This documentation explains how to integrate RiskPayGo into your website or application to create payments, redirect the buyer to checkout, and receive final status confirmation via webhook.
The integration must be done from your backend. Exposing credentials or sensitive logic on the frontend is not recommended.
Before we begin
Before you begin, you need an approved and active merchant account with RiskPayGo. You also need your integration credentials and to ensure that the domain you'll be collecting payments from is approved within your account.
The data you will need is your Merchant ID, your API Token, your Webhook Secret and the base URL of the API.
The base URL is as follows:
https://riskpaygo.com/portal/api/plugin
Authentication
All API requests must be authenticated. To do this, you must include the private token in the Authorization header and the merchant identifier in the X-RPG-Merchant header.
The necessary headers are these:
Accept: application/json
Content-Type: application/json
Authorization: Bearer TU_API_TOKEN
X-RPG-Merchant: TU_MERCHANT_ID
These credentials should only be used on the server. They should not be visible in browser JavaScript or public code.
Approved Domain
RiskPayGo validates the domain you send in the site.url field. This means that having valid credentials is not enough: the domain from which you are creating the payment must also be registered and approved in your account.
If the domain does not match one of your approved projects, the API will reject the request even if the token is correct.
Therefore, before going into production, it's advisable to check that the exact URL of your store or application is registered in the panel.
Create a payment
To initiate a payment, you must submit a POST request to the payment creation endpoint.
POST https://riskpaygo.com/portal/api/plugin/payments/create
In that request you must send the main information of the order: the amount, the currency, your internal references, the buyer's details and the return and notification URLs.
A typical request will include fields such as merchant_order_id, order_id, order_key, amount, currency, customer, site, notify_url, return_url and cancel_url.
Below is a complete example of the body you can send:
{
  "merchant_order_id": "PED-1001",
  "order_id": 1001,
  "order_key": "pedido_1001_key",
  "amount": "149.99",
  "currency": "USD",
  "customer": {
    "email": "cliente@ejemplo.com",
    "first_name": "Nombre",
    "last_name": "Apellido",
    "phone": "+34123456789",
    "country": "ES",
    "date_of_birth": "1990-05-20"
  },
  "site": {
    "url": "https://tu-dominio.com/",
    "name": "Mi tienda",
    "platform": "custom",
    "plugin": "integracion-propia"
  },
  "notify_url": "https://tu-dominio.com/api/riskpaygo/webhook",
  "return_url": "https://tu-dominio.com/pago/completado",
  "cancel_url": "https://tu-dominio.com/pago/cancelado"
}
The amount field must be greater than zero. The currency is sent in currency. In customer, it is advisable to send at least the buyer's email address. In site.url you must send the approved domain. In notify_url you indicate where you want to receive the payment status notification.
API Response
If the request is successful, RiskPayGo returns a response with the internal payment reference and the checkout URL. This reference allows you to link the payment to your order and track it afterward.
The expected response takes this form:
{
  "success": true,
  "data": {
    "payment_ref": "RPG-20260313-ABC12345",
    "checkout_url": "https://riskpaygo.com/portal/checkout.php?ref=RPG-20260313-ABC12345",
    "fee_percent": 20,
    "plan_slug": "free"
  }
}
As soon as you receive checkout_url, you must redirect the buyer to that address so they can complete the payment.
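An added example (not RiskPayGo's own code) of building the creation request on the server with the checks this page describes applied before anything leaves your backend, and of reading payment_ref and checkout_url from the response. The function names and the RPG_API_TOKEN and RPG_MERCHANT_ID environment variable names are assumptions; the request is built but not sent.

```python
import json
import os
import urllib.request
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit

API_BASE = "https://riskpaygo.com/portal/api/plugin"  # base URL from this page


def build_create_request(order, approved_site_url, env=os.environ):
    """Return an unsent urllib Request for payments/create, or raise ValueError."""
    # Credentials come from the server environment, never from client code.
    # RPG_API_TOKEN / RPG_MERCHANT_ID are assumed variable names.
    token, merchant = env.get("RPG_API_TOKEN"), env.get("RPG_MERCHANT_ID")
    if not token or not merchant:
        raise ValueError("missing RPG_API_TOKEN or RPG_MERCHANT_ID")
    try:
        amount = Decimal(str(order["amount"]))
    except (InvalidOperation, KeyError):
        raise ValueError("amount is missing or not a number")
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be greater than zero")
    # site.url must be the domain approved in the panel; compare hosts locally
    # so a misconfigured environment fails before the API rejects it.
    sent, approved = urlsplit(order["site"]["url"]), urlsplit(approved_site_url)
    if sent.scheme != "https" or sent.hostname != approved.hostname:
        raise ValueError("site.url does not match the approved domain")
    if urlsplit(order["notify_url"]).scheme != "https":
        raise ValueError("notify_url must use HTTPS")
    return urllib.request.Request(
        API_BASE + "/payments/create",
        data=json.dumps(order).encode("utf-8"),
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": "Bearer " + token,
            "X-RPG-Merchant": merchant,
        },
    )


def parse_create_response(body):
    """Return (payment_ref, checkout_url) from a successful response body."""
    doc = json.loads(body)
    if doc.get("success") is not True:
        raise ValueError("payment creation failed")
    data = doc["data"]
    return data["payment_ref"], data["checkout_url"]
```

Store the returned payment_ref against the order before redirecting, so the later webhook can be matched to it.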
What to do about the checkout
Payment is processed through a checkout hosted by RiskPayGo. Your system should not consider the order paid simply because you obtained the checkout URL or because the user returned to the website.
It is recommended to save the payment_ref reference, redirect the buyer, and wait for final confirmation via webhook.
The return_url serves to return the user to your site after payment, but the final status should be based on the notification you receive at notify_url.
Confirmation webhook
When the payment status changes, RiskPayGo will send a POST request to the URL indicated in notify_url. That notification includes a signature in the X-RPG-Signature header.
You must validate that signature using your Webhook Secret. The validation must be done on the exact original body of the request, not on a reserialized JSON.
The header you need to check is this one:
X-RPG-Signature:
The RiskPayGo notification may include information such as the merchant, order reference, payment reference, status, and transaction ID. An example would be this:
{
  "merchant_id": "TU_MERCHANT_ID",
  "order_id": 1001,
  "order_key": "pedido_1001_key",
  "payment_ref": "RPG-20260313-ABC12345",
  "transaction_id": "RPG-20260313-ABC12345",
  "status": "paid",
  "provider_status": "success",
  "provider_event": "payment_succeeded",
  "source": "payera_webhook"
}
The important thing here is that you validate the signature and then use the value of status to update the order in your system.
Payment statuses
During integration you must consider four main states.
pending indicates that the payment has been initiated but is not yet confirmed.
paid indicates that the payment has been successfully confirmed. This is the status you should normally use to mark the order as paid.
failed indicates that the payment has failed or has been rejected.
cancelled indicates that the payment has been cancelled or has expired.
The general recommendation is to use the webhook as the primary source of truth and only consider the order paid when you receive status = paid.
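An added example, not RiskPayGo's code, of a webhook handler that checks X-RPG-Signature over the raw request bytes before parsing them and then applies status to the stored order. This page does not state the signature algorithm, so hex-encoded HMAC-SHA256 is an assumption to confirm with RiskPayGo; the secret, body, orders store and the rule that a paid order is never downgraded are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample values; not real RiskPayGo data.
SECRET = b"whsec_constructed_example"
RAW_BODY = b'{"order_id": 1001,"payment_ref":"RPG-20260313-ABC12345","status":"paid"}'


def sign(secret, raw_body):
    # ASSUMPTION: hex-encoded HMAC-SHA256 of the raw body; confirm the scheme.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body, signature_header, secret, orders):
    """Verify first, parse second. Returns (http_status, message)."""
    expected = sign(secret, raw_body).encode()
    received = (signature_header or "").strip().lower().encode()
    # Constant-time comparison; a missing header is treated as a bad signature.
    if not hmac.compare_digest(expected, received):
        return 401, "invalid signature"
    event = json.loads(raw_body)
    order = orders.get(event.get("order_id"))
    # The notification must refer to the payment_ref saved at creation time.
    if order is None or order["payment_ref"] != event.get("payment_ref"):
        return 404, "unknown order or payment_ref"
    status = event.get("status")
    if status not in ("pending", "paid", "failed", "cancelled"):
        return 400, "unknown status"
    # Example policy: a repeated or late event never moves a paid order back.
    if order["status"] != "paid":
        order["status"] = status
    return 200, "ok"
```

Passing json.dumps(json.loads(RAW_BODY)) instead of RAW_BODY changes the whitespace and therefore the digest, which is why the framework's raw body must be captured before any JSON middleware touches it.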
Common mistakes
Unauthorized Merchant
If the API responds with an authorization error, the first thing you should check is that the value sent in Authorization is correct and that the merchant sent in X-RPG-Merchant matches that token. You must also confirm that the account is approved and active.
Domain not approved
If the problem is in the domain, check the value sent in site.url and verify that the domain exists as an approved project within the RiskPayGo panel.
Invalid amount
If the API rejects the amount, make sure that amount is sent correctly and has a value greater than zero.
Invalid webhook signature
If your system fails to validate the notification, check that you are using the correct Webhook Secret and that the signature calculation is done on the exact original body of the request.
Use with WooCommerce
If you're using the official WooCommerce plugin, the same integration details are still required. You'll need to configure the base URL, merchant, token, and webhook secret.
The main values to enter are these:
API Base URL: https://riskpaygo.com/portal/api/plugin
Merchant ID: TU_MERCHANT_ID
API Token: TU_API_TOKEN
Webhook Secret: TU_WEBHOOK_SECRET
The webhook URL in WordPress usually has this format:
https://tu-dominio.com/wp-json/riskpaygo/v1/webhook
Final recommendations
Before going into production, it's advisable to verify that the domain is approved, that your notify_url responds correctly via HTTPS, that you save payment_ref in your system, and that you only mark orders as paid when the final confirmation arrives via webhook.
With this structure you already have a solid foundation to integrate RiskPayGo into your own website, a custom application or a WooCommerce store.