasing intervals, with the final attempt occurring within 24 hours of the original request. If all delivery attempts fail, the webhook will be marked as failed and no further retries will be made.
Custom payment button text
You can now customize the payment button label using the new button_title parameter. Available options: "Pay" or "Donate".
The notifications_url parameter has been renamed to webhook_url. notifications_url remains valid and fully supported for all API versions below v10.
We've released API v10, introducing the new currency_display parameter. This parameter allows you to display prices to customers in one currency while charging in the billing currency. It helps show prices in a familiar currency for customers, while keeping settlement and payouts in the merchant's preferred currency.
No changes are required if you do not need multi-currency price display.
API version 9 introduces support for item-level discounts. Two new optional parameters have been added: discount_val — discount amount for the item, and discount_type — defines whether the discount is a fixed amount or a percentage. These parameters allow displaying the discount directly on the payment page and automatically deducting it from the item price.
Added new value 4 — partially refunded to the payment status parameter in responses to Refund requests and Payment status verification requests.
Added API Keys Verification endpoint that allows developers of various platforms integrating with Allpay to verify the validity and authenticity of a user's Allpay API login and key without initiating a payment.
Added support for partial refunds by introducing the optional items array in the refund request.
Introducing New J5 Transaction Flow. J5 is a two-step payment process used in Israeli payment systems. It begins with a pre-authorization (reservation) of funds on a customer's card for up to 168 hours (7 days). During this time, you can charge the reserved amount — fully or partially. If no charge is made, the funds are automatically released.
This is applicable for use cases like deliveries, rentals, variable-weight goods, or custom orders. Read more about J5 →
Allpay introduces Hosted Fields — a secure way to embed a payment form on a website or in an application, fully adapting it to your design. Tutorial →
Added a new parameter show_applepay to the payment request, allowing control over the Apple Pay button visibility on the payment page. The Apple Pay module must be activated in your account first. This parameter is useful in order to hide the button when creating a card token, as Apple Pay payments cannot be used for tokenization.
We're introducing two new tools for developers to test payments via API:
Allpay API Tester
With the Allpay API Tester, you can send requests for new payments, refunds, subscriptions, and other operations in both live and test modes, simulating requests from your server.
API Tag
Every transaction processed via the API is marked with an "API" tag in the Allpay dashboard. Clicking on the tag allows you to view the associated API request and response.
Language support updates. New lang parameter values:
AUTO — automatically sets the payment page language based on the client's browser settings. This is now the default value.
AR — added support for Arabic language.
If the lang parameter is not provided or set to AUTO, the payment page will automatically display in the client's browser language. Providing EN, RU, HE, or AR will display the payment page in that language for all clients, regardless of their browser settings.
A language switcher is now available on the payment page, allowing clients to change the language at any time, regardless of the initial lang parameter setting.
API updated to version 6.
New parameters introduced
items — an array containing product details, including names, quantities, prices, and VAT attributes. This information will appear in the Allpay app and in the digital invoice if digital invoice integration is enabled.
expire — a Unix timestamp that defines the lifetime of the payment link. Once the link expires, it becomes invalid for payment. This helps avoid situations where customers pay for products or services that are no longer available.
Removed parameters
name (product name) and amount (total payment amount).
Key changes
The items array replaces the need for the name and amount parameters. The final amount is calculated based on the prices and quantities provided in the items array. Using the vat parameter inside the items array, Allpay will either display the VAT amount on the payment page or indicate that VAT is not included.
Important: Prices provided in the items array must already include VAT (if applicable). The vat parameter is used only to specify whether VAT is included in the item's price or not. We do not add VAT on top of the prices.
The old API version will continue to function as before.
Added support for full or partial refunds via the API. See the Refund endpoint.
The new payment request parameter show_bit allows you to enable or disable the display of the Bit payment button on the payment page. The Bit module must be activated in your Allpay account first.
The receipt parameter is included in both payment notification and payment verification response. This parameter provides the URL to the digital receipt, which is generated by the EasyCount module when the module is activated in the account settings.
Please note that the request URL changed to ...api4.
Added new optional parameter for Payment Request: client_tehudat, representing the client's Social ID Number (Teudat Zehut). If provided, Allpay won't prompt the client for manual entry. If not provided, it will be requested on the payment page, as required by law. For non-Israeli citizens, submit 000000000.
fail_url parameter will no longer be applied because payment errors are displayed directly on the payment page, prompting the customer to make a new payment attempt.
New parameter added: backlink_url — a URL for the new "Return to site" button on the bottom of the payment page.
New parameters added in the responses for payment protocol, status verification and token requests: card_mask (example: 465901******7049), card_brand (example: Visa, Mastercard etc.) and foreign_card (issued in Israel or abroad).
Request URLs changed from ...api1 to ...api2.
Added endpoint for creating and using tokens.
When submitting the currency parameter in USD or EUR, the amount will be auto-converted to ILS on the Allpay side. Exchange rates are taken in real time from Google Finance.
Added payment verification method to check transaction status.
Test Cards
Enable test mode in your account settings, then use the card numbers below. Use any future date as the expiration date and any three digits for the CVV.
Card Numbers
| Brand | Number | Result |
|---|---|---|
| Visa | 4557430402053431 | ✓ Success |
| Mastercard | 5326105300985846 | ✓ Success |
| American Express | 375516193000090 | ✓ Success |
| Any brand | 4000000000000002 | ✗ Failure simulation |
Resources & Support
Tools, guides, and contact information to help with your integration.
Tools
| API Tester | Interactive tool to send API requests and inspect responses without writing code |
| Hosted Fields | Embed a PCI-compliant card input directly in your page without redirecting the customer |
Guides
| Webhooks Guide | How to configure per-integration webhook URLs — in addition to the webhook_url passed per request, you can set a fixed URL in your integration settings that Allpay will also notify after every payment |
| API Q&A | Answers to the most common integration questions |
| Currencies List | All supported currencies and their codes for currency / currency_display |
| J5 / Pre-auth Guide | In-depth explanation of the two-step pre-authorization flow |
| Token UI Recommendations | UX guidelines for building a saved-card interface using tokens |
Support & Updates
| [email protected] | Technical support over email |
| @allpay_israel | Technical support over Telegram |
| @allpay_api | Telegram channel to track API updates |