Skip to main content


Welcome to the official QFPay open API documentation. To get started, please review the Developer Instructions below.

There are language bindings available in Python, Java, Node.js and PHP! You can view code examples in the dark area to the right, and you can switch the programming language of the examples with the tabs in the top right corner.

If you would like to quickly test the payment function in Postman we provide a collection that includes a pre-request script to generate the signature, download the file from here.

Developer Instructions


If the mchid is provided, it is mandatory to submit the mchid when calling the API (unless otherwise specified.). In other words, if mchid is not provided, merchants shall not pass in the mchid parameter in the API request.

To use the QFPay open API, you must have a set of active API credentials, including the app_code and client_key. If you encounter technical issues please contact

There are separate environments available for application testing and development, as well as production.

Please note that transactions conducted in the sandbox environment will not be settled. Therefore, make sure to test with small amounts and process refunds using the API refund endpoint or Merchant APP on the same day as the original transaction.

Each merchant will be provided with a set of app code and key (with or without mchid). Merchants with multiple store branches will usually be supplied with app code, key and mchid. The hashed mchid is used to identify shops and outlets. Otherwise, only app code and key will be given.

Encoding Description

All return parameters from the APIs are in UTF-8 encoding unless otherwise noted.



Remember to immediately refund transactions that were made in testing environments.

API Environments

The table below depicts the base URLs for each environment.

Environment NameProd. URL
Sandbox (Only for credit card simulations)
Live Testing Environment

Signature Generation


Always submit the signature in the HTTP header X-QF-SIGN unless noted otherwise.

Step 1: Sort all parameters in ascending order according to parameter names

Parameter list: abc=value1 bcd=value2 bad=value3 Sort result: abc=value1 bad=value3 bcd=value2

Step 2: Connect all parameters with ‘&’,and get the string to be signed


Step 3: Combine the string with client_key from QFPay.


Step 4: Sign the string from step 3 with MD5 or SHA256. We recommend to use SHA256.

MD5(abc=value1&bad=value3&bcd=value2Key) HASH(“SHA256”, abc=value1&bad=value3&bcd=value2Key)

Step 5: Request API with the signature

Save the signature in the http header field X-QF-SIGN unless otherwise specified in this document.

For code instructions select Python, Java, Node.js or PHP with the tabs below.
# Create signature
def make_req_sign(data, key):
keys = list(data.keys())
p = []
for k in keys:
v = data[k]
unsign_str = ('&'.join(p) + key).encode("utf-8")
s = hashlib.md5(unsign_str).hexdigest()
return s.upper()

# Body payload
txamt = '10' # In USD,EUR,etc. Cent
txcurrcd = 'HKD'
pay_type = '800101' # Alipay CPM = 800108 , MPM = 800101
auth_code='283854702356157409' #CPM only
out_trade_no = random_string
txdtm = current_time
goods_name = 'test1'
auth_code = '280438849930815813'
key = client_key
mchid = 'ZaMVg*****' # ID is provided during merchant onboarding

#data ={'txamt': txamt, 'txcurrcd': txcurrcd, 'pay_type': pay_type, 'out_trade_no': out_trade_no, 'txdtm': txdtm, 'goods_name': goods_name, 'udid': udid, 'auth_code': auth_code, 'mchid': mchid}
data ={'txamt': txamt, 'txcurrcd': txcurrcd, 'pay_type': pay_type, 'out_trade_no': out_trade_no, 'txdtm': txdtm, 'goods_name': goods_name, 'mchid': mchid}

r ="/trade/v1/payment",data=data,headers={'X-QF-APPCODE':app_code,'X-QF-SIGN':make_req_sign(data, key)})

print(make_req_sign(data, key))

The above command returns JSON structured like this:


Request Description


The API will return response content in JSON format. We encourage developers to verify the signature in the response header in order to ensure message integrity.

MethodPOST/ GET (Depends on individual API function)

Required Parameter Settings in HTTP Header to Request the API

X-QF-APPCODEYesApp code assigned to the merchant
X-QF-SIGNYesSignature generated according to the signature formulation method described above
X-QF-SIGNTYPENoSignature algorithm used to generate the signature. If SHA256 is used, the developer must pass the value as SHA256. The default value is MD5 in case this field is not passed to the API.