All requests to the 株式会社ITO-Japan API are sent via HTTP to our endpoints.
Register as a merchant in our system. In your merchant dashboard you will find the option for API access key.
Example access key : 51a4bd18-5bc1-4eaa-97b0-c09323398883
The following example code enables you to initiate a payment,depending on how you structure it. The perameter details are also below.
| Param Name | Param Type | 概要 |
|---|---|---|
| custom | string | Identification of your end Required |
| amount | decimal | The amount you want to transaction Required |
| details | string | Purchase details String Max 255 |
| web_hook | string | Instant payment notification url Required |
| cancel_url | string | Payment cancel return url Required |
| success_url | string | Payment success return url Required |
| customer_email | string | Customer email address Required |
| access_key | string | Send access_key as bearer token with header Required |
<?php
$parameters = [
'custom' => 'DFU80XZIKS',
'currency_code' => 'USD',
'amount' => 280.00,
'details' => 'Digital Product',
'web_hook' => 'https://yoursite.com/web_hook.php',
'cancel_url' => 'https://yoursite.com/cancel_url.php',
'success_url' => 'https://yoursite.com/success_url.php',
'customer_email' => '[email protected]',
];
$url = 'https://payment.ito-japan.jp/payment/process';
$timestamp = time();
$body = json_encode($parameters);
$signature = hash_hmac('sha256', $timestamp . '.' . $body, $secret_key);
$headers = [
"Accept: application/json",
"Authorization: Bearer access_key",
"X-Timestamp: $timestamp",
"X-Signature: $signature",
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($parameters));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
?>
//Success Response.
{
"code": 200,
"status": "ok",
"payment_id": "AIYmQIOAz0GlmsjfhgiOeu304",
"message": "Your payment has been processed. Please follow the URL to complete the payment.",
"url":"https://payment.ito-japan.jp/process-checkout?payment_id=AIYmQIOAz0GlmsjfhgiOeu304"
}
//Error Response.
{
"code": 401,
"status": "error",
"message": "Invalid API credentials."
}
//WEBHOOK HEADER
"X-Timestamp: $timestamp",
"X-Signature: $signature",
//Client Can verify our webhook.
$timestamp = $_SERVER['HTTP_X_TIMESTAMP'];
$signature = $_SERVER['HTTP_X_SIGNATURE'];
$body = file_get_contents('php://input');
$secret_key = 'merchant側で事前共有したシークレット';
$expected_signature = 'sha256=' . hash_hmac('sha256', $timestamp . '.' . $body, $secret_key);
if (!hash_equals($expected_signature, $signature)) {
http_response_code(403);
exit('Invalid signature');
}
//Success Response.
{
"code": 200,
"status": "ok",
"payment_id": "AIYmQIOAz0GlmsjfhgiOeu304",
"transaction": "AIYmQIOAz0G",
"amount": 100.00,
"charge": 5.00,
"currency": "USD",
"custom": "BVSUZ545XCS",
"date" : "22-05-2022"
}
You can verify the payment whether it is valid or not. After successful payment transaction you will have the response where you find the Payment ID. With this payment id and your access key you need make a request to our server for verify the payment. Example code is below.
Payment verify end point : https://payment.ito-japan.jp/payment/check-validity
<?php
$parameters = [
'payment_id' => 'AIYmQIOAz0GlmsjfhgiOeu304',
]
$url = 'https://payment.ito-japan.jp/payment/check-validity';
$headers = [
"Accept: application/json",
"Authorization: Bearer access_key",
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $parameters);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
?>
//Success Response.
{
"code": 200,
"status": "ok",
"message": "Transaction is valid",
}
//Error Response.
{
"code": 401,
"status": "error",
"message": "Invalid API credentials."
}
//or
{
"code": 404,
"status": "error",
"message": "Transaction not found"
}
Use this flow for server-to-server communication from the merchant backend.
The merchant obtains an access token and uses it as Bearer token for /oauth/merchant/* endpoints.
| Item | Value |
|---|---|
| Token Endpoint | https://payment.ito-japan.jp/oauth/token |
| Grant Type | client_credentials |
| Auth Header | Authorization: Bearer {access_token} |
curl -X POST "https://payment.ito-japan.jp/oauth/token" \
-H "Accept: application/json" \
-d "grant_type=client_credentials" \
-d "client_id=YOUR_MERCHANT_CLIENT_ID" \
-d "client_secret=YOUR_MERCHANT_CLIENT_SECRET" \
-d "scope="
Example: Call merchant endpoints with the token:
curl -X GET "https://payment.ito-japan.jp/api/oauth/merchant/users/123/balance" \
-H "Accept: application/json" \
-H "Authorization: Bearer {access_token}"
All endpoints below require a Merchant OAuth access token (client_credentials).
| Method | Path | 概要 |
|---|---|---|
| POST | /api/oauth/merchant/users | Create User (belongs to this merchant) |
| PATCH | /api/oauth/merchant/users/{user}/profile | Update user profile (partial) |
| GET | /api/oauth/merchant/users/{user}/balance | Get user balance |
| GET | /api/oauth/merchant/users/{user}/transactions | Get user transactions |
| GET | /api/oauth/merchant/users/{user}/cards | List user cards |
| GET | /api/oauth/merchant/users/{user}/kyc | Get KYC form schema + existing values |
| PATCH | /api/oauth/merchant/users/{user}/kyc | Save KYC draft (partial) |
| PUT | /api/oauth/merchant/users/{user}/kyc | Save KYC full state (completeness check) |
| POST | /api/oauth/merchant/users/{user}/kyc/submit | Submit KYC (lock status) |
Security All /oauth/merchant/users/{user} routes must verify ownership by created_by_client_id == client_id.
Use this flow when the end-user authorizes access from an app.
Recommended
Use PKCE (no client_secret in mobile apps).
| Item | Value |
|---|---|
| Authorize Endpoint | https://payment.ito-japan.jp/oauth/authorize |
| Token Endpoint | https://payment.ito-japan.jp/oauth/token |
| Grant Type | authorization_code |
Step 1: Redirect user to authorize
https://payment.ito-japan.jp/oauth/authorize?
response_type=code&
client_id=YOUR_PUBLIC_CLIENT_ID&
redirect_uri=YOUR_REDIRECT_URI&
scope=&
state=RANDOM_STATE&
code_challenge=CODE_CHALLENGE&
code_challenge_method=S256
Step 2: Exchange code for token
curl -X POST "https://payment.ito-japan.jp/oauth/token" \
-H "Accept: application/json" \
-d "grant_type=authorization_code" \
-d "client_id=YOUR_PUBLIC_CLIENT_ID" \
-d "redirect_uri=YOUR_REDIRECT_URI" \
-d "code=AUTH_CODE_FROM_STEP1" \
-d "code_verifier=CODE_VERIFIER"
After obtaining access_token, call /oauth/user/* endpoints using Bearer token.
All endpoints below require a User OAuth access token (auth:passport_api).
| Method | Path | 概要 |
|---|---|---|
| GET | /api/oauth/user/me | Get current user |
| GET | /api/oauth/user/balance | Get my balance |
| GET | /api/oauth/user/transactions | Get my transactions |
| GET | /api/oauth/user/cards | List my cards |
| GET | /api/oauth/user/kyc | Get my KYC schema + values |
| PATCH | /api/oauth/user/kyc | Save my KYC draft (partial) |
| PUT | /api/oauth/user/kyc | Save my KYC full state |
| POST | /api/oauth/user/kyc/submit | Submit my KYC |
| POST | /api/oauth/user/cards/issue | Issue card |
| POST | /api/oauth/user/cards/sensitive | Get sensitive card info (recommended: last4 only) |
Following currencies are currently supported in our system. It may update furthur.
| Currency Name | Currency Symbol | Currency Code |
|---|---|---|
| United State Dollar | $ | USD |
| Japanese Yen | ¥ | JPY |
| SAKURAGUAMPOINT-USD | $ | SGP-USD |