search

Authorization

hashtag
Overview

The Authorization endpoint authorizes a payment without capturing it. This is useful when you need to verify funds availability or when the final amount might change before capture. The funds are held on the customer's card but not yet collected.

POST /v1/payments/

hashtag
What Happens Internally

Client Request → Firstoken API → [Tokenization + Authorization] → Response

  1. Tokenization: Card data is securely tokenized

  2. Authorization: Payment is authorized and funds are held

  3. Response: Authorization details returned (capture required separately)

hashtag
Request Body

The request format is identical to the Payment endpoint, but with "type": "authorization" instead of "type": "payment".

hashtag
Minimal Required Fields

{
  "transaction_info": {
    "type": "authorization",
    "reference_code": "1753550023570"
  },
  "card": {
    "number": "4225289837059229",
    "expiration_date": "01/2030",
    "security_code": "123",
    "holder": "John Doe Jones"
  },
  "order_info": {
    "amount_details": {
      "total_amount": 1000,
      "currency": "BRL",
      "items_amount": 1000
    },
    "installments": 1,
    "descriptor": "Test Payment"
  },
  "cardholder_info": {
    "first_name": "John",
    "last_name": "Doe",
    "document": {
      "type": "CPF",
      "number": "54672396002",
      "nationality": "BR"
    },
    "country": "BR",
    "address_1": "123 Main St",
    "city": "Sao Paulo",
    "state": "SP",
    "postal_code": "04001-000",
    "email": "john_autoaccept@test.com",
    "phone_number": "4158880000",
    "phone_type": "Mobile",
    "phone_area_code": "22"
  },
  "bill_to": {
    "id": "1234567890",
    "first_name": "John",
    "last_name": "Doe",
    "document": {
      "type": "CPF",
      "number": "54672396002",
      "nationality": "BR"
    },
    "country": "BR",
    "address_1": "123 Main St",
    "city": "Sao Paulo",
    "state": "SP",
    "postal_code": "04001-000",
    "email": "test@cybs.com",
    "phone_number": "4158880000",
    "phone_type": "Mobile",
    "phone_area_code": "22",
    "profile": "1"
  },
  "line_items": [
    {
      "category": {
        "id": "1",
        "name": "Category 1"
      },
      "id": "1",
      "name": "Item 1",
      "price": 1500,
      "quantity": 1,
      
      "type": "Generic"
    }
  ],
  "device_info": {
    "ip_address": "127.0.0.1",
    "fingerprint_session_id": "0a76c25669713d8d6d306ba8c21259b7",
  }
}

hashtag
Complete Request with All Fields

hashtag
Field Specifications

All field specifications are identical to the Payment endpoint, except:

  • transaction_info.type must be "authorization"

hashtag
Response Format

hashtag
Success Response (200)

hashtag
Failed Authorization Response (200)

hashtag
Error Response (400/500)

hashtag
Response Fields

hashtag
transaction_info

Field
Type
Description

type

String

Response type (authorization_response, payment_response, etc.)

reference_code

String

Merchant reference code from request

transaction_id

String

Unique transaction identifier generated by KOIN

request_id

String

Unique request identifier

status

String

Transaction status (Authorized, Declined, Pending, etc.)

response_code

String

Internal response code

created_at

String

Transaction creation timestamp (ISO 8601)

hashtag
order_info

Field
Type
Description

amount_details.authorized_amount

Number

Authorized amount in cents

amount_details.currency

String

Transaction currency

hashtag
risk_info

Field
Type
Description

status

String

Antifraud status: Approved, Rejected, Pending

date

String

Date of antifraud evaluation (ISO 8601)

strategies

Array

Array of antifraud strategies applied (see Strategies section)

hashtag
error_info (present when transaction fails)

Field
Type
Description

reason

String

Failure reason (InsufficientFunds, InvalidCard, etc.)

message

String

Human-readable error message

hashtag
Antifraud Strategies

The strategies array contains objects with antifraud strategies that were applied to the transaction. Each strategy object contains:

Field
Type
Description

type

String

Strategy type (VerificationCode ,DocumentScan ,ManualVerification ,CollectAuthRecovery )

link

String

Reference link for strategy details

Note: Strategies must be configured in your KOIN account to appear in responses. If no strategies are configured, the array will be empty [].

hashtag
cURL Example

hashtag
Important Notes

hashtag
Authorization Expiration

  • Typical Expiration: Authorizations expire after 7 days if not captured

  • Best Practice: Capture within 24-48 hours for best success rates

hashtag
Next Steps After Authorization

After a successful authorization, you have three options:

  1. Capture: Collect the authorized amount (or less)

  2. Authorization Void: Cancel the authorization

  3. Wait for Expiration: Authorization will automatically expire

hashtag
Authorization vs Payment

Aspect
Authorization
Payment

Funds Collection

Holds funds only

Collects funds immediately

Customer Experience

Pending charge

Completed charge

Next Step Required

Yes (capture or reversal)

No

Use Case

Variable amounts, pre-auth

Fixed amounts, direct sales

Expiration

7 days typically

N/A (already collected)

PreviousPayments - Complete FlowNextCard Validation

Last updated