External API - Integration Guide
What is the External API
The Avirato Payments External API lets external integrators (ERPs, e-commerce platforms, management systems, etc.) process online payments and POS payments securely, without needing to know the system's internal infrastructure.
With a single integration you can:
- Create online payment sessions and redirect the customer to a secure payment page
- Process POS payments by sending a charge directly to a physical terminal
- Modify payments: full and partial refunds, pre-authorization captures, cancellations, and pre-authorization extensions
- Query payments: get session details, list sessions with filters and pagination, list modifications
Environments: Live and Test
The External API offers two completely independent environments:
| Live | Test | |
|---|---|---|
| Purpose | Process real payments | Integrate and test without real money |
| Base URL | https://aviratopayments.com/external/v1/ | https://aviratopayments.com/external/v1/test/ |
| API Keys | Live environment keys | Test environment keys |
| Online payments | Real processor | Simulation with fictitious cards |
| POS payments | Real physical terminal | Immediate simulation (magic amounts) |
| Webhooks | Sent by the real processor | Generated automatically by the backend |
| Real money | Yes | No |
Recommendation: Integrate first in the Test environment to verify that your system works correctly. Once validated, switch to Live by simply using your production API key and removing
/test/from the URLs.
Base URL
Live: https://aviratopayments.com/external/v1/
Test: https://aviratopayments.com/external/v1/test/All endpoints in this documentation show the full Live environment URL. To use the Test environment, insert /test/ after /v1/. For example:
- Live:
POST https://aviratopayments.com/external/v1/payment/session - Test:
POST https://aviratopayments.com/external/v1/test/payment/session
Quick authentication
All requests require an API key in the X-API-KEY header:
X-API-KEY: your_api_key_hereAPI keys are managed from the Avirato Payments dashboard (Integrations > API Keys section). Each key is linked to a webcode (business identifier) and an environment (Live or Test).
In addition, all POST requests optionally accept the Idempotency-Key header to avoid duplicate operations. We recommend always using it in production. Reusing the same key with a different body or another endpoint returns 409 Conflict (see Authentication and Error handling).
For more detail: Authentication
Response structure
Successful response
All successful responses follow this structure:
{
"success": true,
"data": { ... }
}The content of data varies by endpoint. The success field is always true on 2xx responses.
Error response
{
"success": false,
"error": {
"message": "Error description in English",
"code": 12001,
"statusCode": 400,
"traceId": "abc123..."
}
}The traceId is unique per request. Always include it when contacting technical support. See Error handling for the full catalog.
Key concepts before you start
Session vs Payment (for online payments)
It is essential to understand this distinction:
- Session (
sessionId): The payment intent your system creates. It contains the amount, return URLs, etc. - Payment (
paymentReference): The real transaction authorized by the processor. It only exists when the customer completes the payment successfully.
Practical rule: Use sessionId to query status. Use paymentReference to modify (refund, capture, cancel, extend).
See Online Payments - Session vs Payment for the full explanation.
Asynchronous operations
Modifications (refund, capture, cancel, extend) are asynchronous. The API accepts the request immediately (HTTP 202) but the operation is processed in the background. The initial status is pending (refunds) or received (capture, cancel, extend) and evolves to success or failed as the processor confirms.
POS payments are synchronous: the request waits until the terminal responds.
In the Test environment: Modifications resolve almost immediately (the backend simulates the processor response). You will receive the confirmation webhook within seconds.
Typical integration flow
1. Online payment
Your system Avirato Payments Customer
| | |
|-- POST /payment/session ---------->| |
|<-- 201 { sessionId, paymentUrl } --| |
| | |
|-- Redirect customer -------------->+---------------------------->|
| | (secure payment page) |
| |<-- Completes payment --------|
| | |
| |-- Redirect to urlOk -------->|
| | (with encrypted data) |
| | |
|-- GET /payment/session/{id} ------>| |
|<-- { status: completed, | |
| paymentReference: "..." } ----| |
| | |
| (You can now refund, | |
| capture, etc. with paymentRef) | |2. POS payment
Your system Avirato Payments POS Terminal
| | |
|-- POST /pos/payment ------------->| |
| |-- Send charge ----->|
| | (customer pays |
| | at terminal) |
| |<-- Result -----------|
|<-- 200 { status: success, | |
| paymentReference } --------| |Note: These flows work identically in the Test environment, replacing
/external/v1/with/external/v1/test/. The only difference is that in Test the online payment is completed with fictitious cards and the POS payment is simulated with magic amounts (no real terminal).
Key differences between Test and Live
| Aspect | Live | Test |
|---|---|---|
| Online payment | The customer pays with a real card on the payment form | The customer uses fictitious cards on a simulated form |
| POS payment | The physical terminal processes the charge | The result is simulated immediately based on the amount |
| Webhooks | Sent by the real processor when it confirms the operation | Generated automatically by the backend when the simulation completes |
| Modifications | Processed by the real processor (may take seconds/minutes) | Simulated instantly by the backend |
| References | Prefix -EXT-, -PXT-, -POSX-, -RFX-, -CTX-, etc. | Prefix -EXTT-, -PXTT-, -POSXT-, -RFXT-, -CTXT-, etc. |
| Money | Real transactions | No money movement |
| Data | Completely isolated | Completely isolated (not mixed with live) |
Endpoint index
Online Payments
| Method | Endpoint | Description | HTTP Status |
|---|---|---|---|
| POST | /payment/session | Create payment session | 201 |
| GET | /payment/session/{sessionId} | Get session detail | 200 |
| GET | /payment/sessions | List sessions | 200 |
Modifications (apply to online and POS payments)
| Method | Endpoint | Description | HTTP Status |
|---|---|---|---|
| POST | /payment/refund | Refund payment | 202 |
| POST | /payment/capture | Capture pre-authorization | 202 |
| POST | /payment/cancel | Cancel pre-authorization | 202 |
| POST | /payment/extend | Extend pre-authorization | 202 |
| GET | /payment/session/{sessionId}/modifications | List session modifications | 200 |
| GET | /pos/payment/{posPaymentId}/modifications | List POS payment modifications | 200 |
| GET | /modifications | List all modifications | 200 |
POS Payments
| Method | Endpoint | Description | HTTP Status |
|---|---|---|---|
| GET | /pos/terminals | List active terminals | 200 |
| POST | /pos/payment | Create POS payment | 200 |
| GET | /pos/payments | List POS payments | 200 |
Remember: To use any endpoint in the Test environment, add
/test/after/v1/. Example:POST /external/v1/test/payment/session.