Checkout Sessions
Embeddable checkout · Hosted payment pages · One-time & subscription payments · Saved cards & Google Pay
Summary
Checkout Sessions let merchants create secure, pre-configured payment sessions that customers complete through a RapidCents-hosted payment page (hosted mode) or an embedded iframe on the merchant’s website (embedded mode). In both modes, the customer enters their card details directly on the RapidCents-hosted form — your server and your frontend never handle or see card data.
Zero PCI scope for you. Card data is entered directly on the RapidCents-hosted checkout form. Whether you use hosted mode (full-page redirect) or embedded mode (iframe on your page), your servers never receive, process, or store card numbers, CVVs, or any sensitive payment data. RapidCents handles all card entry, tokenization, 3D Secure, and payment processing.
Checkout Sessions support card entry on RapidCents form, saved cards (card on file), and Google Pay. 3D Secure is automatically applied when enabled on the business. Sessions expire after 24 hours and enforce a maximum of 3 payment attempts.
Checkout Session Lifecycle
- Create — Merchant creates a checkout session via the API with amount, customer, URLs, and configuration. A unique
session_tokenandcheckout_urlare returned. - Present — For hosted mode, the customer is redirected to the checkout URL. For embedded mode, the checkout form loads in an iframe on the merchant’s page.
- Pay — Customer enters payment details directly on the RapidCents-hosted form (card, saved card, or Google Pay) and submits. 3D Secure step-up is triggered if enabled. The merchant’s server never receives card data.
- Complete — On approval, the session status changes to
COMPLETEDand payment status toPAID. The customer is redirected to thesuccess_urlwith thesession_tokenappended. - Verify — Merchant retrieves the session details via the API to confirm payment status and get transaction details.
Session Statuses
Session Status
PENDING
Session created, awaiting payment
COMPLETED
Payment flow finished (check payment_status for result)
EXPIRED
Session expired (24 hours elapsed)
CANCELLED
Session was cancelled by the merchant
FAILED
Maximum payment attempts exceeded
Payment Status
UNPAID
No successful payment yet
PAID
Payment approved successfully
FAILED
All payment attempts failed
UI Modes
| Mode | Description | Card Data Entry | Use Case |
|---|---|---|---|
hosted | Customer is redirected to a full-page RapidCents checkout page | Customer enters card on RapidCents page | Simple integration — no frontend work needed |
embedded | Checkout form loads in an iframe on your page | Customer enters card in RapidCents iframe | Seamless branded experience within your site |
In both modes, the merchant never collects card data. The customer enters their card details directly on the RapidCents-hosted form. In hosted mode, this is a full-page checkout on dashboard.rapidcents.com. In embedded mode, this is a secure iframe loaded from dashboard.rapidcents.com within your page. Your JavaScript, your page DOM, and your server never have access to card numbers, CVVs, or expiry dates.
Processing Flow
Hosted Mode
Embedded Mode
Authentication
All merchant-facing Checkout Session endpoints require OAuth 2.0 Bearer token authentication. Customer-facing (public) endpoints use the session token in the URL as an implicit access token.
| Scope | Auth Required | Details |
|---|---|---|
| Merchant API (create, list, details) | Yes | Bearer token + business ID in URL |
| Customer (Public) (view, pay) | No | Session token in URL acts as access token |
Required Headers
Authorization: Bearer {access_token}
Content-Type: application/json
Accept: application/jsonObtaining an Access Token
RapidCents uses OAuth 2.0 with the Password Grant and Refresh Token flows. You will receive the following credentials during merchant onboarding:
| Credential | Description |
|---|---|
| Client ID | OAuth application identifier |
| Client Secret | OAuth application secret |
| Access Token | Bearer token for API authentication (expires in 24 hours) |
| Refresh Token | Used to obtain new access tokens (long-lived) |
| Business UUID | Your business identifier used in all API paths |
Checkout session creation requires an OAuth client with a valid HTTPS redirect URL. The request Origin header, success_url, and cancel_url must match the registered OAuth redirect URL origin.
IP Whitelisting
Required: Before you can process any transactions, you must provide your server’s static IP address(es) to RapidCents for whitelisting. API requests from non-whitelisted IPs will be rejected.
RapidCents enforces IP-based access control on all payment processing endpoints. Only requests originating from your whitelisted server IPs are permitted to create checkout sessions and process payments.
How to Whitelist
- Identify your server IPs — Determine the static/elastic IP address(es) of the server(s) that will make API calls to RapidCents. If you use a load balancer or NAT gateway, provide the outbound IP.
- Submit to RapidCents — Provide your IP address(es) to the RapidCents integration team during onboarding or via your account manager.
- Confirmation — RapidCents will whitelist your IPs and confirm. You can then begin making API calls.
- Update when IPs change — If your server infrastructure changes and your outbound IP changes, contact RapidCents to update the whitelist before migrating.
You may whitelist multiple IPs (e.g., for redundancy, staging, and production). Each environment (staging and production) has its own whitelist. Contact RapidCents support to manage your whitelisted IPs.
| Environment | Base URL | Whitelist |
|---|---|---|
| Staging | https://uatstage00-api.rapidcents.com | Separate whitelist — add your dev/staging server IPs |
| Production | https://api.rapidcents.com | Separate whitelist — add your production server IPs |
OAuth Token Flow
Refresh Access Token
POST /api/oauth/token
Access tokens expire after 24 hours. Use the refresh token to obtain a new access token without re-authenticating.
POST /api/oauth/token
Content-Type: application/json
{
"grant_type": "refresh_token",
"refresh_token": "{your_refresh_token}",
"client_id": "{your_client_id}",
"client_secret": "{your_client_secret}",
"redirect_uri": "",
"scope": ""
}{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
"refresh_token": "def50200a3c2f7...",
"token_type": "Bearer",
"expires_in": 86400
}Store both the new access_token and refresh_token from the response. The previous refresh token is invalidated after use. Refresh proactively before expiry to avoid failed API calls.
Create Checkout Session
POST /api/{business_id}/checkout/create
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
amount_total | number | Yes | Total payment amount (min: 0.01) |
amount_subtotal | number | No | Subtotal before tax and discount |
amount_tax | number | No | Tax amount |
amount_discount | number | No | Discount amount |
currency | string | No | USD or CAD. Defaults to merchant’s currency. |
customer_id | string | Conditional | Customer UUID. Required if customer_email not provided. |
customer_email | string | Conditional | Customer email. Required if customer_id not provided. |
customer_name | string | No | Customer display name |
success_url | string | Yes | HTTPS URL for successful payment redirect |
cancel_url | string | Yes | HTTPS URL for cancellation redirect |
ui_mode | string | No | hosted (default) or embedded |
mode | string | No | payment (default) or subscription |
description | string | No | Payment description (max 255 chars) |
client_reference_id | string | No | Your internal reference ID |
metadata | object | No | Custom key-value pairs |
surcharge | boolean | No | Enable surcharge (must be configured on business) |
line_items | array | Conditional | Required when mode is subscription |
discounts | array | No | Discount details |
billing_address_collection | string | No | auto or required |
shipping_address_collection | string | No | auto or required |
consent_collection | object | No | Consent requirements |
subscription | object | Conditional | Required when mode is subscription |
When amount_subtotal is provided: amount_total = amount_subtotal + amount_tax − amount_discount. Maximum 10 line items per session.
POST /api/{business_id}/checkout/create
Content-Type: application/json
Authorization: Bearer {access_token}
{
"amount_total": 150.00,
"amount_subtotal": 130.00,
"amount_tax": 20.00,
"currency": "CAD",
"customer_email": "[email protected]",
"customer_name": "John Doe",
"success_url": "https://yoursite.com/success",
"cancel_url": "https://yoursite.com/cancel",
"ui_mode": "hosted",
"description": "Order #1234",
"line_items": [
{ "name": "Widget Pro", "quantity": 2, "unit_amount": 50.00, "total": 100.00 },
{ "name": "Premium Support", "quantity": 1, "unit_amount": 30.00, "total": 30.00 }
],
"billing_address_collection": "required",
"metadata": { "order_id": "1234" }
}{
"ok": true,
"message": "Checkout session created successfully",
"status": "PENDING",
"checkout_session": {
"id": "session-uuid",
"token": "a1b2c3d4e5f6...64chars",
"checkout_url": "https://dashboard.rapidcents.com/customer/checkout/a1b2c3...",
"session_status": "PENDING",
"payment_status": "UNPAID",
"amount_total": 150.00,
"currency": "CAD",
"expires_at": "2026-06-09T12:00:00.000000Z",
"ui_mode": "hosted",
"success_url": "https://yoursite.com/success",
"cancel_url": "https://yoursite.com/cancel"
},
"transaction": null
}Line Items
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Item name (max 255 chars) |
quantity | integer | Yes | Quantity (min: 1) |
unit_amount | number | Yes | Unit price (min: 0.01) |
total | number | Yes | Line total (quantity × unit_amount) |
image | string | No | Product image URL |
Subscription Mode
{
"amount_total": 49.99,
"customer_email": "[email protected]",
"success_url": "https://yoursite.com/success",
"cancel_url": "https://yoursite.com/cancel",
"mode": "subscription",
"line_items": [
{ "name": "Pro Plan", "quantity": 1, "unit_amount": 49.99, "total": 49.99 }
],
"subscription": {
"interval": "Monthly",
"start_date": "2026-07-01",
"name": "Pro Plan Monthly"
}
}Subscription Intervals
| Interval | Frequency |
|---|---|
Weekly | Every week |
Bi-Weekly | Every 2 weeks |
Monthly | Every month |
Quarterly | Every 3 months |
Twice a year | Every 6 months |
Annual | Every year |
Get Checkout Session Details
GET /api/{business_id}/checkout/{session_token}/details
Retrieve full session details including transaction information after payment. Use this endpoint on your success_url page to verify the payment.
{
"ok": true,
"status": "COMPLETED",
"checkout_session": {
"session_status": "COMPLETED",
"payment_status": "PAID",
"amount_total": 150.00
},
"transaction": {
"code": "AA",
"message": "Approved Transaction (Auths / Reversals)",
"receiptID": "receipt-uuid",
"transactionID": "transaction-uuid",
"details": {
"association": "Visa",
"amount": 150.00,
"issuer_reference": "ref-123456",
"source": "checkout_session"
}
}
}List Checkout Sessions
GET /api/{business_id}/checkout-sessions
Returns a paginated list of checkout sessions with optional filters.
| Parameter | Type | Description |
|---|---|---|
fromDate | date | Filter from this date |
toDate | date | Filter up to this date |
customer | string | Search by customer name or email |
status | string | Filter by session status |
perPage | integer | Results per page (default: 10) |
Internal Checkout Endpoints: The following public endpoints are used internally by the RapidCents checkout form (hosted page or embedded iframe). You do not need to call these from your server or frontend — they are documented here for reference only. Card data is submitted directly from the RapidCents-hosted form to the RapidCents API, never through your systems.
Get Session Data (Internal)
GET /api/checkout/{session_token}/data
Used by the RapidCents checkout form to load session details, business info, saved cards, and 3DS configuration. No authentication required (session token in URL acts as implicit access).
Create Customer for Session (Internal)
POST /api/checkout/{session_token}/customer
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Customer full name (max 255) |
email | string | Yes | Customer email |
phone | string | No | Phone number (10-15 digits) |
Process Payment (Internal)
POST /api/checkout/{session_token}/pay
Called by the RapidCents checkout form when the customer submits payment. Card data is sent directly from the RapidCents-hosted form to this endpoint — it never passes through the merchant’s server or frontend.
Payment Methods
New Card
{
"payment_method_type": "new_card",
"amount": 150.00,
"customerId": "customer-uuid",
"cardData": {
"cardNumber": "4111111111111111",
"month": "12",
"year": 2028,
"nameOnCard": "John Doe",
"cvv": "123",
"saveCard": false,
"address": { "postalCode": "M5V 2T6", "line1": "123 Main St" }
}
}Saved Card
{
"payment_method_type": "saved_card",
"amount": 150.00,
"customerId": "customer-uuid",
"cardId": "stored-card-uuid"
}Google Pay
{
"payment_method_type": "google_pay",
"amount": 150.00,
"customerId": "customer-uuid",
"googlePayToken": "{\"signature\":\"...\",\"protocolVersion\":\"ECv2\",...}"
}{
"ok": true,
"message": "Payment successful",
"result": { "code": "AA", "recordID": "txn-uuid", "receiptID": "receipt-uuid" },
"success_url": "https://yoursite.com/success?session_token=a1b2c3d4..."
}{
"ok": false,
"message": "Payment failed. Please check your payment details and try again.",
"attempt_count": 1,
"max_attempts": 3,
"cancel_url": "https://yoursite.com/cancel?session_token=a1b2c3d4..."
}RapidCents Checkout.js Library
For embedded and hosted checkout integrations, RapidCents provides a client-side JavaScript library that handles session creation, iframe management, and payment result callbacks.
Installation
<script src="https://api.rapidcents.com/js/rapidcents-checkout.js"></script>Initialization
RapidCentsCheckout.init({
businessId: 'your-business-uuid',
authToken: 'your-oauth-access-token',
apiBaseUrl: 'https://api.rapidcents.com/api',
defaultUiMode: 'embedded',
containerId: 'rc-checkout',
// Session verification (recommended)
verifySessionUrl: '/api/rapidcents/checkout-session',
autoVerify: true,
// Callbacks
onSuccess: function(data) {
console.log('Payment successful!', data.session_id);
},
onCancel: function(data) {
console.log('Payment cancelled', data.session_id);
},
onError: function(error) {
console.error('Payment error:', error.message);
}
});Embedded Mode Example
<!-- HTML -->
<div id="rc-checkout"></div>
<button onclick="startCheckout()">Pay Now</button>
<script src="https://api.rapidcents.com/js/rapidcents-checkout.js"></script>
<script>
RapidCentsCheckout.init({
businessId: 'your-business-uuid',
authToken: 'your-oauth-access-token',
containerId: 'rc-checkout',
defaultUiMode: 'embedded',
onSuccess: function(data) {
window.location.href = '/order-confirmed?session=' + data.session_id;
},
onError: function(error) {
alert('Payment failed: ' + error.message);
}
});
function startCheckout() {
RapidCentsCheckout.create({
amount_total: 99.99,
customer_email: '[email protected]',
success_url: 'https://yoursite.com/success',
cancel_url: 'https://yoursite.com/cancel'
});
}
</script>Library Methods
| Method | Description |
|---|---|
RapidCentsCheckout.init(options) | Initialize the checkout library with configuration |
RapidCentsCheckout.create(data) | Create a checkout session and open checkout |
RapidCentsCheckout.close() | Close the embedded checkout iframe |
RapidCentsCheckout.setHeight(px) | Manually set the iframe height |
RapidCentsCheckout.getState() | Get current state (isOpen, sessionId) |
RapidCentsCheckout.handleReturnPage() | Verify session on success/cancel return page |
PostMessage Events (Embedded Mode)
| Event Type | Status | Description |
|---|---|---|
rc:checkout_result | succeeded | Payment approved |
rc:checkout_result | canceled | Customer cancelled checkout |
rc:checkout_result | failed | Payment failed or max attempts reached |
rc:checkout_height | — | Auto-resize iframe to content height |
Step-by-Step: Hosted Mode
- Create a Checkout Session (Server-Side) — From your server, call
POST /api/{business_id}/checkout/createwith the payment details,success_url, andcancel_url. No card data is needed at this step. - Redirect the Customer — Use the
checkout_urlfrom the response to redirect:window.location.href = response.checkout_session.checkout_url. The customer is taken to a RapidCents-hosted checkout page where they enter their card details directly. - Customer Pays on RapidCents — The customer enters their card number, expiry, CVV, and billing info on the RapidCents-hosted page. Your server and your frontend never handle or see this data. 3D Secure is applied automatically if enabled.
- Handle the Return — On your
success_urlpage, thesession_tokenis appended as a query parameter. Extract it from the URL. - Verify Payment (Server-Side) — Call
GET /api/{business_id}/checkout/{session_token}/detailsto confirmsession_statusisCOMPLETEDandpayment_statusisPAID.
Step-by-Step: Embedded Mode
- Add the container and script — Add
<div id="rc-checkout"></div>and include the Checkout.js script on your page. - Initialize and create checkout — Call
RapidCentsCheckout.init()with yourbusinessId,authToken, and callbacks. Then callRapidCentsCheckout.create()when the user clicks “Pay Now”. - Customer Pays in Iframe — A secure iframe from RapidCents loads inside your page. The customer enters their card details directly on the RapidCents form within the iframe. Your page’s JavaScript and DOM cannot access the card data inside the sandboxed iframe.
- Handle callbacks — The
onSuccesscallback receives the session data (session ID, transaction ID, receipt ID). Verify the payment on your server before fulfilling the order.
All Endpoints
Merchant API (Authenticated)
| Method | Endpoint | Description |
|---|---|---|
| POST | /{business_id}/checkout/create | Create checkout session |
| GET | /{business_id}/checkout/{token}/details | Get session details + transaction |
| GET | /{business_id}/checkout-sessions | List checkout sessions |
Customer API (Public)
| Method | Endpoint | Description |
|---|---|---|
| GET | /checkout/{token} | Validate session and get checkout URL |
| GET | /checkout/{token}/data | Get session data for payment form |
| POST | /checkout/{token}/customer | Create/find customer |
| POST | /checkout/{token}/pay | Submit payment |
Session Expiry & Limits
| Setting | Value | Description |
|---|---|---|
| Session lifetime | 24 hours | Sessions expire 24 hours after creation |
| Max payment attempts | 3 | Session is marked FAILED after 3 failed attempts |
| URL scheme | HTTPS only | Both success_url and cancel_url must use HTTPS |
| Max line items | 10 | Maximum 10 line items per session |
| Origin validation | Required | Request origin must match OAuth client redirect URL |
Error Handling
| HTTP Code | Scenario | Description |
|---|---|---|
200 | Payment approved | ok: true with transaction details |
200 | Payment declined | ok: false with decline reason and attempt count |
400 | Session invalid | Session is expired, paid, cancelled, or failed |
404 | Not found | Session token or customer does not exist |
422 | Validation error | Missing required fields, invalid URLs, or origin mismatch |
500 | Server error | Unexpected processing error |
After Payment
When the customer completes a payment, the outcome depends on the checkout mode:
Hosted Mode
The customer is automatically redirected to the URL you specified when creating the session:
| Outcome | Redirect | Query Parameter |
|---|---|---|
| Payment successful | Redirected to success_url | ?session_id={session_token} |
| Payment cancelled | Redirected to cancel_url | ?session_id={session_token} |
| Payment failed (max attempts) | Redirected to cancel_url | ?session_id={session_token} |
On your success_url page, extract the session_id from the query string and verify the payment on your server before fulfilling the order.
Embedded Mode
The RapidCents iframe sends a postMessage to your parent page. Your registered callbacks fire automatically:
| Outcome | Callback | Data Received |
|---|---|---|
| Payment successful | onSuccess(data) | session_id, transaction_id, receipt_id, amount |
| Payment cancelled | onCancel(data) | session_id |
| Payment failed | onError(error) | message, error_code, session_id |
Always verify server-side. Whether you receive a redirect or a callback, always call GET /api/{business_id}/checkout/{session_token}/details from your server to confirm the payment status before fulfilling the order. Never rely on client-side data alone.