Help Center

To check requests for payment creation via API, two methods are available.

Allpay API Tester

With Allpay API Tester, you can perform requests for new payment, refund, create subscription, and other operations in both live and test modes, emulating requests from your server.

Simply insert the API login/key of any integration created in the <span class="u-richtext-element">Settings</span> -> <span class="u-richtext-element">API Integrations</span> section, and fill out the form fields according to the API documentation.

If test mode is enabled for the integration, requests will be executed in the test environment.

API request contents

The transaction details show its history. By clicking a history record, you can view the API request body and webhook.

This feature allows you to manage the payment amount via URL, pass customer data filled out on your platform to the payment page, and control the customer's path after a successful payment.

First, you need to create a payment link in the Allpay dashboard and set its type to <span class="u-richtext-element">Customer indicates amount</span>.

You can add the parameters <span class="u-richtext-element">amount</span> for the payment amount, <span class="u-richtext-element">client_name</span>, and <span class="u-richtext-element">client_email</span> for customer data to the payment link URL.

For example, https://allpay.to/~pay/dynamic?amount=100&client_name=Jason%20Statham&client_email=jason@go.com

‍
If the values for the parameters <span class="u-richtext-element">client_name</span> and <span class="u-richtext-element">client_email</span> are not specified, we will request them from the customer during payment.

This way, you can use a single payment link for all customers, specifying an individual amount for each of them.

Supported parameters

<span class="u-richtext-element">amount</span> — payment amount.

<span class="u-richtext-element">client_name</span> — customer name.

<span class="u-richtext-element">client_email</span> — customer email.

<span class="u-richtext-element">client_tehudat</span> — the Tehudat Zehut (Social ID number). This is included in the payment receipt. To hide this field from the page, pass nine zeros.

<span class="u-richtext-element">currency</span> — payment currency. For example, ILS, USD, EUR. If the currency is not approved for the account, it will be converted to ILS.

<span class="u-richtext-element">currency_display</span> — display currency. For example, you can show the price in USD and charge in ILS at the current exchange rate. List of supported display currencies.

<span class="u-richtext-element">lang</span> — language of the payment page. It is auto-detected by the customer's browser language, but you can control it by passing values AR (Arabic), EN (English), HE (Hebrew), or RU (Russian).

Product name

The product or service name cannot be passed this way, as it creates a possibility for manipulation. For example, it would allow changing the name of the provided product or service, which is automatically included in the receipt generated after payment.

Parameter add_field

You can also use the parameter <span class="u-richtext-element">add_field</span>, the value of which will be passed unchanged in the redirect URL after a successful payment (see the article Redirect after payment for how to set up the redirect URL).

For example, https://allpay.to/~pay/dynamic?amount=100&add_field=any_text

In the example above, the parameter <span class="u-richtext-element">add_field=any_text</span> will be passed unchanged in the redirect URL after payment. This allows you to track conversions, direct the customer to the desired stage of your chatbot funnel, and perform other necessary actions after payment.

If needed, you can set the value of <span class="u-richtext-element">add_field</span> to a string with multiple parameters and parse them on your server side. For example, <span class="u-richtext-element">add_field=par1-value1,par2-value2</span>.

If Webhook sending is enabled for the link, the <span class="u-richtext-element">add_field</span> parameter will be included in the request body.

Video tutorial

Creating payment forms

Using this approach and basic web development skills, you can create payment forms for placement on your website. These forms do not replace full capacity of our API but provide a simple and convenient solution for accepting payments.

You can allow customers to select product modifications or quantities, calculate the total based on selected options, and redirect the customer to proceed the payment.

Example in action:

You can view the source code for the forms used in the video at the following links:

https://allpay.to/demo/snippet-example-1.html

https://allpay.to/demo/snippet-example-2.html

Using ChatGPT, you can customize the functionality of the forms to suit your specific needs.

We help Amuta (Non-Profit Organization) connect payment system to accept donations.

Amuta is a non-profit organization that aims to promote socially significant goals or ideas in society.

Documents required to enable payments

1. Identity document (תעודת זהות) of the founder or director.
2. Certificate of registration of the amuta (תעודה לרישומה של עמותה).
3. Bank account details confirmation (אישור ניהול חשבון בנק).
4. Minutes specifying the authorized signatories (פרוטוקול מורשי חתימה). Must be notarized by a lawyer. Download a sample.
5. Certificate of proper management (אישור ניהול תקין) or a confirmation of document submission signed by an accountant (אישור הגשת מסמכים).

The Certificate of proper management confirms the legality and continuity of the amuta’s activity over a two-year period. The Confirmation of document submission serves as a temporary equivalent of the Certificate of proper management.

Registration steps

1. Make sure that the amuta site matches requirements.
2. Fill in registration form.
3. Within 24 hours, an Allpay manager will contact you to request missing documents.
4. If everything is in order, you will receive approval within 2-3 days and will be able to start accepting payments.

Technical capabilities

Allpay allows non-profit organizations to conveniently accept donations online. You can:

• create payment links, including links with an amount input field where the donor enters the donation amount;
• automatically create documents such as receipt (קבלה) and donation receipt (קבלה על תרומה) according to rules implemented in 2026;
• accept automatic monthly donations (subscriptions);
• embed a payment form on your website;
• accept donations via Bit and Apple Pay;
• and use other Allpay features.

Chargeback comes from the English words «charge» (debit) and «back» (return), which literally means «return of funds back». This term refers to the procedure by which a bank refunds money to the payer after funds were mistakenly or fraudulently withdrawn from their account.

It is a consumer protection mechanism that allows the cancellation of credit or debit transactions and the return of funds if the customer did not authorize the purchase, did not receive the goods or services, or if billing errors occurred.

Participants in a chargeback

The chargeback process involves:

• Customer: Initiates the chargeback through the issuing bank (the bank that issued the card).
• Issuing bank: Conducts the investigation and, if necessary, refunds the money to the customer. In Israel, the issuing banks can be Isracard, CAL, MAX and few others.
• Merchant (seller): Must provide evidence of the legitimacy of the transaction. If the chargeback is justified, the merchant refunds the money to the bank.

Possible reasons for a chargeback

• The customer requested a refund because they did not recognize a charge in the bank statement or forgot about an actual payment.
• The goods or services were not provided by the merchant.
• Fraudulent charges were made on the card without the customer’s knowledge (the card was stolen or compromised).

Chargeback procedure

After the customer files a request, the issuing bank opens a case, determines the reason for the chargeback, and decides whether to return the money to the customer or leave it with the merchant. As part of the investigation, the bank will contact the merchant and request proof of service delivery.

In Israel, according to the Payment Services Law of 2020, if a transaction is considered an «insufficient documentation transaction» (i.e., made without the physical presence of the card, which applies to all online payments), the customer receives a full refund if they contact the issuing bank within 30 days of receiving the charge notification.

Thus, the law provides significant protection for the consumer but can also lead to fraud and cancellations of legitimate transactions where the customer actually received the agreed service. Therefore, merchants are advised to collect and keep evidence of goods or services provided to the customer, especially for large amounts (e.g., contracts, receipts, emails, delivery confirmations).

If the bank establishes that the funds were withdrawn from the customer’s card illegally, they will be returned to the customer and deducted from the merchant’s balance.

Risks for merchants

Frequent chargebacks can have serious consequences for merchants. The main risk is financial loss due to refunds to customers. However, that is not the only risk:

• Fines and fees: Banks may impose fines for each chargeback, increasing financial pressure on the business.
• Deterioration of banking relationships: Frequent chargebacks can damage relationships with acquiring banks. This can lead to higher fees, worse cooperation terms, or even termination of the contract.
• Risk of being blacklisted: A high chargeback rate can result in being added to blacklists of payment systems, making it difficult to work with new acquirers and other financial institutions.
• Loss of reputation: Frequent chargebacks can damage the merchant’s reputation, creating distrust among customers and partners.

Tips for prevention

To minimize chargeback risks, merchants should take the following measures:

• Use secure payment methods: Activate 3DS for payments — a two-factor authentication method where the bank asks the customer to confirm the payment via the banking app or by entering an SMS code.
• Improve communication with customers: Quick and transparent communication helps avoid misunderstandings. It is important to respond to customer inquiries promptly and provide full information about goods and services.
• Collect and store evidence: Systematically keep all documents confirming the provision of services or delivery of goods. This will help protect the business in case of a chargeback.
• Clear refund policy: A transparent and easy-to-understand return policy can reduce the number of chargebacks, as customers will know how to return a product or cancel a service.

Fees

The average fee charged for handling a chargeback is 50 ILS.

Display in the interface and documents

If a chargeback was requested for a payment, a new transaction with a negative amount and the label <span class="u-richtext-element" style="background-color: rgba(221, 94, 94, 0.4)">chargeback</span> will appear on the payments screen.

A refund document will also be created: a credit invoice and/or a receipt with a negative amount — depending on the business type and the type of the previously issued document.

If the business disputed the chargeback and the dispute was resolved in favor of the business, the funds will be returned. In this case, a new transaction with a positive amount and the label <span class="u-richtext-element" style="background-color: rgba(68, 203, 138, 0.5)">chargeback revert</span> will appear on the payments screen.

A new income document will also be created: a receipt or a tax invoice/receipt — depending on the business type and document settings.

When a payment is created through an external website, API, or integration, Allpay by default considers that the transferred price of the product or service already includes VAT.

For example, if the website sends the following line item:

Product name: 116.82 ₪

Allpay displays this amount on the payment page as the final price of the line item:

Product name      116.82 ₪
Subtotal          99.00 ₪
VAT 18%           17.82 ₪
Total             116.82 ₪

This means that the line item price is displayed including VAT, while the breakdown below separately shows the amount before VAT, the VAT amount, and the total amount.

Why Allpay displays the line item price including VAT

There are two reasons for this: technical and legal.

Technical reason

When a payment is created through an external website or integration, Allpay receives already prepared data and assumes that the price submitted by the external website is the final price for the payer.

Allpay does not change the line item price and does not replace it with the price before VAT. We show the buyer the amount submitted by the website or integration.

This is especially important because the external website may have already calculated the price, discount, VAT, currency, subscription, or other conditions. Therefore, Allpay should not change the price of an individual line item at its own discretion.

Legal reason

The payment page is the screen the buyer sees before making the payment. Therefore, it is important to show a clear final price.

Israeli consumer protection law requires the full price of a product or service to be displayed to the consumer. The full price includes all mandatory charges, including VAT, if applicable.

The official explanation by the Consumer Protection and Fair Trade Authority also states that the full price of the product or service must be displayed.

Court practice usually interprets this requirement strictly: if the consumer is shown the price of a product or service without VAT, and VAT is added separately later, this may be considered a less transparent way of displaying the price.

Even if the total amount is shown below, a product line with a price before VAT may create the impression that the product is cheaper. It may also make it harder for the buyer to compare prices between different sellers.

For this reason, the safer and clearer approach for the payment page is to show each line item price including VAT, while displaying the breakdown separately below.

Accounting systems

Accounting systems may display the same payment differently.

For example, Morning may show the line item price before VAT, while EasyCount may show it including VAT.

Below is a screenshot with an example where the same payment is displayed differently in Morning and EasyCount:

Both options may be correct for an accounting document, as long as the final amounts match: the amount before VAT, the VAT amount, and the total amount.

However, the Allpay payment page is not an accounting document. It is the screen shown to the buyer before payment. Therefore, Allpay displays the line item price as the final price for the buyer, including VAT.

When creating a payment link, switch the selector from «I indicate the amount» to «Customer indicates amount» and provide the name of the product or service.

You can also add buttons with predefined amounts, allowing the payer to choose one or enter their own amount in the input field. To make one of the buttons preselected on the payment page, mark it with a star.

The payer will select the desired amount button or enter their own amount and proceed with the payment. The transaction will appear on the main payment screen like any other.

“Donate” button

In the payment link settings, the “Pay” button label can be changed to “Donate”, which is better suited for charitable projects.

Passing the amount through a URL link

If you add <span class="u-richtext-element">?amount=AMOUNT</span> to the end of the URL link, the buttons and input fields will disappear, and the amount will be fixed.

For example, https://allpay.to/~pay/dynamic?amount=300

This helps avoid creating multiple payment links for a single service with a frequently changing price. You only need to create one link and insert the required amount into its URL when sending it to the customer.

In the article "Passing parameters through the payment link URL" you can learn about other options of this feature.

Webhook is an automatic event notification sent by the Allpay system to an external URL.

When a payment is successfully completed, Allpay sends a POST request to the specified address. The request contains full payment details, including the buyer's name, the payment description, and the amount.

Developers and integrators use webhooks to:

• automatically trigger actions (e.g. activating an order or sending an email to the customer),
• synchronize data between systems,
• eliminate the need for manual payment status checks.

Even types

Currently, Allpay supports a webhook for one event only — successful payment.

For subscriptions, the webhook is automatically sent to the specified URL each month after a successful recurring charge.

Where to configure a webhook

A webhook is configured separately for each payment link or API integration:

1. Payment link — in the settings of that specific link. In this case, the webhook will be sent for every payment made via that link.
2. API integration — in the settings of a specific integration under the <span class="u-richtext-element">API Integrations</span> section. This allows you to receive webhooks for all payments processed through that integration — for example, from your site on WordPress, or another platform.

Allpay does not have a centralized webhook setting for all payments. This approach gives you flexible control over notifications across different channels.

Webhook request contents

Allpay sends a POST request to the specified URL. The request body is a JSON object containing parameters related to the event.

Example request

POST /c96zv6ri852dvppncccdg6fxkjnpwojg HTTP/2
Host: hook.eu2.make.com
accept: */*
content-type:application/json
content-length: 453

{
    "name": "Consultation",
    "items": [
        {
            "name": "Consultation",
            "price": 150,
            "qty": 2,
            "vat": "1"
        },
        {
            "name": "Clock",
            "price": 50,
            "qty": 1,
            "vat": "1"
        }
    ],
    "amount": "350",
    "status": 1,
    "client_name": "Tanur Mikrogalov",
    "client_email": "test@email.com",
    "client_tehudat": "123456789",
    "client_phone": "+972 58 569 8877",
    "foreign_card": "0",
    "card_mask": "455743******3431",
    "card_brand": "visa",
    "receipt": "",
    "inst": 1,
    "sign": "83f6fab69f7b237ee2db5d9993b84b5fe89ef722af6206a0ffe64480501f3784"
}

‍

Each payment for which a webhook was sent is marked with a corresponding label. By clicking on this label, you can view the full contents of the request.

add_field parameter

If you add <span class="u-richtext-element">?add_field=any-string</span> to the payment link URL, this parameter will be included in the Webhook request body. Learn more.

Webhook security

Allpay supports two methods for verifying the authenticity of webhook requests:

Verification using the Webhook secret key

This method relies on an HMAC signature based on the SHA256 algorithm.

Signature generation algorithm:

1. Remove the <span class="u-richtext-element">sign</span> parameter from the request.
2. Exclude all parameters with empty values.
3. Sort the remaining keys in alphabetical order.
4. From the sorted list, take the parameter values and join them into a single string using a colon (:) as a separator.
5. Append your Webhook secret key to the end of the string, preceded by a colon.
6. Apply the SHA256 algorithm to the resulting string.
7. Compare the result with the <span class="u-richtext-element">sign</span> parameter received in the request.

Platforms like Zapier support this type of verification using built-in tools, such as a custom script in Code by Zapier.

Example JavaScript for Zapier

const webhookKey = "YOUR WEBHOOK SECRET KEY";

// Parse the input params from JSON string to an object
const params = JSON.parse(inputData.params || '{}');

// Store the original signature from the request
const requestSignature = params.sign || null;

// Remove the 'sign' parameter before calculating the signature
delete params.sign;

function getApiSignature(params, webhookKey) {
    // Filter out empty values and sort keys alphabetically
    const sortedKeys = Object.keys(params)
        .filter((key) => {
            const value = params[key];
            return value !== null && value !== undefined && String(value).trim() !== '';
        })
        .sort();

    // Collect the values in sorted key order, process nested arrays (like "items")
    const chunks = [];
    sortedKeys.forEach(key => {
        const value = params[key];
        if (Array.isArray(value)) {
            value.forEach(item => {
                if (typeof item === 'object' && item !== null) {
                    Object.keys(item).sort().forEach(subKey => {
                        const val = item[subKey];
                        if (val !== null && val !== undefined && String(val).trim() !== '') {
                            chunks.push(String(val).trim());
                        }
                    });
                }
            });
        } else {
            chunks.push(String(value).trim());
        }
    });

    // Build the string to hash
    const baseString = chunks.join(':') + ':' + webhookKey;

    // Generate SHA256 hash
    const crypto = require('crypto');
    const hash = crypto.createHash('sha256').update(baseString).digest('hex');

    return { baseString, verifiedSignature: hash };
}

// Generate the signature
const result = getApiSignature(params, webhookKey);

// Return the original and calculated values
output = {
    requestSignature: requestSignature,
    baseString: result.baseString,
    verifiedSignature: result.verifiedSignature
};

‍

Demo of webhook verification on Zapier

‍

IP address verification‍

A simpler but less secure method is to check that the request comes from Allpay’s server IP address. You can request the current IP address by contacting our support team.

Webhook delivery and retries

Your server must return an <span class="u-richtext-element">200 OK</span> response to confirm successful receipt of a webhook. If any other status is returned, or the request fails due to a timeout or network error, Allpay will automatically retry delivery.

Allpay performs up to 10 delivery attempts in total. The first retry is made 1 minute after the initial failure. Subsequent retries are sent with progressively increasing intervals, with the final attempt occurring within 24 hours of the original request.

If all delivery attempts fail, the webhook will be marked as failed and no further retries will be made.

Hosted Fields allow you to embed card input fields on your website or app, fully adapting them to the system's design. They create a seamless interface experience and eliminate the need to redirect the customer to an external payment page. This improves usability and conversion rates.

The input fields for the card number, expiration date, and CVC are represented as an iFrame. We provide the ability to fully customize their CSS and embed them on your site as a single frame.

Tutorial

Setup

<span class="u-richtext-counter">1</span> In the <span class="u-richtext-element">Settings</span> → <span class="u-richtext-element">Integrations</span> → <span class="u-richtext-element">My sites</span> enable Hosted Fields for the required integration.

<span class="u-richtext-counter">2</span> Click the <span class="u-richtext-element">Hosted Fields settings</span> button and specify the domain where the payment will be processed. Domains and subdomains must be entered one per line in plain format, without <span class="u-richtext-element">https://</span>, paths, or any additional parts — for example, <span class="u-richtext-element">mysite.com</span>. If needed, adjust the CSS styles for the input fields.

<span class="u-richtext-counter">3</span> On your website’s payment page, place an iFrame, assign any custom value to its <span class="u-richtext-element">id</span> parameter, and in the <span class="u-richtext-element">src</span> parameter specify the payment URL (payment_url) returned by Allpay in response to a payment creation request (see Payment request section in the API Reference). Payment URLs can also be generated using the Allpay API Tester.‍

<span class="u-richtext-counter">4</span> Add the following script to the payment page:

1<script src="https://allpay.to/js/allpay-hf.js"></script>
2    <script>
3    let Allpay = new AllpayPayment(
4        {
5            iframeId: 'iframe_id',
6            onSuccess: function() { alert('Payment success'); },
7            onError: function(error_n, error_msg) { alert('Payment error: ' + error_n + ' (' + error_msg + ')'); }
8        }
9    );
10    </script>

‍

In the script, replace the following parameters with your own:

• <span class="u-richtext-element">iframeId</span> — the id value of your iFrame.
• <span class="u-richtext-element">onSuccess</span> — the handler for successful payment completion (what should happen after successful payment).
• <span class="u-richtext-element">onError</span> — the handler for payment errors. For example, you can display the payment error message on the page.

<span class="u-richtext-counter">5</span> To initiate the process, execute the function <span class="u-richtext-element">Allpay.pay()</span>, for example, by assigning it to the "Pay" button:

<button onclick="Allpay.pay();">Pay</button>

Installments

If you enabled the installment option for the customer when creating the payment by passing a value in the <span class="u-richtext-element">inst</span> parameter, a field for selecting the number of payments will automatically appear in the frame.

Quick Pay Buttons

Apple Pay and Bit buttons will not be displayed in preview mode or within the iFrame if they are not activated in the <span class="u-richtext-element">Settings</span> → <span class="u-richtext-element">Modules</span>.

Additionally, these buttons are not displayed in test mode. As well as in live mode for installment or subscription payments.

Apple Pay button

At the moment, the Apple Pay button does not work inside Hosted Fields. We are working on a solution.

To ensure Apple Pay button works correctly, set the attribute <span class="u-richtext-element">allow="payment *"</span> in the <span class="u-richtext-element">iframe</span> tag. Example:

<iframe id="myPaymentIframe" allow="payment *" src="..." >