API Integration Guidelines

Follow these guidelines when integrating with the Payment Gateway API. They reflect common HTTP and security best practices and help your requests pass through our edge protections without being rejected.

  • Always send a User-Agent header identifying your client (for example, MyShop/1.4 (+https://myshop.example)). Requests without a User-Agent, or with an empty one, may be rejected at the edge before reaching the API. Most HTTP clients send a default User-Agent automatically — make sure it is not stripped or overridden with an empty value.
  • Use HTTPS only. Plain HTTP requests are not accepted.
  • Send a correct Content-Type. For JSON payloads use application/json; charset=utf-8.
  • Send a sensible Accept header, typically application/json.
  • Use a standard, up-to-date HTTP client. Avoid hand-crafted raw sockets and keep TLS settings current. Do not disable default request headers your client sets for you.
  • Keep request bodies and query strings clean. Send only the fields documented for each endpoint. Avoid embedding HTML, scripts, SQL fragments, or path traversal sequences (../) inside field values — even when they appear in free-text fields such as descriptions or names. URL-encode values placed in the query string.
  • Do not send unusually large payloads. Stick to the documented request schema; do not attach unrelated binary data.
  • Authenticate every request. See Authentication for how to obtain and use access tokens.

Troubleshooting blocked requests

If a request is rejected with HTTP 403 and an empty response body, it was blocked by our edge firewall before reaching the API (a normal API authorization failure returns a JSON error body instead).

The most common cause is a missing User-Agent header. Review the guidelines above first.

If your request already follows all of the recommendations and you still receive a 403 with an empty body, contact support with:

  • The HTTP method and full request path
  • The approximate timestamp (with timezone) of the request
  • The User-Agent your client sent
  • The source IP address you were calling from

This information lets us correlate the request on our side and help unblock you quickly.
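
The following is an added example, not code from the gateway's own documentation. It builds a request that follows the header and encoding guidelines above, separates an edge-firewall 403 from an API authorization 403, and gathers the details support asks for. The host, path, payload field and IP address are constructed placeholders, and authentication is left out because the token scheme is described on the Authentication page.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit

USER_AGENT = "MyShop/1.4 (+https://myshop.example)"  # example value from the guidelines

def build_request(base_url, path, query=None, payload=None, user_agent=USER_AGENT):
    """Return (url, headers, body) that follow the guidelines, or raise ValueError."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("HTTPS only: plain HTTP requests are not accepted")
    if not (user_agent or "").strip():
        raise ValueError("User-Agent is missing or empty")
    url = base_url.rstrip("/") + path
    if query:
        url += "?" + urlencode(query)  # URL-encodes every query value
    headers = {"User-Agent": user_agent, "Accept": "application/json"}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json; charset=utf-8"
        body = json.dumps(payload).encode("utf-8")
    return url, headers, body

def classify_403(status, body):
    """Tell an edge-firewall block from an API authorization failure."""
    if status != 403:
        return "not_403"
    if not body or not body.strip():
        return "edge_block"          # empty body: rejected before reaching the API
    try:
        json.loads(body)
        return "api_authorization"   # JSON error body: the API itself answered
    except ValueError:
        return "unknown_403"         # neither empty nor JSON

def support_report(method, url, headers, source_ip, when=None):
    """Collect the items support asks for; source_ip is supplied by the caller."""
    parts = urlsplit(url)
    return {
        "method": method,
        "path": parts.path + ("?" + parts.query if parts.query else ""),
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),  # carries the UTC offset
        "user_agent": headers.get("User-Agent", ""),
        "source_ip": source_ip,
    }

if __name__ == "__main__":  # constructed sample: hypothetical host, path, field and IP
    url, headers, _ = build_request("https://api.gateway.example", "/v1/payments", payload={"amount": 100})
    if classify_403(403, b"") == "edge_block":
        print(support_report("POST", url, headers, "203.0.113.7"))
```
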