Server API version 1.0



The PostFinance E-Payment API has been designed as a REST API. It uses the HTTP protocol as its foundation. Each resource is accessible under a clearly named URL, and HTTP response codes are used to relay status. HTTP verbs such as GET and POST are used to interact with the resources. To support access by clients directly, as opposed to through your server, our servers support cross-origin resource sharing (CORS). We use JSON for all of our payloads, including error messages.

All these characteristics mean that you will be able to use standard off-the-shelf software to interact with PostFinance. To make the integration even easier, PostFinance also offers SDKs that wrap both the complete Server API and the complete Client API.

To help you get started, the documentation below is richly annotated with ready-to-use code examples for each of the SDKs as well as JSON examples. These examples can be used against our Pre-Production environment.

Server and Client API

We offer two RESTful APIs: a Server API, used for your server-to-server integration, and a Client API, used by clients such as desktops, laptops, mobile phones and other internet-connected devices. The Client API is consumed on your customers' devices and supports less functionality, as those devices are not under your full control. This API is designed to drive your UI, enabling you to collect the right information and encrypt it safely already on the client device.

Server API

The Server API enables merchants to access PostFinance platform functionality such as making payments, starting hosted checkouts, creating tokens, and much more. All these calls require the caller to have a secret API key, which merchants can look up in their Configuration Center account.

Client API

The Client API enables clients such as mobile phones, browsers, and apps to access hosted data on the PostFinance platform, such as detailed information about the available payment products, profile management, and the public keys used for encrypting sensitive data. These calls require a session id that the merchant creates using the Server API.

Access to the Client API has to be granted through the Server API's create session call and is then granted for 2 hours. There is no limit on the number of payments created during these 2 hours; however, any payment request made within the context of a session must be submitted within those 2 hours, as the encryption keys used for client-side encryption are also linked to the session context.
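The session model just described, as an added illustration that is not PostFinance's SDK or API: a hypothetical `PaymentPlatform` class (all names are assumptions) that mints a session only against the merchant's secret API key, lets a client submit any number of payment requests during the 2-hour window, and rejects requests that arrive after expiry or that were encrypted with a key from a different session.

```python
import secrets
from dataclasses import dataclass

SESSION_TTL_SECONDS = 2 * 60 * 60  # Client API access is granted for 2 hours


@dataclass(frozen=True)
class Session:
    session_id: str
    created_at: float
    encryption_key_id: str  # key for client-side encryption, tied to this session


class PaymentPlatform:
    """Hypothetical stand-in for the hosted platform behind both APIs (assumed name)."""

    def __init__(self, merchant_secret_api_key: str):
        self._merchant_key = merchant_secret_api_key  # only the merchant server knows this
        self._sessions: dict[str, Session] = {}

    # --- Server API: called from the merchant's server, requires the secret key ---
    def create_session(self, secret_api_key: str, now: float) -> Session:
        if not secrets.compare_digest(secret_api_key, self._merchant_key):
            raise PermissionError("invalid secret API key")
        session = Session(secrets.token_urlsafe(24), now, "key-" + secrets.token_hex(8))
        self._sessions[session.session_id] = session
        return session

    # --- Client API: called from the customer's device with only the session id ---
    def session_is_valid(self, session_id: str, now: float) -> bool:
        s = self._sessions.get(session_id)
        return s is not None and now - s.created_at < SESSION_TTL_SECONDS

    def submit_payment(self, session_id: str, encrypted_with_key: str, now: float) -> str:
        """Accept a payment only inside the session window and only when the data
        was encrypted with the key linked to that same session."""
        s = self._sessions.get(session_id)
        if s is None:
            return "rejected: unknown session"
        if now - s.created_at >= SESSION_TTL_SECONDS:
            return "rejected: session expired"
        if encrypted_with_key != s.encryption_key_id:
            return "rejected: key not bound to this session"
        return "accepted"  # no limit on the number of payments inside the window
```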