Skip to main content

Low-Level Payments (core-js + REST)

Most developers don’t need this page. If you’re building a checkout, start with the Headless SDK — it wraps everything below into a single tagada.payment.pay() call with built-in session management, APM discovery, and 3DS handling.This page is for advanced use cases where you need direct control over payment instruments, 3DS sessions, and the charge lifecycle.

Which Approach Should I Use?

Rule of thumb: If your customer is checking out on a web page, use the Headless SDK. If you’re building a native mobile app, a payment platform, or need server-initiated (MIT) charges, use core-js + REST as described below.

When to Use This

When NOT to Use This


The Flow

Every payment follows 4 steps:

Prerequisites

  • A TagadaPay account with an API key (Bearer token)
  • A store with at least one payment flow configured (connects to your PSP: Stripe, NMI, Airwallex, etc.)
  • Install the tokenization SDK:
The tokenization SDK runs client-side (browser). Steps 2–4 happen server-side with your API key. Never expose your API key in the browser.

Step 1: Tokenize the Card (Client-Side)

The card number never touches your server. It goes directly to a PCI-compliant secure vault (BasisTheory) and returns a token.
What’s in a TagadaToken? It’s a base64-encoded JSON envelope containing the provider token, card metadata (last4, brand, BIN, expiry), SCA flags, and issuer information. It’s safe to send over the network — no raw card data.

Step 2: Create a Payment Instrument (Server-Side)

Send the tagadaToken from your client to your server, then call TagadaPay to create a reusable payment instrument:
Response:
If the customer already exists, pass customerId instead of customerData. The instrument will be attached to the existing customer.
Save the paymentInstrument.id — you’ll use it for every charge on this card. The instrument is reusable for future payments (subscriptions, repeat purchases).

Step 3: 3DS Authentication (If Required)

3DS (3D Secure) is required by many card issuers, especially in Europe (SCA regulation). The tokenization step tells you if it’s needed via rawToken.metadata.auth.scaRequired. 3DS has two parts: creating a session (server + client) and handling the challenge (client).

3a. Create a 3DS Session

Client-side: Create a local session with the 3DS provider SDK:
Server-side: Persist the session to TagadaPay so the payment processor can use it:
Response:

3b. Handle the Challenge (After Payment — See Step 4)

If the issuer requires a challenge (password, SMS, biometric), it comes back in the payment response. You handle it client-side — see Step 4b below.

Step 4: Process the Payment (Server-Side)

4a. Send the charge request

If payment succeeds immediately:
If 3DS challenge is required:

4b. Handle the 3DS Challenge (Client-Side)

When the payment response has requireAction: "threeds_auth", show the challenge to the customer:
The SDK opens a modal with the issuer’s authentication page. Once the customer completes it, poll for the final status.

4c. Poll for Final Status

After 3DS completes, the PSP processes the payment asynchronously. Poll until you get a terminal status:
Poll every 1–2 seconds. Terminal statuses: succeeded, failed, declined.

CIT vs MIT (Customer vs Merchant Initiated)

CIT Example (Customer Paying Now)

MIT Example (Subscription Renewal)

MIT Example (Auth + Capture)


Void and Refund

Void (Cancel an Authorization)

Refund (Full or Partial)

Omit amount for a full refund.

What TagadaPay Does Under the Hood

When you call /payments/process, TagadaPay:
  1. Routes to the right PSP — based on your payment flow rules (card brand, currency, amount, BIN range, etc.)
  2. Attaches 3DS data — if a threedsSessionId is provided, the authentication result is forwarded to the PSP
  3. Handles retries — if the primary PSP declines, the payment flow can cascade to a backup PSP
  4. Normalizes the response — regardless of which PSP handled it, you get the same response format
  5. Records the transaction — for analytics, dispute management, and reconciliation
You don’t need to integrate with Stripe, NMI, Airwallex, etc. individually. Configure the PSP connections in the CRM dashboard, set up payment flow routing rules, and TagadaPay handles the rest.

API Reference


Working Examples

Complete working examples with React, TypeScript, and Tailwind CSS are available on GitHub:

Card Tokenization + Payment

Full 4-step payment flow with 3DS

Apple Pay & Google Pay

Wallet tokenization integration
Test card: 4242 4242 4242 4242 (any future expiry, any CVC)

SDK Reference

@tagadapay/core-js Package

Key Types

npm Package

@tagadapay/core-js on npm

API Reference

Full REST API documentation