3DS Card Payment

In this page, you will learn how to create payments through the 3DS card payment API in a few steps:

  • Collect your client's payment Information.
  • Trigger OPay 3DS card payment API with your collected information.
  • Handle the API Response.
  • Redirect your client to 3DS cashierUrl.
  • Redirect your client to returnUrl after the payment is completed and to cancelUrl when the payment is canceled.

it works as follows:

  1. Merchant will send 3DS Payment request with client information and returnURL to OPay.
  2. OPay will respond to the merchant with redirectURL to the Card Issuing Bank.
  3. Merchant will redirect the client to the bank by the given redirectURL.
  4. Card Issuing Bank will send the payment result to OPay.
  5. OPay will return the client to the merchant returnURL.

Collect your Client's Payment Information

Once your client's Payment information is ready, you will need to present your own payment details form. This form should collect:

  1. Product Information:
    • Name
    • Description

  2. Card Information:
    • CVV
    • Card Number
    • Card Expiry Year
    • Card Expiry Month

Create 3DS Card Payment

To test your 3DS Card Payment, you need to request using the POST method in our sandbox environment.

- Here is the request URL:




- Once you have a fully tested payment flow and you are ready for production, use the following production API endpoint URL instead




Request Parameters:

  1. Header: Authorization(API Calls Signature), MerchantId
                                Authorization    : Bearer {signature}
                                MerchantId       : 256612345678901

  3. Json object containing the transaction information:
                                    "cvv": "100",

HTTP POST parameters

Here is a detailed description for the parameters you need to complete the POST request:

Parameter type required Description
reference String required the unique merchant payment order number.
total Integer required Amount(cent unit).
currency String required Currency type.See full list here
cardNumber String required Card number.See test card
expiryYear String required Card expiry year[21,22,23...].
expiryMonth String required Card expiry month[01,02 ... 11,12].
cvv String required cvv.
cardHolderName String required Card holder name
enable3DS Boolean required Value must be true
callbackUrl String optional If you have sent callbackUrl through API, OPay will send callback notification to this callbackUrl. If you didn't send callbackUrl through API, you need to configure webhook url on the merchant dashboard, and OPay will send callback notification to this webhook url. See callback here
returnUrl String required The URL to which OPay cashier should return the payment processing response.
name String required product name.
description String required Product description.
country String required Country Code.Only support [NG]
payMethod String required Value must be [BankCard].
expireAt Integer optional Payment expiration time in minutes. Default 30.
userClientIP String optional user ip.
userId String optional the customer user id
userName String optional the customer user name
userMobile String optional the customer user mobile
userEmail String optional the customer user email
country String optional The two-character ISO-3166-1 alpha-2 country code. For example, US(required if USD payment).
postalCode String optional postalCode(required if USD payment).
state String optional the name of state(required if USD payment).
city String optional the name of city(required if USD payment).
address String optional address(required if USD payment).
firstName String optional firstName(required if USD payment).
lastName String optional lastName(required if USD payment).
mobileNumber String optional mobileNumber(required if USD payment).
email String optional email(required if USD payment).

An example of 3DS payment request is as follows :

                            class PaymentDsController
                                private $secretkey;
                                private $merchantId;
                                private $url;

                                public function __construct() {
                                    $this->merchantId = '281821110129700';
                                    $this->secretkey = 'OPAYPRV*******0187828';
                                    $this->url = 'https://testapi.opaycheckout.com/api/v1/international/payment/create';

                                public function test(){
                                    $data = [
                                        'amount' => [
                                            'currency' => 'NGN',
                                            'total' => 400
                                        'bankcard' => [
                                            'cardHolderName' => 'DAVID',
                                            'cardNumber' => '450875*******',
                                            'cvv' =>  '100',
                                            'enable3DS' => true,
                                            'expiryMonth' => '02',
                                            'expiryYear' => '26'
                                        'callbackUrl' => 'https://your-call-back-url.com',
                                        'country' => 'NG',
                                        'payMethod' => 'BankCard',
                                        'product' => [
                                            'description' => 'description',
                                            'name' => 'name'
                                        'reference' => '0412339891033312',
                                        'returnUrl' => 'https://your-return-url.com'
                                    $data2 = (string) json_encode($data,JSON_UNESCAPED_SLASHES);
                                    $auth = $this->auth($data2);
                                    $header = ['Content-Type:application/json', 'Authorization:Bearer '. $auth, 'MerchantId:'.$this->merchantId];
                                    $response = $this->http_post($this->url, $header, json_encode($data));
                                    $result = $response?$response:null;
                                    return $result;

                                private function http_post ($url, $header, $data) {
                                    if (!function_exists('curl_init')) {
                                        throw new Exception('php not found curl', 500);
                                    $ch = curl_init();
                                    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
                                    curl_setopt($ch, CURLOPT_URL, $url);
                                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
                                    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
                                    curl_setopt($ch, CURLOPT_HEADER, false);
                                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                                    curl_setopt($ch, CURLOPT_POST, true);
                                    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
                                    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
                                    $response = curl_exec($ch);
                                    $httpStatusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                                    if (200 != $httpStatusCode) {
                                        print_r("invalid httpstatus:{$httpStatusCode} ,response:$response,detail_error:" . $error, $httpStatusCode);
                                    return $response;
                                public function auth ( $data ) {
                                    $secretKey = $this->secretkey;
                                    $auth = hash_hmac('sha512', $data, $secretKey);
                                    return $auth;

                                # importing the requests library
                                import requests
                                # API Endpoint
                                URL = "https://testapi.opaycheckout.com/api/v1/international/payment/create"

                                # defining a params dict for the parameters to be sent to the API
                                PaymentData = {
                                    'reference'    : '12312321324',
                                    'amount': {
                                        "total": '400',
                                        "currency": 'NGN',
                                    'product': {
                                        "name": 'Iphone X',
                                        "description": 'xxxxxxxxxxxxxxxxx',
                                    'returnUrl'  : 'your returnUrl',
                                    'callbackUrl'  : 'your callbackUrl',
                                    'userClientIP' : '',
                                    'country' : 'NG',
                                    'cvv' : '123',
                                    'enable3DS' : 'true',
                                    'expireAt' : ':30',
                                    'expiryMonth' : '11',
                                    'expiryYear' : '25',
                                    'merchantName' : 'your merchant name',
                                    'payMethod' : 'BankCard',
                                # sending post request and saving the response as response object
                                status_request = requests.post(url = URL, params = json.dumps(PaymentData))

                                # extracting data in json format
                                status_response = status_request.json()
                                const request = require('request');
                                var sha512 = require('js-sha512');
                                const formData = {
                                      "cvv": "100",

                                var privateKey = "OPAYPRV*******0187828"

                                var hash = sha512.hmac.create(privateKey);
                                hmacsignature = hash.hex();
                                    url: 'https://testapi.opaycheckout.com/api/v1/international/payment/create',
                                    method: 'POST',
                                    headers: {
                                      'MerchantId': '256621051120756',
                                      'Authorization': 'Bearer '+hmacsignature
                                    json: true,
                                    body: formData
                                  }, function (error, response, body) {
                                    console.log('body: ')
                                curl --location --request POST 'https://testapi.opaycheckout.com/api/v1/international/payment/create' \
                                --header 'MerchantId: 256621051120756' \
                                --header 'Authorization: Bearer 38017496e*******2ab0297d1de8905cb7d85a043d9084254e61a8da6093b6f155550ff51891dca9f9889a' \
                                --header 'Content-Type: application/json' \
                                --data-raw '{
                                        "cvv": "100",
                            import com.google.gson.Gson;
                            import org.apache.commons.codec.binary.Hex;
                            import javax.crypto.Mac;
                            import javax.crypto.spec.SecretKeySpec;
                            import java.io.*;
                            import java.net.HttpURLConnection;
                            import java.net.URL;
                            import java.nio.charset.StandardCharsets;
                            import java.util.TreeMap;
                            import java.util.UUID;

                            public class PaymentDs {

                                private static final String privateKey = "OPAYPRV*******0187828";

                                private static final String endpoint = "https://testapi.opaycheckout.com";

                                private static final String merchantId = "256621051120756";

                                public static void main(String[] args) throws Exception {
                                    String addr = endpoint + "/api/v1/international/payment/create";
                                    Gson gson = new Gson();
                                    TreeMap order = new TreeMap<>();
                                    TreeMap amount = new TreeMap<>();
                                    amount.put("total",new Integer(400));
                                    TreeMap bankcard = new TreeMap<>();
                                    TreeMap product = new TreeMap<>();
                                    product.put("name","your product name");
                                    product.put("description","your product description");
                                    order.put("reference", UUID.randomUUID().toString());

                                    String requestBody = gson.toJson(order);
                                    String oPaySignature = hmacSHA512(requestBody, privateKey);

                                    URL url = new URL(addr);
                                    HttpURLConnection con = (HttpURLConnection)url.openConnection();
                                    con.setRequestProperty("Content-Type", "application/json; utf-8");
                                    con.setRequestProperty("Authorization", "Bearer "+oPaySignature);
                                    con.setRequestProperty("MerchantId", merchantId);
                                    OutputStream os = con.getOutputStream();
                                    byte[] input = requestBody.getBytes(StandardCharsets.UTF_8);
                                    os.write(input, 0, input.length);
                                    BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8));
                                    StringBuilder response = new StringBuilder();
                                    String responseLine = null;
                                    while ((responseLine = br.readLine()) != null) {

                                    //close your stream and connection

                                public static String hmacSHA512(final String data, final String secureKey) throws Exception{
                                    byte[] bytesKey = secureKey.getBytes();
                                    final SecretKeySpec secretKey = new SecretKeySpec(bytesKey, "HmacSHA512");
                                    Mac mac = Mac.getInstance("HmacSHA512");
                                    final byte[] macData = mac.doFinal(data.getBytes());
                                    byte[] hex = new Hex().encode(macData);
                                    return new String(hex, StandardCharsets.UTF_8);
                            using System;
                            using System.IO;
                            using System.Linq;
                            using System.Net;
                            using System.Text;
                            using Newtonsoft.Json;
                            namespace OPayRequest
                                public class Program
                                    static void Main(string[] args)
                                        PostJson("https://testapi.opaycheckout.com/api/v1/international/payment/create", new opay_request
                                            reference    = '12312321324',
                                            amount= {
                                                "total"= '400',
                                                "currency"= 'NGN',
                                            product= {
                                                "name"= 'Iphone X',
                                                "description"= 'xxxxxxxxxxxxxxxxx',
                                            returnUrl  = 'your returnUrl',
                                            callbackUrl  = 'your callbackUrl',
                                            userClientIP = '',
                                            country = 'NG';
                                            cvv = '123';
                                            enable3DS = 'true';
                                            expireAt = ':30';
                                            expiryMonth = '11';
                                            expiryYear = '25';
                                            merchantName = 'your merchant name';
                                            payMethod = 'BankCard';

                                    private static void PostJson(string uri, opay_request postParameters)
                                        string postData = JsonConvert.SerializeObject(postParameters);
                                        byte[] bytes = Encoding.UTF8.GetBytes(postData);
                                        var httpWebRequest = (HttpWebRequest) WebRequest.Create(uri);
                                        httpWebRequest.Method = "POST";
                                        httpWebRequest.ContentLength = bytes.Length;
                                        httpWebRequest.ContentType = "text/json";
                                        using (Stream requestStream = httpWebRequest.GetRequestStream())
                                            requestStream.Write(bytes, 0, bytes.Count());
                                        var httpWebResponse = (HttpWebResponse) httpWebRequest.GetResponse();
                                        if (httpWebResponse.StatusCode != HttpStatusCode.OK)
                                            string message = String.Format("GET failed. Received HTTP {0}", httpWebResponse.StatusCode);
                                            throw new ApplicationException(message);

                                public class opay_request
                                    public string reference { get; set; }
                                    public string returnUrl { get; set; }
                                    public string callbackUrl { get; set; }
                                    public string userClientIP { get; set; }
                                    public string expireAt { get; set; }
                                    public string country { get; set; }
                                    public string cvv { get; set; }
                                    public string enable3DS { get; set; }
                                    public string expireAt { get; set; }
                                    public string expiryMonth { get; set; }
                                    public string expiryYear { get; set; }
                                    public string merchantName { get; set; }
                                    public string payMethod { get; set; }
                                    public product product;
                                    public amount amount;
                                public class amount
                                     public string total { get; set; }
                                     public string currency { get; set; }
                            public class product
                                     public string name { get; set; }
                                     public string description { get; set; }



Header must contain the "Signature" and "MerchantId"

Signature is calculated using SHA-512 HMAC signed with your Private Key. See API Calls Signature section for more details.

3DS Card Payment Response

- Response Parameters:

the parameters contained in the response received whenever you call the 3DS payment API as a JSON Object.

                        "code": "00000",
                        "message": "SUCCESSFUL",
                        "data": {
                            "reference": "937102167",
                            "orderNo": "211004140885521681",
                            "nextAction": {
                                "actionType": "REDIRECT_3DS",
                                "redirectUrl": "https://testapi.opaycheckout.com/api/v1/international/transaction/3ds/e9f25ec9bd4139329aaa9ab784775220aed5ca97f9021578df2ab4287e0f8175"
                            "status": "PENDING",
                            "amount": {
                                "total": 400,
                                "currency": "NGN"
                            "vat": {
                                "total": 0,
                                "currency": "NGN"

- Here is a detailed description for the parameters received in the response:

Parameter type Description example
reference String Unique merchant payment order number. 937102167
orderNo String Unique Opay payment order number. 211004140885521681
actionType String Next action type, enum[REDIRECT_3DS] REDIRECT_3DS
redirectUrl String 3ds redirect url. https://testapi.opaycheckout.com/api/v1/international/transaction/3ds/e9f25ec9bd4139329aaa9ab784775220aed5ca97f9021578df2ab4287e0f8175
total Integer amount(cent unit). 400
currency String currency type.See full list here NGN
total Integer amount(cent unit). 10
currency String currency type.See full list here NGN
failureCode String fail error code. payment fail error code, not blank when status [FAIL/CLOSE]
failureReason String fail error message. payment fail error message, not blank when status [FAIL/CLOSE]

Error Handling

After submitting an API call to OPay, you receive a response back to inform you that your request was received and processed. A successful OPay API should return a status code 00, meanwhile, in a situation where any payment processing error occurred, you will receive an error code with a message to describe the reason of the error. A sample error response can be found below.

                            "code": "02004",
                            "message": "the payment reference already exists."

Depending on the HTTP status code of the response, you should build some logic to handle any errors that a request or the system may return. A list of possible potential error codes that you may receive can be found below.

Error Code Error Message
02000 authentication failed.
02001 request params not valid.
02003 payMethod not support.
02004 the payment reference already exists.
02002 merchant not configured with this function.
02007 merchant not available.
50003 service not available, please try again.

What's Next?

User Profile 12 messages

James Jones
Application Developer
Recent Notifications
Another purpose persuade Due in 2 Days
Would be to people Due in 2 Days
The best product Due in 2 Days