Core APIs (latest)

Introduction

The Rebilly API is built on HTTP and is RESTful. It has predictable resource URLs and returns HTTP response codes to indicate errors. It also accepts and returns JSON in the HTTP body. Use your favorite HTTP/REST library in your programming language when using this API, or use one of the Rebilly SDKs, which are available in PHP and JavaScript.

Every action in the Rebilly UI is supported by an API which is documented and available for use, so that you may automate any necessary workflows or processes. This API reference documentation contains the most commonly integrated resources.

Authentication

This topic describes the different forms of authentication that are available in the Rebilly API, and how to use them.

Rebilly offers four forms of authentication: secret key, publishable key, JSON Web Tokens, and public signature key.

  • Secret API key: Use to make requests from the server side. Never share these keys. Keep them guarded and secure.
  • Publishable API key: Use in your client-side code to tokenize payment information.
  • JWT: Use to make short-life tokens that expire after a set period of time.

Manage API keys

To create or manage API keys, select one of the following:

For more information on API keys, see API keys.

Errors

Rebilly follows the error response format proposed in RFC 9457, which is also known as Problem Details for HTTP APIs. As with any API responses, your client must be prepared to gracefully handle additional members of the response.

SDKs

Rebilly provides a JavaScript SDK and a PHP SDK to help interact with the Rebilly API. However, no SDK is required to use the API.

Rebilly also provides FramePay, a client-side iFrame-based solution, to help create payment tokens while minimizing PCI DSS compliance burdens and maximizing your customization ability. FramePay interacts with the payment tokens creation operation.

JavaScript SDK

For installation and usage instructions, see SDKs. All JavaScript SDK code examples are included in the API reference documentation.

PHP SDK

For installation and usage instructions, see SDKs. All SDK code examples are included in the API reference documentation. To use them, you must configure the $client as follows:

$client = new Rebilly\Client([
    'apiKey' => 'YourApiKeyHere',
    'baseUrl' => 'https://api.rebilly.com',
]);

Get started

The full Rebilly API has over 500 operations. This is likely more than you may need to implement your use cases. If you would like to implement a particular use case, contact Rebilly for guidance and feedback on the best API operations to use for the task.

To integrate Rebilly, and learn about related resources and concepts, see Get started.

Rate limits

Rebilly enforces rate limits on the API to ensure that no single organization consumes too many resources. Rate limits are applied to the organization, and not to the API key. In sandbox environment, rate limits are enforced for non-GET endpoints and are set at 3000 requests per 10 minutes. You can find the exact number of consumed requests in the X-RateLimit-Limit and X-RateLimit-Remaining headers in the response. If the rate limit is exceeded, the API returns a 429 Too Many Requests response and a X-RateLimit-Retry-After header that includes a UTC timestamp of when the rate limit resets.

Download OpenAPI description
Languages
Servers
Mock server
https://www.rebilly.com/_mock/docs/dev-docs/api/
Sandbox server
https://api-sandbox.rebilly.com/organizations/{organizationId}/
Live server
https://api.rebilly.com/organizations/{organizationId}/

Customers

Use these operations to manage customers. A customer is an entity that purchases goods or services from you (a merchant), and is the payee in any transaction that is credited to you. Customers are associated with payment instruments, subscriptions, invoices, and other related resources.

In other systems, customers may be referred to as accounts, clients, members, patrons, or players. For information on the customer resource, see Resources.

Operations

Customer authentication

Use these operations to validate the identity of users and manage authentication credentials.

Operations

Tags

Use tags to organize and categorize customers or KYC documents based on keywords.

Operations

Customers timeline

Use customer timelines to maintain an audit trail of changes and activity for each customer.

Operations

Payment instruments

Use these operations to manage payment instruments. Payment instrument is a term which describes any means of making a digital payment, such as: credit cards, debit cards, direct debits, payment service providers, and digital wallets.

For more information on payment instruments, see Payment instruments.

OperationsWebhooks

Payment tokens

Use payment tokens to reduce the scope of PCI DSS compliance.

A payment token can be made using a different authentication scheme (public key authentication), which enables you to create a payment token directly from the browser. This bypasses the need to send sensitive cardholder info to your servers. We recommend using this with the FramePay library, which helps you integrate a form into this API resource and create payment tokens.

Operations

Transactions

Use these operations to:

  • set up payment instruments for payments
  • authorize and hold funds
  • capture funds
  • make payments
  • make payouts
  • refund transactions.
Operations

Ready to pay

Request

Retrieves available payment methods for a specific transaction or purchase.

The order in which the payment methods are displayed to the customer should be the same as the order in the response.

The list of payment methods is generated from available gateway accounts and the last matched adjust-ready-to-pay action on the ready-to-pay-requested event. If no rules match for the specific request, all methods supported by the gateway accounts are sent.

To invert this behavior, place an all matching rule at the end of the ready-to-pay-requested event in the rules engine, and include an empty paymentMethods property for the adjust-ready-to-pay action.

For more information, see Update event rules and Gateway accounts.

Bodyapplication/json
One of:
websiteIdstring(WebsiteId)<= 50 charactersrequired
currencystring(CurrencyCode)= 3 charactersrequired

Currency code in ISO 4217 format.

amountnumber(double)required

Amount to pay.

billingAddressobject(ContactObject)write-only

Billing address.

riskMetadataobject(RiskMetadata)required

Risk metadata used for 3D Secure and risk scoring.

riskMetadata.​ipAddressstring or null(ipv4 or ipv6)

Customer's IP address.

Example: "93.92.91.90"
riskMetadata.​fingerprintstring or null<= 50 characters

Customer's device fingerprint. A device fingerprint is a unique token that is used to identify the customer. The device fingerprint is generated based on device attributes, such as: hardware, software, IP address, language, browser, and more.

Example: "pIUt3xbgX3l9g3YDiLbx"
riskMetadata.​httpHeadersHttpHeaders (object) or null
One of:

HTTP headers.

riskMetadata.​browserDataobject or null

Browser data used for 3D Secure and risk scoring.

riskMetadata.​extraDataobject or null

Third-party data used for risk scoring.

customerIdstring(CustomerId)<= 50 characters

ID of the customer resource.

curl -i -X POST \
  https://www.rebilly.com/_mock/docs/dev-docs/api/ready-to-pay \
  -H 'Content-Type: application/json' \
  -H 'REB-APIKEY: YOUR_API_KEY_HERE' \
  -d '{
    "websiteId": "web_0YV7DE4Z26DQSA1AC92FBJ7SEG",
    "currency": "USD",
    "amount": 0.1,
    "billingAddress": {
      "firstName": "Benjamin",
      "lastName": "Franklin",
      "organization": "Rebilly",
      "address": "36 Craven St",
      "address2": "string",
      "city": "Austin",
      "region": "Texas",
      "country": "GB",
      "postalCode": "WC2N 5NF",
      "phoneNumbers": [
        {
          "label": "main",
          "value": "512-710-1640",
          "primary": true
        }
      ],
      "emails": [
        {
          "label": "main",
          "value": "rebilly@example.com",
          "primary": true
        }
      ],
      "dob": "1980-04-01",
      "jobTitle": "CEO"
    },
    "riskMetadata": {
      "ipAddress": "93.92.91.90",
      "fingerprint": "pIUt3xbgX3l9g3YDiLbx",
      "httpHeaders": {
        "Content-Type": "application/json",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
      },
      "browserData": {
        "colorDepth": 24,
        "isJavaEnabled": true,
        "language": "en-US",
        "screenWidth": 1920,
        "screenHeight": 1080,
        "timeZoneOffset": 300,
        "isAdBlockEnabled": true
      },
      "extraData": {
        "kountFraudSessionId": "abcdefg12345abababab123456789012",
        "payPalMerchantSessionId": "dd65ratxc5qv15iph3vyoq7l6davuowa",
        "threatMetrixSessionId": "dd65ratxc5qv15iph3vyoq7l6davuowadd65ratxc5qv15iph3vyoq7l6davuowa"
      }
    },
    "customerId": "cus_0YV7DDSDD1C8DA64KHH2W33CPF"
  }'

Responses

Payment methods retrieved.

Headers
X-RateLimit-Limitinteger

Total number of rate limit tokens for this request within a rate limit period. For more information, see Rate limits.

Example: 3600
X-RateLimit-Remaininginteger

Remaining number of rate limit tokens for this request within the rate limit period. For example, in the sandbox environment, rate limits for non-GET endpoints are set at 3000 requests per 10 minutes.

Example: 3600
Bodyapplication/jsonArray [
methodstringrequired

Payment method.

Value"payment-card"
Discriminator
featurePaymentCardFeature (object) or null

Specific feature of this method. For example, a digital wallet. If the method does not have any features, this value is null.

One of:

Specific feature of this method. For example, a digital wallet. If the method does not have any features, this value is null.

brandsArray of strings(PaymentCardBrand)non-empty

List of supported brands.

Items Enum"Visa""MasterCard""American Express""Discover""Maestro""Solo""Electron""JCB""Voyager""Diners Club"
filtersArray of strings(ReadyToPayMethodFilters)

For the method to be applicable, one or more of the following filters must match. If no filters are sent, no restrictions are applied. For more information, see Using filters.

]
Response
application/json
[ { "method": "payment-card", "feature": { … }, "brands": [ … ], "filters": [ … ] } ]

Create a transaction

Request

Creates a transaction of type sale, authorize or setup.

Use this operation for the following transactions.

Real-time decision and response

In this transaction, you send a request and inspect the result of the response for approved or declined.

User approval/interaction required

In this transaction, user approval is required to complete the transaction. User approval generally requires the user to interact with a third party, and is common in many transactions for alternative methods. For example, PayPal requires user permission to complete a payment or to accept a billing agreement. Payment cards may also require user approval for 3D secure authentication.

If approval is required, you receive a response with a result value of unknown and a status value of waiting-approval. The _links property of the response has a link for the approvalUrl. Open the approvalUrl in an iframe or in a pop. A pop is a better workflow for mobile devices.

Query
expandstring

Expands a request to include embedded objects within the _embedded property of the response. This field accepts a comma-separated list of objects.

For more information, see Expand to include embedded objects.

Bodyapplication/jsonrequired

Transaction resource.

upsertCustomerbooleanwrite-only

Specifies whether to create or update (upsert) a customer. If this value is true, the operation creates or updates (upserts) a customer. If this value is false, the customerId already exists, and the related customer is not updated.

Default false
typestringrequired

Type of transaction.

This field supports a limited subset of transaction types. To refund or void, see Refund a transaction.

To capture, use the sale type. If any existing authorize transactions are eligible, they are captured and the sale converts to a capture type.

The setup type sets up the payment instrument by following the setupInstruction in the selected gateway account. If the instruction is to do-nothing, a transaction with result approved of type setup returns.

Enum"sale""authorize""setup"
limitsobject or null(TransactionLimitAmount)

Transaction amount limit information.

websiteIdstring(WebsiteId)<= 50 charactersrequired
customerIdstring(CustomerId)<= 50 charactersrequired

ID of the customer resource.

currencystring(CurrencyCode)= 3 charactersrequired

Currency code in ISO 4217 format.

amountnumber(double)required

Amount of the transaction.

Example: 97.97
invoiceIdsArray of strings or null(ResourceId)

Array of invoice IDs.

Example: ["4f6cf35x-2c4y-483z-a0a9-158621f77a21"]
paymentInstructionPayment token (object) or Payment instrument (object) or Payment Methods (object) or Payment card (object) or Bank account (object)(PaymentInstruction)
One of:

Payment instruction for the purchase. If this value is not supplied, the customer's default payment instrument is used.

billingAddressContactObject (object) or null

Billing address. If this value is not supplied, the billing address associated with the payment instrument is used. If no billing address is associated with the payment instrument, the customer's billing address is used.

One of:

Billing address. If this value is not supplied, the billing address associated with the payment instrument is used. If no billing address is associated with the payment instrument, the customer's billing address is used.

requestIdstring or null<= 50 characters^[\-\w]+$

Use this field to prevent duplicate transaction requests that may occur within a short period of time. If a duplicate request is sent with the same requestId, it is ignored to prevent double-billing. This value must be unique within a 24-hour period.

Important: This field is recommended.

Example: "44433322-2c4y-483z-a0a9-158621f77a21"
gatewayAccountIdstring or null<= 50 characters

ID of the gateway account. Rebilly selects the payment gateway account for the transaction based on transaction properties and the rules configuration of the gateway-account-requested event. To prevent Rebilly from making the gateway account selection, supply a gateway account ID in this field. Only use this field if you intend to override the settings.

Example: "gw_acc_0YVCXMF26DDNKAERE5NW727S34"
descriptionstring or null<= 255 characters

Payment description.

notificationUrlstring or null(uri)

URL where a server-to-server POST notification is sent. This notification is sent when the transaction result is finalized after a timeout or an offsite interaction.

Do not interpret this notification as a confirmation, complete a GET request to confirm the result of the transaction. To ensure the request is not reattempted, when the result is confirmed, respond with a 2xx HTTP status code.

The following placeholders are available to use in this URI: {id} and {result}. These placeholders are replaced the with the transaction ID and result accordingly.

redirectUrlstring or null(uri)

URL to redirect the end-user when an offsite transaction is completed. Defaults to the configured URL of the website. You may use {id} or {result} as placeholders in the URL, these are replaced the with the transaction ID and result accordingly.

customFieldsobject(ResourceCustomFields)

Use custom fields to extend a resource scheme to include custom data that is not provided as a common field. For more information, see Custom fields.

riskMetadataobject(RiskMetadata)

Risk metadata used for 3D Secure and risk scoring.

isProcessedOutsideboolean

Specifies when the transaction is processed outside Rebilly.

Default false
isMerchantInitiatedboolean

Specifies when the transaction is initiated by the merchant.

Default false
processedTimestring(date-time)

Time the transaction is processed. This field is only specified if the transaction is processed outside Rebilly.

curl -i -X POST \
  'https://www.rebilly.com/_mock/docs/dev-docs/api/transactions?expand=string' \
  -H 'Content-Type: application/json' \
  -H 'REB-APIKEY: YOUR_API_KEY_HERE' \
  -d '{
    "upsertCustomer": false,
    "type": "sale",
    "limits": {
      "amount": 275.35,
      "currency": "USD",
      "resetTime": "2019-08-24T14:15:22Z"
    },
    "websiteId": "web_0YV7DE4Z26DQSA1AC92FBJ7SEG",
    "customerId": "cus_0YV7DDSDD1C8DA64KHH2W33CPF",
    "currency": "USD",
    "amount": 97.97,
    "invoiceIds": [
      "4f6cf35x-2c4y-483z-a0a9-158621f77a21"
    ],
    "paymentInstruction": {
      "token": "string"
    },
    "billingAddress": {
      "firstName": "Benjamin",
      "lastName": "Franklin",
      "organization": "Rebilly",
      "address": "36 Craven St",
      "address2": "string",
      "city": "Austin",
      "region": "Texas",
      "country": "GB",
      "postalCode": "WC2N 5NF",
      "phoneNumbers": [
        {
          "label": "main",
          "value": "512-710-1640",
          "primary": true
        }
      ],
      "emails": [
        {
          "label": "main",
          "value": "rebilly@example.com",
          "primary": true
        }
      ],
      "dob": "1980-04-01",
      "jobTitle": "CEO"
    },
    "requestId": "44433322-2c4y-483z-a0a9-158621f77a21",
    "gatewayAccountId": "gw_acc_0YVCXMF26DDNKAERE5NW727S34",
    "description": "string",
    "notificationUrl": "http://example.com",
    "redirectUrl": "http://example.com",
    "customFields": {
      "foo": "bar"
    },
    "riskMetadata": {
      "ipAddress": "93.92.91.90",
      "fingerprint": "pIUt3xbgX3l9g3YDiLbx",
      "httpHeaders": {
        "Content-Type": "application/json",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
      },
      "browserData": {
        "colorDepth": 24,
        "isJavaEnabled": true,
        "language": "en-US",
        "screenWidth": 1920,
        "screenHeight": 1080,
        "timeZoneOffset": 300,
        "isAdBlockEnabled": true
      },
      "extraData": {
        "kountFraudSessionId": "abcdefg12345abababab123456789012",
        "payPalMerchantSessionId": "dd65ratxc5qv15iph3vyoq7l6davuowa",
        "threatMetrixSessionId": "dd65ratxc5qv15iph3vyoq7l6davuowadd65ratxc5qv15iph3vyoq7l6davuowa"
      }
    },
    "isProcessedOutside": false,
    "isMerchantInitiated": false,
    "processedTime": "2019-08-24T14:15:22Z"
  }'

Responses

Transaction created.

Headers
Locationstring(uri)

Location of the related resource.

Example: "https://api.rebilly.com/example"
X-RateLimit-Limitinteger

Total number of rate limit tokens for this request within a rate limit period. For more information, see Rate limits.

Example: 3600
X-RateLimit-Remaininginteger

Remaining number of rate limit tokens for this request within the rate limit period. For example, in the sandbox environment, rate limits for non-GET endpoints are set at 3000 requests per 10 minutes.

Example: 3600
Bodyapplication/json
idstring(TransactionId)<= 50 charactersread-only

ID of the transaction.

websiteIdstring<= 50 charactersread-only
Example: "web_0YV7DE4Z26DQSA1AC92FBJ7SEG"
customerIdstring<= 50 characters

ID of the customer resource.

Example: "cus_0YV7DDSDD1C8DA64KHH2W33CPF"
typestringread-only

Type of transaction.

Enum"3ds-authentication""authorize""capture""credit""refund""sale""setup""void"
statusstringread-only

Status of the transaction.

Enum"completed""conn-error""disputed""never-sent""offsite""partially-refunded""pending""refunded""sending""timeout"
resultstringread-only

Result of the transaction.

Enum"abandoned""approved""canceled""declined""unknown"
amountnumber(double)read-only

Total amount of the transaction.

currencystring(CurrencyCode)= 3 charactersread-only

Currency code in ISO 4217 format.

purchaseAmountnumber(double)read-only

Amount by which the purchase is completed. If an adjustment occurs, the purchased amount may differ from the requested amount.

purchaseCurrencystring(CurrencyCode)= 3 charactersread-only

Currency code in ISO 4217 format.

requestAmountnumber(double)read-only

Amount of the payment request. If an adjustment occurs, the purchase amount may differ from the billing amount.

requestCurrencystring(CurrencyCode)= 3 charactersread-only

Currency code in ISO 4217 format.

parentTransactionIdstring(TransactionId)<= 50 characters

ID of the transaction.

Example: "txn_0YVDTQJ8YWDGQACV2N2N5SPWQ0"
childTransactionsArray of strings(ResourceId)read-only

IDs of child transactions.

Example: ["4f6cf35x-2c4y-483z-a0a9-158621f77a21"]
invoiceIdsArray of strings(ResourceId)read-only

Related invoice IDs.

Example: ["4f6cf35x-2c4y-483z-a0a9-158621f77a21"]
subscriptionIdsArray of strings(ResourceId)read-only

Subscription IDs of invoices that are related to the transaction.

Example: ["4f6cf35x-2c4y-483z-a0a9-158621f77a21"]
planIdsArray of strings(ResourceId)read-only

Plan IDs of orders that are related to the transaction.

Example: ["4f6cf35x-2c4y-483z-a0a9-158621f77a21"]
isRebillbooleanread-only

Specifies if the transaction is one of a number of recurring payments in a subscription, excluding trials or setup fees.

rebillNumberintegerread-only

Rebill number of the transaction. A rebill number is the number of recurring payments in a subscription, excluding trials or setup fees.

billingAddressobject(ContactObject)

Billing address.

has3dsbooleanread-only

Specifies if the transaction uses 3D Secure.

3dsobjectread-only