FPX Payment
For partner
Preferred partner can have their own ID for processing payment. Merchant will use their own API credentials as usual.
Environment | URL | Method |
Sandbox | https://sandbox.securepay.my/api/v1/payments | POST |
Production | https://securepay.my/api/v1/payments | POST |
Using authentication parameter below:
| |
uid (Merchant API UID) | 2aaa1633-e63f-4371-9b85-91d936aa56a1 |
token (Merchant API Auth Token) | ZyUfF8EmyabcMWPcaocX |
Checksum Token | 159026b3b7348e2390e5a2e7a1c8466073db239c1e6800b8c27e36946b1f8713 |
Partner may have many merchants. The uid and token are merchant credentials, partner only need to supply their partner_uid only. While merchant need to use theirs. In some case, partner also can be a merchant.

Every partner will be issued one or more partner UID (partner_uid). SecurePay will identified partner account by using this identifier.
Parameter | Description | Condition | Example |
order_number | Unique order number generated by merchant end for reference. | Compulsory | 20200425132755 |
buyer_name | Valid buyer full name in one line. | Compulsory | AHMAD AMSYAR MOHD ALI |
buyer_email | Valid buyer email address for status update | Compulsory | |
buyer_phone | Valid buyer phone number e.g: +60123121989 | Compulsory | +60123121678 |
transaction_amount | Amount format: 100.20 , 1000.00, 7000.30 | Compulsory | 1540.40 |
product_description | Meaningful Product Description e.g.
| Compulsory | Payment for order no 20200425132755 |
checksum | Signed strings for verification. | Compulsory | 2cb338beae0859e....... |
token | API token | Compulsory | ZyUfF8EmyabcMWPcaocX |
callback_url | Server to server. Securepay platform will post the payment status. | Optional | |
redirect_url | Browser to browser, Securepay platform will post to the endpoint browser. | Optional | |
partner_uid | Partner UID value | Compulsory | c52853e0-24d6 ..... |
uid | API UID | Compulsory | 2aaa1633-e63f ...... |
redirect_post | Auto redirect to endpoint page. | Optional | true |
params | Send up to 18 values or parameters e.g: reference1_label and reference1 .. reference18_label and reference18 | optional | "params": {"reference1_label" : "Size", "reference1" : "XL", "reference2_label" : "IC No" , "reference2" : "830102035587" |
buyer_bank_code | Bank code generated from the banks list | Optional | MBB0228 |
shipping_address | Shipping address | optional | "shipping_address":{"contact_name":"John Doe John Kay", "contact_phone_number":"0133121999", "line1":"JLN UNGGUL 14/12","line2":"Bukit Harimau Belang", "postcode":"46000", "city":"Shah Alam","state":"Selangor"} |
billing_address | Billing address | optional | "billing_address":{"contact_name":"John Doe John Kay", "contact_phone_number":"0133121999", "line1":"JLN UNGGUL 14/12","line2":"Bukit Harimau Belang", "postcode":"46000", "city":"Shah Alam","state":"Selangor"} |
model | If not specify the platform will use B2C as default model. If using B2B1, set the model to B2B1. The FPX bank list also need to match with the model | optional | B2C or B2B1 |
fpx_bank_selection | If using securepay page for bank selection page. The bank selection can be displayed as dropdown or grid | optional | dropdown or grid |
cancel_url | SecurePay page for bank selection. If set the cancel URL. Button cancel will appear. | optional | e.g: https://yourdom.com/securepay_cancel?order_number=123123 |
timeout_url | SecurePay page for bank selection. if set the timeout URL. The page will timeout within 3 minutes | optional | e.g: https://yourdom.com/securepay_timeout?order_number=123123 |
B2C or B2B1 please set on the API settings inside SecurePay Apps. Other settings also can be set at the settings page.



Below is how to generate checksum parameter
- Arrange the parameter variables in ascending order as below (except partner_uid)
buyer_email|buyer_name|buyer_phone|callback_url|order_number|product_description|redirect_url|transaction_amount|uid
- Construct the parameter values string based on the position in point no 1.
[email protected]|AHMAD AMSYAR MOHD ALI|+60123121678||20200425132755|Payment for order no 20200425132755||1540.40|2aaa1633-e63f-4371-9b85-91d936aa56a1S
- Sign the string with checksum token using HMAC256
Ruby
PHP
string = "[email protected]|AHMAD AMSYAR MOHD ALI|+60123121678||20200425132755|Payment for order no 20200425132755||1540.40|2aaa1633-e63f-4371-9b85-91d936aa56a1"
checksum_token = "159026b3b7348e2390e5a2e7a1c8466073db239c1e6800b8c27e36946b1f8713"
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), checksum_token, string)
=> "5475e02fc8c9443c055eef6bca36b5b5b7999e36c14d9890c45409ea56c53942"
$string = "[email protected]|AHMAD AMSYAR MOHD ALI|0123121678||20200425132755|Payment for order no 20200425132755||1540.40|2aaa1633-e63f-4371-9b85-91d936aa56a1"
$checksum_token = "159026b3b7348e2390e5a2e7a1c8466073db239c1e6800b8c27e36946b1f8713"
$sign = hash_hmac('sha256', $string, $checksum_token)
=> "5475e02fc8c9443c055eef6bca36b5b5b7999e36c14d9890c45409ea56c53942"
Generate checksum from the above example:
75b54e403151b1e9b413df8ce5c426ef0dbbc9adcec58b8f5dd5c9c5c6b78844
Sending all parameters in Request Parameter Table to the payment URL by using post method
PHP
Rails
<?php
//Author: [email protected], [email protected]
//Org : SecurePay
//We need more contribution on sample codes. Email me.
if(isset($_POST['order_number']))
{
//Change with your token
$uid = '9097b595-b77a-4321-94c0-0a6d323b5252';
$checksum_token = 'f4e4f07afb72a56fc6681d652713522436b50f087306efec39ab7d1be5b8c684';
$auth_token = '5BXhsTmVmRBKkg6xizNB';
$partner_uid = 'ebeadaa9-024a-4803-8968-cca40814ba66';
$url = 'https://sandbox.securepay.my/api/v1/payments';
#$_POST['order_number'] = '20200425132755';
#$_POST['buyer_name'] = 'AHMAD AMSYAR MOHD ALI';
#$_POST['buyer_email'] = '[email protected]';
#$_POST['buyer_phone'] = '+60123121678';
#$_POST['transaction_amount'] = '10.00';
#$_POST['product_description'] = 'Payment for order no 20200425132755';
#$_POST['callback_url'] = "";
#$_POST['redirect_url'] = "";
#$_POST['token'] = $auth_token;
#$_POST['redirect_post'] = "true";
$order_number = $_POST['order_number'];
$buyer_name = $_POST['buyer_name'];
$buyer_phone = $_POST['buyer_phone'];
$buyer_email = $_POST['buyer_email'];
$product_description = $_POST['product_description'];
$transaction_amount = $_POST['transaction_amount'];
$callback_url = $_POST['callback_url'];
$redirect_url = $_POST['redirect_url'];
$redirect_post = "true";
if(isset($_POST['buyer_bank_code'])) {
$buyer_bank_code = $_POST['buyer_bank_code'];
}
//buyer_email|buyer_name|buyer_phone|callback_url|order_number|product_description|redirect_url|transaction_amount|uid
$string = $buyer_email."|".$buyer_name."|".$buyer_phone."|".$callback_url."|".$order_number."|".$product_description."|".$redirect_url ."|".$transaction_amount."|".$uid;
#echo $string . "\n";
#string = "[email protected]|AHMAD AMSYAR MOHD ALI|+60123121678||20200425132755|Payment for order no 20200425132755||1540.40|5d80cc30-1a42-4f9f-9d6b-a69db5d26b01"
#$string = "[email protected]|AHMAD AMSYAR MOHD ALI|0123121678||20200425132755|Payment for order no 20200425132755||1540.40|2aaa1633-e63f-4371-9b85-91d936aa56a1";
#$checksum_token = "159026b3b7348e2390e5a2e7a1c8466073db239c1e6800b8c27e36946b1f8713";
$sign = hash_hmac('sha256', $string, $checksum_token);
#echo $sign . "\n";
//
//echo $sign
//$hashed_string = hash_hmac($checksum_token.urldecode($_POST['product_description']).urldecode($_POST['transaction_amount']).urldecode($_POST['order_number']));
if(isset($_POST['buyer_bank_code'])) {
$post_data = "buyer_name=".urlencode($buyer_name)."&token=". urlencode($auth_token)
."&callback_url=".urlencode($callback_url)."&redirect_url=". urlencode($redirect_url) .
"&order_number=".urlencode($order_number)."&buyer_email=".urlencode($buyer_email).
"&buyer_phone=".urlencode($buyer_phone)."&transaction_amount=".urlencode($transaction_amount).
"&product_description=".urlencode($product_description)."&redirect_post=".urlencode($redirect_post).
"&checksum=".urlencode($sign)."&buyer_bank_code=".urlencode($buyer_bank_code)."&partner_uid=".urlencode($partner_uid);
}
else
{
$post_data = "buyer_name=".urlencode($buyer_name)."&token=". urlencode($auth_token)
."&callback_url=".urlencode($callback_url)."&redirect_url=". urlencode($redirect_url) .
"&order_number=".urlencode($order_number)."&buyer_email=".urlencode($buyer_email).
"&buyer_phone=".urlencode($buyer_phone)."&transaction_amount=".urlencode($transaction_amount).
"&product_description=".urlencode($product_description)."&redirect_post=".urlencode($redirect_post).
"&checksum=".urlencode($sign)."&partner_uid=".urlencode($partner_uid);
}
#echo $post_data. "\n";
// Generated by curl-to-PHP: http://incarnate.github.io/curl-to-php/
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_exec($ch);
$output = curl_exec($ch);
echo $output;
}