Frequently asked questions (FAQ)

• ONE_TIME_PAYMENT: Waffo acts as PSP, providing full acquiring services (information flow + fund settlement)
• DIRECT_PAYMENT: Waffo acts as ISV/PG, providing only system connectivity (no fund handling)

• Same-currency orders: Most currencies require 2 decimal places per ISO 4217, but IDR, COP, KES, and TWD must not have decimals
• Cross-currency orders: All currency amounts must conform to ISO 4217 precision, with no exceptions

• Omit both: The user selects a payment method on the Waffo checkout page
• Card payments: Pass payMethodType="CREDITCARD,DEBITCARD" and omit payMethodName. Waffo automatically determines the card network from the card BIN the user enters, supporting Visa/Mastercard and credit/debit cards in a single order
• VA (virtual account): Pass payMethodType="VA" and omit payMethodName; the user selects a bank on the checkout page
• Specify a particular method: Pass both payMethodType and payMethodName. You can look up the exact values on the Payin page in the Portal

1. Send a fixed-format value such as userId@examples.com (replace with the actual userId)
2. Contact Waffo to have Waffo overwrite it to userId@examples.com format on your behalf (requires merchant authorization)

After going live, passing the user’s real email is recommended. Avoid using strings like test or reusing the same email across multiple users, as this may trigger risk controls.

• Same-currency: The merchant’s pricing currency matches the user’s local currency (e.g., IDR pricing → Indonesian user pays in IDR)
• Cross-currency: The merchant’s pricing currency differs from the user’s payment currency (e.g., USD pricing → Indonesian user pays in IDR via DANA)

• Global cards (CREDITCARD/DEBITCARD): Do not pass this field—global cards do not belong to any specific country.

• actionType = "WEB" → use webUrl
• actionType = "DEEPLINK" → use deeplinkUrl

In the sandbox, deeplinks cannot launch real wallet apps because a simulator is used. Verify this behavior in production.

• When creating an order: If you can confirm the user cannot complete payment under the error condition (e.g., payment methods that require returning a checkout URL), you may abandon the order.
• When refunding: You must retry with the same refundRequestId. Do not abandon the request.

1. Verify that notifyUrl is HTTPS and publicly reachable
2. Verify that the callback port is 80 or 443 (Waffo production only accepts standard ports)
3. Verify that the response body is {"message": "success"} and Content-Type is application/json
4. Verify that the response includes the X-SIGNATURE header
5. Proactively call the inquiry API to get the latest status
6. If you still don’t receive it, contact Waffo technical support

• Query proactively when the user lands on a success/failure page to give the smoothest experience
• Retrieve the result for historical orders
• Fall back to the inquiry API when Webhook signature verification fails

1. Incorrect private key format: The key must be in PKCS#8 format
2. Incorrect signing content: The entire HTTP body must be signed; you cannot sign only selected fields

• Confirm that the App and WebView allow opening external Apps or external browser pages
• Confirm that the App and WebView support download, copy, and long-press save behavior. QR, OTC, and bank-transfer style payment methods may depend on these capabilities
• Confirm that query parameters are preserved when URLs are passed between the native App and WebView
• When loading via WebView, set userTerminal to APP
• For detailed limitations, see Payment method integration notes