RapidPay

Compact payment modal · Iframe-based · No card data on your servers · 3D Secure built-in

Summary

RapidPay is the RapidCents compact payment API for processing card-not-present transactions. RapidPay provides a lightweight, RapidCents-hosted payment modal that loads inside an iframe on your page. The customer enters their card details directly on the RapidCents secure form — your server and your frontend never handle or see card data.

🔒

Zero PCI scope for you. Card data is entered directly on the RapidCents-hosted form inside the iframe. Your servers never receive, process, or store card numbers, CVVs, or any sensitive payment data. RapidCents handles all tokenization, 3D Secure, and payment processing securely.

RapidPay vs Checkout Sessions

RapidCents offers three ways to accept payments. All three keep card data off your servers:

RapidPay (Compact Modal)

Compact payment modal in an iframe
Minimal footprint on your page
Card data entered on RapidCents form
No PCI scope for you
Best for: quick payments, in-page checkout, POS

Checkout Sessions

Hosted: Full-page redirect to RapidCents
Embedded: Full checkout form in an iframe
Card data entered on RapidCents form
Supports saved cards, Google Pay, subscriptions
Best for: e-commerce, SaaS, invoicing

ⓘ

Key difference: RapidPay shows a compact payment modal (amount + card fields only), while Checkout Sessions provide a full checkout experience with order summary, line items, customer info, shipping address, and more. Choose RapidPay when you want a lightweight, fast payment form. Choose Checkout Sessions when you need the full checkout flow.

Processing Flow

Here is how a RapidPay payment flows — card data never touches your servers:

Your ServerPOST /rapid-checkout/create

→

RapidCentsReturns checkout_url

→

IframeLoads payment modal

↓

CustomerEnters card on RapidCents form

→

RapidCentsTokenize, 3DS & process

↔

Card NetworksVisa / MC / Amex / Discover

↓

RapidCentsRecord & receipt

→

postMessagePayment result to your page

What Happens During a Payment

Your server creates a session — You POST the amount, currency, and customer email to the RapidCents API with your Bearer token. RapidCents returns a checkout_url.
The RapidPay modal loads in an iframe — Your frontend opens the checkout_url in an iframe using the RapidPay JavaScript library (rapid.js). The customer sees a compact payment modal hosted entirely by RapidCents.
Customer enters card details on RapidCents — The card number, expiry, CVV, and billing address are entered directly on the RapidCents-hosted form. Your page never has access to this data.
RapidCents processes the payment — The card is tokenized, 3D Secure is applied (if enabled), and the payment is submitted to the card networks for authorization.
Your page receives the result — RapidCents sends a postMessage to your parent page with the payment result (success/failure, transaction ID, receipt ID). You handle this in your JavaScript callbacks.

ⓘ

If the payment gateway does not respond within 15 seconds, RapidCents returns a timeout error (HTTP 400). Implement retry logic or show a “processing” state and reconcile later using the recordID.

Authentication

All RapidPay endpoints require OAuth 2.0 Bearer token authentication. Every request must include a valid access token in the Authorization header.

Required Headers

Authorization: Bearer {access_token}
Content-Type: application/json
Accept: application/json

Base URL Pattern

All RapidPay endpoints follow the pattern /api/{business_id}/... where {business_id} is your RapidCents Business UUID.

Credentials Provided During Onboarding

During merchant onboarding, RapidCents provides the following credentials. Store them securely on your server — never expose them in client-side code.

Credential	Description	Lifetime
`client_id`	OAuth application identifier	Permanent
`client_secret`	OAuth application secret	Permanent
`access_token`	Bearer token for API authentication	24 hours
`refresh_token`	Used to obtain new access tokens	Long-lived (single-use)
`business_id`	Your Business UUID used in all API paths	Permanent

⚠

3D Secure endpoints (/ddd/init and /ddd/authenticate) are public routes — they do not require a Bearer token. They are scoped under /api/{business_id}/ and use the business ID from the URL to load 3DS credentials.

OAuth Token Flow

RapidCents uses OAuth 2.0 for authentication. The token endpoint supports both Password Grant (initial login) and Refresh Token grant.

Refresh Access Token

POST /api/oauth/token

Access tokens expire after 24 hours. Use the refresh token to obtain a new access token without re-authenticating.

Request

POST /api/oauth/token
Content-Type: application/json

{
  "grant_type": "refresh_token",
  "refresh_token": "{your_refresh_token}",
  "client_id": "{your_client_id}",
  "client_secret": "{your_client_secret}",
  "redirect_uri": "",
  "scope": ""
}

Response — 200 OK

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "refresh_token": "def50200a3c2f7...",
  "token_type": "Bearer",
  "expires_in": 86400
}

⚠

Critical: Store both the new access_token and refresh_token from the response. The previous refresh token is invalidated after use — it cannot be reused. If you lose the new refresh token, you will need to re-authenticate from scratch. Refresh proactively before the 24-hour expiry to avoid failed API calls.

Token Refresh Strategy

We recommend implementing automatic token refresh in your backend:

Store token expiry — When you receive a token response, calculate the absolute expiry time (now + expires_in) and persist it alongside the tokens.
Check before each API call — Before making any RapidPay API call, compare the current time against your stored expiry. If the token expires within the next 5 minutes, refresh it first.
Handle 401 gracefully — If you receive a 401 Unauthorized response, attempt a token refresh and retry the request once. If the refresh also fails, alert your operations team.
Secure storage — Store credentials in encrypted environment variables or a secrets manager. Never commit tokens to source control.

IP Whitelisting

🛡

Required: Before you can process any transactions, you must provide your server’s static IP address(es) to RapidCents for whitelisting. API requests from non-whitelisted IPs will be rejected.

RapidCents enforces IP-based access control on all RapidPay endpoints. Only requests originating from your whitelisted server IPs are permitted to create checkout sessions and process saved card sales.

How to Whitelist

Identify your server IPs — Determine the static/elastic IP address(es) of the server(s) that will make API calls to RapidCents. If you use a load balancer or NAT gateway, provide the outbound IP.
Submit to RapidCents — Provide your IP address(es) to the RapidCents integration team during onboarding or via your account manager.
Confirmation — RapidCents will whitelist your IPs and confirm. You can then begin making API calls.
Update when IPs change — If your server infrastructure changes and your outbound IP changes, contact RapidCents to update the whitelist before migrating.

ⓘ

You may whitelist multiple IPs (e.g., for redundancy, staging, and production). Each environment has its own whitelist. Contact RapidCents support to manage your whitelisted IPs.

Environment	Base URL	Whitelist
Staging	`https://uatstage00-api.rapidcents.com`	Separate whitelist — add your dev/staging server IPs
Production	`https://api.rapidcents.com`	Separate whitelist — add your production server IPs

Step 1 — Create a RapidPay Session

From your server, call the RapidPay API to create a checkout session. This returns a checkout_url which you'll load in an iframe on your page. You only need to send the amount, currency, and customer email — no card data is needed from your server.

Request

POST /api/{business_id}/rapid-checkout/create
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "amount_total": 150.00,
  "currency": "CAD",
  "customer_email": "[email protected]"
}

Request Fields

Field	Type	Required	Description
`amount_total`	Number	Yes	Total payment amount
`currency`	String	No	Currency code (defaults to business currency)
`customer_email`	String	Yes	Customer email address
`amount_subtotal`	Number	No	Subtotal before tax and discount
`amount_tax`	Number	No	Tax amount
`amount_discount`	Number	No	Discount amount
`surcharge`	Boolean	No	Apply surcharge (uses business-configured rate)

Response — 201 Created

{
  "ok": true,
  "checkout_session": {
    "id": "session-uuid",
    "token": "a1b2c3d4e5f6...",
    "checkout_url": "https://dashboard.rapidcents.com/customer/checkout-rapid/a1b2c3d4e5f6...",
    "ui_mode": "rapid",
    "amount_total": 150.00,
    "currency": "CAD"
  }
}

🔒

No card data touches your server. The session creation only requires the amount and customer email. The customer will enter their card details directly on the RapidCents-hosted payment modal in the next step.

Step 2 — Load the Payment Modal

On your frontend, include the RapidPay JavaScript library and use it to open the payment modal in an iframe. The customer enters their card details directly on the RapidCents-hosted form — your page never has access to card data.

Include the Script

HTML

<!-- RapidPay JavaScript Library -->
<script src="https://api.rapidcents.com/js/rapid.js"></script>

Initialize and Open Modal

JavaScript

// Initialize RapidPay with your business credentials
RapidCentsCheckout.init({
  businessId: 'your-business-id',
  authToken: 'your-access-token',

  // Callbacks
  onSuccess: function(data) {
    console.log('Payment successful!', data.session_id, data.transaction_id);
    // Verify on your server, then fulfill the order
  },
  onCancel: function(data) {
    console.log('Payment cancelled', data.session_id);
  },
  onError: function(error) {
    console.error('Payment error:', error.message);
  }
});

// When the customer clicks "Pay Now"
document.getElementById('pay-button').addEventListener('click', function() {
  RapidCentsCheckout.create({
    ui_mode: 'rapid',
    amount_total: 150.00,
    currency: 'CAD',
    customer_email: '[email protected]'
  });
});

🔒

Card data security: The payment modal is loaded in a sandboxed iframe from dashboard.rapidcents.com. Card number, expiry, CVV, and billing address are entered directly on the RapidCents form. Your JavaScript code, your page, and your server never have access to this sensitive data. RapidCents handles 3D Secure, tokenization, and payment processing inside the iframe.

How the Modal Works

Session creation — The library calls POST /api/{business_id}/rapid-checkout/create with the amount and customer email. RapidCents validates the OAuth client origin and returns a checkout_url.
Iframe loads — The library opens the checkout_url in a secure iframe. The customer sees a compact payment form with the amount, card fields, and a “Pay” button.
Customer enters card — The card number, expiry, CVV, and billing address are entered on the RapidCents form. If 3D Secure is enabled, the bank authentication challenge appears inside the same iframe.
Result via postMessage — After payment processing, RapidCents sends a postMessage to your page with the result. Your onSuccess, onCancel, or onError callback fires accordingly.

Origin Validation

⚠

RapidCents validates that the request origin matches the OAuth client redirect URL configured for your API credentials. If your page domain is not in the allowed origins, session creation will fail with a 422 error. Ensure your OAuth client redirect URL matches the domain where you load the RapidPay modal.

Step 3 — Handle Payment Result

When the payment completes (or is cancelled/fails), RapidCents sends a postMessage from the iframe to your parent page. The RapidPay library automatically parses this and fires your registered callbacks.

Success Callback

onSuccess callback data

{
  "session_id": "a1b2c3d4e5f6...",
  "transaction_id": "txn-uuid-5678",
  "receipt_id": "receipt-uuid-9012",
  "amount": 150.00,
  "currency": "CAD"
}

Error / Failure Callback

onError callback data

{
  "message": "Payment declined",
  "error_code": "ND",
  "session_id": "a1b2c3d4e5f6..."
}

If the customer exceeds the maximum payment attempts (3), RapidCents returns error_code: "max_attempts_reached" and automatically closes the session.

What to Do After Payment

Verify on your server — Always verify the payment status from your backend using the session token (see next section). Never trust client-side data alone.
Store the references — Save transaction_id and receipt_id in your database for reconciliation, refunds, and support.
Update order status — Mark the order as paid and trigger fulfillment.
Notify the customer — Send a confirmation email or in-app notification.

Verify Payment (Server-Side)

GET /api/{business_id}/checkout/{session_token}/details

After the onSuccess callback fires, always verify the payment on your server before fulfilling the order. This prevents fraud from manipulated client-side data.

Request

GET /api/{business_id}/checkout/{session_token}/details
Authorization: Bearer {access_token}

Response — Paid

{
  "ok": true,
  "checkout_session": {
    "session_status": "COMPLETED",
    "payment_status": "PAID",
    "amount_total": 150.00,
    "currency": "CAD",
    "customer_email": "[email protected]"
  },
  "transaction": {
    "id": "txn-uuid-5678",
    "receipt_id": "receipt-uuid-9012",
    "response_code": "AA",
    "card": "411111******1111",
    "association": "Visa"
  }
}

⚠

Only fulfill orders when session_status is "COMPLETED" and payment_status is "PAID". Any other combination means the payment has not been successfully processed.

Saved Card Sale (Card on File)

POST /api/{business_id}/customer/{customer_id}/sale

Process a payment using a previously tokenized card. When a customer pays through the RapidPay modal, their card is automatically tokenized by RapidCents. You receive a cardId which you can use for future charges without the customer re-entering their card details.

ⓘ

No card data required. You only need the cardId and amount. The customer’s card was securely tokenized by RapidCents during the original payment — your server never had access to the raw card data.

Request Fields

Field	Type	Required	Description
`amount`	number	Yes	Payment amount
`cardId`	string	Yes	Stored card UUID (from a prior transaction)
`ip_address`	string	No	Customer’s IP address
`user_agent`	string	No	Customer’s browser user agent

Request

POST /api/{business_id}/customer/{customer_id}/sale
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "amount": 29.99,
  "cardId": "card-uuid-abcd-1234",
  "ip_address": "203.0.113.42"
}

Response — Approved

{
  "ok": true,
  "status": "Approved",
  "code": "AA",
  "message": "Approved Transaction (Auths / Reversals)",
  "receiptID": "receipt-uuid-9012",
  "recordID": "txn-uuid-5678"
}

Automatic Card Tokenization

When a customer completes a payment through the RapidPay modal, their card is automatically tokenized by RapidCents. You receive a cardId in the transaction details which you can use for future saved card operations.

🔒

You never need to handle raw card data for tokenization. The customer enters their card on the RapidCents-hosted form, and RapidCents automatically stores it as a secure token. Use the returned cardId for saved card sales.

All Endpoints

RapidPay Checkout

Method	Endpoint	Auth	Description
POST	`/api/{business_id}/rapid-checkout/create`	Bearer	Create a RapidPay checkout session
GET	`/api/{business_id}/checkout/{token}/details`	Bearer	Verify payment status

Saved Card Endpoints

Method	Endpoint	Auth	Description
POST	`/api/{business_id}/customer/{customer}/sale`	Bearer	Sale with saved card (card on file)

Authentication Endpoints

Method	Endpoint	Auth	Description
POST	`/api/oauth/token`	None	Issue or refresh access token

Environment Configuration

Environment	Base URL	Purpose
Staging	`https://uatstage00-api.rapidcents.com`	Development, testing, and integration
Production	`https://api.rapidcents.com`	Live transactions

ⓘ

Each environment has separate OAuth credentials, separate IP whitelists, and separate terminal configurations. Do not use staging credentials in production or vice versa.

Response Codes

The code field in the response indicates the transaction outcome:

Code	Status	Description	Action
`AA`	Approved	Transaction approved	Save `recordID`, `receiptID`, `issuer_reference`
`AP`	Partial Approval	Approved for partial amount	Auto-voided by system. Treat as declined.
`AC`	Partial Approval	Approved for partial amount (alternate)	Auto-voided by system. Treat as declined.
`NC`	Declined	Stolen card / Pick up card	Do not retry. Flag for fraud review.
`ND`	Declined	Standard decline	Show generic decline message to customer
`NF`	Declined	Record not found	Check card data or retry
`NR`	Declined	Referral — contact issuing bank	Show “Please contact your bank” to customer
`N7`	Declined	CVV2/AVS verification failed	Customer may have entered wrong billing info

Error Handling

HTTP Code	Scenario	Description
`200`	Transaction processed	Check `code` field — `AA` = approved, others = declined
`400`	Transaction timeout	Payment gateway did not respond within 15 seconds
`400`	3DS failed	3DS authentication returned `N`, `U`, or `R`
`401`	Unauthorized	Missing, expired, or invalid access token
`403`	3DS not supported	Card does not support 3DS 2.x (`DDD_NOT_SUPPORTED`)
`404`	Not found	Invalid business ID, customer ID, or card ID
`408`	Session expired	3DS session has expired or is invalid
`417`	Expectation failed	Batch balance or settle request failed at gateway level
`422`	Validation error	Missing required fields, invalid data, or duplicate card
`500`	Server error	Unexpected error — retry or contact support
`502`	Gateway error	3DS server returned an error response

Security Best Practices

Card data never touches your servers — All card entry happens on the RapidCents-hosted payment modal. Your servers only handle session creation (amount + email) and receive payment results (transaction IDs).
Use HTTPS exclusively — All API communication must use TLS/HTTPS. The RapidPay modal is served over HTTPS.
Rotate tokens proactively — Refresh access tokens before the 24-hour expiry. Store both new access_token and refresh_token from each refresh response.
Store only references — Persist transaction_id, receipt_id, and session_id — never card details. Use cardId for saved card operations.
Verify payments server-side — Always verify payment status from your backend using GET /checkout/{token}/details before fulfilling orders. Never trust client-side callbacks alone.
Validate OAuth origins — Ensure your OAuth client redirect URL matches the domain where the RapidPay modal is loaded. Origin mismatches will block session creation.
Whitelist your server IPs — Ensure all server IPs making API calls are whitelisted with RapidCents. Update the whitelist before infrastructure changes.

Integration Checklist

☑

Complete all items before going live with production transactions.

Authentication & Setup

OAuth token refresh is implemented and tokens are stored securely
Token expiry is tracked and refreshed proactively (before 24-hour expiry)
Both access_token and refresh_token are persisted on each refresh
Server IP(s) have been submitted to RapidCents and confirmed whitelisted
Staging and production credentials are stored separately
OAuth client redirect URL matches the domain where RapidPay modal loads

Frontend Integration

RapidPay JavaScript library (rapid.js) is loaded on your page
RapidCentsCheckout.init() is called with correct businessId and authToken
onSuccess, onCancel, and onError callbacks are implemented
Session creation (create()) is triggered by a user action (button click)
Payment modal loads correctly in the iframe

Payment Verification

Server-side payment verification is implemented (GET /checkout/{token}/details)
session_status: "COMPLETED" and payment_status: "PAID" are checked before fulfilling orders
transaction_id and receipt_id are stored for reconciliation and refunds
Error scenarios (cancelled, failed, expired sessions) are handled gracefully

Saved Card Operations (Optional)

Saved card sale works using cardId from previous transactions
All decline codes (ND, NC, NR, N7) are handled gracefully