payzum docs
payzum.comAPI referenceSign in

Legacy form adapter

Drop-in form-encoded endpoint for existing shopping-cart plugins.

payzum exposes a form-encoded endpoint at /legacy/api.php for shopping-cart plugins that speak a command-based, HMAC-signed wire format. If your cart plugin already works with a gateway using this protocol, pointing it at your payzum host and entering your payzum public/private key pair is usually all you need to migrate.

New integrations should prefer the REST API at POST /v1/payment. The legacy adapter exists to keep existing shopping-cart plugins working without code changes.

Endpoint

POST /legacy/api.php
Content-Type: application/x-www-form-urlencoded

All parameters are sent as a standard URL-encoded form body. Every request must be signed; the signature goes in the HMAC request header.

Signing requests

Compute the signature over the raw body bytes exactly as you will send them:

HMAC: hex(HMAC-SHA-512(privateKey, rawBody))

Do not re-encode the form between signing and transmitting — the bytes you sign must match the bytes you send.

Example (curl)

BODY="version=1&cmd=create_transaction&key=<PUBLIC_KEY>&nonce=$(date +%s%3N)&amount=25.00&currency1=USD&currency2=USDT.TRC20&invoice=ORDER-5678&ipn_url=https%3A%2F%2Fmerchant.example.com%2Fipn"
HMAC=$(printf '%s' "$BODY" | openssl dgst -sha512 -hmac "<PRIVATE_KEY>" | sed 's/^.*= //')
curl -X POST "$PAYZUM_BASE/legacy/api.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "HMAC: $HMAC" \
  -d "$BODY"

Set $PAYZUM_BASE to your payzum API host: https://merchant.payzum.com (production) or https://staging.payzum.com (staging/sandbox).

Supported commands

Pass the command name as the cmd field. Each command maps to a REST equivalent.

| cmd value | REST equivalent | Description | |---|---|---| | create_transaction | POST /v1/payment | Create a new invoice | | get_tx_info | GET /v1/payment/:id | Read a single invoice by its payzum id | | rates | GET /v1/currencies | Fetch the current rate table |

cmd=create_transaction

Creates an invoice. Returns a payzum payment id (txid) and a checkout URL.

BODY="version=1&cmd=create_transaction&key=<PUBLIC_KEY>&nonce=$(date +%s%3N)&amount=10.00&currency1=USD&currency2=USDT.TRC20&invoice=ORDER-1234&ipn_url=https%3A%2F%2Fmerchant.example.com%2Fipn"
HMAC=$(printf '%s' "$BODY" | openssl dgst -sha512 -hmac "<PRIVATE_KEY>" | sed 's/^.*= //')
curl -X POST "$PAYZUM_BASE/legacy/api.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "HMAC: $HMAC" \
  -d "$BODY"

cmd=get_tx_info

Reads a single invoice by its payzum id (txid).

BODY="version=1&cmd=get_tx_info&key=<PUBLIC_KEY>&nonce=$(date +%s%3N)&txid=pzi_..."
HMAC=$(printf '%s' "$BODY" | openssl dgst -sha512 -hmac "<PRIVATE_KEY>" | sed 's/^.*= //')
curl -X POST "$PAYZUM_BASE/legacy/api.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "HMAC: $HMAC" \
  -d "$BODY"

cmd=rates

Returns the current rate table for supported currencies. No per-transaction parameters required beyond version, cmd, and key.

BODY="version=1&cmd=rates&key=<PUBLIC_KEY>&nonce=$(date +%s%3N)"
HMAC=$(printf '%s' "$BODY" | openssl dgst -sha512 -hmac "<PRIVATE_KEY>" | sed 's/^.*= //')
curl -X POST "$PAYZUM_BASE/legacy/api.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "HMAC: $HMAC" \
  -d "$BODY"

IPN (webhook) delivery

IPN payloads for legacy-adapter transactions use the same signed-webhook format as the REST API. The HMAC header carries hex(HMAC-SHA-512(privateKey, rawBody)) — the same algorithm used for request signing.

See Payment IPN for the full payload shape and verification steps.

Limitations

  • The adapter covers the common command surface (create_transaction, get_tx_info, rates). Advanced commands such as mass withdrawals are not supported — use the REST API for those workflows.
CoinPayments adapterMerchants & API keys