Technical Documentation Writer

API Documentation: PaymentFlow API v2.1

1. Documentation Structure

Table of Contents:

1. Getting Started - Quick Start (5 min integration) - System Requirements - Installation Guide
2. Core Concepts - Architecture Overview - Authentication Model - Request/Response Flow
3. API Reference - Endpoints - Request Parameters - Response Objects - Error Codes
4. Integration Guides - Accept Payments - Refund Transactions - Webhook Setup - Testing
5. Code Examples - Node.js - Python - PHP - Ruby
6. Troubleshooting - Common Issues - Error Resolution - Performance Tips
7. Admin Guide - Dashboard Setup - Security Configuration - Monitoring
8. Changelog & Migration - v2.1 Changes - Migration from v2.0 - Deprecation Schedule

Version Information:

• Current Version: 2.1.0
• Release Date: March 15, 2025
• Status: Stable
• Previous Versions: 2.0.x (supported until Sept 2025), 1.x (deprecated)
• Support: support@paymentflow.com | Documentation: docs.paymentflow.com

Changelog (v2.1.0 - March 15, 2025):

• Added: Apple Pay and Google Pay support
• Added: Recurring billing endpoints
• Improved: Webhook reliability with automatic retries
• Fixed: Currency conversion rounding issue
• Deprecated: /v1/charges endpoint (migrate to /v2/payments)
• Breaking Change: None (fully backwards compatible with v2.0)

Navigation Hierarchy:

• Organized by user journey: Setup → Integration → Testing → Production
• Search functionality with fuzzy matching
• Code examples copyable with one click
• Version selector (dropdown for v1.x, v2.0, v2.1 docs)

Cross-References:

• Internal: Markdown links between related sections
• External: Links to Stripe, OAuth, webhook.site for testing
• Related: "See also" boxes for connected topics

2. Getting Started Guide

System Requirements:

Minimum Requirements:

• Server: Node.js 14+, Python 3.7+, PHP 7.4+, Ruby 2.7+
• SSL: TLS 1.2 or higher required for all API calls
• Webhook Endpoint: HTTPS URL (publicly accessible)
• Dependencies: curl, json module/library for your language

Recommended Environment:

• Production: Load balancer, Redis cache, PostgreSQL database
• Development: Docker containers for consistency
• Testing: Sandbox account (free, instant setup)
• Monitoring: Logging system (Datadog, New Relic, or similar)

Browser Support (for embedded checkout UI):

• Chrome 90+ - Firefox 88+ - Safari 14+ - Edge 90+ - Mobile: iOS Safari 14+, Chrome Mobile 90+

Installation Instructions:

Step 1: Create Account

# Sign up at https://dashboard.paymentflow.com/signup
# Verify email address
# Complete business information

Step 2: Get API Keys

# Navigate to Settings → API Keys
# Copy your test keys:
# - Publishable Key (starts with pk_test_)
# - Secret Key (starts with sk_test_)
# Store Secret Key securely (never commit to git!)

Step 3: Install SDK

Node.js:

npm install @paymentflow/node
# or
yarn add @paymentflow/node

Python:

pip install paymentflow

PHP:

composer require paymentflow/paymentflow-php

Ruby:

gem install paymentflow

Step 4: Initialize Client

Node.js:

const PaymentFlow = require('@paymentflow/node');
const pf = new PaymentFlow('sk_test_YOUR_SECRET_KEY');

Python:

import paymentflow
paymentflow.api_key = 'sk_test_YOUR_SECRET_KEY'

Initial Configuration:

Set API Version (Optional):

const pf = new PaymentFlow('sk_test_YOUR_SECRET_KEY', {
  apiVersion: '2025-03-15', // Pin to specific version
  timeout: 80000, // 80 second timeout
  maxRetries: 3 // Automatic retries on network failure
});

Quick Start Tutorial (5 Minutes):

Goal: Accept your first test payment

Step 1: Create Payment Intent

const paymentIntent = await pf.paymentIntents.create({
  amount: 2000, // $20.00 in cents
  currency: 'usd',
  payment_method_types: ['card'],
  description: 'Test Payment'
});

console.log(paymentIntent.client_secret);
// Output: pi_1Ab2cD3eF4gH5iJ6_secret_K7lM8nO9pQ0rS

Step 2: Use Client Secret in Frontend

<script src="https://js.paymentflow.com/v3"></script>
<script>
  const pf = PaymentFlow('pk_test_YOUR_PUBLISHABLE_KEY');
  const clientSecret = 'pi_1Ab2cD3eF4gH5iJ6_secret_K7lM8nO9pQ0rS';

  pf.confirmCardPayment(clientSecret, {
    payment_method: {
      card: cardElement, // Assumes you've created card element
      billing_details: {name: 'Test User'}
    }
  }).then(function(result) {
    if (result.error) {
      console.error(result.error.message);
    } else {
      console.log('Payment successful!', result.paymentIntent.id);
    }
  });
</script>

Step 3: Verify Payment

# Check your dashboard: https://dashboard.paymentflow.com/payments
# You'll see test payment with status: succeeded

Common Use Cases:

• One-time payments - Subscription billing - Marketplace splits - Delayed capture - Refunds and disputes

3. Core Concepts

Architecture Overview:

[Your Application]
       ↓
[PaymentFlow SDK] → Handles requests, retries, authentication
       ↓
[PaymentFlow API] → Processes payments, stores data
       ↓
[Payment Networks] → Visa, Mastercard, ACH, etc.
       ↓
[Bank Accounts] → Customer → Your Account

Key Components:

Payment Intent: Represents customer's intention to pay. Tracks entire payment lifecycle from creation to confirmation.

Customer Object: Stores customer information for repeat purchases. Can attach payment methods, subscriptions.

Payment Method: Represents how customer pays (card, bank account, wallet). Can be reused for future charges.

Webhooks: Real-time notifications when payment events occur (successful charge, failed payment, dispute filed).

Key Terminology:

• Idempotency: Using idempotency keys prevents duplicate charges if request retries
• Payment Intent: Object tracking payment from creation to completion
• SCA (Strong Customer Authentication): 3D Secure requirement for European cards
• Metadata: Custom key-value pairs you can attach to any object (max 50 keys)
• Webhook Signature: Cryptographic proof webhook came from PaymentFlow
• Sandbox Mode: Test environment using test API keys (no real money processed)

System Components:

PaymentFlow API: RESTful API accessed via HTTPS - Base URL: https://api.paymentflow.com - Format: JSON request/response - Authentication: Bearer token (API Secret Key) - Versioning: Date-based (2025-03-15)

Dashboard: Web interface for payment management - URL: https://dashboard.paymentflow.com - Features: Payment search, refund processing, analytics, settings - Mobile app available (iOS/Android)

SDKs: Official libraries for 8 languages - Handles authentication, retries, type safety - Open source on GitHub - Community SDKs for 15+ additional languages

Data Flow Diagram:

1. Customer clicks "Pay" on your website
   ↓
2. Your frontend creates Payment Intent (via your backend)
   ↓
3. PaymentFlow returns client_secret
   ↓
4. Frontend confirms payment with customer card details
   ↓
5. PaymentFlow processes via payment networks
   ↓
6. Payment succeeds or fails
   ↓
7. Webhook sent to your server (async notification)
   ↓
8. Your application fulfills order

Security Model:

API Keys:

• Secret Key (sk_): Server-side only, never expose to clients - Full API access, can charge cards and issue refunds
• Publishable Key (pk_): Client-side safe, limited scope - Can create tokens, confirm payment intents, no charge capability

Authentication:

POST /v2/payments HTTP/1.1
Host: api.paymentflow.com
Authorization: Bearer sk_test_YOUR_SECRET_KEY
Content-Type: application/json

Webhook Signatures:

• Every webhook includes signature header
• Verify using your webhook signing secret
• Prevents malicious fake webhooks
• Example verification code provided in Security section

4. Feature Documentation

Feature: Accepting One-Time Payments

Description: The PaymentFlow Payment Intents API allows you to accept one-time payments from customers using cards, bank transfers, or digital wallets with a single unified API.

Usage Instructions:

Step 1: Create Payment Intent (Backend)

const paymentIntent = await pf.paymentIntents.create({
  amount: 2999, // $29.99 in cents
  currency: 'usd',
  payment_method_types: ['card', 'us_bank_account'],
  metadata: {
    order_id: 'ORD-12345',
    customer_email: 'user@example.com'
  }
});

Step 2: Return Client Secret to Frontend

res.json({clientSecret: paymentIntent.client_secret});

Step 3: Confirm Payment (Frontend)

const {error, paymentIntent} = await pf.confirmCardPayment(
  clientSecret,
  {payment_method: {card: cardElement}}
);

if (error) {
  // Handle error (show message to customer)
  displayError(error.message);
} else if (paymentIntent.status === 'succeeded') {
  // Payment successful - show confirmation
  showSuccessMessage();
}

Configuration Options:

Currency Support: 135+ currencies supported - USD, EUR, GBP, CAD, AUD, JPY, etc. - Automatic conversion at real-time rates - Settlement in your account currency

Payment Method Types:

• card - Credit/debit cards (Visa, Mastercard, Amex, Discover)
• us_bank_account - ACH direct debit
• sepa_debit - European bank transfers
• apple_pay - Apple Pay (requires domain verification)
• google_pay - Google Pay

Capture Behavior:

• Automatic (default): Funds captured immediately on confirmation
• Manual: Authorize now, capture later (hold funds for up to 7 days)
• Use case for manual: Hotel reservations, custom orders requiring verification

Best Practices:

1. Always create Payment Intent on backend - Never expose secret key to frontend
2. Use idempotency keys for retries - Prevents duplicate charges if request retries
3. Handle all possible payment statuses - requires_payment_method, requires_confirmation, requires_action, processing, succeeded, canceled
4. Implement webhooks for async events - Don't rely on client-side confirmation only
5. Test thoroughly in sandbox - Use test cards (4242 4242 4242 4242 for success)

Limitations and Constraints:

• Amount Limits: Minimum $0.50, Maximum $999,999.99 per transaction
• Rate Limits: 100 requests/second per API key in production (1,000/second for enterprise)
• Metadata: Max 50 key-value pairs, keys up to 40 characters, values up to 500 characters
• Description: Max 1,000 characters
• Refund Window: Refunds allowed for 90 days after charge
• Failed Payment Attempts: Max 3 attempts per Payment Intent before must create new Intent

5. API Reference

Endpoint: Create Payment Intent

POST /v2/payment_intents

Description: Creates a new Payment Intent representing your customer's intention to pay. Track the payment lifecycle and confirm on the frontend.

Authentication: Requires secret API key

Request Parameters:

Request Example:

const paymentIntent = await pf.paymentIntents.create({
  amount: 5999,
  currency: 'usd',
  payment_method_types: ['card', 'apple_pay'],
  customer: 'cus_ABC123',
  description: 'Premium Subscription - Annual',
  metadata: {
    subscription_id: 'sub_12345',
    plan: 'premium_annual'
  },
  receipt_email: 'customer@example.com',
  statement_descriptor: 'ACME CORP SUBSCRIPTION'
});

Response Format:

{
  "id": "pi_1Ab2cD3eF4gH5iJ6",
  "object": "payment_intent",
  "amount": 5999,
  "currency": "usd",
  "status": "requires_payment_method",
  "client_secret": "pi_1Ab2cD3eF4gH5iJ6_secret_K7lM8nO9pQ0rS",
  "created": 1710523145,
  "customer": "cus_ABC123",
  "description": "Premium Subscription - Annual",
  "metadata": {
    "subscription_id": "sub_12345",
    "plan": "premium_annual"
  },
  "payment_method_types": ["card", "apple_pay"],
  "receipt_email": "customer@example.com"
}

Response Objects (Key Fields):

• id (string): Unique identifier for this Payment Intent
• client_secret (string): Secret used to confirm payment on frontend (pass to JavaScript)
• status (string): Current state - see Payment Intent Statuses below
• amount (integer): Amount in smallest currency unit
• currency (string): Three-letter ISO code
• created (timestamp): Unix timestamp of creation

Authentication Methods:

Bearer Token (Recommended):

Authorization: Bearer sk_live_YOUR_SECRET_KEY

Basic Auth (Alternative):

Authorization: Basic BASE64(sk_live_YOUR_SECRET_KEY:)

Note: Secret key is username, password is empty

API Key Header (Deprecated):

X-API-Key: sk_live_YOUR_SECRET_KEY

Will be removed in v3.0

Rate Limits:

Rate Limit Headers (returned in every response):

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1710523200

Error Codes:

Error Response Format:

{
  "error": {
    "type": "invalid_request_error",
    "code": "parameter_missing",
    "message": "Missing required parameter: amount",
    "param": "amount",
    "doc_url": "https://docs.paymentflow.com/errors/parameter_missing"
  }
}

6. Code Examples

Complete Payment Flow (Node.js + Express):

const express = require('express');
const PaymentFlow = require('@paymentflow/node');

const app = express();
const pf = new PaymentFlow('sk_test_YOUR_SECRET_KEY');

// Endpoint to create payment intent
app.post('/create-payment-intent', async (req, res) => {
  try {
    const {amount, currency} = req.body;

    // Create payment intent
    const paymentIntent = await pf.paymentIntents.create({
      amount,
      currency,
      automatic_payment_methods: {enabled: true},
      metadata: {
        user_id: req.user.id,
        order_id: req.body.order_id
      }
    });

    // Return client secret to frontend
    res.json({
      clientSecret: paymentIntent.client_secret
    });
  } catch (error) {
    res.status(400).json({error: error.message});
  }
});

// Webhook endpoint to handle payment confirmation
app.post('/webhook', express.raw({type: 'application/json'}), async (req, res) => {
  const signature = req.headers['pf-signature'];
  const webhookSecret = 'whsec_YOUR_WEBHOOK_SECRET';

  let event;

  try {
    // Verify webhook signature
    event = pf.webhooks.constructEvent(
      req.body,
      signature,
      webhookSecret
    );
  } catch (err) {
    console.error('Webhook signature verification failed');
    return res.status(400).send();
  }

  // Handle specific event types
  switch (event.type) {
    case 'payment_intent.succeeded':
      const paymentIntent = event.data.object;
      console.log(`Payment ${paymentIntent.id} succeeded`);
      // Fulfill order, send confirmation email, etc.
      await fulfillOrder(paymentIntent.metadata.order_id);
      break;

    case 'payment_intent.payment_failed':
      console.log('Payment failed:', event.data.object.last_payment_error);
      // Notify customer, retry logic, etc.
      break;
  }

  res.json({received: true});
});

app.listen(3000);

Python (Flask) Example:

from flask import Flask, request, jsonify
import paymentflow

app = Flask(__name__)
paymentflow.api_key = 'sk_test_YOUR_SECRET_KEY'

@app.route('/create-payment-intent', methods=['POST'])
def create_payment():
    try:
        data = request.get_json()

        intent = paymentflow.PaymentIntent.create(
            amount=data['amount'],
            currency='usd',
            automatic_payment_methods={'enabled': True},
            metadata={
                'user_id': str(current_user.id),
                'order_id': data['order_id']
            }
        )

        return jsonify({'clientSecret': intent.client_secret})
    except paymentflow.error.PaymentFlowError as e:
        return jsonify({'error': str(e)}), 400

@app.route('/webhook', methods=['POST'])
def webhook():
    payload = request.get_data()
    signature = request.headers.get('PF-Signature')
    webhook_secret = 'whsec_YOUR_WEBHOOK_SECRET'

    try:
        event = paymentflow.Webhook.construct_event(
            payload, signature, webhook_secret
        )
    except ValueError:
        return 'Invalid payload', 400
    except paymentflow.error.SignatureVerificationError:
        return 'Invalid signature', 400

    if event['type'] == 'payment_intent.succeeded':
        payment_intent = event['data']['object']
        # Fulfill the order
        fulfill_order(payment_intent['metadata']['order_id'])

    return jsonify({'success': True})

Integration Patterns:

Pattern 1: Checkout Page Integration

• User adds items to cart
• Backend calculates total, creates Payment Intent
• Frontend displays PaymentFlow hosted checkout
• User completes payment
• Webhook confirms success
• Application fulfills order

Pattern 2: Subscription Billing

• Create Customer object on signup
• Attach Payment Method to Customer
• Create Subscription with pricing plan
• PaymentFlow auto-charges on billing cycle
• Webhooks notify of payment success/failure

Pattern 3: Marketplace with Split Payments

• Create separate accounts for each seller (Connected Accounts)
• Route portions of payment to sellers
• Platform takes fee automatically
• Separate reporting for each seller

Testing Examples:

Test Card Numbers:

// Successful payment
const successCard = '4242424242424242';

// Payment requires authentication (3D Secure)
const sca_card = '4000002500003155';

// Declined card
const declinedCard = '4000000000000002';

// Insufficient funds
const insufficientCard = '4000000000009995';

// All test cards: Any future expiration, any 3-digit CVC

Test Webhooks Locally:

# Use PaymentFlow CLI to forward webhooks to localhost
pf listen --forward-to http://localhost:3000/webhook

# Trigger test webhook
pf trigger payment_intent.succeeded

Debugging Tips:

Enable Request Logging:

const pf = new PaymentFlow('sk_test_KEY', {
  debug: true, // Logs all requests/responses
  telemetry: false // Disable usage stats
});

Inspect API Request Details:

• Every SDK method returns full request/response details
• Check error.raw for complete API error response
• Use pf.setAppInfo() to tag requests for easier filtering in dashboard

7. Troubleshooting

Common Issue 1: "Invalid API Key" Error

Symptoms: All API calls fail with 401 authentication error

Causes:

• Using publishable key instead of secret key
• Using test key in production mode (or vice versa)
• API key copied incorrectly (extra spaces)
• Key revoked or expired

Solutions:

1. Verify you're using secret key starting with sk_
2. Check environment: test keys for testing, live keys for production
3. Copy API key directly from dashboard (avoid manual typing)
4. Generate new key if old one compromised

Diagnostic Code:

console.log('API Key starts with:', pf.apiKey.substring(0, 7));
// Should output: sk_test or sk_live

Common Issue 2: Webhook Not Receiving Events

Symptoms: Payments succeed but webhook never called

Causes:

• Webhook URL not publicly accessible (localhost, firewall)
• Webhook endpoint returns error (not 200 status)
• Signature verification failing
• SSL certificate invalid

Solutions:

1. Use ngrok for local development: ngrok http 3000
2. Ensure webhook endpoint returns 200 status within 30 seconds
3. Verify webhook signature using SDK method
4. Check webhook logs in PaymentFlow dashboard

Testing Webhooks:

# Use PaymentFlow CLI
pf listen --forward-to https://your-domain.com/webhook

# Or use webhook.site for inspection
# Set webhook URL to: https://webhook.site/YOUR-UNIQUE-URL

Common Issue 3: Payment Declined with No Clear Reason

Symptoms: card_declined error but customer insists card works elsewhere

Causes:

• Card issuer blocks online transactions
• International card blocked for US merchant
• Fraud detection triggered
• Insufficient funds
• Card expired (customer didn't notice)

Solutions:

1. Display specific decline reason to customer: error.decline_code
2. Suggest trying different card
3. Advise customer to contact their bank
4. For fraud blocks: Customer must authorize with bank

Decline Codes Reference:

• insufficient_funds - "Your card has insufficient funds. Please try a different payment method."
• lost_card - "This card was reported lost. Please use a different card."
• generic_decline - "Your card was declined. Please contact your bank or try a different card."

Error Message Reference:

Performance Optimization:

Reduce API Calls:

• Batch operations where possible (create multiple payments in one call)
• Cache customer objects (don't fetch every time)
• Use webhook for status rather than polling
• Implement idempotency (safe retries without duplicates)

SDK Best Practices:

// ❌ Bad: Creating new client each time
function charge() {
  const pf = new PaymentFlow(key); // Creates new HTTP connection
  return pf.paymentIntents.create(...);
}

// ✅ Good: Reuse client instance
const pf = new PaymentFlow(key); // Create once
function charge() {
  return pf.paymentIntents.create(...);
}

Connection Pooling:

• SDKs handle connection pooling automatically
• Keep-alive enabled by default
• Set reasonable timeout (80 seconds recommended)

Support Resources:

• Documentation: docs.paymentflow.com (searchable, versioned)
• Community Forum: community.paymentflow.com (2-hour avg response)
• Email Support: support@paymentflow.com (24-hour response for paid plans)
• Live Chat: Available in dashboard (instant for Enterprise)
• Status Page: status.paymentflow.com (real-time API status)
• GitHub: github.com/paymentflow (SDK issues and feature requests)

8. Administrative Guide

Deployment Procedures:

Production Checklist:

• Switch from test keys to live keys in environment variables
• Set up webhook endpoint with HTTPS
• Configure webhook secret in production environment
• Enable fraud detection rules in dashboard
• Set up payment failure notifications
• Configure invoice/receipt email templates
• Test with real card (charge $0.50 and refund immediately)
• Monitor error rate in logs for first 24 hours
• Document rollback procedure

Environment Variables:

# Production
PAYMENTFLOW_SECRET_KEY=sk_live_YOUR_LIVE_KEY
PAYMENTFLOW_WEBHOOK_SECRET=whsec_YOUR_WEBHOOK_SECRET
PAYMENTFLOW_PUBLIC_KEY=pk_live_YOUR_PUBLIC_KEY

# Never commit these to git!
# Use .env file and .gitignore

Backup and Recovery:

Data Retention: PaymentFlow retains all payment data indefinitely - Export via API or dashboard - Use /v2/reporting/exports endpoint for bulk exports - Format: CSV, JSON, or Excel

Disaster Recovery:

• Payment data stored across 3 geographic regions
• 99.99% uptime SLA
• If API unavailable: Payments queue and process when service restores
• Your webhook retries: PaymentFlow retries webhooks for 3 days

Monitoring and Logging:

What to Monitor:

• Payment success rate (should be >95%)
• Average payment confirmation time (<2 seconds p95)
• Webhook delivery success rate (>98%)
• API error rate (<1% of requests)
• Failed payment reasons (track patterns)

Logging Best Practices:

// ❌ Don't log sensitive data
console.log('Payment for card:', fullCardNumber); // NEVER!

// ✅ Log only safe identifiers
console.log('Payment intent created:', paymentIntent.id);
console.log('Customer:', paymentIntent.customer);

Never Log: Full card numbers, CVV, API secret keys, webhook secrets

Dashboard Analytics:

• Real-time payment volume graph
• Success vs failure rate
• Average transaction size
• Top decline reasons
• Geographic distribution
• Custom date range reports

Security Configuration:

API Key Rotation:

• Generate new key in dashboard
• Update applications with new key
• Monitor usage of old key (ensure switched)
• Revoke old key after 7-day grace period

IP Allowlisting (Enterprise):

• Restrict API access to specific IP ranges
• Configure in dashboard Settings → Security
• Recommended for high-value accounts

Webhook Security:

• Always verify webhook signatures
• Use HTTPS endpoints only
• Implement replay attack protection (check timestamp)
• Rate limit webhook endpoint (prevent DoS)

PCI Compliance:

• PaymentFlow is PCI DSS Level 1 certified
• Using SDKs keeps you PCI compliant (card data never touches your servers)
• Never log or store card numbers
• Use PaymentFlow hosted forms where possible

Maintenance Tasks:

Weekly:

• Review failed payments (identify patterns)
• Check webhook delivery success rate
• Monitor error logs for new issues

Monthly:

• Review API usage vs plan limits
• Analyze payment success rate trends
• Update to latest SDK version
• Reconcile payments vs accounting

Quarterly:

• Security audit of integration
• Load test with expected peak volume
• Review and optimize slow API calls
• Update documentation for team

Annually:

• Full PCI compliance review
• Update SSL certificates
• Review and refresh API keys
• Conduct disaster recovery drill