    Credentials on File

    1. Introduction

    Credential on File (CoF) is an innovative solution that allows businesses to securely store customer payment details for on-demand or automatic future payments. Customers save their ABA account or their credit/debit card once, and they can make future payments without re-entering their details.

    Common Use Cases:

    • Subscription Services: automatic recurring billing for weekly/monthly plans
    • One-Click Purchase: faster checkout experience for returning customers
    • Recurring Bills: utilities, insurance, loan payments processed automatically
    • Usage-Based Billing: dynamic charging based on consumption metrics

    Types of stored credential transactions

    PayWay Credentials on File supports different types of transactions, including one-time, recurring, and unscheduled payments. The type of transaction is shown by a code starting with C (customer-initiated) or M (merchant-initiated):
    CITI_FLEX (CIT Initial): The customer saves their card/account for future purchases with a varied amount (e.g., setting up a profile for future payments).
    CITU_FLEX (CIT Unscheduled): The customer makes a one-time payment using a card/account saved earlier (e.g., buying something online).

    CITO_FLEX (CIT Other): The customer saves their card/account and allows the merchant to initiate future purchases with a varied amount (e.g., setting up a profile for a toll).
    MITU_FLEX (MIT Unscheduled): The merchant charges the customer when needed with a varied amount, without a fixed schedule (e.g., auto-recharge for a toll card).

    CITR_FIX (CIT Recurring): The customer starts a subscription or recurring payment with a fixed amount (e.g., signing up for a gym membership).
    MITR_FIX (MIT Recurring): The merchant charges the customer regularly at set intervals (e.g., monthly magazine subscription).

    2. How it works

    ABA Account
    1. The customer selects "Link ABA Account" on your platform.
       Desktop users will see a QR code to scan with ABA Mobile. Mobile users are sent via deeplink to open ABA Mobile.
       The user confirms and authorises the account link in the app.
       PayWay generates and sends a secure token to your platform.
    2. You store the token securely for future payments.
    3. When the customer wants to pay, they select their linked ABA account and process the payment.
    4. PayWay processes the transaction and confirms the status.

    3. Set up your COF UI

    To integrate PayWay Credentials on File and allow your customers to add their ABA account or credit/debit card to your platform, you must provide a UI section where customers can:
    • Add or link their ABA account or credit/debit card
    • View all their saved payment methods
    • Remove any linked payment method when needed
    You must follow the PayWay Credentials on File guidelines to ensure proper customer card/account storage:
    • Web UI Guideline: to store ABA accounts or cards securely on your website
    • Mobile UI Guideline: to store ABA accounts or cards securely on your mobile apps

    4. Integration Steps

    1. Linking Process
    Link ABA Account
    To allow your customers to link their ABA account on your platform, use the Link Account API. Here’s a sample of a successful API response:
    {
        "status": {
            "code": "00",
            "message": "Success",
            "trace_id": "bce9c83c-922e-4672-87f5-7f92cd15047c"
        },
        "data": {
            "deeplink": "abamobilebank://ababank.com?type=account_on_file&qrcode=ABA...gFses",
            "qr_string": "ABAAOF+hEGxkym...6SbF19enqLB2xU46jTzVY",
            "expire_in": 1627113926
        }
    }
    Web Browser: Display a QR code using qr_string for customers to scan with ABA Mobile and authorise the account linking.
    After the user links their ABA account or card, PayWay calls the URL you supplied in the callback_url parameter and passes the following information. Your callback_url must accept the HTTP POST method with content type application/json.
    {
        "request_id": "175317626731593",
        "payment_credential": {
            "ctid": "64513556cc930062e8cb3ae59eee8fbf459c53e",
            "pwt": "6451355C97035CDE21FB13..E0945C21007136F3D423A1B",
            "source_of_fund": "*****5312",
            "type": "ABA ACCOUNT",
            "status": 1,
            "expired_at": "2025-10-20T08:20:03",
            "token_flag": "CITI_FLEX",
            "frequency": "",
            "subscribed_amount": 0.0,
            "amount_limit_per_tran": 0.0
        }
    }

    request_id string
    Your original request ID.

    payment_credential object
    ctid string
    Your consumer identification number.
    pwt string
    PWT (PayWay Token) is a unique token automatically generated by the PayWay system and is used to complete the purchase.
    source_of_fund string
    This field displays either the card number or the ABA account number, depending on the payer's selected payment method. For security reasons, the number is masked and only the last 4 digits are shown.
    type string
    Visa - Visa card
    MC - Mastercard
    CUP - UnionPay card
    JCB - JCB card
    ABA ACCOUNT - ABA Account
    status string
    0 - Token has been removed.
    1 - Token is active.
    2 - Token has been frozen.
    expired_at string
    Expiry date of the token.
    token_flag string
    Possible values: CITI_FLEX, CITO_FLEX, and CITR_FIX.
    frequency string
    This field will be empty if the token flag is CITI_FLEX or CITO_FLEX. If the token flag is CITR_FIX, the possible values are:
    1W – Weekly
    1M – Monthly
    2M – Every 2 months
    subscribed_amount number
    Refers to the fixed amount of money that the customer agrees to pay regularly as part of a subscription or recurring payment. 0 if token flag is CITI_FLEX or CITO_FLEX.
    amount_limit_per_tran string
    Token payment amount limit per transaction. If token flag is CITR_FIX this value is equal to value of subscribed_amount.
    If you encounter issues with the pushback notification and do not receive the details, you can manually retrieve the linked account information using the Get token details API.
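    An added example, not part of the PayWay documentation: one way a callback_url handler could vet the linking callback before storing the PWT, using the field rules listed above. The `pending` map, the function names and the sample payload are assumptions made for the illustration; since the callback shown on this page carries no authenticity field, the check relies on matching request_id to a link request the platform itself started.

```python
import json

# Values documented on this page for the linking callback.
TYPES = ("Visa", "MC", "CUP", "JCB", "ABA ACCOUNT")
FLAGS = ("CITI_FLEX", "CITO_FLEX", "CITR_FIX")
FREQUENCIES = ("1W", "1M", "2M")

# Constructed sample callback body; every value is a placeholder.
SAMPLE = json.dumps({"request_id": "REQ-0001", "payment_credential": {
    "ctid": "CUST-42", "pwt": "PLACEHOLDERTOKEN0123456789ABCDEF",
    "source_of_fund": "*****0000", "type": "ABA ACCOUNT", "status": 1,
    "expired_at": "2030-01-01T00:00:00", "token_flag": "CITR_FIX",
    "frequency": "1M", "subscribed_amount": 9.99, "amount_limit_per_tran": 9.99}})


def redact(token, keep=4):  # log-safe form: only the last `keep` chars visible
    return "*" * max(len(token) - keep, 0) + token[-keep:]


def validate_link_callback(content_type, body, pending):
    """Return the record to store, or raise ValueError. `pending` (hypothetical
    bookkeeping) maps each link request's request_id to its customer."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("unexpected content type")
    msg = json.loads(body)  # JSONDecodeError is a ValueError
    cred = msg.get("payment_credential") if isinstance(msg, dict) else None
    if not isinstance(cred, dict):
        raise ValueError("missing payment_credential")
    rid = str(msg.get("request_id"))
    if rid not in pending:
        raise ValueError("unknown or already used request_id")
    if not isinstance(cred.get("pwt"), str) or not cred["pwt"]:
        raise ValueError("missing pwt")
    if cred.get("type") not in TYPES or cred.get("token_flag") not in FLAGS:
        raise ValueError("undocumented type or token_flag")
    if str(cred.get("status")) != "1":  # 0 removed, 1 active, 2 frozen
        raise ValueError("token is not active")
    freq = cred.get("frequency") or ""
    try:
        sub = float(cred.get("subscribed_amount") or 0)
        limit = float(cred.get("amount_limit_per_tran") or 0)
    except TypeError:
        raise ValueError("non-numeric amount") from None
    if cred["token_flag"] == "CITR_FIX":
        if freq not in FREQUENCIES or limit != sub:
            raise ValueError("inconsistent recurring terms")
    elif freq or sub:
        raise ValueError("flexible token carries recurring terms")
    return {"customer": pending.pop(rid), "pwt": cred["pwt"], "limit": limit,
            "pwt_log": redact(cred["pwt"]), "token_flag": cred["token_flag"]}
```

    The returned pwt belongs in encrypted storage only; pwt_log is the form to write to application logs.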
    2. Purchase using token
    To perform a purchase using the token, follow the specification of the Payment API.
    You should receive a real-time callback response within 3 seconds. If you do not receive a response, we recommend using the Check transaction API to verify the payment status.
    Sample callback data
    {
      "request_id": "20250819101221",
      "apv": "",
      "status": 0,
      "payment_credential": {
        "ctid": "SIDARA20250819101221",
        "pwt": "6451397E0985C46F51768A7A78174ADC9D10A7A1120DD0F5810151ED2560F66C0B61A6B",
        "source_of_fund": "515683******7631",
        "type": "MC",
        "status": 0,
        "expired_at": "2027-06-01T00:00:00",
        "token_flag": "CITI_FLEX",
        "frequency": "",
        "subscribed_amount": 0.0,
        "amount_limit_per_tran": 0
      }
    }