Use Cases
- Payment initiated via mobile browsers (not inside native apps)
- Suitable for mobile websites, WebApps, or flows where users open links in Safari/Chrome
- Supported wallets:
- Alipay Cross-Border (
801107)
- AlipayHK (
801512)
- Alipay Service Window H5 (
800107) — requires user authorisation (openid)
Social apps (e.g. WeChat, Facebook Messenger) may block redirecting to external wallet apps.
For better conversion, guide users to open payment links in Safari, Chrome, or the system browser.
HTTP Request
Endpoint: POST /trade/v1/payment
PayType Reference
| PayType | Wallet | Description |
|---|
801107 | Alipay Cross-Border | International WAP/H5 payment |
801512 | AlipayHK | Hong Kong WAP payments |
800107 | Alipay Service Window H5 | Alipay Mini Program, Requires user authorisation code (openid) |
Request Parameters
For the full list of shared parameters, see:
Common Request Parameters
Below are Alipay WAP / H5 specific or commonly required fields:
| Parameter | Required | Description |
|---|
pay_type | Yes | One of 801107, 801512, 800107 |
return_url | Recommended | Redirect after payment completion (browser flow) |
notify_url | Recommended | Backend webhook for payment result |
goods_name | Recommended | Required by some wallets; keep ≤20 chars |
openid | Conditional | Required for 800107 only (Alipay Service Window H5) |
expired_time | Optional | QR / link expiry in minutes (5–120, if supported) |
limit_pay | Optional | Mainland restrictions only (if applicable) |
mchid | Conditional | Include only if provided by QFPay for your store setup |
Never hardcode or assume mchid is always required.
Include it only if QFPay has provided it for your store configuration.
Sample Request
# coding=utf-8
import hashlib
import requests
import datetime
environment = "https://test-openapi-hk.qfapi.com"
app_code = "YOUR_APP_CODE"
client_key = "YOUR_CLIENT_KEY"
def make_req_sign(data, key):
keys = sorted(list(data.keys()))
parts = [f"{k}={data[k]}" for k in keys]
sign_str = ("&".join(parts) + key).encode("utf-8")
return hashlib.md5(sign_str).hexdigest().upper()
txdtm = datetime.datetime.now().replace(microsecond=0).strftime("%Y-%m-%d %H:%M:%S")
data = {
"txamt": "10",
"txcurrcd": "HKD",
"pay_type": "801107",
"out_trade_no": "01234567890123",
"txdtm": txdtm,
"goods_name": "test1",
"return_url": "https://merchant.example/success",
"notify_url": "https://merchant.example/notify"
# "mchid": "ZaMVg*****" # include only if provided by QFPay
# "openid": "xxx" # required for pay_type=800107 only
}
headers = {
"X-QF-APPCODE": app_code,
"X-QF-SIGN": make_req_sign(data, client_key)
}
resp = requests.post(environment + "/trade/v1/payment", data=data, headers=headers)
print(resp.json())
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
public class AlipayWapExample {
public static void main(String[] args) {
String appcode = "YOUR_APP_CODE";
String key = "YOUR_CLIENT_KEY";
String txdtm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date());
Map<String, String> params = new HashMap<>();
params.put("txamt", "10");
params.put("txcurrcd", "HKD");
params.put("pay_type", "801107");
params.put("out_trade_no", "01234567890123");
params.put("txdtm", txdtm);
params.put("goods_name", "test1");
params.put("return_url", "https://merchant.example/success");
params.put("notify_url", "https://merchant.example/notify");
// params.put("mchid", "ZaMVg*****"); // include only if provided by QFPay
// params.put("openid", "xxx"); // required for pay_type=800107 only
String data = QFPayUtils.getDataString(params);
String sign = QFPayUtils.getMd5Value(data + key);
String url = "https://test-openapi-hk.qfapi.com";
String resp = Requests.sendPostRequest(url + "/trade/v1/payment", data, appcode, sign);
System.out.println(resp);
}
}
const crypto = require("crypto");
const request = require("request");
const environment = "https://test-openapi-hk.qfapi.com";
const app_code = "YOUR_APP_CODE";
const client_key = "YOUR_CLIENT_KEY";
const txdtm = new Date().toISOString().replace("T", " ").replace(/\..+/, "");
const payload = {
txamt: "10",
txcurrcd: "HKD",
pay_type: "801107",
out_trade_no: "01234567890123",
txdtm,
goods_name: "test1",
return_url: "https://merchant.example/success",
notify_url: "https://merchant.example/notify"
// mchid: "ZaMVg*****", // include only if provided by QFPay
// openid: "xxx" // required for pay_type=800107 only
};
const ordered = Object.keys(payload).sort().map(k => `${k}=${payload[k]}`).join("&");
const sign = crypto.createHash("md5").update(ordered + client_key).digest("hex").toUpperCase();
request({
uri: environment + "/trade/v1/payment",
headers: {
"X-QF-APPCODE": app_code,
"X-QF-SIGN": sign
},
method: "POST",
form: payload
}, function (error, response, body) {
console.log(body);
});
<?php
function buildSign($fields, $key) {
ksort($fields);
$pairs = array();
foreach ($fields as $k => $v) { $pairs[] = $k . '=' . $v; }
$str = implode('&', $pairs) . $key;
return strtoupper(md5($str));
}
$url = "https://test-openapi-hk.qfapi.com/trade/v1/payment";
$app_code = "YOUR_APP_CODE";
$app_key = "YOUR_CLIENT_KEY";
$fields = array(
"txamt" => "10",
"txcurrcd" => "HKD",
"pay_type" => "801107",
"out_trade_no" => "01234567890123",
"txdtm" => date("Y-m-d H:i:s"),
"goods_name" => "test1",
"return_url" => "https://merchant.example/success",
"notify_url" => "https://merchant.example/notify"
// "mchid" => "ZaMVg*****", // include only if provided by QFPay
// "openid" => "xxx" // required for pay_type=800107 only
);
$sign = buildSign($fields, $app_key);
$headers = array(
"X-QF-APPCODE: " . $app_code,
"X-QF-SIGN: " . $sign
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
?>
Response Parameters
Refer to shared fields here:
Common Response Parameters
Sample Response
{
"sysdtm": "2020-04-13 11:32:03",
"paydtm": "2020-04-13 11:32:03",
"txcurrcd": "HKD",
"respmsg": "",
"pay_type": "801107",
"udid": "qiantai2",
"txdtm": "2020-04-13 11:32:03",
"txamt": "300",
"resperr": "success",
"out_trade_no": "BUFB3PT9ZDUWEUAE4ATD21JKNHVEIIPV",
"syssn": "20200413000200020087171988",
"respcd": "0000",
"pay_url": "https://globalmapi.alipay.com/gateway.do?...",
"chnlsn": ""
}
Asynchronous Notification
After payment completion, QFPay will notify your backend via notify_url.
Never rely solely on front-end redirection. Always verify the final result via backend notification and signature validation.
Security Considerations
Additional References
- Official: Alipay H5 Authorisation Flow (Service Window)
- Official: Alipay Cashier / WAP Documentation