The Payments API connects Zippi orders to the Wompi payment gateway. It provides endpoints for recording manual payments, initiating Wompi hosted-checkout sessions, listing payment transactions, and receiving asynchronous webhook notifications from Wompi. All order-scoped endpoints are mounted underDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CRISTIANCAMACH34/Zippi/llms.txt
Use this file to discover all available pages before exploring further.
/api/v1/orders and require the orders.financial permission. The webhook endpoint is unauthenticated (public) but is protected by HMAC checksum verification on every request.
Order-scoped payment endpoints (
/payment-method, /payments, /wompi/checkout, /payment-transactions) are mounted at /api/v1/orders/{order_id}/.... Only the public webhook is registered at /api/v1/payments/wompi/webhook.Environment Variables
| Variable | Default | Description |
|---|---|---|
WOMPI_ENV | sandbox | Gateway environment. Set to production for live transactions. |
WOMPI_BASE_URL | https://sandbox.wompi.co/v1 | Wompi API base URL. Switches to https://production.wompi.co/v1 in production. |
WOMPI_PUBLIC_KEY | — | Wompi public key used on the frontend checkout widget. |
WOMPI_PRIVATE_KEY | — | Wompi private key used for server-side API calls. |
WOMPI_INTEGRITY_SECRET | — | Secret used to sign checkout integrity tokens. |
WOMPI_EVENTS_SECRET | — | Secret used to verify incoming webhook event checksums. |
WOMPI_REDIRECT_URL | http://localhost:5173/orders | URL Wompi redirects the customer to after checkout completes. |
WOMPI_WEBHOOK_PUBLIC_URL | http://localhost:5000/api/v1/payments/wompi/webhook | Public URL registered with Wompi as the event callback endpoint. |
Permissions
| Permission | Description |
|---|---|
orders.financial | View amounts, collections, and payments on an order; initiate or record payments |
PATCH /api/v1/orders//payment-method
Updates the payment method associated with an order (e.g. switching fromcash to wompi before collection).
Permission required: orders.financial
Path Parameters
Numeric order ID.
Body
New payment method. Accepted values:
cash, wompi, transfer, other.Response
Always
true on success.Updated order payment record with the new
payment_method and updated_at timestamp.POST /api/v1/orders//payments
Records a manual payment entry against an order (cash collection, bank transfer confirmation, etc.). The optionalIdempotency-Key header prevents duplicate entries when the request is retried. Returns 201 Created.
Permission required: orders.financial
Path Parameters
Numeric order ID.
Headers
A unique key (UUID recommended) that makes the operation safe to retry. If a payment with the same key was already recorded, the original response is returned without creating a duplicate.
Body
Payment amount in centavos (e.g.
1500000 = $15,000 COP).Payment method:
cash, wompi, transfer, other.External reference number (bank transfer ID, receipt number, etc.).
Internal note attached to this payment record.
Response
Always
true on success.Created payment record including
payment_id, order_id, amount, method, reference, and created_at.GET /api/v1/orders//payments
Lists all payment records associated with an order. Permission required:orders.financial
Path Parameters
Numeric order ID.
Response
Whether the request succeeded.
Array of payment objects, each with
payment_id, amount (centavos), method, reference, and created_at.POST /api/v1/orders//wompi/checkout
Creates a Wompi hosted-checkout session for an order. Returns the checkout URL and reference that the customer uses to complete payment. Returns201 Created.
Permission required: orders.financial
Path Parameters
Numeric order ID.
Headers
Unique key to prevent creating duplicate checkout sessions on retry.
Body
Amount to charge in centavos. Must match the outstanding balance of the order.
Customer email address pre-filled in the Wompi checkout widget.
Override the default
WOMPI_REDIRECT_URL for this specific checkout. Useful for deep links.Response
Always
true on success.Checkout session details.
The Wompi hosted checkout URL to redirect the customer to.
Unique Wompi transaction reference for this checkout session.
ISO 8601 timestamp when the session expires.
GET /api/v1/orders//payment-transactions
Returns the list of Wompi transaction records associated with an order. Each record reflects a Wompi gateway event and includes the gateway status, amounts, and timestamps. Permission required:orders.financial
Path Parameters
Numeric order ID.
Response
Whether the request succeeded.
Array of Wompi transaction objects, each including
transaction_id, wompi_id, status, amount_in_cents, payment_method_type, and created_at.POST /api/v1/payments/wompi/webhook
Receives asynchronous event notifications from the Wompi gateway. This endpoint is public (noAuthorization header required) and is registered directly with Wompi’s dashboard as the event callback URL.
No authentication header required. Security is enforced via HMAC-SHA256 checksum verification using WOMPI_EVENTS_SECRET.
Webhook Security
Every Wompi webhook request includes anX-Event-Checksum header. The service verifies it as follows:
Handled Event Types
| Wompi Event | Action Taken |
|---|---|
TRANSACTION.UPDATED | Updates the Wompi transaction record and, if the transaction status is APPROVED, marks the corresponding order payment as settled. |
Webhook Payload Structure
Event type identifier, e.g.
"TRANSACTION.UPDATED".Event data envelope.
Wompi transaction object.
Wompi-assigned transaction UUID.
Your internal order reference used when creating the checkout session.
Transaction amount in centavos.
Gateway status:
PENDING, APPROVED, DECLINED, VOIDED, ERROR.Payment instrument used:
CARD, NEQUI, PSE, BANCOLOMBIA_TRANSFER, etc.ISO 8601 timestamp when Wompi dispatched the event.
Unix epoch of the event.
Wompi signature envelope (used for integrity verification alongside
X-Event-Checksum).Response
Always
true when the event is accepted and processed.Processing result, including any state transitions triggered by the event.