Overview
Apcopay Hosted Fields provides a secure, PCI-compliant solution for collecting and tokenizing payment card details via an iframe. Merchants do not handle raw card data; instead, they receive a token to finalize payment server-side.
𧩠Integration Flow Summary
- Backend creates a session via /api/hostedfields/createsession.
- Frontend initializes the Hosted Fields iframe using the session token.
- User inputs card data directly into the iframe.
- Iframe tokenizes the card and returns a
CardToken. - Backend uses
CardTokenwith /api/hostedfields/pay to process the payment.
π API Endpoints
| Step | Endpoint | Method | Description |
|---|---|---|---|
| 1 | /api/hostedfields/createsession |
POST | Creates a session and returns SessionToken |
| 5 | /api/hostedfields/pay |
POST | Processes the payment using CardToken |
Please refer to following documentation for implementing the correct safeguards for Authentication and Payload Signature validation
You can find the full payload details at the following link.
π Hosted Fields Payment Flow β Explained
π Diagram: High-Level View
This diagram outlines the end-to-end Hosted Fields integration, from page load to final payment response. Each interaction represents a step required for secure, tokenized payment processing.
π Step-by-Step Flow Breakdown
| Step | Actor | Action | Purpose |
|---|---|---|---|
| 1 | Browser β Merchant | Loads checkout page | The customer initiates a checkout request, triggering the frontend to load. |
| 2 | Merchant β Apco Gateway | POST /api/hostedfields/createsession |
Merchant server requests a SessionToken to begin the HostedFields transaction. |
| 3 | Apco Gateway β Merchant | Returns SessionToken |
The gateway responds with a unique, time-bound session token. |
| 4 | Merchant β Browser | Sends token and UI | Token is embedded in the frontend with the payment form container. |
| 5 | Browser β IFrame | apcopay.hostedFields.create() |
The JS SDK initializes HostedFields in the merchantβs DOM. |
| 6 | IFrame β Apco Gateway | Loads HostedFields form | The iframe securely fetches and renders the card input UI. |
| 7 | Apco Gateway β IFrame | Returns UI form HTML | Hosted card form is returned and rendered inside the iframe. |
| 8 | IFrame β Browser | initialised() callback |
HostedFields notifies the parent page that the form is ready. |
| 9 | Browser | User submits form | The user clicks "Pay" or similar. |
| 10 | Browser β IFrame | apcopay.hostedFields.tokenise() |
JS SDK is asked to tokenize the card input. |
| 11 | IFrame β Apco Gateway | Secure tokenization call | The iframe securely sends card data for tokenization. |
| 12 | Apco Gateway β IFrame | Returns CardToken |
Sensitive card data is tokenized; only a token is returned. |
| 13 | IFrame β Browser | tokeniseSuccess(cardToken) |
The card token is sent to the parent browser window. |
| 14 | Browser β Merchant | POST /api/hostedfields/pay |
The token is submitted to the backend to process the payment. |
| 15 | Merchant β Apco Gateway | Executes payment transaction | Backend uses the token to authorize and capture funds. |
| 16 | Apco Gateway β Merchant | Returns payment result | Gateway responds with a result: Processed, Declined, or Redirect. |
| 17 | Merchant β Browser | Final UI response | The browser UI is updated or redirected based on payment result. |
π‘οΈ Key Considerations
- Security: The iframe is hosted from ApcoPay, ensuring no sensitive data passes through the merchantβs frontend or backend.
- Tokenization: Only a
CardTokenis used to complete the payment. - Whitelisting: The domain must be whitelisted by ApcoPay for iframe access to work correctly.
- Session Expiry: Tokens expire after 5 minutes or if the transaction is declined.
π§ Hosted Fields Technical Integration Guide
π Introduction
This guide provides technical instructions for integrating ApcoPay Hosted Fields, a secure, iframe-based solution for collecting and tokenizing payment card details without exposing sensitive data to the merchant's infrastructure.
This section covers the full lifecycle of a Hosted Fields transaction, including:
- Loading the Apcopay JavaScript SDK
- Creating a Hosted Fields session on the backend
- Initializing and rendering the payment fields securely in the browser
- Tokenizing card details using the JavaScript SDK
- Submitting the token to the backend for payment processing
The guide includes:
- Detailed sequence diagrams for the initialisation and payment flows
- Full integration steps with error handling
By following this guide, developers can implement a PCI-compliant card payment flow while maintaining a seamless checkout experience.
π₯ 1. Load the Hosted Fields Script
Place this script on the merchantβs checkout page to render the secure card form.
<script src="https://static.apcopay.tech/hostedjs/apcopay.js"></script>
π 2. Initialisation Flow
β Sequence Diagram: Initialise
π§ Frontend Example
<div id="card-form"></div>
<button id="pay-btn">Pay Now</button>
<script>
apcopay.hostedFields.create(
"SESSION_TOKEN_FROM_BACKEND",
"#card-form",
{
initialised: () => console.log("HostedFields ready"),
initialisedError: (type, message) => console.error(`${type}: ${message}`),
tokeniseSuccess: (cardToken) => {
fetch("/pay", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ cardToken })
});
},
tokeniseError: (type, message) => console.error(`Error: ${type} - ${message}`)
},
{
showSavedCards: true
}
);
document.getElementById("pay-btn").addEventListener("click", () => {
apcopay.hostedFields.tokenise();
});
</script>
π³ 3. Payment Flow
β Sequence Diagram: Pay
π Security & Production Notes
| Area | Description |
|---|---|
| Token Expiry | SessionToken expires after 5 minutes or upon decline. |
| Theme/Language | apcopay.hostedFields.setTheme('dark') & setLanguage('en'). |
| Retry Strategy | Re-create session token if expired. |
| Whitelist | Merchant origin must be whitelisted in ApcoPay. |