Endpoint Reference Guide
| No | Endpoint | HTTP Method | Authorization | Description |
|---|---|---|---|---|
| 3.1. | /pws/paymentSet | GET | AccessToken required | Lists defined payment sets, POS terminals, and rates. |
| 3.2.1. | /pws/paymentOptions | GET | AccessToken required | Lists POS installment/commission rates for the specified currency and payment set. |
| 3.2.2. | /pws/paymentOptions/{BinNumber} | GET | AccessToken required | Returns a filtered list of POS terminals and rates based on the BIN number. |
| 3.3. | /pws/payment | POST | AccessToken required | Initiates and completes a 3D or non-3D payment request. |
| 3.4. | /pws/payment/transaction | GET / POST | AccessToken required | Retrieves payment transaction details using the specified referenceNumber or transactionId. Compatible with ERP GetPayment. |
| 3.5. | /pws/payment/cancel | POST | AccessToken required | Cancels a successful transaction using the specified referenceCode. |
| 3.6. | /pws/payment/refund | POST | AccessToken required | Performs a full or partial refund using the specified referenceCode. |
Additional Information
| Category | Description |
|---|---|
| Authentication | Bearer Token (AccessToken) is mandatory for all services. The token must be obtained from the Payment service. |
| Data Format | Requests and responses are sent in application/json format with the UTF-8 character set. |
| Security | All requests must be made over HTTPS (TLS 1.2+). Card information is masked in accordance with PCI-DSS requirements. |
| Environment Information | • Sandbox (Test): https://pgw.netahsilatdemo.com • Prod (Live): https://pgw.netahsilat.com |
| Timestamp | Date/time fields are returned in ISO 8601 format (yyyy-MM-ddTHH:mm:ss.fffZ). |
| Currency | The currencyCode parameter follows the ISO 4217 standard (e.g., TRY, USD, EUR). |
| Installment Limits | Vary by POS; returned under commRates with the installment and processCommRate fields. |
Security Warnings
- Card data must be sent only at the time of payment; storage is prohibited under KVKK and PCI-DSS.
- Real card information must not be used in the test environment.
- Tokens must be generated only with authorized user or dealer credentials.
- Fields such as cardNumber, email, and fullName included in responses must be anonymized in test scenarios.
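One way to apply the last warning to responses captured as test fixtures or logs, as an added example that is not part of the original guide or the provider's own code. The response layout in SAMPLE, the helper names, the key and the replacement formats are assumptions; only the field names cardNumber, email and fullName come from this page.

```python
import hashlib
import hmac
import json

# Field names from the warning above, lowercased for case-insensitive matching.
SENSITIVE_FIELDS = {"cardnumber", "email", "fullname"}
PSEUDONYM_KEY = b"test-fixture-key"  # constructed placeholder, not a real secret

def pseudonym(value, length=10):
    """Keyed, stable token: equal inputs still correlate across fixtures."""
    mac = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]

def mask_card(value):
    """Keep only the last four digits; separators (spaces, dashes) survive."""
    total = sum(c.isdigit() for c in value)
    if total < 8:                      # too short to be a card number: hide all
        return "*" * len(value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= total - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def anonymize(node):
    """Return a scrubbed copy of a decoded JSON response; input is not mutated."""
    if isinstance(node, list):
        return [anonymize(item) for item in node]
    if not isinstance(node, dict):
        return node
    clean = {}
    for key, value in node.items():
        name = key.lower()
        if name in SENSITIVE_FIELDS and isinstance(value, (str, int)):
            text = str(value)          # card numbers sometimes arrive as integers
            if name == "cardnumber":
                clean[key] = mask_card(text)
            elif name == "email":
                clean[key] = f"user-{pseudonym(text)}@example.invalid"
            else:
                clean[key] = f"Test User {pseudonym(text, 6)}"
        else:
            clean[key] = anonymize(value)   # recurse into nested objects/arrays
    return clean

# Constructed sample response; the nesting is assumed, not taken from the API.
SAMPLE = {"referenceCode": "REF-0001",
          "customer": {"fullName": "Jane Doe", "email": "jane.doe@example.com"},
          "card": {"cardNumber": "4111 1111 1111 1111"}}

if __name__ == "__main__":
    print(json.dumps(anonymize(SAMPLE), indent=2))
```
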
Documentation Structure Recommendation
In the full integration documentation, the following order is recommended:
- Basic Information
- Authentication (Obtaining an AccessToken)
- Service Endpoints: all payment APIs from 3.1 to 3.6
- General Error Model & Codes
- Pagination & Filtering Rules
- FAQ (Frequently Asked Questions)
- Appendix: Endpoint Reference Guide (this section)