This specification standardizes an API to allow merchants (i.e. web
sites selling physical or digital goods) to utilize one or more payment
methods with minimal integration. User agents (e.g., browsers)
facilitate the payment flow between merchant and user.
The deadline for comments for Candidate Recommendation is 30 September
2017.
If you wish to make comments regarding this document, please raise
them as GitHub
issues. Only send comments by email if you are unable to raise
issues on GitHub (see links below). All comments are welcome.
Features at risk
As this specification enters the Candidate Recommendation phase of
the W3C standardization process, the working group has identified the
following feature(s) as being "at risk" of being removed
from the specification. The working group seeks input from
implementers, developers, and the general public on whether these
features should remain in the specification. If no compelling use
cases are received, or if there is limited interest from
implementers, these features will be removed from the specification
before proceeding along the W3C Recommendation track.
This specification describes an API that allows user agents
(e.g., browsers) to act as an intermediary between three parties in a
transaction:
the payee: the merchant that runs an online store, or other party
that requests to be paid.
the payer: the party that makes a purchase at that online store,
and who authenticates and authorizes payment as required.
the payment method provider:
the party that provides the means (e.g., credit card) that the payer
uses to pay, and that is accepted by the payee.
The details of how to fulfill a payment request for a given payment
method are handled by payment
handlers. In this specification, these details are left up to the
user agent, but future specifications may expand on the
processing model in more detail.
This API also enables web sites to take advantage of more secure
payment schemes (e.g., tokenization and system-level authentication)
that are not possible with standard JavaScript libraries. This has the
potential to reduce liability for the merchant and helps protect
sensitive user information.
Goals
Allow the user agent to act as intermediary between merchants,
users, and payment method providers.
Enable user agents to streamline the user's payment experience by
taking into account user preferences, merchant information, security
considerations, and other factors.
Standardize (to the extent that it makes sense) the communication
flow between a merchant, user agent, and payment method
provider.
Enable payment method providers to bring more secure
payment transactions to the web.
A developer creates a PaymentRequest to make a payment request.
This is typically associated with the user initiating a payment process
(e.g., by activating a "Buy," "Purchase," or "Checkout" button on a web
site, selecting a "Power Up" in an interactive game, or paying at a
kiosk in a parking structure). The PaymentRequest allows
developers to exchange information with the user agent while the
user is providing input before approving or denying a payment request.
The user agent as a whole has a single payment request is
showing boolean, initially false. This is used to prevent
multiple PaymentRequests from being shown, via their
show() method, at the same time.
The following example shows how to construct a PaymentRequest
and begin the user interaction:
function validateResponse(response) {
// check that the response is ok... throw if bad, for example.
}
async function doPaymentRequest() {
const payment = new PaymentRequest(methodData, details, options);
payment.addEventListener("shippingaddresschange", event => {
// Process shipping address change
});
let paymentResponse;
try {
paymentResponse = await payment.show();
// paymentResponse.methodName contains the selected payment method.
// paymentResponse.details contains a payment method specific
// response.
validateResponse(paymentResponse);
paymentResponse.complete("success");
} catch (err) {
console.error("Uh oh, bad payment response!", err.message);
paymentResponse.complete("fail");
}
}
doPaymentRequest();
Constructor
The PaymentRequest is constructed using the supplied
methodData list including any payment method
specific data, the payment
details, and the payment options.
If details.id is missing, add an id member to details and
set its value to string that uniquely identifies this payment
request. It is RECOMMENDED that the string be a UUID [[!RFC4122]].
Process payment methods:
If the length of the methodData sequence is zero,
then throw a TypeError, optionally informing the
developer that at least one payment method is required.
For each paymentMethod of methodData:
If the data
member of paymentMethod is missing, let
serializedData be null. Otherwise, let
serializedData be the result of
JSON-serializingpaymentMethod.data
into a string. Rethrow any exceptions.
Add the tuple (paymentMethod.supportedMethods,
serializedData) to
serializedMethodData.
If the first code point of
details.total.amount.value is U+002D HYPHEN-MINUS,
then throw a TypeError, optionally informing the
developer that the total can't be negative.
If the data member of
modifier is missing, let
serializedData be null. Otherwise, let
serializedData be the result of
JSON-serializingmodifier.data into a string.
Rethrow any exceptions.
Add serializedData to
serializedModifierData.
Remove the
data member of modifier, if it is
present.
The show() method is called when a developer wants to begin
user interaction for the payment request. The show() method
returns a Promise that will be resolved when the user
accepts the payment request. Some kind of user interface will
be presented to the user to facilitate the payment request after
the show() method returns.
During the Candidate Recommendation phase, implementations are
expected to experiment in this area. Developers using this API
should investigate and anticipate such experiments and understand
under what circumstances a "SecurityError"
DOMException might occur. If interoperable behavior
emerges amongst user agents, then that behavior will be
standardized here before progressing the specification along the
W3C Recommendation Track.
This allows the user agent to act as if the user had
immediately aborted
the payment request, at its discretion. For example, in
"private browsing" modes or similar, user agents might take
advantage of this step.
Let identifier be the first element in the
paymentMethod tuple.
Let data be the result of JSON-parsing the second
element in paymentMethod tuple.
If required by the specification that defines the
identifer, then convertdata to an IDL value. Otherwise, convert to
object.
If conversion results in an error, reject
acceptPromise with that error and terminate this
algorithm.
Determine which payment handlers support
identifier. For each resulting payment handler, if
payment method specific capabilities supplied by the payment
handler match those provided by data, the payment
handler matches.
Otherwise, show a user interface to allow the user to interact
with the payment request process, using those payment
handlers and payment methods which the above step
identified as feasible. The user agent SHOULD prioritize the
preference of the user when presenting payment methods and
applications.
The payment handler should be sent the appropriate data
from request in order to guide the user through the
payment process. This includes the various attributes and
internal slots of request.
The abort() method is called if a developer wishes to tell
the user agent to abort the payment request and
to tear down any user interface that might be shown. The
abort() can only be called after the show() method
has been called (see states) and before this
instance's [[\acceptPromise]] has been resolved. For
example, developers might choose to do this if the goods they are
selling are only available for a limited amount of time. If the
user does not accept the payment request within the allowed time
period, then the request will be aborted.
A user agent might not always be able to abort a request.
For example, if the user agent has delegated responsibility
for the request to another app. In this situation, abort()
will reject the returned Promise.
The canMakePayment() method can be used by the developer to
determine if the PaymentRequest object can be used to make a
payment, before they call show(). It returns a Promise
that will be fulfilled with true if the user agent supports
any of the desired payment methods supplied to the
PaymentRequest constructor, and false if none are supported.
If the method is called too often, the user agent might instead
return a promise rejected with a "NotAllowedError"
DOMException, at its discretion.
This allows user agents to apply heuristics to detect and prevent
abuse of the canMakePayment() method for fingerprinting
purposes, such as creating PaymentRequest objects with a
variety of supported payment methods and calling
canMakePayment() on them one after the other. For example,
a user agent may restrict the number of successful calls that can
be made based on the top-level browsing context or the
time period in which those calls were made.
Instances of PaymentRequest are created with the internal
slots in the following table:
Internal Slot
Description (non-normative)
[[\serializedMethodData]]
The methodData supplied to the constructor, but
represented as tuples containing supported methods and a string
or null for data (instead of the original object form).
[[\serializedModifierData]]
A list containing the serialized string form of each data member for each
corresponding item in the sequence
[[\details]].modifier,
or null if no such member was present.
This feature has been marked "at risk". If you'd like for this
feature to remain in the specification, please describe your use case
in issue
490.
currencySystem
A URL that indicates the currency system that the currency
identifier belongs to. By default, the value is
urn:iso:std:iso:4217 indicating that currency
is defined by [[ISO4217]] (for example, USD for US
Dollars).
currency
A string containing a currency identifier. The value of
currency can be any string that is valid within the currency
system indicated by currencySystem.
This sequence of PaymentItem dictionaries contains line
items for the payment request that the user agent MAY
display. For example, it might include details of products or
breakdown of tax and shipping. It is optional to provide this
information.
It is the developer's responsibility to verify that the
total amount is the sum
of these items.
shippingOptions
A sequence containing the different shipping options for the user
to choose from.
If the sequence is empty, then this indicates that the merchant
cannot ship to the current shippingAddress.
If an item in the sequence has the selected member set to true,
then this is the shipping option that will be used by default and
shippingOption
will be set to the id
of this option without running the shipping option changed
algorithm. Authors SHOULD NOT set selected to true on more
than one item. If more than one item in the sequence has
selected set to
true, then user agents MUST select the last one in the
sequence.
If the sequence has an item with the selected member set to true,
then authors are responsible for ensuring that the total member includes the cost of
the shipping option. This is because no
shippingoptionchange event will be fired for this option
unless the user selects an alternative option first.
modifiers
This sequence of PaymentDetailsModifier dictionaries
contains modifiers for particular payment method identifiers. For
example, it allows you to adjust the total amount based on payment
method.
When the payment request is updated using updateWith(), the
PaymentDetailsUpdate can contain a message in the
error member that will be displayed to the user, if the
PaymentDetailsUpdate indicates that there are no valid
shippingOptions
(and the PaymentRequest was constructed with the requestShipping option set to
true). This can be used to explain why goods cannot be shipped to
the chosen shipping address, or any other reason why no shipping
options are available.
total
This PaymentItem contains the non-negative total amount.
This sequence of PaymentItem dictionaries provides additional
display items that are appended to the displayItems member in the
PaymentDetailsBase dictionary for the payment method
identifiers in the supportedMethods member. This member is
commonly used to add a discount or surcharge line item indicating the
reason for the different total amount for the selected
payment method that the user agent MAY display.
This is the default and refers to the address being collected as the
destination for shipping.
delivery
This refers to the address being collected as being used for
delivery. This is commonly faster than shipping. For example, it
might be used for food delivery.
pickup
This refers to the address being collected as part of a service
pickup. For example, this could be the address for laundry pickup.
The PaymentOptions dictionary is passed to the
PaymentRequest constructor and provides information about the
options desired for the payment request.
requestPayerName
This boolean value indicates whether the user agent should
collect and return the payer's name as part of the payment request.
For example, this would be set to true to allow a merchant to make a
booking in the payer's name.
requestPayerEmail
This boolean value indicates whether the user agent should
collect and return the payer's email address as part of the payment
request. For example, this would be set to true to allow a merchant
to email a receipt.
requestPayerPhone
This boolean value indicates whether the user agent should
collect and return the payer's phone number as part of the payment
request. For example, this would be set to true to allow a merchant
to phone a customer with a billing enquiry.
requestShipping
This boolean value indicates whether the user agent should
collect and return a shipping address as part of the payment request.
For example, this would be set to true when physical goods need to be
shipped by the merchant to the user. This would be set to false for
an online-only electronic purchase transaction.
shippingType
Some transactions require an address for delivery but the term
"shipping" isn't appropriate. For example, "pizza delivery" not
"pizza shipping" and "laundry pickup" not "laundry shipping". If
requestShipping is set to true, then the shippingType
member may be used to influence the way the user agent
presents the user interface for gathering the shipping address.
The shippingType member only affects the user interface for
the payment request.
A sequence of one or more PaymentItem dictionaries is included
in the PaymentDetailsBase dictionary to indicate what the
payment request is for and the value asked for.
label
This is a human-readable description of the item. The user
agent may display this to the user.
When set to true this flag means that the amount member is not
final. This is commonly used to show items such as shipping or tax
amounts that depend upon selection of shipping address or shipping
option. User agents MAY indicate pending fields in the user
interface for the payment request.
This is the [[!CLDR]] (Common Locale Data Repository) region code.
For example, US, GB, CN, or JP.
addressLine attribute
This is the most specific part of the address. It can include, for
example, a street name, a house number, apartment number, a rural
delivery route, descriptive instructions, or a post office box
number.
region attribute
This is the top level administrative subdivision of the country. For
example, this can be a state, a province, an oblast, or a prefecture.
city attribute
This is the city/town portion of the address.
dependentLocality attribute
This is the dependent locality or sublocality within a city. For
example, used for neighborhoods, boroughs, districts, or UK dependent
localities.
postalCode attribute
This is the postal code or ZIP code, also known as PIN code in India.
sortingCode attribute
This is the sorting code as used in, for example, France.
languageCode attribute
This is the [[!BCP47]] language code for the address. It's used to
determine the field separators and the order of fields when
formatting the address for display.
organization attribute
This is the organization, firm, company, or institution at this
address.
recipient attribute
This is the name of the recipient or contact person. This member may,
under certain circumstances, contain multiline information. For
example, it might contain "care of" information.
phone attribute
This is the phone number of the recipient or contact person.
The PaymentShippingOption dictionary has members describing a
shipping option. Developers can provide the user with one or more
shipping options by calling the updateWith() method in
response to a change event.
This is set to true to indicate that this is the default selected
PaymentShippingOption in a sequence. User agents SHOULD
display this option by default in the user interface.
An object that provides a payment method specific message used
by the merchant to process the transaction and determine successful
fund transfer. This data is returned by the payment method
specific code that satisfies the payment request.
The corresponding payment request id that spawned this payment response.
complete() method
The complete() method is called after the user has accepted
the payment request and the [[\acceptPromise]] has been
resolved. Calling the complete() method tells the user
agent that the transaction is over (and SHOULD cause any
remaining user interface to be closed).
After the payment request has been accepted and the
PaymentResponse returned to the caller but before the caller
calls complete() the payment request user interface remains in
a pending state. At this point the user interface ought not offer a
cancel command because acceptance of the payment request has been
returned. However, if something goes wrong and the developer never
calls complete() then the user interface is blocked.
For this reason, implementations MAY impose a timeout for developers
to call complete(). If the timeout expires then the
implementation will behave as if complete() was called with no
arguments.
Return promise and perform the remaining steps in
parallel.
Close down any remaining user interface. The user agent
MAY use the value result to influence the user experience.
Resolve promise with undefined.
Internal Slots
Instances of PaymentResponse are created with the internal
slots in the following table:
Internal Slot
Description (non-normative)
[[\completeCalled]]
true if the complete
method has been called and false otherwise.
PaymentRequest and iframe elements
To indicate that a cross-origin iframe is allowed to invoke the
payment request API, the allowpaymentrequest attribute can be
specified on the iframe element.
The PaymentRequestUpdateEvent enables developers to update the
details of the payment request in response to a user interaction.
If a developer wants to update the payment request, then they need to
call updateWith() and provide a PaymentDetailsUpdate
dictionary, or a promise for one, containing changed values that the
user agent SHOULD present to the user.
If a developer wants to update the payment request, then they need
to call updateWith() and provide a
PaymentDetailsUpdate dictionary, or a promise for one,
containing changed values that the user agent presents to
the user.
The user agent SHOULD disable the user interface that
allows the user to accept the payment request. This is to ensure
that the payment is not accepted until developers have made changes
required by the change. Developers MUST settle the
detailsPromise to indicate that the payment request is
valid again.
The user agent SHOULD disable any part of the user
interface that could cause another update event to be fired.
Only one update may be processed at a time.
Return from the method and perform the remaining steps in
parallel.
The remaining steps are conditional on the
detailsPromise settling. If
detailsPromise never settles then the payment
request is blocked. Users SHOULD always be able to cancel a
payment request. Implementations MAY choose to implement a
timeout for pending updates if detailsPromise
doesn't settle in a reasonable amount of time. If an
implementation chooses to implement a timeout, they must
execute the steps listed below in the "upon rejection" path.
Such a timeout is a fatal error for the payment request.
If the data member of
modifier is missing, let
serializedData be null. Otherwise, let
serializedData be the result of
JSON-serializingmodifier.data into a
string. If JSON-serializing throws an
exception, then abort the update with that
exception.
Add serializedData to
serializedModifierData.
Remove the data member of
modifier, if it is present.
If request.[[\options]].requestShipping is
true, and
request.[[\details]].shippingOptions
is empty, then the developer has signified that there are
no valid shipping options for the currently-chosen shipping
address (given by request's shippingAddress). In
this case, the user agent SHOULD display an error
indicating this, and MAY indicate that the currently-chosen
shipping address is invalid in some way. The user agent
SHOULD use the error member of
details, if it is present, to give more
information about why there are no valid shipping options
for that address.
In either case, run the following steps, after either the upon
rejection or upon fulfillment steps have concluded:
The user agent should update the user interface
based on any changed values in request. The user
agent SHOULD re-enable user interface elements that might have
been disabled in the steps above if appropriate.
If any of the above steps say to abort the update with
an exception exception, then:
Abort the current user interaction and close down any remaining
user interface.
Aborting the update is
performed when there is a fatal error updating the payment
request, such as the supplied detailsPromise
rejecting, or its fulfillment value containing invalid data. This
would potentially leave the payment request in an inconsistent
state since the developer hasn't successfully handled the change
event. Consequently, the PaymentRequest moves to a
"closed" state. The error is signaled to the developer
through the rejection of the [[\acceptPromise]], i.e. the
promise returned by show().
User agents might show an error message to the user when
this occurs.
The PaymentRequest updated algorithm is run by other
algorithms above to fire an event to indicate that a user has
made a change to a PaymentRequest called request
with an event name of name.
It MUST run the following steps:
If the request.[[\updating]] is true, then
terminate this algorithm and take no further action. Only one update
may take place at a time. This should never occur.
If the request.[[\state]] is not set to
"interactive", then terminate this algorithm and take no
further action. The user agent user interface should ensure
that this never occurs.
The user accepts the
payment request algorithm runs when the user accepts the
payment request and confirms that they want to pay. It MUST queue
a task on the user interaction task source to perform the
following steps:
Let request be the PaymentRequest object that
the user is interacting with.
If the request.[[\updating]] is true, then
terminate this algorithm and take no further action. The user
agent user interface should ensure that this never occurs.
If request.[[\state]] is not
"interactive", then terminate this algorithm and take no
further action. The user agent user interface should ensure
that this never occurs.
If the requestShipping value of
request.[[\options]] is true, then if the
shippingAddress
attribute of request is null or if the shippingOption attribute of
request is null, then terminate this algorithm and take no
further action. This should never occur.
Set the details
attribute value of response to an object containing the
payment method specific message that will be used by the
merchant to process the transaction. The format of this response will
be defined for each payment method.
If the requestPayerName value of
request.[[\options]] is true, then set the payerName attribute of
response to the payer's name provided by the user, or to
null if none was provided. Otherwise, set it to null.
If the requestPayerEmail value of
request.[[\options]] is true, then set the
payerEmail attribute of
response to the payer's email address provided by the
user, or to null if none was provided. Otherwise, set it to null.
If the requestPayerPhone value of
request.[[\options]] is true, then set the
payerPhone attribute of
response to the payer's phone number provided by the user,
or to null if none was provided. When setting the payerPhone value, the user agent
SHOULD format the phone number to adhere to [[!E.164]]. Otherwise,
set it to null.
The user aborts the
payment request algorithm runs when the user aborts the payment
request through the currently interactive user interface. It MUST
queue a task on the user interaction task source to
perform the following steps:
Let request be the PaymentRequest object that
the user is interacting with.
If the request.[[\updating]] is true, then
terminate this algorithm and take no further action. The user
agent user interface should ensure that this never occurs.
If request.[[\state]] is not
"interactive", then terminate this algorithm and take no
further action. The user agent user interface should ensure
that this never occurs.
This section is a placeholder to record security considerations as we
gather them through working group discussion.
Encryption of data fields
The PaymentRequest API does not directly support encryption of
data fields. Individual payment methods may choose to include
support for encrypted data but it is not mandatory that all
payment methods support this.
Privacy Considerations
This section is a placeholder to record privacy considerations as we
gather them through working group discussion.
Exposing user information
The user agent MUST NOT share information about the user with
a developer (e.g., the shipping address) without user consent.
Exposing available payment methods
Developers might try to call the payment request API repeatedly with
only one payment method identifier to try to determine what payment
methods a user agent has installed. There may be legitimate
scenarios for calling repeatedly (for example, to control the flow of
payment method selection). The fact that a successful match to a
payment method causes a user interface to be displayed mitigates the
disclosure risk. Implementations may also require a user action to
initiate a payment request or they may choose to rate limit the calls
to the API to prevent too many repeated calls.
Dependencies
This specification relies on several other underlying specifications.
Payment Method Identifiers
The term payment method
identifier is defined by [[!payment-method-id]]. It's an unique
identifier for a payment method.
HTML
The following are defined by [[!HTML]]:
EventHandler
queue a task
user
interaction task source
top-level
browsing context
current settings
object
allowed to use
triggered by
user activation
in parallel
the iframe element
the allowpaymentrequest
attribute
ECMA-262 6th Edition, The ECMAScript 2015 Language Specification
The terms Promise, internal
slot,
TypeError, and JSON.stringify are
defined by [[!ECMA-262-2015]].
The term JSON-serialize applied to
a given object means to run the algorithm specified by the original
value of the JSON.stringify function on the supplied object,
passing the supplied object as the sole argument, and return the
resulting string. This can throw an exception.
Writing Promise-Using Specifications
The terms upon
fulfillment and upon rejection are defined by
[[!PROMISES-GUIDE]].
DOM
The Event interface,
The EventInit dictionary, and the
terms fire an event,
dispatch flag,
stop propagation
flag, isTrusted attribute, and
stop immediate
propagation flag are defined by [[!DOM]].
Web IDL
When this specification says to throw an error, the user agent must
throw an error as described in [[!WEBIDL]]. When this occurs in a
sub-algorithm, this results in termination of execution of the
sub-algorithm and all ancestor algorithms until one is reached that
explicitly describes procedures for catching exceptions.
The algorithm for converting an ECMAScript value to a dictionary
is defined by [[!WEBIDL]].
DOMException and the
following DOMException types from [[!WEBIDL]] are used:
"AbortError"
"InvalidStateError"
"NotAllowedError"
"NotSupportedError"
"SecurityError"
There is only one class of product that can claim conformance to this
specification: a user agent.
Although this specification is primarily targeted at web browsers, it
is feasible that other software could also implement this specification
in a conforming manner.
User agents MAY implement algorithms given in this specification in any
way desired, so long as the end result is indistinguishable from the
result that would be obtained by the specification's algorithms.
User agents MAY impose implementation-specific limits on otherwise
unconstrained inputs, e.g., to prevent denial of service attacks, to
guard against running out of memory, or to work around
platform-specific limitations. When an input exceeds
implementation-specific limit, the user agent MUST throw, or, in the
context of a promise, reject with, a TypeError optionally
informing the developer of how a particular input exceeded an
implementation-specific limit.
The working group will demonstrate implementation experience by
creating a
test suite and having at least two independent implementations pass
each mandatory test (i.e., each test the corresponds to a MUST
requirements of the specification). The working group hopes to
demonstrate, in the form of an implementation report, interoperability
from two or more vendors on both mobile and desktop web browsers.
There has been no change in dependencies on other workings groups
during the development of this specification.
