Technical Documentation SNAP - Linking and Payments

SNAP Open API v1.0.7

Overview of OpenAPI for Linking and Payments

Host :

• Staging : https://app.byte-stack.net
• Production : https://apigw.ovo.id

Method	Endpoint	Usage
POST	/OVOSNAP/v2.0/oauth/account/registration-account-binding	Account Binding
POST	/OVOSNAP/v2.0/access-token/b2b2c	Access Token Request
POST	/OVOSNAP/v2.0/access-token/b2b2c	Access Token Refresh
POST	/OVOSNAP/v1.0/access-token/b2b	Generate System Token (B2B)
GET	/user/v2/account/lookup	Lookup Phone No
POST	/OVOSNAP/v2.0/oauth/account/registration-account-unbinding	Account Unbinding
POST	/OVOSNAP/v2.0/balance-inquiry	Balance Inquiry
POST	/OVOSNAP/v2.0/debit/payment-host-to-host	Direct Debit
POST	/OVOSNAP/v2.0/debit/refund	Direct Debit Refund
POST	/OVOSNAP/v2.0/debit/status	Direct Debit Inquiry Status

Signature   API Header

API Headers

All the APIs mentioned are to follow the standard header format mentioned here, unless stated otherwise

Parameter	Description	Attribute	Example
Content-Type	String represents indicating the media type of the resource	Mandatory	application/json, application/pdf
Authorization	Represents access_token of a request; string starts with keyword “Bearer ” followed by accessToken (e.g. Bearer eyJraWQiOi...JzcIiwiY)	No Need For Request B2B Access Token API Refresh B2B2C Access Token API Account Binding API Mandatory For Request New B2B2C Access Token API linkageToken → From Account Binding API Response Account Unbinding API 1st API Call: B2B2C Access Token 2nd API Call: use the token received in the first call Direct Debit API B2B2C Access Token Refund API B2B2C Access Token B2B Access Token Direct Debit Status API B2B2C Access Token	Bearer gp9HjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a
X-CLIENT-KEY	Client's client_id. Use this for B2B2C Access Token B2B Access Token	Conditional	oamerchantg
X-PARTNER-ID	Client's client_id. Use this for Account Binding Account Unbinding Direct Debit Refund Direct Debit Status	Conditional	oamerchantg
X-TIMESTAMP	Client's current local time in yyyyMMddTHH:mm:ss.SSSTZD format	Mandatory
X-SIGNATURE	Use Asymmetric for Token request & Account Binding Use Symmetric for Payment, Balance Inquiry, Check Status, Account Unbinding Use Specific Signature for Generate SingleUseToken and Lookup API	Mandatory	Please check Signature Section
X-DEVICE-ID	Device identification on which the API services are currently being accessed by the end-user (customer) - String (400)	Mandatory
X-EXTERNAL-ID	Unique ID to avoid duplication. ID reset for every 24 hours. String (36)	Mandatory

Signature Asymetric

Signature asymmetric is used by OVO to verify that your access token request is not altered by attackers. Generate Signature Asymmetric for Header of Access Token B2B / B2B2C SHA256withRSA is used to generate the signature with your Private Key as the key.

Signature Symmetric

Signature is used to verify that your open API service request is not altered by attackers.

Generate Signature Symmetric

SHA-512 HMAC is used to generate the signature with your Client Secret as the key.

Specific Signature

Signature is used to verify that your open API service request is not altered by attackers.

JAVA
Signature Calculation Util

Usage

Notes:

1. Endpoint URL complete including all parameters on URL related
2. For parameters minify(Request Body), in case there is no Request Body then use the empty string

Error Code

Here is the list of error codes that can be returned.

HTTP Code	Error Code	Error Message (Indonesian)
401	4017300	Unauthorized. [HMAC mismatch]
400	4007301	Invalid timestamp format [X-TIMESTAMP]
504	5047300	Timeout
400	4007300	Invalid field format [clientId/clientSecret/grant_type]

How to Generate PKCS1 Private Key and Public Key

SNAP Auth Validator Utility

This snippet code is an example on how to check SNAP Auth validity

Account Section

Binding Process

This is the process of linking a 3rd party service to use OVO as a service. The process involves necessary user authorizations to authorize client actions on behalf of the user.

Lookup Phone No

This is to check the status of a user by sending their phone number to the below mentioned endpoint. OVO requires an Indonesian phone number to activate the account.

User status definition :

Status	Definition
ACTIVE	User is an active OVO user ( Linkage Allowed)
ACTIVE_NO_PIN	User is an active OVO user with NO PIN ( Linkage Allowed)
CAN_REGISTER	User does not have OVO account ( Linkage Not Allowed)
BLOCKED_MSISDN	User is blocked by OVO ( Linkage not allowed)
LINKED	User is already linked with the partner.

Key Header

signature

Query Param

Key	Value
phone	<phone>

Response

ResponseCode	Response	Remarks
200	{     "account": {          "account_status": "ACTIVE"     } }	ACTIVE ACTIVE_NO_PIN CAN_REGISTER BLOCKED_MSISDN LINKED
400/500	{     "error": {          "code": "OV00003",          "message": "User exceeds OTP attempt limit"     } }

The following is the specific error code for this API

HTTP Status	Error Code	Error Description
5xx	OV00001	Internal Server Error
4xx	OV00002	Bad/Incomplete Request
4xx	OV00013	Client ID not valid/enabled
5xx	OV00061	Something unexpected happen in server
4xx	OV00001	HMAC signature does not match

Account Binding

This API will be used by Merchants to bind OVO Merchant ID and OVO User Phone No

Body Request

Parameter		Data Type	Mandatory	Description
phoneNo		String	M	Phone Number of the user Format: 08xxxxxx
additionalInfo		Object
e-mail		Object	O	User email registered on merchant’s platform. For example [email protected]
merchantId		String	M	Unique merchant identifier
device		Object	O	Device related info
	ID	String	O
	Manufacturer	String	O
	Model	String	O
	OS	String	O
	OsVersion	String	O
position		Object	O	Position related info
	Lat	String	O
	Lon	String	O

Body Response

Parameter			Data Type	Description
responseCode			String	Internal OVO error/success codes
responseMessage			String	Response Description
referenceNo			String	Reference number to refer to the webview session, sending upon succesful binding. (refid)
linkageToken			String	Token to access webview
redirectUrl			String	URL to redirect user to OVO webview
additionalInfo			Object
	account		Object
		accountStatus	String	Current account status for the user’s OVO account
	qparams		Object
		action	String	Action type
		authType	String	Type of authentication
		client-id	String	Registered client-id of the client
		refid	String	Reference id to refer the webview session
		phoneNumber	String	Phone number of the user

Sample Request

Sample Response

Special Case

In case the user is blocked at our end (due to multiple wrong OTP/Pin attempts or other reasons) the error like below would be returned with HTTP code 403

Partners can also add additional state parameter in the query parameters while opening the webview.

Opening Webview

Sample Webview URL

The query param value must follow Account Binding API Response

Set/Verify PIN Response

After successful PIN verification, following query parameter will be received after redirection to partner domain

Body Response

Parameter	Data Type	Description
authCode	String	AuthCode sent to partner after successful user verification
state	String	State parameter(optional) as received from partner in query parameters while opening the OVO webview
displayMessage	String	Message presenting the final status of verification process
displayHeader	String	Can Ignore this
retryAttemptsLeft	String	Number of remaining PIN challenge maximum attemp
errorCode	String	Error Code
enable_redirection	Boolean	Redirection toggle to do redirection to callback URL

Sample Response

After successful PIN verification, the following query parameter will be received post redirection. The parameters relevant to the partner are mentioned in the table above.

In case error redirection is enabled for a partner, the following query parameter will be received after redirection to partner domain.

errorResponse={"code":"OV00006","state":"1234"}

Notes : This required a special config from OVO and not all merchants used this, meaning this only returned for clients who expect a redirection in case of certain failures in webview

Error Code	Error Description
OV00521	Too many wrong OTP
OV00003	Exceeds attempt limit, Not allowed request otp for 30min
OV00529	Your account is fully blocked
OV00527	Your account is blocked. Please try after 60min

Error redirection is the capability to redirect user back to client domain from OVO webview for terminating error use cases; by default error redirection is disabled meaning user will be redirected to client domain only after success user verification in OVO webview

Account Binding Error Code

HTTP status	Error Code	Status	Message
500	5000701	FAILED	Unknown Error
400	4000700	FAILED	Bad Request
400	4000700	FAILED	Invalid Merchant
404	4040716	FAILED	Partner not found
404	4040701	FAILED	Transaction Not found
429	4290700	FAILED	Too Many Requests
403	4030705	FAILED	Do Not Honor
500	5000702	FAILED	Unknown Error
500	5000700	FAILED	General Error
401	4010700	FAILED	Unauthorized
401	4010701	FAILED	Invalid Token
404	4040712	FAILED	Invalid Bill/Virtual Account
400	4000701	FAILED	Invalid Field Format
403	4030715	FAILED	Transaction Not Permitted
404	4040715	FAILED	Invalid OTP
403	4030718	FAILED	Inactive Card/Account/Customer
405	4050700	FAILED	Requested Function Is Not Supported
405	4050701	FAILED	Requested Operation Is Not Allowed
403	4030707	FAILED	Card/User Blocked

Access Token Request (B2B2C)

This API call is required to be made using the linkageToken received from Account Creation/Binding Response. Use the token in Authorisation header

Body Request

Parameter	Data Type	Mandatory	Description
authCode	String(256)	C	AuthCode received after PIN challenge(Conditional)
refreshToken	String(512)	C	Refresh token to get a new accessToken where the User doesn't need to provide the consent again. mandatory if grantType = refresh_token. Refresh Token should be less than access token validity and will be managed by the PJP's application to generate a new access_token(Conditional)
grantType	String	M	Apply token request key type, can be authorization_code or refresh_token

Body Response

Parameter		Data Type	Description
responseCode		String	Internal OVO error/success codes
responseMessage		String	Response Description
accessToken		String(2048)	A string representing an authorization issued to the client that used to access protected resources
accessTokenExpiryTime		String	Datetime of token expiration. Format: ISO8601
tokenType		String	The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes) Token Type Value: "Bearers”: includes the access token string in the request "Mac": issuing a Message Authentication Code (MAC) key together with the access token that is used to sign certain components of the HTTP requests
	refreshToken	String	A random string that can be used by specific client to get a refreshed accessToken to prolong the access to the User's resources.
	refreshTokenExpiryTime	String	Time when the refreshToken will be expired. Refresh Token should be less than access token validity and will be managed by the PJP's application to generate a new access_token
additionalInfo		Object
	ilp	String	Ovo identifier for a particular linkage. Can be later used for unlink, troubleshooting/debugging issues, sharing information, translating to OVO channel user ID etc with ovo.

Sample Request

• This API will serve the functionality of both refreshing the old tokens and generating new tokens using authCode
• If grantType is authorization_code API generates new access token and Refresh Token
• If grantType is refresh_token API refreshes the old tokens without any need for user authorisation

Sample Response

ILP id is a unique identifier for OVO to identify the user for a particular partner linkage. Partners need to store the ILP id at their end which could be later used to share information relating to a user

As per BI requirements, the token expiry for the access token received in this API should be 15 days

Refresh Access Token Logic

Partner can refresh the expired tokens, call the API B2B2C Access Token with grantType = refresh_token

For responseCode: OV00502 or 401XX00, partner are required to regenerate access tokens

If data.error.code == OV00502 or 401XX01, we expect clients to refresh the old tokens.
This reactive approach is to be applied for refreshing all types of tokens

How to Handle Token Expired

For expired token condition, please use below flow

• if access token invalid/expired then call refresh token API
• if refresh token API get success => use new access token to continue the process/transaction
• if refresh token API get error (401) unathorized => revoke all token for this customer( mark customer as unlinked)

B2B2C Error Code

HTTP status	Error Code	Status	Message
500	5007401	FAILED	Unknown Error
400	4007400	FAILED	Bad Request
404	4047416	FAILED	Partner not found
404	4047401	FAILED	Transaction Not found
429	4297400	FAILED	Too Many Requests
403	4037405	FAILED	Do Not Honor
500	5007402	FAILED	Unknown Error
500	5007400	FAILED	General Error
401	4017400	FAILED	Unauthorized
401	4017401	FAILED	Invalid Token
404	4047412	FAILED	Invalid Bill/Virtual Account
400	4007401	FAILED	Invalid Field Format
403	4037415	FAILED	Transaction Not Permitted
404	4047415	FAILED	Invalid OTP
403	4037418	FAILED	Inactive Card/Account/Customer
405	4057400	FAILED	Requested Function Is Not Supported
405	4057401	FAILED	Requested Operation Is Not Allowed
403	4037407	FAILED	Card/User Blocked

Generate System Token (B2B)

This API will be used by Merchants to trigger Refund API

Partner with client-specific use cases (non-user-related use-case) can use the below API to generate system tokens.

Before generating the token, partners are requested to address this as a requirement, so OVO can configure the necessary.

As per BI requirements, the token expiry for B2B token should be 15 minutes

Body Request

Parameter	Data Type	Mandatory	Description
grant_type	String	M	"client_credentials”: The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control

Body Response

Parameter	Data Type	Description
responseCode	string	Response Code
responseMessage	string	Response Message
accessToken	string	A string representing an authorization issued to the client that used to access protected resources
tokenType	string	The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes) Token Type Value: "Bearers”: includes the access token string in the request "Mac": issuing a Message Authentication Code (MAC) key together with the access token that is used to sign certain components of the HTTP requests
expiresIn	string	Time in seconds

Sample Request

Sample Response

Refresh System token Logic

There are two ways in which a partner can refresh the expired tokens

1. Proactive approach: Partner proactively generates a new B2B token every 15 min, just when the old token is about to expire. This requires partner to be aware of the expiry beforehand
2. Reactive approach: Partner reacts to the responseCode returned by OVO. If responseCode corresponding to expiredToken is received while using the B2B token, partner regenerates the tokens using the above API.
3. Refer to Refresh Access Token Logic for more information on how to regenerate token using reactive approach
4. Merchant should refrain from generating multiple B2B tokens before the expiry. A single token should be created and reused throughout the expiry

B2B Error Code

HTTP status	Error Code	Status	Message
500	5007301	FAILED	Unknown Error
400	4007300	FAILED	Bad Request
404	4047316	FAILED	Partner not found
404	4047301	FAILED	Transaction Not found
429	4297300	FAILED	Too Many Requests
403	4037305	FAILED	Do Not Honor
500	5007302	FAILED	Unknown Error
500	5007300	FAILED	General Error
401	4017300	FAILED	Unauthorized
401	4017301	FAILED	Invalid Token
404	4047312	FAILED	Invalid Bill/Virtual Account
400	4007301	FAILED	Invalid Field Format
403	4037315	FAILED	Transaction Not Permitted
404	4047315	FAILED	Invalid OTP
403	4037318	FAILED	Inactive Card/Account/Customer
405	4057300	FAILED	Requested Function Is Not Supported
405	4057301	FAILED	Requested Operation Is Not Allowed
403	4037307	FAILED	Card/User Blocked

Unbinding

To allow a user to unlink/unbind an existing binding with OVO, client needs to engage user with necessary authorisations before asking OVO to unlink the account.

To allow a user to unlink/unbind an existing binding with OVO, the client needs to engage the user with necessary authorizations before asking OVO to unlink the account.

If multiple bindings are allowed for a client, all the bindings for a user through such a client (for instance GooglePlay) will be unbinded.

Body Request

Parameter	Data Type	Mandatory	Description
partnerReferenceNo	String	M	phone Number
merchantId	String	M	Unique merchant identifier

Body Response

Parameter	Data Type	Description
responseCode	String	Internal OVO error/success codes
responseMessage	String	Response Description
referenceNo	String	Reference number to refere to the webview session, sending upon successful binding. (refid)
unlinkResult	String	The status of the unbinding request

Sample Request

Sample Response

Account Unlink Error Code

HTTP status	Error Code	Status	Message
500	5000901	FAILED	Unknown Error
400	4000900	FAILED	Bad Request
404	4040916	FAILED	Partner not found
404	4040901	FAILED	Transaction Not found
429	4290900	FAILED	Too Many Requests
403	4030905	FAILED	Do Not Honor
500	5000902	FAILED	Unknown Error
500	5000900	FAILED	General Error
401	4010900	FAILED	Unauthorized
401	4010901	FAILED	Invalid Token
404	4040912	FAILED	Invalid Bill/Virtual Account
400	4000901	FAILED	Invalid Field Format
403	4030915	FAILED	Transaction Not Permitted
404	4040915	FAILED	Invalid OTP
403	4030918	FAILED	Inactive Card/Account/Customer
405	4050900	FAILED	Requested Function Is Not Supported
405	4050901	FAILED	Requested Operation Is Not Allowed
403	4030907	FAILED	Card/User Blocked

Payment Section

Balance Inquiry

This API will be used by Merchants to get OVO Balance for a specific user

Body Request

Parameter		Data Type	Mandatory	Description
partnerReferenceNo		String	O	Transaction identifier on service consumer system
bankCardToken		String	O	Card token for payment
accountNo		String	M	OVO Phone No
[balanceType]		Array of Object	O	["CASH","POINTS"] Please use capital letter
additionalInfo		Object	O
	deviceId	String	O
	channel	String	O

Body Response

Parameter			Data Type	Mandatory	Description
responseCode			String	M	Response code
responseMessage			String	M	Response description
referenceNo			String	O	Transaction identifier on service provider system. Must be filled upon successful transaction
partnerReferenceNo			String	O	Transaction identifier on service consumer system
accountNo			String	O	Registered account number
name			String	O	Customer account name
[accountInfos]			Array of Object
	balanceType		String	O	Account type name
	amount		Object	O
		value	String (ISO4217)	M	Net amount of the transaction. If it’s IDR then the value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00
		currency	String	M	Currency
	floatAmount		Object	O
		value	String (ISO4217)	C	Amount of deposit that is not effective yet (due to holiday, etc.). If it’s IDR then the value includes 2 decimal digits. e.g. IDR 50.000,- will be placed with 50000.00 Must be filled if the floatAmout data exist
		currency	String	C	Currency Must be filled if the flagAmout data exist
	holdAmount		Object	O
		value	String (ISO4217)	C	Hold amount that cannot be used. If it’s IDR then the value includes 2 decimal digits. e.g. IDR 20.000,- will be placed with 20000.00 Must be filled if the floatAmout data exist
		currency	String	C	Currency Must be filled if the floatAmout data exist
	availableBalance		Object	O
		value	String (ISO4217)	C	Account balance that can be used for financial transaction Must be filled if the availableBalance data exist
		currency	String	C	Currency Must be filled if the availableBalance data exist
	ledgerBalance		Object	O
		value	String (ISO4217)	C	Account balance at the beginning of each day Must be filled if the ledgerBalance data exist
		currency	String	C	Currency
	currentMultilateralLimit		Object	O
		value	String (ISO4217)	C	Credit limit of the account / plafon Must be filled if the currentMultilateralLimit data exist
		currency	String	C	Currency Must be filled if the currentMultilateralLimit data exist
	registrationStatusCode		String	O	Customer registration status
	status		String	O	Account Status 1 = Active Account 2 = Closed Account 4 = New Account 6 = Restricted Account 7 = Frozen Account 9 = Dormant Account
	additionalInfo		Object	O
		deviceId	String	O
		channel	String	O

Sample Request

Sample Response

Response Code

HTTP status	Error code	Status	Message
200	2001100	SUCCESS	Request has been processed successfully
400	4001100	FAILED	Bad Request. the accountNo allowed max length is 16
400	4001100	FAILED	Bad Request. the accountNo field is required
400	4001100	FAILED	Bad Request. invalid format accountNo field
409	4091100	FAILED	Conflict

Generate SingleUseToken

This endpoint is able to give you SingleUseToken .The token returned will depend on the <auth_code> given from the PIN WebView after successful PIN verification.

This will be used only for Direct Debit API

Request

Method	URL
POST	/user/v1/oauth/token

Header

Key
Authorization: Bearer <access_token> signature

Query Param

Key	Value
grantType	authorization_code
code	<auth_code>

Response

Status	Response
grantType	{    "tokens" : [       {         "name" : "SingleUseToken",         "accessToken" : "f4ed830026bb11ae91cc4ba8f2e1ea84502073a59ee1e"       }    ] }
code	{    "error": {       "code": "OV00002",       "message": "Bad Request"    } }

Direct Debit

This API will be used by Merchants to initiate Payment to OVO with Cash and Points

Body Request

Parameter			Data Type	Mandatory	Description
partnerReferenceNo			String	M	Transaction identifier on service consumer system
bankCardToken			String	O
merchantId			String	M	Merchant identifier that is unique per each merchant
terminalId			String	O	Terminal ID
journeyId			String	O	Merchant ID
subMerchantId			String	O	Sub-merchant ID
amount			Object	O
	value		String	M	Net amount of the transaction. If it’s IDR then the value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00
	currency		String	M	Currency
urlParam			Object	O
	url		String	M	The URL
	type		String	M	URL Type PAY_RETURN/PAY_NOTIFY
	isDeeplink		String	M	Whether the URL is a deep link URL or not Y/N
externalStoreId			String	O	Store ID to indicate to which store this payment belongs to.
validUpTo			String	O	The time when the payment will be automatically expired. ISO 8601
pointOfInitiation			String	O	used for getting more info regarding source of request of the user
feeType			String	O	to whom the fee will be charged 1. OUR Fee is charged to the sender (default) 2. BEN Fee is charged to the recipient 3. SHA|1000 Fee is shared between sender and recipient, with sender is charged Rp 1.000,00 and the recipient will be charged the rest
disabledPayMethods			String	O	Payment method(s) that cannot be used for this payment
payOptionDetails			Object	M
	payMethod		String	M	[“CASH”,”POINTS”] Please use capital letter
	payOption		String	M	Payment option which shows the provider of this payment e.g. CREDIT_CARD_VISA
	transAmount		Object	M
		value	String	M	Transaction amount that will be paid using this paymentmethod If it’s IDR then value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00
		currency	String	M	Currency
	feeAmount		Object	O
		value	String (ISO 4217 )	C	Fee amount that will be paid using this payment method If it’s IDR then value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00Must be filled if the feeAmount data exist
		currency	String	C	CurrencyMust be filled if the feeAmount data exist
	cardToken		String	O	Card token used for this payment
	chargeToken		String	M	Use default value “OVO”
	merchantToken		String	O	Merchant token used for this payment
	additionalInfo		Object	O	Additional information
		deviceId	String	O
		channel	String	O
additionalInfo			Object	O	Additional information
	deviceId		String	O
	channel		String	O
	subTransactionType		String	C	Conditional for Auto Debit Feature. Please refer to below section for Auto Debit
	issuingMerchantName		String	O
	notes		String	O

Auto Debit

The feature is used to allow Direct Debit API to be used without PIN process, e.g. in the recurring payment process. In the request payload, to allow this process, the field “subTransactionType” must be present. Currently supported field value:

1. “MANUAL” : this is the default value for Direct Debit API, which means the PIN process will be executed for every transaction (i.e. API Call). If the “subTransactionType” is not present in the request payload, this default value will be used
2. “AUTO” : this is the value, to be set, for Direct Debit API that will not check for PIN process, which means the transaction will be executed accordingly
3. This capability needs OVO special approval (OVO Security Team) and needs to be configured first by OVO to whitelist the merchant ID

Body Response

Parameter		Data Type	Mandatory	Description
responseCode		String	M	Response Code
responseMessage		String	M	Response Description
referenceNo		String	C	Transaction identifier on service provider system. Must be filled upon successful transaction
partnerReferenceNo		String	O	Transaction identifier on service consumer system
appRedirectUrl		String	O	Returns an URL scheme to the PJP AIS payment page in native app.
webRedirectUrl		String	O	Returns a universal link to PJP AIS payment page. This link is recommended when the Client is unable to implement a check for whether PJP AIS app is installed on the user’s device before redirect.
additionalInfo		Object	O	Additional information
	deviceId	String	O
	channel	String	O

Sample Request

Sample Response 1st call using Access Token

Opening Webview for Direct Debit 1st API Call

Sample Webview URL

Sample Response 2nd call using single use token

Response Code

HTTP status	Error code	Status	Message
200	2005400	SUCCESS	Request has been processed successfully
400	4005400	FAILED	Bad Request. the partnerReferenceNo field is required
500	5005400	FAILED	General Error. request not valid
400	4005400	FAILED	Bad Request. the merchantId field is required
400	4005400	FAILED	Bad Request. the amount field is required
400	4005400	FAILED	Bad Request. can't convert {amount} to decimal: too many .s
400	4005400	FAILED	Bad Request. request not valid
500	5005400	PENDING	General Error. Transaction pending
403	4035414	FAILED	Insufficient Funds
403	4035401	FAILED	Feature Not Allowed
400	4005400	FAILED	Bad Request. the payOption is not valid
409	4095400	FAILED	Conflict

Direct Debit Refund

This API will be used by Merchants to initiate Payment Refund to OVO

Body Request

Parameter			Data Type	Mandatory	Description
merchantId			String	O	Merchant identifier that is unique per each merchant
subMerchantId			String	O	Sub-merchant ID
originalPartnerReferenceNo			String	M	Original transaction identifier on service consumer system
originalReferenceNo			String	O	Original transaction identifier on service provider system
originalExternalId			String	O	Original Customer Reference Number
partnerRefundNo			String	M	Reference Number from PJP AIS for the refund
refundAmount			Object	M
	value		String (ISO 4217)	M	Fee amount that will be paid using this payment method If it’s IDR then value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00
	currency		String	M	Currency
externalStoreId			String	O	External Store ID
reason			String	O	Refund reason.
additionalInfo			Object	M	JSON object which contains array of the detail refund amount (per Source of Fund) Example: {   "sof": [     {     "accType": "CASH",     "amt": {       "value": "1000.00",       "currency": "IDR"      }     },     {     "accType": "POINTS",     "amt": {       "value": "1000.00",       "currency": "IDR"      }     }   ] }
	accType		String	M	Current supported values: "CASH" for cash refund, "POINTS" for point refund
	amt		String	M	Detail amount
		value	Numeric	M	Refund amount
		currency	String	M	Currently supported value: "IDR"

Body Response

Parameter				Data Type	Mandatory	Description
responseCode				String	M	Response Code
responseMessage				String	M	Response Description
originalPartnerReferenceNo				String	O	Transaction identifier on service provider system. Must be filled upon successful transaction
originalReferenceNo				String	C	Transaction identifier on service consumer system
originalExternalId				String	O	Original Customer Reference Number
partnerTrxId				String	O	Partner Transaction ID
refundNo				String	M	Reference Number
partnerRefundNo				String	M	Reference Number from PJP AIS for the refund.
refundAmount				Object	M
	value			String (ISO 4217)	M	Fee amount that will be paid using this payment method. If it’s IDR then value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00 Must be filled if the refundAmount data exist
	currency			String	M	Currency Must be filled if the refundAmount data exist
refundTime				String	M	Refund time. ISO 8601
additionalInfo				Object	M	JSON object which contains array of the detail refund amount (per Source of Fund) Example: {   "sof": [     {     "accType": "CASH",     "amt": {       "value": "1000.00",       "currency": "IDR"      }     },     {     "accType": "POINTS",     "amt": {       "value": "1000.00",       "currency": "IDR"      }     }   ] }
	sof			Array	M	Array which contains accType and amt
		accType		String	M	Current supported values: "CASH" for cash refund "POINTS" for point refund
		amt		Object	M	Detail amount
			value	Numeric	M	Refund amount
			currency	String	M	Currently supported value: "IDR"

Sample Request

Sample Response

Response Code

HTTP status	Error code	Status	Message
200	2005800	SUCCESS	Request has been processed successfully
400	4005800	FAILED	Bad Request. the originalPartnerReferenceNo field is required
404	4045801	FAILED	Transaction Not Found. ledger system resource not found
400	4005800	FAILED	Bad Request. the partnerRefundNo field is required
400	4005800	FAILED	Bad Request. the refundAmount.amount field is required
400	4005800	FAILED	Bad Request. can't convert {amount} to decimal: too many .s
400	4005800	FAILED	Bad Request. request not valid
404	4045811	FAILED	Customer Not Match
400	4005802	FAILED	Exceeds Transaction Amount Limit
400	4005815	FAILED	Transaction Not Permitted
403	4035802	FAILED	Exceeds Transaction Amount Limit. the amount requested exceeds refundable amount
409	4095800	FAILED	Conflict

Direct Debit Inquiry Status

This API will be used by Merchants to get the specific transaction Status

Body Request

Parameter		Data Type	Mandatory	Description
originalPartnerReferenceNo		String	M	Original transaction identifier on service consumer system
originalReferenceNo		String	O	Original transaction identifier on service provider system
originalExternalId		String	O	Original ExternalID on header message
serviceCode		String	M	Transaction type indicator (service code of the original transaction request) Code 54 (Direct Debit Service Code) If it is not 54, return 400
transactionDate		String	O	transaction date : ISO 8601
amount		Object	O
	value	String (ISO 4217)	M	Net amount of the transaction. If it’s IDR then the value includes 2 decimal digits. e.g. IDR 10.000,- will be placed with 10000.00
	currency	String	M	Currency
merchantId		String	O	Merchant identifier that is unique per each merchant
subMerchantId		String	O	Sub-merchant ID
externalStoreId		String	O	External Store ID for merchant
additionalInfo		Object	O
	deviceId	String	O
	channel	String	O

Body Response

Parameter			Data Type	Mandatory	Description
responseCode			String	M	Response Code
responseMessage			String	M	Response Description
originalPartnerReferenceNo			String	O	Transaction identifier on service provider system. Must be filled upon successful transaction
originalReferenceNo			String	C	Transaction identifier on service consumer system
originalExternalId			String	O	Original ExternalID on header message
serviceCode			String	M	Transaction type indicator (service code of the original transaction request)
latestTransactionStatus			String	M	00 - Success 01 - Initiated 02 - Paying 03 - Pending 04 - Refunded 05 - Canceled 06 - Failed 07 - Not found
transactionStatusDesc			String	O	Description status transaction
originalResponseCode			String	M	Response code
originalResponseMessage			String	O	Response description
sessionId			String	O	Transaction invoice ID
requestID			String	O	Transaction invoice ID
refundHistory			Array of Object	C	If refund data exist, then the field must be filled
	refundNo		String	C	Transaction Identifier on Service Provider System
	partnerReferenceNo		String	C	Reference Number from PJP AIS for the refund
	refundAmount		Object
		value	String (ISO 4217)	C	Net amount of the refund
		currency	String	C	Currency
	refundStatus		String	C	00 - Success 03 - Pending 06 - Failed
	refundDate		String	C	(ISO 8601) transaction date : dd-MMyyyy (Mandatory ) HH:mm:ss (Optional)
	reason		String	C	Refund reason
paidTime			String	C	transaction date : ISO 8601
additionalInfo			Object	O
	deviceId		String	O
	channel		String	O

Sample Request

Sample Response

Response Code

HTTP status	Error code	Status	Message
200	2005500	SUCCESS	Request has been processed successfully
400	4005500	FAILED	Bad Request. the originalPartnerReferenceNo field is required
400	4005500	FAILED	Bad Request. the serviceCode field is required
400	4005500	FAILED	Bad Request. the given serviceCode was invalid
404	4045501	FAILED	Transaction Not Found
409	4095500	FAILED	Conflict

Token Conversion to SNAP Token (Optional)

This API will be used to convert Payment Token generated from API Linkage V1 to V2/SNAP Access Token and Refresh Token without any relinking activity needed from the users

Request

Method	URL
POST	/v1/oauth/token/linkageMigrate?grantType=authorization_code

Header

Key
Authorization: Bearer <Linkage V1 Payment Token> signature

Sample Request

Sample Response

ILP id is a unique identifier for OVO to identify the user for a particular partner linkage. Partners need to store the ILP id at their end which could be later used to share information relating to a user

1. It is to be noted that the old v1 tokens (payment and identity tokens) expire 5 minutes after newer tokens are issued.
2. For signature use specific Hmac
3. The API is supposed to be used in an incremental way, 1% rollout of existing users followed by a validation, then 5% rollout, 10% and 25%. If sanity yields no negative results, can roll it to 50% and finally 100%
4. The expected RPS is 20
5. The token to be used in the authorisation header is supposed to be the old(v1) payment token.