Initiate a payment
Creates a payment session and returns a hosted payment URL.
https://pay.syok2pay-sandbox.com
Request body
merchant_code (required): Your merchant code, e.g. M00001
reference_no (required): Your unique order reference
order_description (required): Shown on checkout
amount (required): Decimal string, 2 dp, e.g. 3.00
currency (required): ISO code, e.g. MYR
frontend_return_url (required): Customer redirect target; supports the {gateway} and {txn_id} templates. The customer's browser carries these values, so treat them as untrusted input and do not mark an order as paid from this redirect alone.
backend_return_url (required): Server-to-server callback URL. Verify that a callback is authentic before acting on it.
channel: Pre-select a payment channel
product_code: Optional product code
customer_id: Your customer identifier
customer_name: Customer name
customer_email: Customer email
customer_contact: Customer phone
customer_ip: Customer IP
Example request
# X-Signature is the hex HMAC-SHA256 of merchant_code|reference_no|amount|currency|timestamp,
# keyed with the secret key (sk_...). X-Timestamp must be the timestamp that was signed.
# Only the publishable key (pk_...) is sent; the secret key never appears in the request.
curl --request POST https://pay.syok2pay-sandbox.com/v1/initiate \
  --header "Authorization: Bearer pk_..." \
  --header "X-Timestamp: 1714280400" \
  --header "X-Signature: <hmac>" \
  --header "Content-Type: application/json" \
  --data '{
"merchant_code": "M00001",
"reference_no": "ORD-20260428-003",
"order_description": "Payment for Order #001",
"amount": "3.00",
"currency": "MYR",
"frontend_return_url": "https://store.example/payment/return?gw={gateway}&txn_id={txn_id}",
"backend_return_url": "https://store.example/payment/callback?gw={gateway}&txn_id={txn_id}",
"customer_email": "john@example.com"
}'
Example response
{
"success": true,
"data": {
"session_id": "cs_abc123",
"txn_id": "txn_abc123",
"status": "PENDING",
"amount": "3.00",
"currency": "MYR",
"reference_no": "ORD-20260428-003",
"merchant_name": "Example Store",
"expires_at": "2026-04-28T12:30:00Z",
"payment_url": "https://pay.syok2pay-sandbox.com/payment?session_id=cs_abc123"
},
"trace_id": "xid_abc123"
}
Redirect the customer to data.payment_url.
Code examples
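Each example builds the signing string
(merchant_code|reference_no|amount|currency|timestamp), signs it with your
secret key (sk_…) using HMAC-SHA256, and POSTs the request. The timestamp in
the signing string is the same value that is sent in the X-Timestamp header. The amount
must be the same 2-decimal string in both the signing string and the body. As shown,
the signature covers only those five values; the other body fields (including the
return URLs) are protected by TLS alone. Keep the secret key on your server only: it is
used to compute the signature and is never sent. On
success, redirect the customer to data.payment_url.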
PHP
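<?php
// Initiates a payment session: builds the payload, signs
// merchant_code|reference_no|amount|currency|timestamp with HMAC-SHA256, POSTs it,
// and leaves the decoded JSON response in $result.
//
// The keys below are sandbox placeholders. In a real deployment load them from the
// environment or a secret store; the secret key must stay on the server.
$publishableKey = 'pk_test_xxxxxxxxxxxx'; // Bearer token
$secretKey = 'sk_test_xxxxxxxxxxxx'; // used to sign — never sent

// Format the amount once so the signed value and the body value are the same string.
$amount = number_format(3, 2, '.', ''); // "3.00"

$payload = [
    'merchant_code' => 'M00001',
    'reference_no' => 'ORD-' . date('Ymd') . '-001',
    'order_description' => 'Payment for Order #001',
    'amount' => $amount,
    'currency' => 'MYR',
    'frontend_return_url' => 'https://store.example/payment/return?gw={gateway}&txn_id={txn_id}',
    'backend_return_url' => 'https://store.example/payment/callback?gw={gateway}&txn_id={txn_id}',
    'customer_email' => 'john@example.com',
];

// The same timestamp goes into the signing string and the X-Timestamp header.
$timestamp = (string) time();
$signingString = implode('|', [
    $payload['merchant_code'],
    $payload['reference_no'],
    $payload['amount'],
    $payload['currency'],
    $timestamp,
]);
$signature = hash_hmac('sha256', $signingString, $secretKey);

$body = json_encode($payload);
if ($body === false) {
    throw new RuntimeException('Could not encode the payload: ' . json_last_error_msg());
}

$ch = curl_init('https://pay.syok2pay-sandbox.com/v1/initiate');
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        'Authorization: Bearer ' . $publishableKey,
        'X-Timestamp: ' . $timestamp,
        'X-Signature: ' . $signature,
        'Content-Type: application/json',
    ],
    CURLOPT_POSTFIELDS => $body,
    // Without timeouts a stalled gateway connection blocks the checkout request
    // indefinitely. Example values; tune them for your environment.
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT => 15,
]);

$response = curl_exec($ch);
$curlError = curl_error($ch);
$httpStatus = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// curl_exec() returns false on transport failure (DNS, TLS, timeout); decoding that
// value would silently produce null.
if ($response === false) {
    throw new RuntimeException('Payment initiation request failed: ' . $curlError);
}
if ($httpStatus < 200 || $httpStatus >= 300) {
    throw new RuntimeException('Payment initiation failed with HTTP ' . $httpStatus);
}

$result = json_decode($response, true);
if (!is_array($result)) {
    throw new RuntimeException('Payment initiation returned a non-JSON response');
}
// Redirect the customer to $result['data']['payment_url'] only when
// $result['success'] is true.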
Node.js
import crypto from 'node:crypto'
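// Initiates a payment session: builds the payload, signs
// merchant_code|reference_no|amount|currency|timestamp with HMAC-SHA256, POSTs it,
// and leaves the parsed JSON response in `result`.
//
// The keys below are sandbox placeholders. In a real deployment load them from the
// environment or a secret store; the secret key must stay on the server and must
// never be shipped in browser code.
const publishableKey = 'pk_test_xxxxxxxxxxxx' // Bearer token
const secretKey = 'sk_test_xxxxxxxxxxxx' // used to sign — never sent

// Format the amount once so the signed value and the body value are the same string.
const amount = (3).toFixed(2) // "3.00"

const payload = {
  merchant_code: 'M00001',
  reference_no: 'ORD-20260531-001',
  order_description: 'Payment for Order #001',
  amount,
  currency: 'MYR',
  frontend_return_url: 'https://store.example/payment/return?gw={gateway}&txn_id={txn_id}',
  backend_return_url: 'https://store.example/payment/callback?gw={gateway}&txn_id={txn_id}',
  customer_email: 'john@example.com',
}

// The same timestamp goes into the signing string and the X-Timestamp header.
const timestamp = Math.floor(Date.now() / 1000).toString()
const signingString = [
  payload.merchant_code,
  payload.reference_no,
  payload.amount,
  payload.currency,
  timestamp,
].join('|')
const signature = crypto
  .createHmac('sha256', secretKey)
  .update(signingString)
  .digest('hex')

const res = await fetch('https://pay.syok2pay-sandbox.com/v1/initiate', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${publishableKey}`,
    'X-Timestamp': timestamp,
    'X-Signature': signature,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify(payload),
  // fetch() has no default timeout; without one a stalled gateway connection hangs
  // the checkout request. Example value; tune it for your environment.
  signal: AbortSignal.timeout(15_000),
})

// Fail loudly on an HTTP error instead of treating the error body as a session.
if (!res.ok) {
  throw new Error(`Payment initiation failed with HTTP ${res.status}`)
}

const result = await res.json()
// Redirect the customer to result.data.payment_url only when result.success is true.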
Python
import hashlib
import hmac
import time
import requests
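# Initiates a payment session: builds the payload, signs
# merchant_code|reference_no|amount|currency|timestamp with HMAC-SHA256, POSTs it,
# and leaves the parsed JSON response in `result`.
#
# The keys below are sandbox placeholders. In a real deployment load them from the
# environment or a secret store; the secret key must stay on the server.
publishable_key = "pk_test_xxxxxxxxxxxx"  # Bearer token
secret_key = "sk_test_xxxxxxxxxxxx"  # used to sign — never sent

# Format the amount once so the signed value and the body value are the same string.
amount = f"{3:.2f}"  # "3.00"

payload = {
    "merchant_code": "M00001",
    "reference_no": "ORD-20260531-001",
    "order_description": "Payment for Order #001",
    "amount": amount,
    "currency": "MYR",
    "frontend_return_url": "https://store.example/payment/return?gw={gateway}&txn_id={txn_id}",
    "backend_return_url": "https://store.example/payment/callback?gw={gateway}&txn_id={txn_id}",
    "customer_email": "john@example.com",
}

# The same timestamp goes into the signing string and the X-Timestamp header.
timestamp = str(int(time.time()))
signing_string = "|".join(
    [
        payload["merchant_code"],
        payload["reference_no"],
        payload["amount"],
        payload["currency"],
        timestamp,
    ]
)
signature = hmac.new(
    secret_key.encode(), signing_string.encode(), hashlib.sha256
).hexdigest()

res = requests.post(
    "https://pay.syok2pay-sandbox.com/v1/initiate",
    headers={
        "Authorization": f"Bearer {publishable_key}",
        "X-Timestamp": timestamp,
        "X-Signature": signature,
        "Content-Type": "application/json",
    },
    json=payload,
    # requests waits forever by default; without a timeout a stalled gateway
    # connection hangs the checkout request. (connect, read) seconds — example
    # values; tune them for your environment.
    timeout=(5, 15),
)

# Fail loudly on an HTTP error instead of treating the error body as a session.
res.raise_for_status()

result = res.json()
# Redirect the customer to result["data"]["payment_url"] only when
# result["success"] is true.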