บริการชำระค่าสินค้าและบริการ แบบ App to App

บริการรับชำระค่าสินค้าและบริการ ที่มีการเชื่อมต่อระหว่าง Company App กับ Bangkok Bank Mobile App (Deep Link) ในรูปแบบ API

API Security

Bangkok Bank leverages several security and authentication protocols for the safeguard of all parties involved. This section describes the OAuth (open-standard Authorization) protocol and JWT (JSON Web Token) standards that we require you to adhere to harness this API.

Prerequisites:

  • Merchants must be registered with Bangkok Bank developer portal to obtain the Consumer ID and Consumer secret keys for application integration purposes.
  • Always use HTTPS (TLS 1.2) to ensure the security of data in transit.
  • Keep your consumer secret and access tokens always secure.
  • Access tokens should be handled and stored securely, and never exposed to unauthorized parties.

Digital Signature & Structure (JWT)

JSON Web Token (JWT) is a fundamental security component for Bangkok Bank APIs. In every API request to the Bangkok Bank API Gateway, inclusion of a JWT in the header is crucial. This token, resulting from payload encryption using the merchant's private key, undergoes verification by Bangkok Bank using the merchant-provided public key. This process ensures the validity of the request, augmenting our OAuth Authentication for dual-layer security against cyber threats such as man-in-the-middle attacks.

In general, JSON Web Tokens (JWTs) consist of three main components: the Token Header, the Token Payload, and the Signature. These components work together to encode information securely for transmission between parties.

Understanding how Bangkok Bank implements JWT is crucial for successful integration. The following steps outline what are required from a developer's perspective:

  1. Preparing the Public and Private Key pair
    • Before initiating any API requests, merchants need to generate a secure Public and Private Key pair. These keys will be crucial for the cryptographic operations involved in JWT processing.
  2. Preparing the Payload
    • As part of an API request, merchants construct a JSON payload containing essential information. This JSON payload serves as the basis for the JWT claim and carries details pertinent to the specific request.
    • This JSON payload is used as the JWT claim.
  3. Generating the JWT
    • The merchant uses their private key to sign the JWT. This involves encoding the header and payload, concatenating them, and then applying the signature algorithm using the private key.
    • The result is the JWT.
  4. Verifying the JWT
    • Bangkok Bank, upon receiving the API request, uses the merchant's public key to verify the JWT.
    • The signature is verified, and claims within the payload are extracted and validated.

Remark:

  • The signature token follows the standard JSON Web Token format RFC 7519

By following these steps, merchants can seamlessly integrate JWT authentication with Bangkok Bank's API, ensuring secure and reliable communication. It is recommended to securely store and manage the generated keys throughout the implementation process.

For more details on how to generate JWT for Digital Signature, please refer to our guide here.

Generate Access Token (OAuth Client Credential)

Bangkok Bank’s Authorization follows OAuth v2.0 client credentials grant type to secure authentication between servers. The following flow diagram illustrates the client’s credentials flow with Bangkok Bank API Gateway serving as the authorization server.

A request is made to Bangkok Bank API Gateway (the API proxy), and Bangkok Bank API Gateway is responsible for validating the access token before passing the API call along to the target backend systems.

Here is the summary of the steps required to implement the client credentials code grant type.

  1. Client requests an access token
    To receive an access token, the client POSTs an API call to Bangkok Bank API Gateway with the values for consumer ID and consumer secret obtained from a registered developer app.
  2. Bangkok Bank API Gateway validates the credential
    The API calls are sent to the OAuth service. This endpoint has a policy attached to it that validates the app's credentials from the client. This policy validates whether a client application is authorized or not.
  3. Bangkok Bank API Gateway validates the credential
    If the credentials are valid, Gateway then returns an access token to the client valid for 24 hours. If not, an error is returned.

With a valid access token, the client can make calls to the protected API.

POST /oauth/accesstoken

Web Services: RESTful JSON

HTTP Method: POST

Character encoding: UTF-8

Content Type: application/x-www-form-urlencoded

Request URL

  • Sandbox:
    https://api-sandbox.bangkokbank.com/oauth/accesstoken
  • PROD:
    https://api.bangkokbank.com/oauth/accesstoken

Request Headers

ParameterTypeSizeMandatoryDescriptionExample/Values
AuthorizationString100YBasic authentication

Token encode with Base64
String = {consumerKey}:{consumerSecret}

Basic {token}
Basic c3FIOG9vSGV4VHoAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ

Request Body

ParameterTypeSizeMandatoryDescriptionExample/Values
grant_typeString20YOAuth grant typeclient_credentials
scopeString50NScope of access proxyREAD CREATE

Request Example

curl --request POST 'https://{{api-host}}/oAuth/accesstoken' \
--header 'Authorization: Basic QkF6V29tNGxLa3VVTjdNVVYxTFlPR2hyMllkS0ZoUVc6R01idmJScVRYN3NrT1FWVQ==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=CREATE READ' \
--data-urlencode 'grant_type=client_credentials'

Response Body

ParameterTypeSizeMandatoryDescriptionExample/Values
accessTokenString100YToken for call APIds9PIkzbNwXffsDHLPW4auli0NAN
expiresInString100YTime to expire token86399
scopeString100YScope tokenREAD CREATE

Response Body Example (Success)

{
    "accessToken": "ds9PIkzbNwXffsDHLPW4auli0NAN",
    "expiresIn": "86399",
    "scope": "READ CREATE"
}

Response Body Example (Failure)

{
    "responseCode": "1001",
    "responseMesg": "grant_type not found"
}
 

API Overview & Specification

App2App Payment Initiation

Using App2App payment initiation API, Merchants can request to create payment deep links for their order transaction in order to allow their customers to pay via Bangkok Bank mobile application.

App2App Notification

Using App2App Notification API, Bangkok Bank system will send the payment confirmation notification to merchant's system via provided notification endpoint during onboarding. This API provides merchant's system with near real-time status about the status of payment transactions completed through the deep-link.

App2App Get Payment Request

Using this API, Merchants can request to inquire payment status for particular payment request ID.

POST /apptoapp/v1/paymentinitiation/payment-requests

Web Services: RESTful JSON

HTTP Method: POST

Character encoding: UTF-8

Content Type: application/json

Authorization: Bearer authentication (OAuth token Client Credential grant type)

Request URL

  • Sandbox:
    https://api-sandbox.bangkokbank.com/apptoapp/v1/paymentinitiation/payment-requests
  • PROD:
    https://api.bangkokbank.com/apptoapp/v1/paymentinitiation/payment-requests

Request Headers

ParameterTypeSizeMandatoryDescriptionExample/Values
AuthorizationString100YAccess token of OAuth token Client Credential type

Bearer {accessToken}
Bearer 3CMwLhLwOZL3mKOI6iJoKNs3Q4NA
SignatureString YDigital Signature sign with JWT RSA256eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJqadEIuNEPkxgfD8fzh2TlfOKVXwNGVr_p9TTCGkJ672MbkSoJZqcQVi-Pm-IaVX7hE8…

Request Body

ParameterTypeSizeMandatoryDescriptionExample/Values
serviceCodeString12YService code of the PayeeBBLTest
billerIdString15YTaxId and Suffix of the Payee123456789012345
reference1String20YFirst Reference number of the transaction from Partner1124579998
reference2String20NSecond Reference number of the transaction from Partner22555347
totalAmountDecimal11YTotal amount (2 decimal digits), support Thai currency only

Max is 999999999.99
114.00
shopImageFileString NShop Image in base64 format, photo size is not more than 30 KB 
shopNameString75YShop nameABC Shop
osPlatformString10Y
Mobile OS platform

(Capital Letter and Sensitive Case)
Android:
ANDROID
iOS:
IOS
currencyCodeString3YCurrency CodeTHB
shippingFeeDecimal8NOrder shipping fee (2 decimal digits)

Max is 999999.99
30.00
buyerNameString75NName of CustomerCustomer
promotionCodeString255NPromotion CodeBBLSAV10
partnerAppUrlString512N
Android:
Always send this value "APP2APP"
iOS:
Format BundleID://Path_Destination
WebSite:
Must start with https
Android:
APP2APP
iOS:
com.bangkokbank.mobilepartnersandbox://payment
WebSite:
https://payment.BBLTest/result
transTypeString20Y
Transaction type:
  • If Client is Mobile Application(Android,iOS) then always send this value "APP2APP"
  • If Client is WebSite then always send this value "WEB2APP"
Android:
APP2APP
iOS:
APP2APP
WebSite:
WEB2APP
additionalInfoObject N  
additionalInfo[]
.name
String32YKey

Not allowed emoji and these characters $?!{}#%=|~<>;•
Exchange Rate
additionalInfo[]
.value
String255YValue

Not allowed emoji and these characters $?!{}#%=|~<>;•
32.123THB

Request Body Example

{
    "transType": "APP2APP",
    "serviceCode": "BBLTest",
    "billerId": "123456789012345",
    "reference1": "123456789",
    "reference2": "78897",
    "totalAmount": 114.00,
    "shopName": "ABC Shop",
    "osPlatform": "ANDROID",
    "currencyCode": "THB",
    "buyerName": "Customer",
    "shippingFee": 30.00,
    "partnerAppUrl": "APP2APP",
    "promotionCode": "BBLSAV10",
    "shopImageFile": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAgAAAAIACAMAAADDpiTIAAAAA3NCSVQICAjb4U/gAAAACXBIWXMAAJOjAACTowHRsvDGAAAAGXRFWHRTb2Z0d2FyZQB3d3cuaW5rc2NhcGUub3Jnm+48GgAAAvFQTFRF////AAAAAAAAAAA==",
    "additionalInfo": [
        {
            "name": "Exchange Rate",
            "value": "32.123THB"
        }
    ]
}

Request Example

curl --request POST 'https://{{api-host}}/apptoapp/v1/paymentinitiation/payment-requests' \
--header 'Authorization: Bearer {{access-token}}' \
--header 'Signature: {{request-signature}}' \
--header 'Content-Type: application/json' \
--data-raw '{
    "serviceCode":"BBLTest",
    "billerId":"123456789012345",
    "reference1":"1124579998",
    "reference2":"78897",
    "totalAmount":114.00,
    "shopImageFile": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAgAAAAIACAMAAADDpiTIAAAAA3NCSVQICAjb4U/gAAAACXBIWXMAAJOjAACTowHRsvDGAAAAGXRFWHRTb2Z0d2FyZQB3d3cuaW5rc2NhcGUub3Jnm+48GgAAAvFQTFRF////ErkJxxx==",
    "shopName":"ABC Shop",
    "osPlatform":"ANDROID",
    "currencyCode":"THB",
    "shippingFee":30.00,
    "buyerName":"Customer",
    "promotionCode":"BBLSAV10",
    "partnerAppUrl":"APP2APP",
    "transType":"APP2APP"
}'

Response Body

ParameterTypeSizeMandatoryDescriptionExample/Values
responseCodeString3YResponse Code000
responseMesgString50YResponse Messagesuccess
paymentRequestIdString50NPayment request reference ID generated by BBL8E17E5D0-4B67-4BFB-AC48-4C57DF8369E
bankAppUrlString512NURL for partner application use to switch to the mobile banking applicationbualuangmbanking://mbanking.payment?paymentRequestId={0}&app2appToken={1}
expiryDateDatetime512NThe transaction will be expired within 24 hours2017-03-15T15:23:11.001+07:00
additionalInfoObject[] N  
additionalInfo[]
.name
String32YKey

Not allowed emoji and these characters $?!{}#%=|~<>;•
Exchange Rate
additionalInfo[]
.value
String255YValue

Not allowed emoji and these characters $?!{}#%=|~<>;•
32.123THB
apptoappTokenString2048N eyJbGci0iJSUzI1NiIsImtpZCI6IkY5MUJ
 

POST {MERCHANT_NOTIFICATION_URL}

Web Services: RESTful JSON

HTTP Method: POST

Character encoding: UTF-8

Content Type: application/json

Authorization: Basic Authentication. Format Basic (Base64Encode(username:password))

Request URL

  • PROD:
    {MERCHANT_NOTIFICATION_URL}

Request Headers

ParameterTypeSizeMandatoryDescriptionExample/Values
AuthorizationString100YBasic authentication

Token encode with Base64
String = {username}:{password}

Basic {token}
Basic c3FIOG9vSGV4VHoAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ
SignatureString YDigital Signature sign with JWT RSA256 

Request Body

ParameterTypeSizeMandatoryDescriptionExample/Values
dataObject    
data
.paymentRequestId
String50YPayment request reference ID generated by BBL8E17E5D0-4B67-4BFB-AC48-4C57DF8369E
data
.serviceCode
String12YService code of the PayeeBBLTest
data
.billerId
String15YTaxId and Suffix of the Payee123456789012345
data
.reference1
String30YFirst Reference number of the transaction from Partner123456789
data
.reference2
String30NSecond Reference number of the transaction from Partner20171106151550
data
.totalAmount
Decimal11NTotal amount (2 decimal digits), support Thai currency only

Max is 999999999.99
114.00
data
.currencyCode
String3NCurrency CodeTHB
data
.paymentStatus
String10YA customer payment transaction statusrejected
data
.paymentDateTime
String NData and Time of the successful payment transaction2023-03-31T15:23:11.001+07:00
data
.paymentReferenceID
String6NReference ID of the successful payment transaction from BBL234ABB58CC000
data
.slipImage
String NBBL slip in base64 format of the successful payment transaction 
typeString  Application type

Fixed Value: AppToApp
AppToApp

Request Body Example

{
    "data": {
        "paymentRequestId": "8E17E5D0-4B67-4BFB-AC48-4C57DF8369E",
        "serviceCode": "BBLTest",
        "billerId": "123456789012345",
        "reference1": "123456789",
        "reference2": "78897",
        "totalAmount": 114.00,
        "currencyCode": "THB",
        "paymentStatus": "rejected",
        "paymentDateTime": "2023-03-31T15:23:11.001+07:00",
        "paymentReferenceID": "234ABB58CC000",
        "slipImage": null
    },
    "type": "AppToApp"
}

Response Body

ParameterTypeSizeMandatoryDescriptionExample/Values
responseCodeString3YResponse Code000
responseMesgString50YResponse Messagesuccess

Response Body Example

{
    "responseCode": "000",
    "responseMesg": "Success"
}
 

GET /apptoapp/v1/paymentinitiation/payment-requests/{paymentRequestId}

Web Services: RESTful JSON

HTTP Method: GET

Character encoding: UTF-8

Content Type: application/json

Authorization: Bearer authentication (OAuth token Client Credential grant type)

Request URLs

  • Sandbox:
    https://api-sandbox.bangkokbank.com/apptoapp/v1/paymentinitiation/payment-requests/{paymentRequestId}
  • PROD:
    https://api.bangkokbank.com/apptoapp/v1/paymentinitiation/payment-requests/{paymentRequestId}

Request URL Path and Query Parameter

ParameterTypeSizeMandatoryDescriptionExample/Values
paymentRequestIdString50YPayment request reference ID generated by BBL4D13BE6A-DAAF-4E2F-A7A9-2558160C8422

Request Headers

ParameterTypeSizeMandatoryDescriptionExample/Values
AuthorizationString100YBearer {accessToken}Bearer 6LJQPMEMnrSGgEr7aAWszZaTAnZL

Request Example

curl --request GET 'https://api-sandbox.bangkokbank.com/apptoapp/v1/paymentinitiation/payment-requests/4D13BE6A-DAAF-4E2F-A7A9-2558160C8422' \
--header 'Authorization: Bearer 6LJQPMEMnrSGgEr7aAWszZaTAnZL'

Response Body

ParameterTypeSizeMandatoryDescriptionExample/Values
responseCodeString4YResponse Code10003
responseMesgString100YResponse Messageinvalid format
dataObject    
data
.partnerInfo
Object NPartner Info Detail 
data
.partnerInfo
.partnerName
String   app2apppayment
data
.partnerInfo
.partnerId
String   BBLTest
data
.partnerInfo
.serviceCode
String  Service code of the PayeeBBLTest
data
.partnerInfo
.taxIdSuffix
String  TaxId and Suffix of the Payee123456789012345
data
.paymentInfo
Object NPayment Info Detail 
data
.paymentInfo
.paymentRequestId
String  Payment request reference ID generated by BBL in the “Payment Initiation” API8E17E5D0-4B67-4BFB-AC48-4C57DF8369E
data
.paymentInfo
.paymentReferenceId
String  Reference ID of the successful payment transaction from BBL234ABB58CC000
data
.paymentInfo
.paymentStatus
String  A customer payment transaction statusrejected
data
.paymentInfo
.transType
String  
Transaction type:
  • If Client is Mobile Application(Android,iOS) then always send this value "APP2APP"
  • If Client is WebSite then always send this value "WEB2APP"
Android:
APP2APP
iOS:
APP2APP
WebSite:
WEB2APP
paymentInfo
.createdDateTime
Datetime  Data and Time of the payment creation2022-05-05T18:05:30.68
data
.paymentInfo
.paymentDateTime
Datetime  Data and Time of the successful payment transaction2023-03-31T15:23:11.001+07:00
data
.paymentInfo
.expiryDate
Datetime  The transaction will be expired within 24 hours2022-05-05T18:05:30.68
data
.paymentInfo
.slipImage
String  BBL slip in base64 format of the successful payment transaction 
data
.paymentInfo
.shopName
String  Shop nameABC Shop
data
.paymentInfo
.currencyExponent
Decimal  Decimal0
data
.paymentInfo
.reference1
String  First Reference number of the transaction from Partner1124579998
paymentInfo
.reference2
String  Second Reference number of the transaction from Partner22555347
data
.paymentInfo
.totalAmount
Decimal  Total amount (2 decimal digits), support Thai currency only

Max is 999999999.99
114.00
data
.paymentInfo
.currencyCode
String  Currency CodeTHB
data
.paymentInfo
.shopImage
String    
data
.paymentInfo
.shopImageFile
String  Shop Image in base64 format 
data
.additionalInfo
Object[]    
data
.additionalInfo[]
.name
String  Key

Not allowed emoji and these characters $?!{}#%=|~<>;•
Exchange Rate
data
.additionalInfo[]
.value
String  Value

Not allowed emoji and these characters $?!{}#%=|~<>;•
32.123THB
data
.callback
Object    
data
.callback
.osPlatform
String  
Mobile OS platform

(Capital Letter and Sensitive Case)
Android:
ANDROID
iOS:
IOS
data
.additionalInfo[]
.partnerAppUrl
String  
Android:
Always send this value "APP2APP"
iOS:
Format BundleID://Path_Destination
WebSite:
Must start with https
Android:
APP2APP
iOS:
com.bangkokbank.mobilepartnersandbox://payment
WebSite:
https://payment.BBLTest/result

Response Body Example (Success)

{
    "responseCode": "000",
    "responseMesg": "Success",
    "data": {
        "partnerInfo": {
            "partnerName": "app2apppayment",
            "partnerId": "BBLTest",
            "serviceCode": " BBLTest",
            "taxIdSuffix": "123456789012345"
        },
        "paymentInfo": {
            "paymentRequestId": "8E17E5D0-4B67-4BFB-AC48-4C57DF8369E",
            "paymentReferenceId": "234ABB58CC000",
            "paymentStatus": "rejected",
            "transType": "APP2APP",
            "createdDateTime": "2022-05-05T18:05:30.68",
            "paymentDateTime": null,
            "expiryDate": "2022-05-05T18:05:30.68",
            "slipImage": null,
            "paymentAccount": null,
            "shopName": "ABC Shop",
            "currencyExponent": 0,
            "reference1": "123456789",
            "reference2": "78897",
            "totalAmount": 114.00,
            "currencyCode": "THB",
            "shopImage": "https://www.image.com/mockup/123456",
            "shopImageFile": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAgAAAAIACAMAAADDpiTIAAAAA3NCSVQICAjb4U/gAAAACXBIWXMAAJOjAACTowHRsvDGAAAAGXRFWHRTb2Z0d2FyZQB3d3cuaW5rc2NhcGUub3Jnm+48GgAAAvFQTFRF////U5ErkJxxx=="
        },
        "additionalInfo": [
            {
                "name": "Exchange Rate",
                "value": "32.123THB"
            }
        ],
        "callback": {
            "osPlatform": "ANDROID",
            "partnerAppUrl": "com.bangkokbank.mobilepartnersandbox://payment"
        }
    }
}

Response Code

HTTP Status CodeResponse CodeResponse Message
2000000Success
2000215Invalid Token
4001001Required field not found (specific field name in error message)
4001002Field exceed maximum length (specific field name in error message)
4001003Invalid format (specific field name in error message)
4001005Payment request id not found
4001006Shop image to large
500500Others
 

Response HTTP Status

HTTP StatusReason Phrase
200Success
400Bad Request
401Unauthorized
403Forbidden
400Bad Request
404Resource not found
429Too many requests
500Internal Error
503/504Service Unavailable