E-comm API
The E-comm API powers websites, hosted checkouts, embed checkout, payment links and third-party plugins on miaPOS. Token authentication, payment creation, status queries, Request-to-Pay push, signed merchant callback, public-key retrieval.
Overview
The E-comm API is the merchant-facing interface for online payments. A merchant backend authenticates with client credentials, calls POST /ecomm/api/v1/pay with an amount and a callback URL, redirects the buyer to the returned checkout URL, and waits for a signed callback. Status can be polled at any time via GET /ecomm/api/v1/payment/{paymentId}. Refunds and Request-to-Pay are optional secondary flows on top of the same authenticated session.
The same API also powers the plugins (WooCommerce, OpenCart, CS-Cart) and the embed checkout snippet — the embed track adds an Idempotency-Key header on POST /pay plus a public no-JWT GET /checkout/{paymentId} for the browser widget. See Embed checkout guide for that surface.
Base URL & environments
Every partner integration uses its own base URL. Sandbox and production hosts and merchant client credentials are issued per partner during onboarding — request sandbox access from sales. Public documentation intentionally does not list host names or credentials. Once you receive the base URL, you can also try the interactive demo — the demo host is provided together with your sandbox credentials.
Authentication
Get a JWT access token by calling POST /ecomm/api/v1/token with your client credentials. Pass the token as Authorization: Bearer <accessToken> on every business call. Exchange refresh tokens for new access tokens with POST /ecomm/api/v1/token/refresh. The GET /checkout/{paymentId} endpoint is intentionally public (no JWT) so a browser widget can render checkout state without a merchant secret in the browser.
Endpoints
Authentication
2 endpointsPayment
4 endpointsIdempotency-Key for embedRequest-to-Pay
1 endpointPublic key
1 endpointCallback protocol
When a payment reaches a terminal state (SUCCESS, FAILED, refunded), the E-comm service POSTs a JSON body to the callbackUrl the merchant supplied on POST /pay. The payload has two top-level fields — result and signature. The signature is an RSA-SHA256 signature over the result object, produced by miaPOS with its private key and verifiable with the public key from GET /api/v1/public-key. Full algorithm and language examples: Signature verification.
POST https://your-shop.example/miapos/callback Content-Type: application/json { "result": { "terminalId": "123456", "orderId": "order123", "paymentId": "bc340d13-7411-4785-a083-b594b1384eb5", "status": "SUCCESS", "amount": 145.25, "currency": "MDL", "paymentDate": "2024-05-20T16:32:28+03:00", "swiftMessageId": "swift123", "swiftPayerBank": "SomeBank" }, "signature": "base64_encoded_signature" }
callbackUrl. The signature field is what proves the payload came from miaPOS. Do not rely on IP allow-listing; do rely on RSA verification.Schemas
Full request and response schemas — including enum values and per-field descriptions — are published in the interactive Redoc reference. Long-form protocol description with request/response walk-throughs and plugin patterns is in the public integration repo on GitHub.
Errors
All endpoints return errors in the standard envelope. See Errors for the full catalogue and the mapping from HTTP status to internal error code.