Backend & Gateway Config

This page never stores anything on a server — all state lives in this browser tab. It talks to your own backend (src/payment-gateway/*) which in turn talks to 911Pay, plus an optional "Direct 911Pay API" tab that calls https://api.911pay.asia/nineoneonepay_api/ directly (see CORS caveat in that tab).

1. Login (obtain JWT)


  

2. Create Deposit — POST /payment-gateway/deposit


    
On success the response includes paymentLink — open it to complete the sandbox payment on 911Pay's hosted page, then 911Pay will call your PAY911_CALLBACK_BASE_URL/deposit webhook.

3. Create Withdrawal — POST /payment-gateway/withdrawal


    
Returns a requestId — use it below in the Admin Review tab to approve/reject (requires an admin JWT in Config).

4. Admin Review & Failed Webhooks

Review withdrawal — PATCH /payment-gateway/admin/withdrawal/:id

Requires the token in Config to belong to an Admin user.

  

Failed webhooks — GET /payment-gateway/admin/failed-webhooks


  

5. Simulate 911Pay Webhooks

Deposit callback — POST /payment-gateway/webhook/deposit

Hash formula: sha256('ID|CustomerCode|Amount|Status|SecretKey'). Amount must match the exact string format 911Pay uses (xxxx.yy).

  

Payout callback — POST /payment-gateway/webhook/payout

Hash formula: sha256('ID|Amount|Status|SecretKey') (no customer_code).

  

6. Direct 911Pay API (bypasses your backend)

911Pay's API is a plain server-to-server REST API with no CORS headers, so calls made directly from a browser tab will almost certainly be blocked by the browser (and this form would also expose your secret_key in browser network traffic). This tab is provided for completeness / cross-checking the request shape against https://merchant.911pay.asia/Api — if the "Send" button fails with a network/CORS error, that is expected; use curl/Postman/your backend instead of a browser for real calls to 911Pay directly.


  

7. Field Reference (cross-checked against merchant.911pay.asia/Api)

Base URL: https://api.911pay.asia/nineoneonepay_api/   Method: POST, all endpoints   Body: multipart/form-data   Auth: secret_key field on every request.

POST /create_order/ (deposit)

FieldRequired?Sent by this repo's client?
secret_keyalwaysyes (appended by Pay911ClientService)
unique_idalwaysyes
amountalwaysyes
return_urlalwaysyes
callback_urlalwaysyes
customer_bank_holder_namerequired for INR/THB/TRY/NPRyes (optional in our DTO — must be supplied for INR flows)
customer_bank_accrequired for INR/THB/TRY/NPRyes (optional in our DTO — must be supplied for INR flows)
bank_coderequired for BDT/NPR onlynot sent — not needed for INR
customer_phone_numberrequired for NPR onlynot sent — not needed for INR
customer_id / customer_name / customer_surnamerequired for TRY onlynot sent — not needed for INR
customer_codeoptionalyes
customer_email / remarkoptionalnot currently sent — could be added if needed

Response fields per docs: customer_code, transaction_id, transaction_date, amount, typefee, totalamount, payment_link, status (SUCCESS|ERROR), message. Our client returns the raw JSON as Pay911CreateOrderResponse (typed for transaction_id/payment_link, rest passthrough).

POST /create_payout/ (withdrawal)

FieldRequired?Sent by this repo's client?
secret_key, unique_id, amount, callback_urlalwaysyes
customer_bank_codealwaysyes
customer_bank_holder_namealwaysyes
customer_bank_accalwaysyes
customer_bank_branch (IFSC)required for TRY onlyyes (optional in our DTO — must be supplied for TRY flows)
customer_id / customer_surnamerequired for TRY onlyyes (optional in our DTO — must be supplied for TRY flows)
customer_mobile_numberrequired for NPR onlyyes (optional in our DTO — must be supplied for NPR flows)

Response: payout_id, payout_date, amount, totalamount, status (SUCCESS|ERROR), message.

Deposit callback (webhook)

FieldNotes
idtransaction_id — this repo's DTO reads it as transaction_id, confirm your controller's field name matches what 911Pay actually posts (docs call it id)
customer_code, amount, status (success|fail), message, reference_number, bank_time, unique_id, hashhash = sha256('ID|CustomerCode|Amount|Status|SecretKey')

Payout callback (webhook)

FieldNotes
id, unique_id, amount, status (success|fail), message, reference_number, bank_time, hashhash = sha256('ID|Amount|Status|SecretKey')

Other endpoints

/check_transaction/ (needs transaction_id) → status, transaction_id, customer_code, amount, transaction_date, bank_to, bank_time, reference_number, remark, return_url, callback_url, state (PENDING|SUCCESS|FAILED).

/check_payout/ (needs payout_id) → status, payout_id, amount, withdrawal_date, bank_time, remark, callback_url, state.

/get_balance/ (needs only secret_key) → status, currency, main_wallet, payout_wallet.

⚠ Verify the callback field name discrepancy above (id vs transaction_id/payout_id) against a real sandbox webhook delivery from 911Pay before going live — the docs use id generically for both callback types, so check src/payment-gateway/dto/gateway-deposit-callback.dto.ts and gateway-payout-callback.dto.ts map to whatever key 911Pay actually sends.