UNSUPPORTED: This backend implementation is at an early stage of development and is not supported as of yet by Swedbank Pay. It is provided as a convenience to speed up your development, so please feel free to play around. However, if you need support, please wait for a future, stable release.
This repository holds information about how to implement a Merchant Backend application to act as an endpoint between a merchant's mobile application and the Swedbank Pay APIs.
It features a rough guide on what the merchant backend MUST do and also offers insights on what the merchant backend SHOULD do to complete its function in an efficient and secure manner.
Implementation examples in some popular programming languages are included.
This document uses the following terminology:
- SDK - refers to the Swedbank Pay mobile SDK
- PSP - refers to Swedbank Pay eCommerce platform
- Merchant - refers to the party using the mobile payments SDK (and implementing the corresponding merchant backend)
This chapter addresses the things to consider when implementing a Merchant Backend. A Merchant Backend is a server-side application that implements the Swedbank Pay Mobile Backend REST API and contains functionality for further invoking the PSP system APIs and any proprietary business logic the Merchant requires.
First of all you MUST implement the Swedbank Pay Mobile Backend REST API. Pick a suitable technology stack for your programming language of choice.
See the Swedbank Pay Mobile Backend API Reference for more info.
Your mobile application and the merchant backend SHOULD implement an authentication / authorization scheme. In the Mobile SDK, this is enabled by allowing you to supply custom HTTP headers into the requests which your backend may then process.
If this authentication fails, the merchant backend MUST reply with 401 Unauthorized and return a Content-Type: application/json response with a body object describing the error. This response body will in turn be delivered to the mobile application by the SDK for handling (e.g. for launching a re-login).
The POST /paymentorders API call takes a parameter called merchantData. This is a free-form JSON object, passed transparently through the API call from the calling mobile SDK to your backend. The contents of this object are arbitrary data used by the Merchant; typically this would include the currency used along with the purchase amounts and VAT amounts (e.g. shopping basket contents).
Your merchant backend will likely want an intermediate data store for recording purchases. Typically you would write the received purchase into the data store and then make a call to the PSP APIs. When the PSP responds, you would update the purchase record with the status (success/fail) of the action and, for a successful purchase, note its ID.
Your merchant backend MUST integrate to the Swedbank Pay eCommerce API. For this purpose you will need a Merchant ID as well as a Merchant Token which you will receive from Swedbank.
These API calls are not instantaneous; take this into account for the performance of your backend. Implement the HTTP requests using the best practices of your programming language / platform.
See the Swedbank Pay Developer Portal for more info.
Your merchant backend MUST store the Merchant ID and Merchant Token somewhere. This MUST be done in a secure manner to avoid them ever leaking to external audiences.
The API MUST be implemented in a secure manner over an encrypted TLS connection. The mobile SDK also supports TLS Certificate Pinning for added security against Man-in-the-Middle attacks.
The essential resources needed for the implementation work are listed here:
See the subdirectory examples/ for implementation examples in some popular programming languages. Currently examples exist for:
- Java
- Node.js