Quick Start

This document outlines the prerequisites required before integrating ANexPay XCheckout payment capabilities. It helps ensure proper setup, successful testing, and smooth integration.

Registration & Credentials

Contact the ANexPay team to complete registration.
Obtain the following credentials:
  • apiKey
  • apiSecret
  • signKey

API Endpoints

Environment   API Base URL                      Dashboard URL
Sandbox       https://openapi.dev.anexpay.com   https://www.dev.anexpay.com/login
Production    https://openapi.anexpay.com       https://www.anexpay.com/login

Authentication Mechanism

1. Request Signature

All requests must include a signature in the HTTP headers.
Use signKey to generate the signature.

String to Sign

StringToSign = HTTP_METHOD + TIMESTAMP + URI + QueryString + RequestBody

Examples

GET1636360576641/openapi/test?test=234
POST1636360661729/openapi/test{"a":"124"}

Sign Key: aR2822Y6XbehWMclnB0Y2NJK
StringToSign: POST1636360661729/openapi/test{"a":"124"}
Signature: MxrYnCm9Q7JOAvOrISf8+T2kuTW1d/w0at8aaPaoiX08VWfun3XPokVlIx1TkHXdcitls09wzfUGtXQZq23xdg==

Field Definitions

  • HTTP Method: Uppercase (GET / POST / PUT / DELETE)
  • Timestamp: Milliseconds since epoch
    • Requests will be rejected if the time difference exceeds 2 minutes
  • URI: API path (excluding domain)
  • Query String: Raw query parameters (after ?, not URL-encoded)
  • Request Body:
    • JSON string with all whitespace removed
    • Must be sent as raw string (not object)
    • File uploads do not require signing

2. Response Signature Verification

The response signature follows the same logic as request signing.

Verification Steps

  • Reconstruct the signature string using:
    • HTTP Method
    • Timestamp
    • URI
    • Query String
    • Response Body
  • Compare the generated signature with the SIGNATURE header in the response
    • If matched → response is valid
    • If not matched → response must be rejected
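
The request signing and response verification steps above, as an added Node.js example (not ANexPay's code, and not the Java/JavaScript samples this page refers to). The page does not name the MAC algorithm: HMAC-SHA512 with base64 output is an assumption (the sample signature decodes to 64 bytes), and the function names, the source of the response timestamp, and reusing the 2-minute window for responses are this example's own choices.

```javascript
// Added example, not ANexPay code. ALGORITHM and base64 output are assumptions.
const crypto = require('crypto');

const ALGORITHM = 'sha512';         // assumption: the page does not name the MAC
const MAX_SKEW_MS = 2 * 60 * 1000;  // page: rejected if time difference exceeds 2 minutes

// StringToSign = HTTP_METHOD + TIMESTAMP + URI + QueryString + Body.
// The page's GET example keeps the '?' in front of the raw (not URL-encoded) query.
function buildStringToSign(method, timestamp, uri, rawQuery, body) {
  const query = rawQuery ? `?${rawQuery}` : '';
  return method.toUpperCase() + String(timestamp) + uri + query + (body || '');
}

function sign(signKey, stringToSign) {
  return crypto.createHmac(ALGORITHM, signKey).update(stringToSign, 'utf8').digest('base64');
}

// Serialize the payload once and send exactly the returned body string,
// so the signed bytes and the bytes on the wire cannot drift apart.
function signRequest(signKey, method, uri, rawQuery, payload, now = Date.now()) {
  const body = payload === undefined ? '' : JSON.stringify(payload); // compact JSON
  const timestamp = String(now);
  const signature = sign(signKey, buildStringToSign(method, timestamp, uri, rawQuery, body));
  return { timestamp, signature, body };
}

// Verify a response against the request it answers. rawBody must be the response
// text as received, never a parsed-and-reserialized object.
function verifyResponse(signKey, req, timestamp, signatureHeader, rawBody, now = Date.now()) {
  const ts = Number(timestamp);
  // Reusing the 2-minute request window for responses is this example's choice.
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return false;
  const toSign = buildStringToSign(req.method, timestamp, req.uri, req.rawQuery, rawBody);
  const expected = Buffer.from(sign(signKey, toSign), 'base64');
  const received = Buffer.from(String(signatureHeader || ''), 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}
```

Read the response body as raw text before parsing it, and pass that text to verifyResponse; parse the JSON only after the check returns true.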

Code Examples

Java Example

JavaScript Example

Developer Best Practices

  • Time Synchronization: Ensure your server uses NTP to avoid signature validation failures.
  • Idempotency: Include nonce or requestId for critical operations (e.g., payments, refunds) to prevent replay attacks.
  • Sandbox Testing First: Always validate API integration and signature logic in the Sandbox environment before going live.

Notes

  • Ensure the request body used for signing matches exactly what is sent in the HTTP body
  • Remove all unnecessary whitespace in JSON before signing
  • Signature mismatch is the most common integration issue; log StringToSign during debugging
Modified at 2026-03-30 18:35:54