This section provides the complete technical specification for the Rebell Payments API. Use this reference alongside the Payment Integration guides for implementation details and best practices.

Base URLs

Sandbox

https://sandbox-api.rebellapp.com
For development and testing. Payments are simulated.

Production

https://api.rebellapp.com
Live environment. Requires merchant onboarding.
Sandbox and production use separate credentials. Keys registered in sandbox do not carry over to production.

Authentication

All API requests require RSA-SHA256 signature authentication. Every request must include these headers:
| Header | Required | Description |
|---|---|---|
| Client-Id | Yes | Your merchant identifier |
| Request-Time | Yes | ISO 8601 UTC timestamp (e.g., 2024-01-10T12:22:30Z) |
| Signature | Yes | RSA signature: algorithm=SHA256withRSA, keyVersion=<n>, signature=<base64> |
| Content-Type | Yes | Must be application/json |

Signature Construction

The signature is computed over a signing string built from:
<HTTP_METHOD> <HTTP_PATH>
<Client-Id>.<Request-Time>.<REQUEST_BODY>
Example signing string:
POST /v1/payments/retailPay
2022091495540562874792.2024-01-10T12:22:30Z.{"productCode":"51051000101000100040",...}
For detailed signing implementation with code examples in Node.js, Python, and Java, see Authentication & Environments or the Authentication Deep Dive.
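
The signing string above, signed and then checked the way a receiver would, as an added example (not Rebell's own code). It shows two common rejection causes: a body re-serialized after signing and a Request-Time outside the ±5 minute window. Assumptions: a single "\n" joins the two lines of the signing string, the signature is plain base64, the key pair and keyVersion=1 are throwaway values, and checkRequest is a hypothetical stand-in for the server-side validation.

```javascript
const crypto = require('crypto');

// Signing string as laid out above; the single "\n" between its two lines is an assumption.
function buildSigningString(method, path, clientId, requestTime, body) {
  return `${method} ${path}\n${clientId}.${requestTime}.${body}`;
}

// Builds the Signature header value. SHA256withRSA is RSASSA-PKCS1-v1_5 with SHA-256.
function signRequest(privateKey, keyVersion, method, path, clientId, requestTime, body) {
  const sig = crypto.createSign('RSA-SHA256')
    .update(buildSigningString(method, path, clientId, requestTime, body), 'utf8')
    .sign(privateKey, 'base64');
  return `algorithm=SHA256withRSA, keyVersion=${keyVersion}, signature=${sig}`;
}

// Hypothetical receiver-side check that returns the result codes documented on this page.
function checkRequest(publicKey, header, method, path, clientId, requestTime, body, now) {
  const skewMs = Math.abs(now.getTime() - Date.parse(requestTime));
  if (!(skewMs <= 5 * 60 * 1000)) return 'TIMESTAMP_INVALID'; // also catches unparsable times
  const m = /signature=([A-Za-z0-9+\/=]+)$/.exec(header);
  if (!m) return 'INVALID_SIGNATURE';
  const ok = crypto.createVerify('RSA-SHA256')
    .update(buildSigningString(method, path, clientId, requestTime, body), 'utf8')
    .verify(publicKey, m[1], 'base64');
  return ok ? 'SUCCESS' : 'INVALID_SIGNATURE';
}

// Constructed sample data: throwaway key pair, values modelled on the examples on this page.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const route = ['POST', '/v1/payments/retailPay', '2022091495540562874792', '2024-01-10T12:22:30Z'];
const payload = { productCode: '51051000101000100040', paymentRequestId: 'order-123-abc',
  paymentAmount: { currency: 'EUR', value: 1250 } };
const body = JSON.stringify(payload); // serialize once; sign and send exactly this string
const header = signRequest(privateKey, 1, ...route, body);

const now = new Date('2024-01-10T12:24:00Z'); // 90 seconds after Request-Time
const sent = checkRequest(publicKey, header, ...route, body, now);
// Same JSON re-serialized with indentation after signing: the bytes differ, so it is rejected.
const reserialized = checkRequest(publicKey, header, ...route, JSON.stringify(payload, null, 2), now);
// Same request checked 7.5 minutes after Request-Time.
const stale = checkRequest(publicKey, header, ...route, body, new Date('2024-01-10T12:30:00Z'));
console.log({ sent, reserialized, stale });
```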

Request Format

All requests use JSON with the following conventions:
  • Amounts are specified in minor units (cents). Example: 1250 = €12.50
  • Timestamps use ISO 8601 format in UTC (with Z suffix)
  • IDs must be unique per transaction (paymentRequestId serves as idempotency key)
Example Request Body
{
  "productCode": "51051000101000100040",
  "paymentRequestId": "order-123-abc",
  "paymentAmount": {
    "currency": "EUR",
    "value": 1250
  },
  "order": {
    "orderDescription": "Coffee order"
  }
}

Response Format

All responses include a result object indicating the outcome:
Success Response
{
  "result": {
    "resultStatus": "S",
    "resultCode": "SUCCESS",
    "resultMessage": "Success"
  },
  "paymentId": "2024032100123456",
  "paymentRequestId": "order-123-abc"
}

Result Status Codes

| Status | Meaning | Action |
|---|---|---|
| S | Success | Transaction completed successfully |
| F | Failure | Transaction failed - check resultCode for details |
| U | Unknown | Indeterminate state - use Inquiry API to check status |
| A | Accepted | Request accepted, processing asynchronously |
Never assume the initial API response is final. Always implement webhooks to receive the authoritative payment result.

Available Endpoints

Payments

| Endpoint | Method | Description |
|---|---|---|
| /v1/payments/createQROrder | POST | Create a merchant-presented QR code for payment |
| /v1/payments/retailPay | POST | Process payment from customer-presented QR/barcode |
| /v1/payments/linkPayCreate | POST | Create a redirect link for app-to-app payment |
| /v1/payments/inquiryPayment | POST | Query payment status |

Webhooks

| Endpoint | Direction | Description |
|---|---|---|
| Your webhook URL | Rebell → Merchant | Receives payment notifications (payment.succeeded, payment.failed) |

Error Handling

When a request fails, the response includes error details:
Error Response
{
  "result": {
    "resultStatus": "F",
    "resultCode": "INVALID_SIGNATURE",
    "resultMessage": "Request signature validation failed"
  }
}

Common Error Codes

| Code | Description | Resolution |
|---|---|---|
| INVALID_SIGNATURE | Signature validation failed | Verify signing string construction and key |
| TIMESTAMP_INVALID | Request-Time outside ±5 minute window | Sync server clock with NTP |
| INVALID_CLIENT_ID | Client-Id not recognized | Verify credentials for correct environment |
| ORDER_NOT_EXIST | Payment/order not found | Verify paymentId or paymentRequestId |
| REPEAT_REQUEST | Duplicate paymentRequestId | Use unique ID for each transaction |
For complete error reference, see Error Handling & Result Codes.

Rate Limits

| Environment | Limit |
|---|---|
| Sandbox | 100 requests/minute |
| Production | Contact Rebell for limits based on your integration |

Testing in Sandbox

The sandbox environment simulates the full payment flow:
  1. Create payments using test credentials
  2. Simulate user actions - payments auto-complete after creation
  3. Receive webhooks to your configured endpoint
  4. Query status using the Inquiry API
Test all error scenarios in sandbox before going to production. See the Testing Checklist for comprehensive test cases.

SDK & Code Examples

Complete signing and API client implementations are available in the Authentication Deep Dive:
  • Node.js - RebellClient class with full signing
  • Python - RebellClient class with cryptography library
  • Java - Signing utilities and HTTP client examples

Quick Integration Guide

Step-by-step integration walkthrough

Authentication Deep Dive

Detailed signing implementation

Webhooks

Webhook setup and signature verification

Error Handling

Complete error codes reference