If you want to use Alipay sandbox to test the integration, see the sandbox handbook for details.
If you are still using the previous sandbox gateway https://openapi.alipaydev.com, please use the https://mapi.alipaydev.com/gateway.do gateway instead. This gateway adjustment is caused by a system difference between the Alipay international sandbox test environment and the Alipay domestic sandbox test environment.
For a GET request or POST request, if the value of request parameters contains special characters or Chinese characters, you need to URL encode values of all the parameters in the request URL.
For a POST request, you need to include the _input_charset field in the gateway URL. For example,if the value of request parameters contains Chinese characters, the gateway URL is: https://intlmapi.alipay.com/gateway.do?_input_charset=utf-8
Request parameters
Parameter
Type (length in bytes)
Description
Optional
Example
Basic Parameter
service
String
Service Name
N
create_forex_trade
partner
String(16)
Partner ID.
Composed of 16 digits beginning with 2088.
N
2088001159940003
_input_charset
String
The charset with which the request data is encoded.
UTF-8 is supported
N
UTF-8
sign_type
String
Signature method. The following are supported. Must be uppercase.
DSA, RSA, and MD5.
N
RSA
sign
String
Signature value.
N
e5815a4556db338ed237f7d3fd222184
notify_url
URL(200)
The URL for receiving asynchronous notifications after the payment is done.
Y
return_url
URL(200)
After the payment is done, the result is returned to this url via the URL redirect.
Y
Business Parameter
subject
String(255)
Brief description of the transaction. Special characters are not supported.
Note: The value of this field will be displayed to customers.
N
Baby cloth
body
String (400)
Detailed description about the goods. Special characters are not supported.
Y
Baby cloth in red, large size.
out_trade_no
String(64)
The unique transaction ID specified by the partner. If the id is duplicated with an earlier transaction’s out_trade_no, the payment will fail with a error message indicating that it is the duplicated payment.
N
PARTNER_TRANS_ID_113
currency
String(10)
The settlement currency code that the merchant specifies in the contract.
A floating number ranging 0.01~1000000.00. If total_fee is not null, it means the transaction uses foreign currency and the product price will be calculated in RMB based on the exchange rate.
Y
100.30
rmb_fee
Number(8,2)
Use this parameter to replace total_fee if partner wish to price their product in RMB.
If total_fee is used, rmb_fee should not be set. They are mutual exclusive.
Y
100.30
timeout_rule
String(10)
The default is 12h. Please contact Alipay Technical Support if you need to use other values. This parameter controls the valid time from login to completion.
Y
5m 10m 15m 30m 1h 2h 3h 5h 10h 12h.
order_gmt_create
Date
YYYY-MM-DD HH:MM:SS Please use Beijing time in order to sync up with Alipay system. This parameter can only be used with order_valid_time together in order to control the valid time from redirect to login.
Y
order_valid_time
String(5)
In seconds. Max value is 2592000. This parameter can only be used with order_gmt_create together in order to control the valid time. If the current time passes the time of order_gmt_create + order_valid_time, the payment transaction will be closed.
Y
3600
supplier
String(16)
Supplier’s name, for page display purpose.
Y
secondary_merchant_id
String(64)
A unique ID assigned by the partner to identify a secondary merchant. The ID can contain letters, numbers, and underscores. Note: This parameter is required for partners.
Y
A80001
secondary_merchant_name
String(64)
A name is shown in the Alipay Wallet and the reconciliation file to identify a secondary merchant. Note: This parameter is required for partners.
Industry classification identifier of sub-merchant which assigned by Alipay. Such like:
catering industry: 5812
department stores: 5311
lodging industry: 7011
taxi industry: 4121 Note: This parameter is required for partners.
Business type. 5 types are supported.
1: Hotel
2: AIR
3: Overseas study consulting
4: Sales of goods
5: Others, including all the other business types that do not fall into the above 4 categories. For example, mobile data service recharge, airport pick up service, etc.
If more than one type is involved, separate type values with vertical bar (|).
N
1|2|3|4|5 or 1
hotel_name
String
Hotel name that consists of numbers, letters, spaces, and special characters including ,.<>()[]/\-,. If more than one hotel name exists, separate values with vertical bar (|). Specify this field only when business_type is 1 (Hotel).
N
zlidu, sluhg-987, 889utng
check_in_time
Date
Check-in time. Format: yyyy-MM-dd. Timezone: GMT +8. Specify this field only when business_type is 1 (Hotel).
N
2018-10-20
check_out_time
Date
Check-out time. Format: yyyy-MM-dd. Timezone: GMT +8. Specify this field only when business_type is 1 (Hotel).
N
2018-10-22
flight_number
String
Flight number. If flight transfer exists, separate flight numbers with vertical bar (|). Specify this field only when business_type is 2 (AIR).
N
NWS 996|TWF 8854
departure_time
Date
Departure time. Format: yyyy-MM-dd HH:mm Timezone: GMT +8. If flight transfer exists, separate time values with vertical bar (|). Specify this field only when business_type is 2 (AIR).
N
2018-10-22 20:49
admission_notice_url
String
If business_type is 3 (Overseas study consulting), the URL of admission notice (image) must be specified.
N
https://www.iconfont.cn/search/index?test
goods_info
String
Goods information that includes SKU names and corresponding quantities, in the format of SKU_name^quantity. If more than one goods exists, separate values with vertical bar (|). Specify this field only when business_type is 4 (Sales of goods).
N
pencil^2|eraser^5|iPhone XS 256G^1
total_quantity
Number
Total quantities of all goods in one order. Specify this field only when business_type is 4 (Sales of goods).
N
8
other_business_type
String
If business_type is 5 (Others), specify the business type in details.
N
Airport pick up service
In case a merchant wishes to price their products in RMB, the merchant can put the CNY payment amount in the ‘rmb_fee’ field. In the same time, “total_fee” filed should be ignored. The payment amount will be displayed in RMB to the user.
The merchant should not change the value of the ‘currency’ field, which is the settlement currency which Alipay will pay the merchant in.
The “total_fee” or “rmb_fee” fields are mutually exclusive. One and only one of them should be used.
For the amount of charge in “total_fee” or “rmb_fee” field, the number should be in the form with 2 digits after the decimal point, for example, 100.30 USD. But for Japanese and Korean currency, the number should be 0 digit after the decimal point, like 1000 KRW and 1000 JPY. The system will return with exception for numbers in other formats, for example, USD 101.999.
If both order_gmt_create + order_valid_time and timeout_rule are passed, will use order_gmt_create + order_valid_time for order timeout control. Alipay suggests to use order_gmt_create + order_valid_time for order timeout control.
The merchant could not attach parameters to the “return_url”, and hoping them be passed by Alipay. Alipay will remove all extra parameters in the “return_url” field.
To verify whether all API requests and responses are correctly handled, and whether user experiences are as expected, you can test Alipay payment features integrated with your applications in sandbox environment before going live in the production environment.
Sandbox environment is an environment where you can mimic the characteristics of the production environment and create simulated responses from all APIs the application relies on before going live. You can make API tests based on your own requirements including making a transaction, cancel, or refund a transaction, and so on. Before you access the Alipay Sandbox Portal to start the test, you need to make some preparations. See Prerequisites for details.
Before you test Alipay payment features in sandbox, you need to get the following preparations:
Download the demo code. If you haven’t done this, see demo code.
Get an Alipay merchant account. If you don’t have one, watch the video below to get yourself an Alipay merchant account and a quick overview of Alipay sandbox portal.
Use the Alipay sandbox gateway for testing. The URL of the sandbox gateway is: https://mapi.alipaydev.com/gateway.do?
Alipay sandbox test accounts
There are two types of test account: merchant test account and buyer test account.
Merchant test accounts:
Find the merchant test account information in the Alipay sandbox portal under Sandbox Accounts > Merchant. More than one test accounts are provided, and the accounts are sorted by payment feature. Find the correct one to use according to the payment feature you want to test. For example, to test the Alipay Auto Debit feature, use the account information provided under Alipay Auto Debit.
Login password: Use this password to login to the Alipay for Business website in the sandbox environment.
Signature key: Only MD5 signature is supported in the sandbox environment. RSA signature is not supported at this time.
Use the buyer test account to login to the Alipay sandbox app.
The buyer test account information can be found in the Alipay sandbox portal under Sandbox Accounts > Buyer.
Account balance: You can click Top Up to top up the buyer test account.
Download the Alipay sandbox app
The Alipay sandbox app supports only Android at this time.
1) In the Alipay sandbox portal, click Alipay Sandbox App from the menu on the left.
2) Take one of the following steps:
Scan the QR code displayed on the page with a QR code reader on your Android device. This will download and install the sandbox app to your device.
Click the download link to download the sandbox app to your computer.
To log in to the Alipay sandbox app, use the buyer test account and login password that are provided in the portal under Sandbox Accounts > Buyer.
To generate a digital signature, normally a key is required to sign the data. You must prepare the MD5 private key or the RSA/DSA private and public key pair to generate and verify a digital signature.
MD5 sign type
MD5 private key is required for generating and verifying MD5 signatures. The MD5 secret key is the 32-byte string which is composed of English letters and numbers. You can log in to the Global Portal to view the private key:
Log in with your user ID.
Click My Technical Service and enter your payment password. If you don't know your payment password, please contact Global Merchant Business Support
Check your MD5 Key. For example, the following graphic is an example of an MD5 Key:
RSA/DSA sign type
An RSA/DSA key pair contains the private key and the public key. The private key is required for generating the signature, while the public key is used for verifying the signature. The following steps assume that you are using RSA sign type, similar steps applied for generating and uploading DSA key pair.
Generating the private/public key pair
Many tools can be used to generate the RSA key pair. The following example illustrates the steps to generate the RSA key pair by using OpenSSL.
Install OpenSSL
For linux system, use the following command:
sudo apt-get install openssl
For windows system, download and then install OpenSSL from OpenSSL site.
Generate RSA key pair.
For linux system, use the following command:
After that, you can see two files under current folder, rsaprivatekey.pem and rsapublickey.pem. The former is the private key and the latter is the public key.
Notes:
For Java developers, remove the header, footer, carriage return, and space from the pkcs8 private key output in the console.
After creating a private key with openssl, if you use JAVA, you need to transform the private key into PKCS8 format; if you use .NET or PHP, no need to transform the private key into PKCS8 format.
-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQWiDVZ7XYxa4CQsZoB3n7bfxLDkeGKjyQPt2FUtm4TWX9OYrd523iw6UUqnQ+Evfw88JgRnhyXadp+vnPKP7unormYQAfsM/CxzrfMoVdtwSiGtIJB4pfyRXjA+KL8nIa2hdQy5nLfgPVGZN4WidfUY/QpkddCVXnZ4bAUaQjXQIDAQAB-----END PUBLIC KEY-----
Exchange the public key
You need to exchange your public key with Alipay. Contact Global Merchant Technical Support and provide your PID and public key information. Alipay will then make configurations accordingly, and provide you Alipay public key.
For a transaction that has been successfully paid, the customer can request the merchant for refunding as long as the refunding period is still valid, and the merchant can make use of the refunding interface to complete the refunding, as illustrated.
For the integration of the refunding service, we would like to highlight:
The refunding service name is: alipay.acquire.overseas.spot.refund(REFUND);
To refund a transaction, the interface REVERSE is only applicable at the same day of the payment (GMT +8, Beijing time); on the other hand, the interface REFUND is applicable as long as the refunding period has not expired yet;
the refunding of a transaction can be full or partial, i.e. the refunding amount can respectively be the same as or less than the original transaction amount that has been paid; furthermore, for a transaction, multiple refunding request is allowed provided the sum of the amount of the multiple refunding request is less than or equal with the original transaction amount.
Except for "sign" and "sign_type", all other parameters used need to be signed.
Parameters without value don't need to be transmitted, nor to be included in the data to be signed;
At signing, the character set used to change the character into byte stream must be consistent with that specified in _input_charset;
If the parameter _input_charset is transmitted, it shall also be included in the data to be signed.
MD5 sign type
After the pre-sign string is generated:
Append the MD5 secret key to the pre-sign string to generate a new string.
Calculate the new string with the MD5 signature algorithm (by using the MD5 signature function).
The result 32-byte string is the signature, which is used as the value of the “sign” parameter.
RSA/DSA sign type
After the pre-sign string is generated, perform the following steps to generate the signature:
Use the RSA/DSA algorithm and the merchant private key to generate the signature.
Encode the signature to a string.
Then, use the string as the value of the “sign” parameter.
MD5 sign type
After receiving the character string of the response or notification from Alipay system, similar to the steps taken in Signing the data, append the MD5 secret key to the character string to generate a new string. Then, calculate this new string with the MD5 signature algorithm. After the 32-byte signature result string is generated, verify whether the value is equal to the value passed in the sign parameter. If Yes, the verification is passed.
RSA/DSA sign type
After receiving a response or notification, perform the following steps to verify the signature:
Use the RSA/DSA algorithm to calculate a message digest.
Use the RSA/DSA public key to de-sign the signature (the value of the sign field) to a message digest.
Compare the two message digests obtained in step 2 and step 3. If the digests are the same, then it indicates that the signed data has not been changed.
