Documentation for API STANDARD clients

Integrate RiskPayGo into your website and start creating secure payments.

This guide explains the standard integration: how to use your credentials, create a transaction, redirect the buyer to checkout and validate the payment notification in your own system.

10 USD: minimum amount per standard transaction
No limit: no internal maximum for standard clients
API + Webhook: create payments and confirm status automatically

Direct integration

Use the API from WooCommerce, Laravel, PHP, Node.js or any custom system that can send HTTPS requests.

Hosted checkout

Your website creates the payment and RiskPayGo returns a checkout_url. The buyer is redirected to that URL to pay.

Webhook signature

RiskPayGo signs notifications with HMAC SHA-256 so you can verify that the event is legitimate.

1. Required credentials

Log in to your RiskPayGo dashboard and open the API tab. You will find the details you need to copy into your integration.

API Base URL: Base URL for API requests. In production it is usually https://riskpaygo.com/portal/api/plugin.
Merchant ID: Your merchant identifier. Send it in the X-RPG-Merchant header.
API Token: Private authorization token. Send it as Authorization: Bearer YOUR_API_TOKEN.
Webhook Secret: Secret used to verify the X-RPG-Signature header on incoming notifications.

Important: never expose the API Token or Webhook Secret in public browser JavaScript. They must remain on your server, plugin or backend.

2. Recommended payment flow

The standard integration avoids building a complete payment screen. Your system creates the operation and redirects the buyer.

Order created: Your website creates the order with amount, currency and buyer details.
RiskPayGo API: You send a request to /payments/create with your credentials.
Checkout URL: RiskPayGo returns a secure payment URL.
Redirect: You redirect the buyer to the received URL.
Webhook: Your website receives confirmation and updates the order.

Approved domain: before selling live, add your website under Projects in the dashboard. RiskPayGo will verify that the domain sent in site.url belongs to an approved project.

3. Check connection with ping

This endpoint checks whether your credentials are correct and whether the account is using the standard profile.

GET https://riskpaygo.com/portal/api/plugin/ping
cURL example
curl -X GET 'https://riskpaygo.com/portal/api/plugin/ping' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'X-RPG-Merchant: YOUR_MERCHANT_ID'
Example response
{
  "success": true,
  "merchant_id": "mer_XXXXXXXX",
  "api_profile": "standard",
  "account_status": "approved",
  "currency": "USD",
  "limits": {
    "min_amount": 10,
    "max_amount": null,
    "max_label": "No limit"
  },
  "required_customer_fields": ["customer_name", "customer_email"]
}

4. Create a payment

Send a POST request with the order details. For API STANDARD, the minimum buyer details are name and email.

POST https://riskpaygo.com/portal/api/plugin/payments/create

Required fields

merchant_order_id: Unique order ID in your system.
amount: Amount in USD. Minimum 10.00.
currency: Use USD.
customer_name: Buyer name.
customer_email: Valid buyer email address.
site.url: Store or website domain approved in RiskPayGo.

Recommended fields

notify_url: URL where you will receive the confirmation webhook.
return_url: URL to return to after a completed payment.
cancel_url: URL to return to if the buyer cancels.
order_id: Numeric or internal order ID.
order_key: Internal order key if your platform uses one.
site.platform: Example: woocommerce, shopify, custom.

Create payment with cURL
curl -X POST 'https://riskpaygo.com/portal/api/plugin/payments/create' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'X-RPG-Merchant: YOUR_MERCHANT_ID' \
  -d '{
    "merchant_order_id": "ORDER-1001",
    "order_id": 1001,
    "order_key": "wc_order_abc123",
    "amount": "149.99",
    "currency": "USD",
    "customer_name": "Customer Name",
    "customer_email": "customer@example.com",
    "site": {"url": "https://your-domain.com/", "name": "My Store", "platform": "custom"},
    "notify_url": "https://your-domain.com/wp-json/riskpaygo/v1/webhook",
    "return_url": "https://your-domain.com/payment/completed",
    "cancel_url": "https://your-domain.com/payment/cancelled"
  }'
Create payment with PHP
<?php
$apiBase = 'https://riskpaygo.com/portal/api/plugin';
$merchantId = 'YOUR_MERCHANT_ID';
$apiToken = 'YOUR_API_TOKEN'; // server-side only

$payload = [
    'merchant_order_id' => 'ORDER-1001',
    'order_id' => 1001,
    'order_key' => 'wc_order_abc123',
    'amount' => '149.99',
    'currency' => 'USD',
    'customer_name' => 'Customer Name',
    'customer_email' => 'customer@example.com',
    'site' => ['url' => 'https://your-domain.com/', 'name' => 'My Store', 'platform' => 'custom'],
    'notify_url' => 'https://your-domain.com/wp-json/riskpaygo/v1/webhook',
    'return_url' => 'https://your-domain.com/payment/completed',
    'cancel_url' => 'https://your-domain.com/payment/cancelled',
];

$ch = curl_init($apiBase . '/payments/create');
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_HTTPHEADER => [
        'Accept: application/json',
        'Content-Type: application/json',
        'Authorization: Bearer ' . $apiToken,
        'X-RPG-Merchant: ' . $merchantId,
    ],
    CURLOPT_POSTFIELDS => json_encode($payload, JSON_UNESCAPED_SLASHES),
    CURLOPT_TIMEOUT => 30,
]);
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

if ($response === false || $error || $status >= 400) {
    throw new RuntimeException('Error creating payment: ' . ($error ?: $response));
}

$data = json_decode($response, true);
// Do not redirect unless the API reported success and returned a checkout URL.
if (!is_array($data) || empty($data['success']) || empty($data['data']['checkout_url'])) {
    throw new RuntimeException('Unexpected response creating payment');
}

// Save $data['data']['payment_ref'] with the order here, before redirecting.
header('Location: ' . $data['data']['checkout_url']);
exit;
Create payment with Node.js
// Run this on the server as an ES module (it uses top-level await).
const apiBase = 'https://riskpaygo.com/portal/api/plugin';
const merchantId = 'YOUR_MERCHANT_ID';
const apiToken = 'YOUR_API_TOKEN';

const payload = {
  merchant_order_id: 'ORDER-1001', order_id: 1001, order_key: 'wc_order_abc123',
  amount: '149.99', currency: 'USD',
  customer_name: 'Customer Name', customer_email: 'customer@example.com',
  site: {url: 'https://your-domain.com/', name: 'My Store', platform: 'custom'},
  notify_url: 'https://your-domain.com/wp-json/riskpaygo/v1/webhook',
  return_url: 'https://your-domain.com/payment/completed',
  cancel_url: 'https://your-domain.com/payment/cancelled'
};
const response = await fetch(`${apiBase}/payments/create`, {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${apiToken}`,
    'X-RPG-Merchant': merchantId
  },
  body: JSON.stringify(payload)
});
const data = await response.json();
if (!response.ok || !data.success) throw new Error(data.message || 'Payment could not be created');
// Redirect the buyer to this URL.
console.log(data.data.checkout_url);

5. Payment creation response

When the payment is created successfully, RiskPayGo returns an internal reference and a checkout URL. Your integration must redirect the buyer to checkout_url.

JSON response
{
  "success": true,
  "data": {
    "payment_ref": "RPG-20260621-ABC12345",
    "checkout_url": "https://riskpaygo.com/portal/checkout.php?ref=RPG-20260621-ABC12345",
    "fee_percent": 20,
    "plan_slug": "free",
    "api_profile": "standard",
    "language": "en"
  }
}
What to store: save payment_ref with your order. You will use it to reconcile the payment when the webhook arrives.

6. Confirmation webhooks

When RiskPayGo confirms a status change, it will send a POST request to your notify_url. Your endpoint should respond with HTTP 200 when the event is processed correctly.

Received headers

| Header | Use |
| --- | --- |
| Content-Type | application/json |
| X-RPG-Signature | Base64 HMAC SHA-256 signature calculated over the unmodified JSON body. |

Common payload

| Field | Description |
| --- | --- |
| merchant_id | RiskPayGo Merchant ID. |
| order_id | Order ID sent by your website. |
| order_key | Order key if you sent one. |
| payment_ref | RiskPayGo reference. |
| transaction_id | Internal transaction reference. |
| status | Final or updated status. Example: paid. |

Webhook example
{
  "merchant_id": "mer_XXXXXXXX",
  "order_id": 1001,
  "order_key": "wc_order_abc123",
  "payment_ref": "RPG-20260621-ABC12345",
  "transaction_id": "TX-789456123",
  "status": "paid",
  "event": "payment_confirmed",
  "source": "riskpaygo_checkout"
}
Validate signature in PHP
<?php
$webhookSecret = 'YOUR_WEBHOOK_SECRET';
// Read the raw body: the signature is calculated over the unmodified JSON.
$rawBody = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_RPG_SIGNATURE'] ?? '';
$expected = base64_encode(hash_hmac('sha256', $rawBody, $webhookSecret, true));
// hash_equals compares the two strings in constant time.
if (!hash_equals($expected, $signature)) {
    http_response_code(401);
    exit('invalid_signature');
}
$event = json_decode($rawBody, true);
if (!is_array($event)) {
    http_response_code(400);
    exit('invalid_json');
}
if (($event['status'] ?? '') === 'paid') {
    // Find your order by order_id, order_key or payment_ref and mark it as paid once.
}
http_response_code(200);
echo 'ok';
Validate signature in Node.js
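import crypto from 'crypto';
const webhookSecret = 'YOUR_WEBHOOK_SECRET';
export async function riskpaygoWebhook(req, res) {
  // req.rawBody must hold the unparsed request bytes (a Buffer); the signature covers the body exactly as received.
  const rawBody = req.rawBody;
  const signature = String(req.headers['x-rpg-signature'] || '');
  const expected = Buffer.from(crypto.createHmac('sha256', webhookSecret).update(rawBody).digest('base64'));
  const received = Buffer.from(signature);
  // timingSafeEqual throws if the lengths differ, so check the length first.
  if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
    return res.status(401).send('invalid_signature');
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8'));
  } catch (err) {
    return res.status(400).send('invalid_json');
  }
  if (event && event.status === 'paid') {
    // Mark your order as paid in an idempotent way.
  }
  return res.status(200).send('ok');
}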
Tip: process webhooks idempotently. If you receive the same payment_ref or transaction_id twice, do not duplicate the order or balance.
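
Added example, not RiskPayGo's code: a framework-independent Node.js handler that combines the signature check over the raw body with the idempotency tip above, and reconciles the event against the payment_ref saved at creation. The secret, the in-memory `orders` map, the result strings and the 404 for an unknown payment are assumptions of this example; the sample event is constructed from the webhook example on this page.

```javascript
const crypto = require('node:crypto');

// Base64 HMAC-SHA-256 over the exact bytes received (the X-RPG-Signature format described above).
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

function signatureIsValid(rawBody, header, secret) {
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(String(header || ''));
  // timingSafeEqual throws when lengths differ, so reject those first.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// orders: hypothetical store keyed by the payment_ref saved when the payment was created.
function createWebhookHandler(secret, orders) {
  return function handle(rawBody, signatureHeader) {
    if (!signatureIsValid(rawBody, signatureHeader, secret)) {
      return { http: 401, result: 'invalid_signature' };
    }
    let event;
    try {
      event = JSON.parse(rawBody.toString('utf8'));
    } catch (err) {
      return { http: 400, result: 'invalid_json' };
    }
    if (event === null || typeof event !== 'object') {
      return { http: 400, result: 'invalid_json' };
    }
    // Reconcile against what was stored at creation time, not only what the event claims.
    const order = orders.get(event.payment_ref);
    if (!order || order.merchantId !== event.merchant_id || order.orderId !== event.order_id) {
      return { http: 404, result: 'unknown_payment' }; // status code is this example's choice
    }
    if (event.status !== 'paid') return { http: 200, result: 'ignored' };
    if (order.status === 'paid') return { http: 200, result: 'duplicate' };
    order.status = 'paid';
    order.transactionId = event.transaction_id;
    order.fulfilments += 1; // stands in for the side effect that must happen only once
    return { http: 200, result: 'processed' };
  };
}

function demo() {
  const secret = 'constructed-secret-for-demo'; // constructed value, not a real secret
  const ref = 'RPG-20260621-ABC12345';
  const orders = new Map([[ref, { orderId: 1001, merchantId: 'mer_XXXXXXXX', status: 'pending', fulfilments: 0 }]]);
  const handle = createWebhookHandler(secret, orders);
  const event = { merchant_id: 'mer_XXXXXXXX', order_id: 1001, payment_ref: ref,
                  transaction_id: 'TX-789456123', status: 'paid' };
  const rawBody = Buffer.from(JSON.stringify(event));
  const signature = sign(rawBody, secret);
  const pretty = Buffer.from(JSON.stringify(event, null, 2)); // same JSON, different bytes
  const altered = Buffer.from(JSON.stringify({ ...event, order_id: 2002 }));
  return {
    first: handle(rawBody, signature).result,
    replay: handle(rawBody, signature).result,
    reserialized: handle(pretty, signature).result,
    altered: handle(altered, signature).result,
    shortSignature: handle(rawBody, 'abc').result,
    fulfilments: orders.get(ref).fulfilments,
  };
}

console.log(demo());
```

The `reserialized` case is why the handler must receive the raw request bytes: a body that was parsed and stringified again no longer matches the signature.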

7. Common errors and how to fix them

| Code | Common message | Solution |
| --- | --- | --- |
| 403 | Unauthorized merchant | Check Merchant ID, API Token and Authorization: Bearer header. |
| 403 | Domain not approved | Add the domain under Projects and wait for approval before selling live. |
| 422 | Amount not allowed | For API STANDARD, the minimum amount is 10 USD. |
| 422 | Email or name required | Send customer_name and customer_email, or their equivalents inside customer. |
| 500 | Internal error creating the transaction | Retry and contact support if it persists, including time, domain and merchant_order_id. |

8. Security best practices

Protect your keys

Store the API Token and Webhook Secret in environment variables, private plugin settings or secure server configuration.

Always validate the webhook

Do not mark orders as paid just because a request reaches your endpoint. Verify X-RPG-Signature.

Use HTTPS

Your notify_url, return_url and cancel_url must use HTTPS in production.

Do not expose internal details

The buyer should only see the RiskPayGo checkout and clear messages. Do not expose tokens or internal routes.

9. Checklist before enabling live payments

Credentials copied: API Base URL, Merchant ID, API Token and Webhook Secret are configured on your server or plugin.
Domain approved: The URL sent in site.url appears as an approved project in RiskPayGo.
Ping successful: The /ping endpoint responds with success: true and shows API STANDARD.
Test payment: The request to /payments/create returns checkout_url and the buyer can open it.
Webhook validated: Your website validates the signature and marks the order as paid only when it receives status: paid.

Ready: if all points are correct, the standard integration is ready to operate with RiskPayGo.