Payment Gateway API Quick Reference
A concise reference for all core CyoGate gateway API operations. All requests use HTTPS POST to the gateway endpoint with your Private API Key for authentication, unless otherwise noted.
Gateway Endpoints
| Purpose | Endpoint |
|---|---|
| Transactions (sale, auth, void, refund, vault, recurring) | https://secure.cyogate.net/api/transact.php |
| Query (transaction history, vault records, subscriptions) | https://secure.cyogate.net/api/query.php |
| 3D Secure authentication | https://secure.cyogate.net/api/3ds.php |
Authentication
Include your Private API Key as a POST field in every request:
security_key=YOUR_PRIVATE_KEYNever expose your Private API Key in client-side JavaScript, mobile app code, or source control. All calls using the Private Key must be server-side only.
Transactions
Process payments, authorizations, captures, voids, and refunds.
Transaction Type Values
| type | Description |
|---|---|
sale | Authorize and capture immediately |
auth | Authorize only — capture later with capture |
capture | Capture a prior authorization (requires transactionid) |
void | Cancel an unsettled transaction (requires transactionid) |
refund | Refund a settled transaction (requires transactionid) |
credit | Push funds to a card — Account Funding Transactions (AFT) |
Core Request Fields
| Field | Required | Description |
|---|---|---|
security_key | Yes | Your Private API Key |
type | Yes | Transaction type (see above) |
amount | Yes | Transaction amount, e.g. 29.99 |
payment_token | Yes* | Token from Collect.js — replaces raw card data |
customer_vault_id | Yes* | Vault ID — alternative to payment_token for returning customers |
transactionid | Capture/Void/Refund | Original transaction ID to act upon |
order_id | No | Your unique order reference (echoed back in notifications) |
order_description | No | Description shown on receipt and in reporting |
ipaddress | No | Customer IP address (recommended for fraud screening) |
firstname / lastname | No | Cardholder name |
email | No | Customer email for digital receipts |
address1, city, state, zip | No | Billing address — improves AVS match rate |
country | No | 2-letter ISO country code, e.g. US |
tax_amount | No | Tax portion of the total amount |
shipping_amount | No | Shipping portion of the total amount |
surcharge | No | Credit card surcharge amount (separate line item on receipt) |
currency | No | ISO 4217 currency code, default USD |
Code Examples
PHP
$post = array(
'security_key' => YOUR_PRIVATE_KEY,
'type' => 'sale',
'amount' => '29.99',
'payment_token' => $_POST['payment_token'], // From Collect.js
'order_id' => 'ORDER-123',
'email' => $customer_email,
);
$ch = curl_init('https://secure.cyogate.net/api/transact.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
$response = curl_exec($ch);
curl_close($ch);
parse_str($response, $result);
// $result['response'] == '1' means approvedPython
import requests
from urllib.parse import parse_qs
payload = {
'security_key': PRIVATE_KEY,
'type': 'sale',
'amount': '29.99',
'payment_token': request.POST.get('payment_token'),
'order_id': 'ORDER-123',
}
response = requests.post(
'https://secure.cyogate.net/api/transact.php',
data=payload,
timeout=30
)
result = {k: v[0] for k, v in parse_qs(response.text).items()}
# result['response'] == '1' means approvedcurl
curl -X POST https://secure.cyogate.net/api/transact.php -d "security_key=YOUR_PRIVATE_KEY" -d "type=sale" -d "amount=29.99" -d "payment_token=YOUR_TOKEN" -d "order_id=ORDER-123"Transaction Response Fields
| Field | Description |
|---|---|
response | 1=Approved, 2=Declined, 3=Error |
responsetext | Human-readable result message |
authcode | Card network authorization code |
transactionid | Unique gateway transaction ID — always store this |
avsresponse | Address Verification result (see AVS codes below) |
cvvresponse | CVV verification result (see CVV codes below) |
amount | Approved amount (may differ on partial approvals) |
orderid | Your order ID echoed back |
type | Transaction type echoed back |
Common Decline Response Text
| responsetext | Meaning | Recommended Action |
|---|---|---|
| DECLINE | Generic decline from issuer | Ask customer to use a different card |
| INSUFFICIENT FUNDS | Card has insufficient balance | Ask customer to use a different card |
| CARD EXPIRED | Card expiry date has passed | Ask customer to check expiry or use a different card |
| INVALID CARD | Card number failed validation | Ask customer to re-enter card number |
| NO SUCH ISSUER | Card BIN not recognized | Ask customer to use a different card |
| PICK UP CARD | Issuer requests card be retained | Do not attempt retry — contact issuer |
| LOST/STOLEN | Card reported lost or stolen | Do not retry — flag for review |
| DO NOT HONOR | Issuer declined without reason | Ask customer to contact their bank |
| TRANSACTION NOT ALLOWED | Card not enabled for this transaction type | Ask customer to use a different card |
| DUPLICATE TRANSACTION | Same amount/card processed recently | Check if original transaction approved before retrying |
| CVV FAILURE | CVV code did not match | Ask customer to verify CVV |
| AVS FAILURE | Address verification failed (if hard rejection configured) | Ask customer to verify billing address |
| AMOUNT EXCEEDS LIMIT | Transaction exceeds card or merchant limit | Split into smaller transactions or contact CyoGate |
AVS Response Codes
Returned in the avsresponse field. AVS compares the billing address submitted against what the card issuer has on file.
| Code | Meaning |
|---|---|
X | Exact match — street address and 9-digit ZIP both match |
Y | Exact match — street address and 5-digit ZIP both match |
A | Street address matches, ZIP does not |
W | 9-digit ZIP matches, street address does not |
Z | 5-digit ZIP matches, street address does not |
P | ZIP matches, street address not verified (international) |
N | Neither street address nor ZIP match |
U | Address information unavailable — issuer does not support AVS |
S | AVS not supported by card issuer |
R | System unavailable — retry |
E | AVS error — data not provided or incorrect format |
G | Non-US card issuer — does not support AVS |
B | Street address matches, ZIP not verified (international) |
C | Street address and ZIP not verified (international) |
D | Street address and ZIP match (international) |
CVV Response Codes
Returned in the cvvresponse field.
| Code | Meaning |
|---|---|
M | CVV match |
N | CVV does not match |
P | Not processed |
S | CVV should be present but was not provided |
U | Issuer does not support CVV verification |
Customer Vault
Store and manage customer payment credentials on CyoGate's PCI-compliant servers for repeat billing and one-click checkout.
Vault Operations
| customer_vault value | Description |
|---|---|
add_customer | Store a new payment method (optionally with a simultaneous charge) |
update_customer | Update billing info or replace stored payment method |
delete_customer | Permanently remove a vault record |
Key Vault Fields
| Field | Description |
|---|---|
customer_vault | Operation to perform (see above) |
customer_vault_id | Your custom ID for the vault record — auto-assigned if omitted |
payment_token | Collect.js token to store as the payment method |
Code Examples
PHP — Add to Vault During Sale
$post = array(
'security_key' => YOUR_PRIVATE_KEY,
'type' => 'sale',
'amount' => '29.99',
'payment_token' => $token,
'customer_vault' => 'add_customer',
'customer_vault_id' => 'CUST-' . $user_id,
);Python — Charge a Vaulted Customer
payload = {
'security_key': PRIVATE_KEY,
'type': 'sale',
'amount': '49.99',
'customer_vault_id': 'CUST-12345',
'order_id': 'ORDER-456',
}curl — Delete a Vault Record
curl -X POST https://secure.cyogate.net/api/transact.php -d "security_key=YOUR_PRIVATE_KEY" -d "customer_vault=delete_customer" -d "customer_vault_id=CUST-12345"See also: Customer Vault Overview | Adding Customers | Credential on File Best Practices
Recurring Billing
Create and manage subscription and installment plans tied to Customer Vault records.
Subscription Operations
| recurring value | Description |
|---|---|
add_subscription | Create a new recurring plan |
update_subscription | Modify an existing plan |
delete_subscription | Cancel a subscription permanently |
Subscription Fields
| Field | Required | Description |
|---|---|---|
plan_amount | Yes | Amount to charge each billing cycle |
plan_payments | Yes | Number of payments — 0 for indefinite |
month_frequency | Yes* | Bill every N months (1–24). Use instead of day_frequency. |
day_frequency | Yes* | Bill every N days (1–365). Use instead of month_frequency. |
day_of_month | No | Day of month to bill when using monthly frequency (1–31) |
start_date | Yes | Date of first recurring charge — format YYYY-MM-DD |
subscription_id | Update/Delete | ID of subscription to modify or cancel |
Code Examples
PHP — Create Monthly Subscription
$post = array(
'security_key' => YOUR_PRIVATE_KEY,
'type' => 'sale',
'amount' => '9.99',
'customer_vault_id' => 'CUST-12345',
'recurring' => 'add_subscription',
'plan_payments' => '0',
'plan_amount' => '9.99',
'month_frequency' => '1',
'day_of_month' => '1',
'start_date' => date('Y-m-d', strtotime('+1 month')),
);curl — Cancel a Subscription
curl -X POST https://secure.cyogate.net/api/transact.php -d "security_key=YOUR_PRIVATE_KEY" -d "recurring=delete_subscription" -d "subscription_id=SUB-12345"See also: Preparing Subscriptions | Vault Transactions
Query API
Retrieve transaction history, vault records, and subscription data.
Query Endpoint
https://secure.cyogate.net/api/query.phpQuery Fields
| Field | Value / Format | Description |
|---|---|---|
security_key | string | Your Private API Key |
report_type | transaction | Query transaction records |
report_type | customer_vault | Query vault records |
report_type | recurring | Query subscription plans |
transaction_id | string | Look up a single transaction by ID |
customer_vault_id | string | Look up a single vault record |
start_date | YYYY-MM-DD HH:MM:SS | Filter results from this datetime |
end_date | YYYY-MM-DD HH:MM:SS | Filter results to this datetime |
result_limit | integer | Maximum number of records to return |
result_order | ASC / DESC | Sort order by date |
Code Examples
PHP — Query Last 30 Days of Transactions
$post = array(
'security_key' => YOUR_PRIVATE_KEY,
'report_type' => 'transaction',
'start_date' => date('Y-m-d 00:00:00', strtotime('-30 days')),
'end_date' => date('Y-m-d 23:59:59'),
'result_order' => 'DESC',
);
$ch = curl_init('https://secure.cyogate.net/api/query.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$xml = curl_exec($ch);
$result = simplexml_load_string($xml);Python — Look Up a Single Transaction
import requests
payload = {
'security_key': PRIVATE_KEY,
'report_type': 'transaction',
'transaction_id': 'TXN-12345678',
}
response = requests.post('https://secure.cyogate.net/api/query.php', data=payload)
# Response is XML — parse with xml.etree.ElementTree or xmltodictQuery API responses are returned as XML, not URL-encoded query strings. Parse with
simplexml_load_string() in PHP or xml.etree.ElementTree in Python.See also: Transaction History Component | Deposit History
Webhooks & Event Notifications
CyoGate POSTs a transaction notification to a URL you configure whenever a transaction is processed — including recurring billing charges, refunds, and voids. Configure your notification URL in the Merchant Control Panel under Settings > Transaction Notifications.
Notification POST Fields
| Field | Description |
|---|---|
response | 1=Approved, 2=Declined, 3=Error |
responsetext | Human-readable result message |
transactionid | Unique gateway transaction ID |
amount | Amount charged |
authcode | Card network authorization code |
avsresponse | AVS result code |
cvvresponse | CVV result code |
order_id | Your order ID echoed back |
customer_vault_id | Vault ID if customer was stored during this transaction |
subscription_id | Subscription ID for recurring billing notifications |
type | Transaction type that triggered the notification |
email | Customer email echoed back if provided |
firstname / lastname | Cardholder name echoed back if provided |
PHP Notification Handler
<?php
// Your configured notification_url endpoint
$response = $_POST['response'];
$txn_id = $_POST['transactionid'];
$amount = $_POST['amount'];
$order_id = $_POST['order_id'];
// Always validate amount and order_id match your records before fulfilling
if ($response == '1') {
$order = get_order($order_id);
if ($order && $order->amount == $amount && !$order->fulfilled) {
fulfill_order($order_id, $txn_id);
}
}
?>Always validate that the
transactionid, amount, and order_id in the notification match a pending order in your own database before fulfilling. This protects against forged notifications.See also: Implement Backend | Hosted Checkout Advanced
Vault & Subscription Delete
Permanently remove Customer Vault records or cancel recurring subscriptions.
PHP — Delete Vault Record
$post = array(
'security_key' => YOUR_PRIVATE_KEY,
'customer_vault' => 'delete_customer',
'customer_vault_id' => 'CUST-12345',
);curl — Cancel Subscription
curl -X POST https://secure.cyogate.net/api/transact.php -d "security_key=YOUR_PRIVATE_KEY" -d "recurring=delete_subscription" -d "subscription_id=SUB-12345"Response
| Field | Description |
|---|---|
response | 1=Success, 2=Failed, 3=Error |
responsetext | Confirmation or error message |
Vault deletions and subscription cancellations are permanent and irreversible. Verify the correct
customer_vault_id or subscription_id before executing.See also: Managing Vault Entries | Credential on File Best Practices