Getting Started · Payments for Programmers

Payments for Programmers

Getting Started

Regulatory Considerations

Credit and debit card transactions depend on keeping the primary account number secret, and the card security code has to be kept secret as well. The credit card industry therefore enforces a regulatory framework, PCI DSS (Payment Card Industry Data Security Standard), on all parties involved in credit card transactions. As a merchant (the party getting paid), your regulatory requirements are lowest when you never handle sensitive card data directly. Handling includes writing any code that executes in a context where card numbers are present, on the backend as well as the frontend. To enable this, PayFunc provides the necessary UI components in combination with safe APIs so that you are never required to handle sensitive card data directly.

Integration Options

Depending on your business needs and your requirement for control over the user experience we provide several ways to integrate PayFunc payments into your system.

No Integration

Sometimes no integration is required. One can use PayFunc Portal together with PayFunc Send to send out payment links using SMS or email.


The PayFunc Checkout provides a complete checkout experience with support for multiple payment methods and handling of customer information. You can learn more about how to integrate it here.

PayFunc Onboard

PayFunc Onboard provides a solution for onboarding your customers by creating accounts that can be reused to bill them later. Read more on how to integrate it here.

Card Tokenizer

It is also possible to use our card tokenizer component to create card tokens. It is the most low-level way of using our APIs without increasing your compliance burden and is a great solution if you want maximum control and customization. The card tokens can then be used with the API to create orders and accounts for that card. Please contact us using the chat below for more information on how to use the card tokenizer.


Our API uses three different API-keys for authentication:
- public
- private
- account

Public API-keys

Public API-keys are used to create new orders, new accounts and new card tokens. The public API-key is safe to use in the browser of your consumers.

Private API-keys

Private API-keys are the most powerful API-keys and let you do everything available in the API. Private API-keys should be protected and used only on systems you trust. Among other things, private API-keys can be used to list all your orders and to charge, cancel and refund orders.

Account API-keys

Account API-keys are unique to a single account. They enable your users to update their address and payment methods and to view their order history.

Testing and Integration

For testing and integration purposes we provide test API-keys. They do not transfer real money and are therefore great for dry-running the system.

With test API-keys you should never use real card numbers. Instead, use one of the following test card PANs:
- 4111 1111 1111 1111
- 2221 0000 0000 0009
- 5500 0000 0000 0004

The card security code (CVC) is 987 for each of these numbers.


Base URL

The base URL for our API, both for testing and production is:


Authentication is done using the HTTP header Authentication with the Bearer scheme.