Skip to content
config → auth · payments · webhooks · errors · compliance

Payment Gateway API Documentation Generator

Fill in a small config and generate a complete, payment-specialized API documentation page — authentication, Create Payment, refunds, disputes, subscriptions, webhooks, idempotency, error codes and PCI compliance notes — with copyable curl/JSON snippets and a one-click Markdown export. Generated entirely in your browser.

01 · Configure your gateway
Authentication
Default currency
Sections to include (8/8)
Amounts in minor units · sample 2499 USD = $24.99
Authentication · Bearer Token

Send your secret key as a Bearer token in the Authorization header. Rotate keys regularly and scope them to the least privilege your integration needs.

request headers
Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc
Create a Payment

Charge $24.99 (2499 minor units, USD). The Idempotency-Key makes retries safe.

POST /v1/payments · curl
curl -X POST https://api.acmepay.com/v1/payments \
  -H "Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: idem_$(uuidgen)" \
  -d '{
    "amount": 2499,
    "currency": "USD",
    "source": "tok_visa",
    "description": "Order #1042",
    "capture": true
  }'
200 OK · response.json
{
  "id": "pay_acme-pay_3Nd8x2KqL",
  "object": "payment",
  "status": "succeeded",
  "amount": 2499,
  "amount_captured": 2499,
  "currency": "USD",
  "source": {
    "brand": "visa",
    "last4": "4242",
    "exp_month": 12,
    "exp_year": 2029
  },
  "description": "Order #1042",
  "idempotency_key": "idem_b1f9c0d4-7a2e-4c11-9f3d-2a6e8c1b5d7f",
  "livemode": true,
  "created": 1718668800
}
Refund a Payment

Issue a full or partial refund. Omit amount for a full refund.

POST /v1/refunds · curl
curl -X POST https://api.acmepay.com/v1/refunds \
  -H "Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: idem_$(uuidgen)" \
  -d '{
    "payment": "pay_acme-pay_3Nd8x2KqL",
    "amount": 1250,
    "reason": "requested_by_customer"
  }'
200 OK · refund.json
{
  "id": "re_9Kp2sLm4Qe",
  "object": "refund",
  "status": "succeeded",
  "payment": "pay_acme-pay_3Nd8x2KqL",
  "amount": 1250,
  "currency": "USD",
  "reason": "requested_by_customer",
  "created": 1718672400
}
Disputes & Chargebacks

A dispute is created when a cardholder charges back. Submit evidence before evidence_due_by.

dispute.json
{
  "id": "dp_5Tn7vQx1Az",
  "object": "dispute",
  "status": "needs_response",
  "payment": "pay_acme-pay_3Nd8x2KqL",
  "amount": 2499,
  "currency": "USD",
  "reason": "fraudulent",
  "evidence_due_by": 1719273600,
  "created": 1718758800
}
Subscriptions & Billing

Recurring billing against a saved customer and price, with an optional trial.

POST /v1/subscriptions · curl
curl -X POST https://api.acmepay.com/v1/subscriptions \
  -H "Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: idem_$(uuidgen)" \
  -d '{
    "customer": "cus_Qh3Lp9Rm",
    "price": "price_monthly_pro",
    "quantity": 1,
    "trial_period_days": 14
  }'
200 OK · subscription.json
{
  "id": "sub_8Wd2kPq0Lx",
  "object": "subscription",
  "status": "active",
  "customer": "cus_Qh3Lp9Rm",
  "price": "price_monthly_pro",
  "quantity": 1,
  "currency": "USD",
  "amount_per_period": 2499,
  "current_period_start": 1718668800,
  "current_period_end": 1721260800,
  "cancel_at_period_end": false
}
Webhook Events

Payment outcomes can be asynchronous. Subscribe to events instead of polling, and verify the signature on every payload.

EventFires when
payment.succeededA payment was authorized and captured successfully.
payment.failedA payment attempt was declined or errored.
payment.pendingAn asynchronous payment (e.g. bank debit) is awaiting settlement.
refund.createdA full or partial refund was issued against a payment.
refund.failedA refund could not be processed and was reversed.
dispute.openedThe cardholder opened a chargeback; evidence is required.
dispute.closedA dispute was resolved (won or lost).
subscription.renewedA subscription cycle billed successfully.
subscription.canceledA subscription was canceled or lapsed.
Idempotency

Send a unique Idempotency-Key header on every money-moving POST. The server stores the first response for 24 hours and replays it for any retry with the same key — a dropped connection never double-charges. Reusing a key with a different body returns 409 idempotency_conflict.

Error Codes
HTTPCodeMeaning
400bad_requestMalformed JSON, missing required field, or unsupported parameter.
401unauthenticatedMissing or invalid API key / signature.
402card_declinedThe card issuer declined the charge (insufficient funds, fraud rules, etc.).
403forbiddenThe key is valid but lacks permission for this resource or is in the wrong mode.
404resource_missingNo object exists for the supplied id.
409idempotency_conflictAn Idempotency-Key was reused with a different request body.
422validation_errorParameters are well-formed but fail a business rule (e.g. amount below minimum).
429rate_limitedToo many requests; back off using the Retry-After header.
402 · error.json
{
  "error": {
    "type": "card_error",
    "code": "card_declined",
    "decline_code": "insufficient_funds",
    "message": "Your card has insufficient funds.",
    "http_status": 402,
    "request_id": "req_3Kd8xQ2Lp9"
  }
}
Compliance Notes
  • Tokenize card data. Collect PANs with a hosted field or client SDK so raw card numbers never touch your servers — this keeps you in the reduced PCI-DSS SAQ A scope.
  • Never log a PAN, CVV or full track data. Mask to the last four digits.
  • Always use HTTPS (TLS 1.2+) and reject plaintext requests.
  • Rotate keys and signing secrets and store them in a secrets manager, not in source control.

Note: this is a documentation template, not legal or compliance advice. Confirm your PCI-DSS obligations with a Qualified Security Assessor and your legal team before publishing.

Field notes

What good payment API docs get right

Payment APIs are unforgiving to document badly, because every ambiguity is a chance to move the wrong amount of money. The two details that distinguish credible payment docs from generic REST docs are amount representation and idempotency. Amounts are always integers in the currency's smallest unit — cents, pence, paise — never floats, because floating-point arithmetic on money rounds in ways that fail reconciliation. This generator emits integer minor units everywhere alongside the explicit ISO currency code, so a reader is never left guessing whether 2499 means twenty-five dollars or twenty-five cents.

Webhooks are not optional in payments — they are how you learn the true outcome of an asynchronous flow. A card may require 3-D Secure, a bank debit settles hours later, and a dispute lands days after the original charge; none of those final states fit in the synchronous HTTP response. Good docs publish the event catalogue (payment.succeeded, payment.failed, refund.created, dispute.opened) up front and insist on signature verification, because a webhook endpoint that trusts unsigned payloads is a fraud vector. The generated webhook table gives integrators that catalogue immediately.

Idempotency keys deserve a section of their own, and most generated docs omit them. The contract is simple but load-bearing: a unique key on every money-moving POST lets the client retry a dropped request without double-charging, and reusing a key with a different body must fail loudly with 409 rather than silently doing the wrong thing. Pair that with a clear error table — 402 card_declined, 422 validation_error, 429 rate_limited with Retry-After — and integrators can build correct retry logic on the first read. The companion API authentication builder covers the auth half of that contract in depth.

Finally, compliance. Reducing PCI-DSS scope through tokenization — collecting card data with a hosted field so PANs never reach your servers — is the single highest-leverage architectural decision in a payments integration, and it belongs in the docs so partners build it correctly from day one. The compliance notes here summarize that good practice but are deliberately framed as a template, not advice; your real obligations depend on your processor and jurisdiction. For the surrounding REST surface, the OpenAPI documentation generator turns a full spec into a browsable reference.

Payment API Documentation FAQs

Have more questions? Contact us

Trusted by Fintech & Payments Engineers

4.8
Based on 1,450 reviews

The minor-units handling and the idempotency key on every POST are exactly right — most generated docs get money representation wrong. I switched the currency to INR and every example updated to paise correctly. Dropped the Markdown straight into our internal docs site.

P
Priya Nair
Payments platform engineer
June 11, 2026

Flipping the auth scheme to HMAC and seeing the X-Signature pattern propagate into every curl example saved me writing the auth section by hand. The 409 idempotency_conflict and 402 card_declined rows in the error table are the ones people always forget to document.

M
Marcus Feld
Fintech backend lead
May 19, 2026

I use this to scaffold partner-facing docs before our writers polish them. The webhook table and the not-legal-advice disclaimer on the compliance section are sensible defaults. I'd love a Python/Node SDK snippet toggle, but the curl plus JSON pairing already covers the core.

S
Sofia Adebayo
Developer advocate, payments
April 22, 2026

The subscription example with trial_period_days and the renewal webhook matched our real model closely enough that I copied it almost verbatim. Runs entirely in-browser so I could draft docs for an unreleased gateway without anything leaving my laptop.

T
Tobias Lindqvist
Staff engineer, billing
March 8, 2026

Love using our calculator?

Connected instruments

Related API tools

Learn More

Related Articles

Dive deeper with our expert guides and tutorials related to Payment Gateway API Documentation Generator

Loading articles...

auth · payments · refunds · disputes · webhooks · idempotency · errors · compliance · in-browser · Last reviewed: 2026-06