**Last updated**: 14 June 2025 | [**Change log**](/products/hosted-payment-pages/changelog/)
# Setup a payment
SMB (Worldpay eCommerce)
Our Hosted Payment Pages API generates a URL in the response. Redirect your customer to this URL to take a payment.
## Integration overview
```mermaid
graph LR
Get-your-credentials --> Set-your-headers --> Post-your-request --> Redirect-your-customer --> Payment-is-autosettled
```
## Prerequisites
Pull your credentials from your [dashboard](https://dashboard.worldpay-bsh.securedataplatform.com/).
## Set your headers
Setting your headers is an important part of an API request. The headers represent the meta-data associated with your
API request.
```
Authorization: {your_credentials}
Content-Type: application/vnd.worldpay.payment_pages-v1.hal+json
Accept: application/vnd.worldpay.payment_pages-v1.hal+json
```
| Header | Description |
| --- | --- |
| `Authorization` | The mandatory `Authorization` header is used for authentication and identification of our merchants within Access Worldpay. Replace `{your_credentials}` with your base64-encoded Basic Auth username and password you have received from us. |
| `Content-Type` | The `Content-Type` header is required if the request you're sending includes a request body, and if the HTTP method is a `POST` or a `PUT`. |
| `Accept` | Use the mandatory `Accept` header to identify which version of our Hosted Payment Pages API you are using. |
Info
If you're using both the `Content-Type` and `Accept` headers, they **must** match.
## Take a guest card payment
`POST` your request to the `payment_pages:setup` action link to setup a payment.
POST `https://try.access.worldpay-bsh.securedataplatform.com/payment_pages`
#### Example with mandatory fields:
### Mandatory parameters
| Parameter | Description | Data type | Field length |
| --- | --- | --- | --- |
| `transactionReference` | A unique reference generated by you that is used to identify a payment throughout its lifecycle. See [transaction reference format](/products/reference/formatting). | String | Must be between 1 to 64 characters. |
| `merchant` | An object that contains information about the merchant. | Object | N/A |
| `merchant.entity` | You can find your entity in your [Dashboard](https://dashboard.worldpay-bsh.securedataplatform.com/) under "Developer Tools". Using your own entity reference causes the transaction to fail. | String | Must be between 1 and 32 characters. |
| `narrative` | An object that helps your customers better identify you on their statement. | Object | N/A |
| `narrative.line1` | An object that helps your customers better identify you on their statement. | String | Must be between 1 and 24 characters |
| `value` | An object that contains information about the payment transaction. | Object | N/A |
| `value.currency` | The 3 character [ISO currency code](/products/reference/supported-countries-currencies#iso-currency-codes). | String | 3 character ISO currency code |
| `value.amount` | The payment amount. This is a whole number with an exponent e.g. if exponent is two, 250 is 2.50. You can find the relevant exponent in our [currency table](/products/reference/supported-countries-currencies#iso-currency-codes). | Integer | N/A |
## Store a card
You can save your customer's card as part of a payment request by creating a token which you can use to take subsequent payments.
These subsequent payments are distinguished between two core transaction types:
* **Customer Initiated Transactions** (CITs)
* **Definition:** The customer is present and actively involved in the transaction. This is also known as `cardOnFile` in the API request.
* **Example**: Storing card details (card on file) with an online retailer for future use.
br
* **Merchant Initiated Transactions** (MITs)
* **Definition:** The merchant initiates the transaction without the customer being actively involved at that moment. This is also known as `subscription` in the API request.
* **Examples:** Subscriptions, installments, delayed charges, no-show fees.
Visit our [stored credentials article](/products/articles/stored-credentials) for an overview of Customer Initiated Transactions and Merchant Initiated Transactions.
Note
With our Hosted Payment Pages API you can setup MIT agreements and take a `first` payment. To manage your agreement and take subsequent payments, you must use a direct integration through our [Payments API](/products/payments/recurring-subsequent).
#### Examples
CIT - all fields
MIT - all fields
### Parameters
| Value | Required? | Description |
| --- | --- | --- |
| `createToken` | ✅ | An object that instructs us to create a token for the payment details supplied. |
| `type` | ✅ | The type of token. The value is "worldpay". |
| `namespace` | ✅ | A namespace is used to group up to 16 cards, e.g. for one customer. A card can exist in more than one namespace. |
| `description` | ✅ | A description of your token. If not supplied, a default description is created for you. |
| `optIn` | ✅ | **"Silent"** - (default value) The card details will always be saved (you must already have their consent to do this)**"Notify"** - The card details will always be saved (you must already have their consent to do this) and your customer will see this within our hosted payment pages**"Ask"** - The card details will be saved if your customer provides their consent. This adds a "Save payment details" tickbox to the page, which they tick to opt-in, or ignore to opt-out. If your customer does not consent, then no card details are saved. |
The below table contains fields required to setup a repeat agreement.
| Value | Required? | Description |
| --- | --- | --- |
| `customerAgreement` | ✅ | An object that contains specific customer agreements for the transaction. |
| `storedCardUsage` | ✅ | Defines when in the agreement the card is used`first` - use this when initially storing a card. Applicable when `type` is `"cardOnFile"` or `"subscription"`. `subsequent` - Use this when taking payment with a previously stored card. Only applicable for `type` `"cardOnFile"`. |
| `type` | ✅ | The processing arrangement agreed with your customer. `"cardOnFile"` - Use this for Cardholder Initiated Transactions (CITs).`"subscription"` - Use this where subsequent payments are processed without the cardholder being present aka Merchant Initiated Transactions (MITs). Subsequent payments must be submitted directly through the [Payments API](/products/payments/openapi).. |
Note
We return the token via a [webhook](/products/hosted-payment-pages/webhooks#webhook-values-for-tokencreated).
## Take a payment from a stored card (CIT)
Use a previously stored card to take a `cardOnFile` payment. We capture the CVC as part of this flow.
##### Examples
Mandatory fields only
All fields
| Value | Required | Description |
| --- | --- | --- |
| `paymentInstrument` | ✅ | An object that contains the payment type and details. |
| `type` | ✅ | The payment type details. Value is "card/tokenized". |
| `href` | ✅ | We return this after token creation via the webhook. |
### Optional/conditional parameters
We handle 3DS authentication and fraud assessments on your behalf. However, supplying the additional optional fields below, increases the chance of a frictionless flow for your customer.
Info
The result URLs are required to redirect your customer to your defined URL at the end of their payment journey.
| Parameter | Required? | Description | Data type | Field length |
| --- | --- | --- | --- | --- |
| `description` | ❌ | An optional text, when supplied is displayed to your customer on payment pages. | String | Maximum of 128 characters. |
| `billingAddress` | ❌ | An object containing the billingAddress information. | Object | N/A |
| `billingAddress.firstName` | ❌ | Customer's first name. | String | Maximum of 22 characters |
| `billingAddress.lastName` | ❌ | Customer's last name. | String | Maximum of 22 characters |
| `billingAddress.address1` | ✅ | Only required when billing address is provided. | String | Maximum of 85 characters. |
| `billingAddress.address2` | ✅ | Only required when billing address is provided. | String | Maximum of 85 characters. |
| `billingAddress.address3` | ✅ | Only required when billing address is provided. | String | Maximum of 85 characters. |
| `billingAddress.postalCode` | ✅ | Only required when billing address is provided. | String | Maximum of 15 characters. |
| `billingAddress.city` | ✅ | Only required when billing address is provided. | String | Maximum of 50 characters. |
| `billingAddress.state` | ✅ | Only required when billing address is provided. For the United States or China (must be ISO-3611-2, only provide two characters after "US-" or "CN-", e.g. FL for Florida or BJ for Beijing). | String | Maximum of 50 characters. |
| `billingAddress.countryCode` | ✅ | Only required when billing address is provided. | String | Must be a valid [ISO3166-1 alpha-2 country code](/products/reference/supported-countries-currencies#iso-country-codes). |
| `resultURLs` | ❌ | An object containing the different URLs we redirect your customers to when we receive the payment result. We recommend that you provide us with your custom result URLs. | Object | N/A |
| `resultURLs.successURL` | ❌ | When we receive the payment result for a successful payment, we redirect your customer to the success URL. | String | N/A |
| `resultURLs.pendingURL` | ❌ | When we receive the payment result for a pending payment transaction, we redirect your customer to the pending URL. | String | N/A |
| `resultURLs.failureURL` | ❌ | When a payment fails, we redirect your customer to the failure URL. | String | N/A |
| `resultURLs.errorURL` | ❌ | When we receive the payment result for an erroneous payment, we redirect your customer to the error URL. | String | N/A |
| `resultURLs.cancelURL` | ❌ | When your customer cancels a transaction, we redirect that customer to the cancel URL. | String | N/A |
| `resultURLs.expiryURL` | ❌ | When a customer leaves the payment transaction uncompleted within the maximum allowed time frame, we redirect your customer to the expiry URL. | String | N/A |
| `custom` | ❌ | An object containing all data that can be used to configure manual fraud rules. | Object | N/A |
| `custom.string1-9` | ❌ | 9 available slots for custom string values you can use to configure manual fraud rules. | String | N/A |
| `riskData` | ❌ | To increase the chances of a frictionless flow, we recommend sending additional data in the `riskData` object. | Object | N/A |
| `settlement` | ❌ | An object containing information relating to whether auto settlement is turned on or off. | Object | N/A |
| `settlement.auto` | ✅ | A value when specified allows you to turn auto settlement off. The default behaviour is always on and there is nothing to specify. | Boolean | N/A |
| `cancelOn` | ❌ | An object containing configuration for when a payment is sent for cancellation automatically. | Object | N/A |
| `cancelOn.cvcNotMatched` | ✅ | A value when specified allows you to continue to sent for settlement. By default a payment will be sent for cancellation if the CVC is not matched and there is nothing to specify for the default behaviour. | String | N/A |
| `expiry` | ❌ | Allows you to configure the duration your customer can access the payment link. If not provided, defaults to 3600 seconds. | Object | min 300 seconds - max 2,592,000 seconds |
| `customisation_id` | ❌ | A unique value that identifies which customization should be used for this transaction. Set it to null to use the default customization. | String | 21 characters |
| `locale` | ❌ | When we receive one of the supported locale values, the payment pages are loaded in the language of the locale. If locale is not specified, the payment pages load in English. | String | Maximum of 5 characters |
| `hostedCustomization` | ❌ | An object containing CSS customization. | String | N/A |
| `hostedProperties` | ❌ | An object containing functional properties customization. | String | N/A |
### Risk data
There are three `riskData` objects you can include in your request:
#### Account
| Parameter | Description |
| --- | --- |
| `account` | Object containing all customer account related risk data. |
| `account.previousSuspiciousActivity` | truefalse |
| `account.type` | `guestUser` - Order placed without full merchant account registration (no password) `registeredUser`- Order placed with full merchant account registration (password entered)`federatedAccount` - Using a Federated ID `issuerCredentials`- Using issuer credentials`thirdPartyAuthentication` - Using third party authentication`fidoAuthenticator` - FIDO authentication standard |
| `account.email` | The customer's email address. |
| `account.history.createdAt` | When the account was created. |
| `account.history.modifiedAt` | When the account was last modified. |
| `account.history.passwordModifiedAt` | When the account password was last changed. |
| `account.history.paymentAccountEnrolledAt` | Date the payment account was added to the cardholder account. |
#### Transaction
| Parameter | Description |
| --- | --- |
| `transaction` | Object containing all customer transaction related risk data. |
| `transaction.reorder` | Repeat of a previous order :truefalse |
| `transaction.preOrderDate` | Expected date that a pre-ordered purchase will be available. |
| `transaction.firstName` | Customer's first name. |
| `transaction.lastName` | Customer's last name. |
| `transaction.phoneNumber` | Customer's phone number. |
| `transaction.history` | Object containing details of the last transaction. |
| `history.attemptsLastDay` | Number of transactions (successful or abandoned) for this cardholder account within the last 24 hours. |
| `history.attemptsLastYear` | Number of transactions (successful or abandoned) for this cardholder account within the last year. |
| `history.completedLastSixMonths` | Number of purchases with this customer account during the previous six months. |
| `history.addCardsLastDay` | Number of attempts to add a card in the last 24hrs. |
| `history.shippingAddressFirstUsedAt` | When the shipping address used for the transaction was first used. |
| `transaction.giftCardsPurchase` | If the order is being used to purchase a gift card. |
| `giftCardsPurchase.totalValue.currency` | The three digit currency code. See list of [supported currencies. If provided must include `totalValue.amount`. |
| `giftCardsPurchase.totalValue.amount` | The amount being placed on the gift card. If provided, must include `totalValue.currency`. |
| `giftCardsPurchase.quantity` | The number of gift cards being purchased. |
| `transaction.threeDS` | Object containing information relating to whether 3DS is turned off. |
| `threeDS.type` | A value allowing you to turn off 3DS. The default is "on". |
| `transaction.fraud` | Object containing information relating to whether FraudSight is turned off. |
| `fraud.type` | A value allowing you to turn off FraudSight. The default is "on". |
#### Shipping
| Parameter | Description |
| --- | --- |
| `shipping` | Object containing all data related to how the order will be shipped. |
| `shipping.nameMatchesAccountName` | Customer name on account is identical to the shipping name:
|
| `shipping.method` | - `billingAddress` - Ship to customers billing address
- `verifiedAddress`- Ship to another verified address on file with merchant
- `otherAddress`- Ship to address that is different than billing address
- `store` - Ship to store (store address should be populated on request)
- `digital` - Digital goods
- `unshippedTickets` - Travel and event tickets, not shipped
- `other` - Other
|
| `shipping.timeFrame` | - `electronic`
- `sameDay`
- `nextDay`
- `twoDaysPlus`
|
| `shipping.email` | The email address used for an electronic delivery. |
| `shipping.address` | An object containing the shipping address information. **If included, you must send** at least:- `address1`
- `city`
- [countryCode](/products/reference/supported-countries-currencies#iso-country-codes)`postalCode` |
#### Example
{
"transactionReference": "MyTransaction123",
"merchant": {
"entity": "POxxxxxxxxx"
},
"narrative": {
"line1": "line1"
},
"value": {
"currency": "GBP",
"amount": 123
},
"description": "Mind Palace Ltd",
"billingAddressName": "Sherlock Holmes",
"billingAddress": {
"firstName": "John",
"lastName": "Watson",
"address1": "221B Baker Street",
"address2": "Marylebone",
"address3": "Westminster",
"postalCode": "NW1 6XE",
"city": "London",
"state": "Greater London",
"countryCode": "GB"
},
"resultURLs": {
"successURL": "https://mindpalace-website/result/success",
"pendingURL": "https://mindpalace-website/result/pending",
"failureURL": "https://mindpalace-website/result/failure",
"errorURL": "https://mindpalace-website/result/error",
"cancelURL": "https://mindpalace-website/result/cancel",
"expiryURL": "https://mindpalace-website/result/expiry"
},
"riskData": {
"shipping": {
"firstName": "James",
"lastName": "Moriarty",
"address": {
"city": "Durham",
"address1": "The Palatine Centre",
"address2": "Durham University",
"address3": "Stockton Road",
"state": "County Durham",
"countryCode": "GB",
"postalCode": "DH1 3LE",
"phoneNumber": "01189998819999197253"
},
"method": "verifiedAddress",
"nameMatchesAccountName": false,
"email": "james.moriarty@example.com",
"timeFrame": "nextDay"
},
"custom": {
"string1": "foo",
"number1": "1",
"string2": "foo",
"number2": "1",
"string3": "foo",
"number3": "1",
"string4": "foo",
"number4": "1",
"string5": "foo",
"number5": "1",
"string6": "foo",
"number6": "1",
"string7": "foo",
"number7": "1",
"string8": "foo",
"number8": "1",
"string9": "foo",
"number9": "1"
},
"account": {
"shopperId": "1234",
"dateOfBirth": "1835-04-01",
"history": {
"createdAt": "1876-06-01",
"modifiedAt": "1876-08-13",
"paymentAccountEnrolledAt": "1876-06-01",
"passwordModifiedAt": "1876-06-01"
},
"type": "fidoAuthenticator",
"previousSuspiciousActivity": false,
"email": "sherlock.holmes@example.com"
},
"transaction": {
"firstName": "James",
"lastName": "Moriarty",
"phoneNumber": "01189998819999197253",
"preOrderDate": "1876-08-13",
"reorder": false,
"history": {
"attemptsLastYear": 3,
"completedLastSixMonths": 4,
"attemptsLastDay": 2,
"shippingAddressFirstUsedAt": "1876-06-01",
"addCardsLastDay": 1
},
"giftCardsPurchase": {
"totalValue": {
"amount": 10000,
"currency": "GBP"
},
"quantity": 1
}
}
},
"hostedCustomization": {
"fonts": {
"family": [
"Comic Sans MS"
]
},
"buttons": {
"backgroundColor": "#ff0",
"border": {
"style": "solid",
"color": "#0ff",
"width": "3px",
"radius": "0px"
},
"hover": {
"backgroundColor": "#ddf"
},
"focus": {
"backgroundColor": "#dfd"
}
},
"inputs": {
"backgroundColor": "#ffffff",
"border": {
"style": "solid",
"width": "2px",
"radius": "2px",
"color": "#fff"
},
"placeholder": {
"color": "#001"
},
"hover": {
"backgroundColor": "#ff0000",
"color": "#7f0000",
"border": {
"color": "#0ff"
}
},
"focus": {
"backgroundColor": "#0240ff",
"color": "#001f7f",
"border": {
"color": "#0ff"
}
},
"validation": {
"ok": {
"color": "#00f"
},
"error": {
"color": "#f00"
}
}
},
"page": {
"backgroundColor": "#333",
"color": "#fff"
}
},
"hostedProperties": {
"showBillingAddress": "EDIT",
"showShippingAddress": "HIDE",
"showCountryList": "false",
"showLanguageList": "false",
"showContactDetails": "HIDE",
"sendURLParameters": "true",
"showPoweredByWorldPay": "true",
"showCancelButton": "true",
"showChangePaymentMethodButton": "false",
"disableStrictUrls": "true",
"showHeader": "true",
"showFooter": "true",
"showCardIcons": "false",
"paymentButtonLabel": "makePayment",
"showCardholderName": "true",
"showPaymentDetailsHeader": "true",
"passBackErrorReasons": "true",
"maskCardDetails": "false",
"googlePayButtonColour": "black",
"googlePayButtonLabel": "long",
"applePayButtonType": "plain",
"applePayButtonStyle": "black"
},
"settlement": {
"auto": true,
"cancelOn": {
"cvcNotMatched": "disabled"
}
},
"expiry": "600"
}
## Response
You receive:
* a `url` element to redirect your customer to the payment pages and complete the payment
* a `href` element to query for next action links once a payment has been made
Important
Worldpay's Hosted Payment Pages use and switch traffic between multiple domains. To prevent disruptions in service, do not whitelist domains.
Info
In case of an error, you can get further information in our [error reference](/products/reference/worldpay-error-responses).
**Next steps**
[Redirect your customer](/products/hosted-payment-pages/redirect-your-customer)