Getting Started

The API & Webhook Sections of the documentation guides you through the structure and usage of the API and Webhooks within SmarterPay Cloud.

The following sections contain useful information regarding the SmarterPay Cloud API and Webhooks.

Section
Connecting to the API	API Idempotency
Example Direct Debit Workflow	API Rate Limiting
Verifying Webhook Signature

The SmarterPay Cloud API is based on a REST service using JSON-formatted requests and responses.
The SmarterPay Cloud API is only available over HTTPS. Attempting to access the API over an unsecured HTTP connection will return a TLS_Required error.

To start using the SmarterPay Cloud API, you will require API credentials, which can be found within the SmarterPay Cloud Portal or from your SmarterPay representative.
The API credentials are consumed, in each REST call, by providing it as a Bearer token in the Authorization header.

The “Content-Type” header must also be provided when sending data to the API, using POST and PUT methods, passing either the standard JSON MIME type (application/json), or the JSON-API variant (application/vnd.api+json).

All requests and responses are UTF-8 encoded.

Providing the “Accept-Charset” header is optional, but recommended.

Format of HTTP request header names and values

The name of the HTTP request header you want to send can only contain:

Alphanumeric characters: a-z, A-Z, and 0-9
The following special characters: - and _

The value of the HTTP request header you want to send can only contain:

Alphanumeric characters: a-z, A-Z, and 0-9
The following special characters: _ :;.,\/“'?!(){}[]@<>=-+*#$&`|~^%

Example API Request Header

Authorization: Bearer <token>
Content-Type: application/json
Accept-Charset: utf-8
Idempotency-Key: 8abec541-efca-4efa-856b-50ab8679ec0f

The SmarterPay Cloud API can use idempotency to help prevent accidentally performing the same operation twice. Idempotency can be used on creating (POST) or updating (PUT) a record.

SmarterPay Cloud API's idempotency works by saving the resulting status code and body of the first request made for any given idempotency key, per endpoint. Subsequent requests with the same key, and endpoint, return the same result.

An idempotency key is a unique value generated by the client which the server uses to recognize subsequent retries of the same request. Idempotency keys can be up to 255 characters long, and are case sensitive, for example “ABC123” is not the same as “abc123”.

Idempotency Keys will be removed from the system automatically after they're at least 24 hours old, and a new request is generated if a key is reused after the original has been removed.

To use SmarterPay Clouds API's idempotency, add “Idempotency-Key: <key>” to the header of the request.

If there is a matching idempotency key, for the endpoint, you will receive the response code and response body of the original request, plus an “idempotency-replay: true” in the response header.

Please Note: SmarterPay strongly advises our clients to use the idempotency feature.

SmarterPay Cloud API employs Key-level Global Rate limiting on it's API endpoints.

“Key-level Global Rate limiting” means that each Client's API key is allowed a certain number of API calls in a given time period, before being rejected/limited.

The default rate, for all of our Clients, is 1000 requests per 60 seconds (1 minute).

Once this limit is reached, subsequent requests will recieve a “429 Too Many Requests” response, with the message “Too many requests. Please try again in 60 seconds.”, until the time windows has expired.
Once the time limit has expired request will be accepted again, with their appropriate response, until the limit is reached again for that time period.

If you want to discuss our rate limiting please contact support, either by telephone on +44 (0)1482 240886, or by email at support@smarterpay.com.

Step 1 - Create a Customer Account (Optional)

Only necessary if you're planning on linking several bank accounts or payment types together.

The Customer Account is created using the API - Customer Account - POST method.
System replies to the API call with the Customer Account record details, which includes the Customer ID.
If there is a Webhook Subscription setup, an API Actions - Record Creation Webhook will be sent out.

Step 2 - Create a Bank Account (Necessary)

The Customer ID, from Step 1, can be used in the API POST, if desired, to connect the Bank Account to the Customer. Or it can be left blank.

The Bank Account is created using the API - Bank Account - POST method.
System Modulus Checks the account's sort code and account number and replies with the bank details and bank Account ID
If there is a Webhook Subscription setup, a Bank Account - Record Creation Webhook will be sent out.

Step 3 - Create a Mandate (Necessary)

This step uses the Bank Account ID from Step 2.

The Mandate is created by using the API - Mandate - POST method.
The system replies with the Mandate record details.
If there is a Webhook Subscription setup, a Mandate - Record Creation Webhook will be sent out.

Step 4 - Mandate Submission (Automatic)

This is for any Mandate, with an Active bank Account, set to “New Instruction”.

The system will process the Mandate - Submitting it to Bacs.
If there is a Webhook Subscription setup, a Mandate - Sent to Bacs Webhook will be sent out.

Step 5 - Mandate Update (Automatic)

The default of 3 banking days is used for marking a Mandate as successful.

If a Bacs Rejection is received, usually within 3 banking days
1. The system will process the Bacs Rejection based on the Rejection Profile assigned to the SUN.
2. If there is a Webhook Subscription setup, a Rejection specific Webhook will be sent out.
After, the default of, 3 banking days
1. The system will update the Mandate to successful.
2. If there is a Webhook Subscription setup, a Mandate - Ready for Collection Webhook will be sent out.

Step 6 - Create an "Ongoing Payments" or "Payment Plan" Schedule (Optional)

Only necessary if you want SmarterPay Cloud to automatically take payments on a regular basis or over a set number of instalments.

The Recurrence Schedule is created by using the API - Recurrence Schedule - POST
The system replies with the Recurrence Schedule record details, including upcoming payments.
If there is a Webhook Subscription setup, a Recurrence Schedule - Record Creation Webhook will be sent out.

Step 7a - Payment Creation (Automatic)

This is for any Schedules, with active Mandate and Bank Account, set to active.

The system will create a payment for collection in 2 banking days time.
If there is a Webhook Subscription setup, a DDMS Service - Recurrence Schedule - Record Updated Webhook will be sent out.
If there is a Webhook Subscription setup, a DDMS Service - Payment - Record Creation Webhook will be sent out.

Step 7b - Create a Payment (Optional)

One off payments can be created as necessary. This step uses the Mandate ID from Step 3.

The Payment is created by using the API - Payment - POST method.
The system replies with the Payment record details.
If there is a Webhook Subscription setup, an API - Payment - Record Creation Webhook will be sent out.

Step 8 - Payment Submission (Automatic)

This is for any Payment, with an Active bank Account and Mandate, set to “Pending Submission”.

The system will process the Payment - Submitting it to Bacs.
If there is a Webhook Subscription setup, a DDMS Service - Payment - Sent to Bacs Webhook will be sent out.

Step 9 - Payment Update (Automatic)

The default of 3 banking days is used for marking a Payment as successful.

If a Bacs Rejection is received, usually within 3 banking days
1. The system will process the Bacs Rejection based on the Rejection Profile assigned to the SUN.
2. If there is a Webhook Subscription setup, a Rejection specific Webhook will be sent out.
After, the default of, 3 banking days
1. The system will update the Payment to successful.
2. If there is a Webhook Subscription setup, a DDMS Service - Payment - Set to Successful Webhook will be sent out.

"Signature Auth" Webhook Subscription

SmarterPay Cloud sends a signature with all “Signature Auth” Webhook Subscriptions.
This signature can be used to verify that the contents of the webhook has not been tampered with.

The steps detailed below show one way to verify the Webhook Signature.

Step 1: Extract the Signature from the Webhook

The signature is sent in the “Webhook-Signature” message header of the Webhook.

Step 2: Compute the expected signature

Generate a byte array of the Webhook Key, for the Subscription.
Generate a byte array of the unformatted raw webhook body.
Generate a signature hash, with an instance of HMACSHA256, using the the byte array of the webhook key as the secret key
Remove any “-” characters from the result.
Make the result lowercase.

.NET Code Example:

string secret = "ssecretwebhookkey";

string message ="{ \"events\" :[ {  \"id\" : \"0\" ,  \"created_at\" : \"2021-08-25T17:18:03.000Z\", \"resource_type\": \"mandate\",  \"event_source\" : \"10044000\",  \"customer_account\" : \"\", " +
                " \"AUDDIS\" : \"0\",  \"status\" : \"new_instruction\",  \"description\" : \"Test for webhook Mandate Subscription\",  \"bacs_reason_code\" : \"200 OK\",  \"bacs_description\" : \"Test\", " +
                " \"bacs_reference\" : \"\",  \"bacs_filename\" : \"\" } ] }";

// Get Byte Array From Webhook Key AKA Secret Key
byte[] key = Encoding.UTF8.GetBytes(secret);

// Get Byte Array from message 
byte[] bytes = Encoding.UTF8.GetBytes(message);

//Generate Instance of 256 using the key array
HMACSHA256 hmacsha256 = new HMACSHA256(key); 

// Compute a hash using the instance of the sha256.
byte[] hash = hmacsha256.ComputeHash(bytes);

// Get Hash
string calculatedSignature = BitConverter.ToString(hash).Replace("-", "").ToLower();

Step 3: Compare the Signatures

Compare the signature passed with the Webhook, from Step 1, with the expected signature, from step 2.