Document of the owner of the bank account. Required.
CBU of the owner of the bank account. Required only for Argentina.
Payment with Credit Card Information
Payment with Credit Card Token
The following example applies to credit card payments using the plain credit card information (only for Full PCI DSS merchants). To make payments using encrypted card information, simply replace the number and cvv parameters with encrypted_data.
The following example applies to credit card payments using a Smart Fields token. To make a payment with a card_id obtained from the Create a Card method, simply replace the token parameter with card_id.
All errors are returned with an appropriate HTTP status code, 4XX or 5XX. The format of all errors is:
Human readable message.
In case one parameter is wrong.
"message":"User unauthorized due to cadastral situation"
HTTP Status Code
Unregistered IP address.
Merchant has no authorization to use this API.
404 Not Found
Payment not found.
400 Bad Request
Invalid parameter: [parameter_name]
Invalid transaction status.
Country not supported.
Currency not allowed for this country.
User unauthorized due to cadastral situation.
User limit exceeded.
Token not found or inactive.
Order id is duplicated.
Method not available.
Amount too low.
Invalid API Version.
Chargeback in place for this transaction.
429 Too many requests
Too many requests to the API.
500 Internal Server Error
Failed to process the request.
Notifications will be sent on every change of status of a payment to the notification URL specified by the merchant. This URL is taken from the notification_url field of the payment, if it differs from the one specified in the merchant panel. The body of the request will always be the payment object.
Until dLocal receives a 200 status code confirmation on these notifications, it will retry every 10 minutes for 30 days.
An HMAC signature is calculated using a request's key-value pairs and a secret key, which is known only to you and dLocal. By verifying this signature, you'll confirm that the notification was not modified during transmission.
Simply take the Authorization HTTP header from the notification, and compare it with the one generated by you using your X-Login and secretKey, and the X-Date and request body of the notification received. If the signature generated by you matches the one received in the Authorization HTTP header, then it is safe to assume that this is a valid message from dLocal.
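The comparison described above, as an added example (not dLocal's own code). It assumes the signature is HMAC-SHA256 over X-Login + X-Date + request body, sent as "V2-HMAC-SHA256, Signature: <hex>"; this page does not spell out the algorithm, field order or header layout, and all sample values are constructed.

```python
import hashlib
import hmac

# Assumption: header layout of the signature value (not stated on this page).
PREFIX = "V2-HMAC-SHA256, Signature: "


def expected_authorization(x_login, secret_key, x_date, raw_body):
    """Rebuild the Authorization value from the notification's own fields."""
    # Assumption: message is X-Login + X-Date + body, joined with no separator.
    message = x_login.encode() + x_date.encode() + raw_body
    digest = hmac.new(secret_key.encode(), message, hashlib.sha256).hexdigest()
    return PREFIX + digest


def verify_notification(headers, raw_body, x_login, secret_key):
    """Return True only if the received Authorization header matches ours."""
    received = headers.get("Authorization", "")
    x_date = headers.get("X-Date", "")
    if not received or not x_date:
        return False  # a missing header is a rejection, not an empty-string match
    expected = expected_authorization(x_login, secret_key, x_date, raw_body)
    # Constant-time compare: do not leak how many leading characters matched.
    return hmac.compare_digest(received.encode(), expected.encode())


# Constructed sample values, not real credentials or a real notification.
LOGIN, SECRET = "example-login", "example-secret-key"
DATE = "2024-01-01T12:00:00.000Z"
BODY = b'{"id":"PAY-EXAMPLE","status":"PAID"}'


def demo():
    """Genuine, tampered-body, and header-less notifications, in that order."""
    good = {"X-Date": DATE,
            "Authorization": expected_authorization(LOGIN, SECRET, DATE, BODY)}
    tampered = BODY.replace(b"PAID", b"REJECTED")
    return (verify_notification(good, BODY, LOGIN, SECRET),
            verify_notification(good, tampered, LOGIN, SECRET),
            verify_notification({"X-Date": DATE}, BODY, LOGIN, SECRET))


if __name__ == "__main__":
    print(demo())
```

Compute the signature over the raw body bytes exactly as received, before any JSON parsing, since re-serializing the payment object can change the bytes and break the match.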