QRIS Merchant Presented mode (MPM) Dinamis Notification v1.1


QRIS Merchant Presented mode (MPM) Dynamic Notification?

Quick Response Code Indonesian Standard or abbreviated as QRIS (read KRIS) is the unification of various QR types from various Payment System Service Providers (PJSP) using a QR Code. QRIS was developed by the payment system industry together with Bank Indonesia so that the transaction process with the QR Code can be easier, faster and more secure.

With QRIS, any payment application used by the public, from any operator, bank or non-bank, can be used at all shops, merchants, stalls, parking lots, tourist ticket counters and donation points (merchants) bearing the QRIS logo, even when the merchant's QRIS provider differs from the provider of the application the customer uses.

QRIS Customer Presented Mode (MPM) Dynamic itself is a QR code method in which the customer shows the QR code from their payment application, which is then scanned on a device owned by the merchant.

Example of Using the Dynamic QRIS Customer Presented Mode (CPM) API

QRIS CPM Dynamic is intended for merchants who require high transaction speeds, such as transportation, parking and modern retail providers, where customers only need to scan the QR code from the payment application on the device provided by the merchant.

API Information

Title: QRIS Merchant Presented Mode (MPM) Dinamis Notification
Version: v1.1
URL Sandbox: provided by partners
URL Production: provided by partners

Version Control

| API Version | Date | Link to document | Description |
|---|---|---|---|
| v1.0 | 13 April 2022 | Here | Baseline version. |
| v1.1 | 19 February 2024 | This page | Addition of field issuerRrn to the QR Inquiry endpoint |

Product Description

Product Overview

This document describes the API specification for Dynamic QRIS MPM Notification. In this scheme the merchant issues a QRIS code and the customer scans the merchant's QRIS with their device. BRI then sends a notification (callback) in accordance with the predetermined specification.

Endpoint

A. Get token

Endpoint Description

This endpoint is used to get an access token, which serves as authentication when accessing other APIs. Pilot testing checks that the integrator does not call Get Token on every endpoint access.

General Information

HTTP Method: POST
Path: /snap/v1.1/access-token/b2b
Type Format: JSON
Authentication: Digital Signature

Header Structure

| Key | Value | Format | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|---|
| X-SIGNATURE | | | M | | With the asymmetric signature algorithm SHA256withRSA (Private_Key, stringToSign); stringToSign is defined below the table | |
| X-CLIENT-KEY | | Alphanumeric | M | | Client's client_id (PJP name) (provided during the registration process) | |
| X-TIMESTAMP | | Datetime | M | | Current client local time in yyyy-MM-ddTHH:mm:ss.SSSTZD format | |
| Content-Type | application/json | | M | | | |

stringToSign = client_ID + "|" + X-TIMESTAMP

Request Structure

| Field | Data Type | Format | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|---|
| grantType | String | Alphabet | M | | “client_credentials”: a client may request an access token using only its client credentials (or other supported means of authentication) when the client requests access to a protected resource under its control. (OAuth 2.0: RFC 6749 & 6750) | client_credentials |

Response Structure

| Field | Data Type | Format | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|---|
| responseCode | String | Numeric | C | | Response code | |
| responseMessage | String | Alphabet | C | | Response description | |
| accessToken | String | Alphanumeric | M | | The access token type provides the client with the information necessary to successfully use the access token to protect the resource request (along with type-specific attributes). Token types: “Bearer”: includes the access token string during the request; “Mac”: issues a message authentication code (MAC) key along with the access token that is used to sign certain components of the HTTP request. Reference: OAuth 2.0 RFC 6749 & 6750 | |
| tokenType | String | Alphabet | M | | | |
| expiresIn | String | Alphanumeric | M | | The session ends in seconds: 900 (15 minutes) | |

Request & Response Payload Sample

Request :

{
  "grantType": "client_credentials"
}

Normal Response :

{
   "accessToken": "jwy7GgloLqfqbZ9OnxGxmYOuGu85",
   "tokenType": "BearerToken",
   "expiresIn": "899"
}

Error Response :

{
   "responseCode": "4007301",
   "responseMessage": "Invalid Field Format"
}

 

List of Error/Response Code

| HTTP Status | Response Code | Status | Response Description | Description |
|---|---|---|---|---|
| 200 | - | Success | - | |
| 400 | 4007300 | Failed | Bad Request | |
| 400 | 4007301 | Failed | Invalid Field Format | |
| 401 | 4017300 | Failed | Unauthorized Client | |
| 401 | 4017300 | Failed | Unauthorized stringToSign | |
| 401 | 4017300 | Failed | Unauthorized Signature | |
| 401 | 4017301 | Failed | Invalid Token (B2B) | |
| 500 | 500000 | Failed | General Error | |

All error responses not listed in the BRIAPI response list have a pending status and need to be checked.

 

Signature

The signature ensures that the transmitted data is authentic and cannot be repudiated. The signature is generated by the service user and verified by the service receiver.

The signature is formed from the specified payload, by implementing the HMAC_SHA512 algorithm with clientSecret as the key.

 

Payload

The payload is composed of the verb, path, token, timestamp, and body, using the Symmetric-Signature format:

HMAC_SHA512(clientSecret, stringToSign), with the formula stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + AccessToken + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp

Example:

POST:/snap/v1.0/dummy:muhpwhwOkPRU9nNXYnyYHj8t54x3:8b4e9e83b5231cff4f84358ec8ca81951cfe9f999f635b1566452a501d5c23b2:2021-11-29T09:22:18.172+07:00

The details of each element in the payload are described below:

 

Path

The path value is the URL after the hostname and port, without query parameters.

Example:

https://sandbox.partner.api.bri.co.id/qr/qr-mpm-notify becomes qr/qr-mpm-notify

 

Verb

The HTTP method in capital letters. Example: GET, POST, PUT, PATCH, and DELETE.

 

Token

The token used in the Authorisation header.

Example:

Bearer R04XSUbnm1GXNmDiXx9ysWMpFWBr

 

Timestamp

The time when sending the API request. The time format must follow ISO8601 format (yyyy-MM-ddTHH:mm:ss.SSSZ). Must be within zero UTC offset.

Example:

2021-11-02T13:14:15.678+07:00

 

Body

Body when submitting an API request. Lowercase(HexEncode(SHA-256(minify(RequestBody))))

Example: {"hello": "world"}

SHA256 result: a47a5f14b3e78b5e3d3f81b1a1468499be964660f818c10adcac792c42709749

If there is no request body, for example using the GET method, just leave it blank.

Reference: https://developers.bri.co.id/id/snap-bi/apidocs-oauth-snap-bi
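The stringToSign and HMAC_SHA512 construction above, together with the check a notification receiver would run, as an added example that is not BRI's own code. The Base64 encoding of the MAC, the 5-minute freshness window and the function names are assumptions; the page does not specify them.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import urlsplit

MAX_SKEW = timedelta(minutes=5)  # assumption: the page defines no freshness window

def minify(body: str) -> str:
    """Remove whitespace outside JSON string literals, leaving values untouched."""
    out, in_str, esc = [], False, False
    for ch in body:
        if in_str:
            out.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif ch not in " \t\r\n":
            out.append(ch)
    return "".join(out)


def string_to_sign(method, url, token, body, timestamp):
    # Path = URL after host and port, query dropped, leading "/" kept as in the
    # page's stringToSign example; token is the bare value without "Bearer".
    body_hash = hashlib.sha256(minify(body).encode()).hexdigest()  # lowercase hex
    return ":".join([method.upper(), urlsplit(url).path, token, body_hash, timestamp])


def sign(secret, method, url, token, body, timestamp):
    msg = string_to_sign(method, url, token, body, timestamp).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha512).digest()
    return base64.b64encode(mac).decode()  # assumption: Base64 on the wire


def verify(secret, received, method, url, token, body, timestamp, now):
    """Receiver side: reject bad or stale timestamps, then constant-time compare."""
    try:
        fresh = abs(now - datetime.fromisoformat(timestamp)) <= MAX_SKEW
    except (ValueError, TypeError):  # unparsable or timezone-less timestamp
        return False
    expected = sign(secret, method, url, token, body, timestamp)
    return fresh and hmac.compare_digest(expected.encode(), received.encode())
```

Pass `verify` the raw request body exactly as received, before any JSON parsing, so the hash covers the text the sender signed.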

B. Notify Payment QR MPM Dinamis

Endpoint Description

The Dynamic MPM QR Payment Notify API is used to send Dynamic MPM QR payment notifications to partners.

General Information

HTTP Method: POST
Path: /v1.1/qr-dynamic/qr-mpm-notify
Type Format: JSON
Authentication: OAuth 2.0

Header Structure

| Key | Value | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|
| Content-Type | application/json | M | - | | |
| Authorization | Bearer token | M | - | | |
| X-SIGNATURE | signature | M | 64 | With the asymmetric signature algorithm SHA256withRSA (Private_Key, stringToSign); stringToSign is defined below the table | |
| X-TIMESTAMP | timestamp | M | - | Current client local time in yyyy-MM-ddTHH:mm:ss.SSSTZD format | 2020-01-15T17:01:11+07:00 |
| ORIGIN | | O | | | www.hostname.com |
| X-PARTNER-ID | | M | | Partner ID provided by the partner | 82150823919040624621823174737537 |
| X-EXTERNAL-ID | | M | | External ID that is unique to each transaction | 41807553358950093184162180797837 |
| X-IP-ADDRESS | | O | | IP Address of Device | 172.24.281.24 |
| X-DEVICE-ID | | O | | Device ID | 09864ADCASA |
| X-LATITUDE | | O | | Device Latitude | -6.108841 |
| X-LONGITUDE | | O | | Device Longitude | 106.7782137 |
| CHANNEL-ID | | O | | ID Channel | 95221 |

stringToSign = client_ID + "|" + X-TIMESTAMP

Request Structure

| Field | Data Type | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|
| originalReferenceNo | String | M | 12 | Transaction identification number in the service provider's system | 123456123456 |
| originalPartnerReferenceNo | String | M | 6 | The last 6 digits of the transaction identification number sent to the customer service system | 123456 |
| latestTransactionStatus | String | O | 2 | 00 - Success; 01 - Initiated; 02 - Paying; 03 - Pending; 04 - Refunded; 05 - Canceled; 06 - Failed; 07 - Not found | 00 |
| transactionStatusDesc | String | O | 50 | Description of the transaction status | success |
| customerNumber | String | M | 64 | Customer account number | 6281388370001 |
| accountType | String | O | 25 | Account type | tabungan |
| destinationAccountName | String | M | 25 | Name of the owner of the destination account | John Doe |
| amount | Object | M | | The detailed contents of the object amount are in the table below | |
| bankCode | String | O | 8 | Bank Code | 002 |
| additionalInfo | Object | O | | Details of the contents of the additionalInfo object are in the table below | |

 

Request Structure in Object "amount"

| Field | Data Type | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|
| value | Decimal | M | 18 | The net amount of the transaction. If the currency is IDR, the value includes 2 decimal places. For example, IDR 10,000,- is written as 10000.00 | 12345678.00 |
| currency | String | M | 3 | 3 digit ISO code Currency | IDR |

Request Structure in Object "additionalInfo"

| Field | Data Type | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|
| reffId | String | O | | ID Reff | 1001016773 |
| issuerName | String | O | | Issuer name | GOPAY |
| issuerRrn | String | O | | Issuer RRN | 110002756582 |

Response Structure

| Field | Data Type | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|
| responseCode | String | M | 7 | Response code | 2005200 |
| responseMessage | String | M | 150 | Response description | Request has been processed successfully |
| additionalInfo | Object | O | | The contents of this additionalInfo object are described in the table below | |

Response Structure in Object "additionalInfo"

| Field | Data Type | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|
| reffId | String | O | | ID Reff | 1001016773 |
| issuerName | String | O | | Issuer name | GOPAY |
| issuerRrn | String | O | | Issuer RRN | 110002756582 |

 

Request & Response Payload Sample

Request :

{
  "originalReferenceNo": "2020102977770000000009",
  "originalPartnerReferenceNo": "2020102900000000000001",
  "latestTransactionStatus": "00",
  "transactionStatusDesc": "success",
  "customerNumber": "6281388370001",
  "accountType": "tabungan",
  "destinationAccountName": "John Doe",
  "amount": {
    "value": "12345678.00",
    "currency": "IDR"
  },
  "sessionID": "0UYEB77329002HY",
  "bankCode": "002",
  "externalStoreID": "124928924949487",
  "additionalInfo": {
    "reffId": "1001016773",
    "issuerName": "GOPAY",
    "issuerRrn": "110002756582"
  }
}

Normal Response :

{
  "responseCode": "2005200",
  "responseMessage": "Successfull",
  "additionalInfo": {
    "reffId": "1001016773",
    "issuerName": "GOPAY",
    "issuerRrn": "110002756582"
  }
}

List of Error/Response Code

 

| HTTP Status | Service Code | Code | Status | Response Description | Description |
|---|---|---|---|---|---|
| 200 | 52 | 00 | Success | Successful | Success |
| 400 | 52 | 01 | Failed | Invalid Field Format {field name} | Invalid Format |
| 400 | 52 | 02 | Failed | Invalid Mandatory Field {field name} | Missing or invalid format on mandatory field |
| 500 | 52 | 00 | Failed | General Error | General Error |
| 500 | 52 | 01 | Failed | Internal Server Error | Retrieve Data Failed or Database Error |
| 504 | 52 | 00 | Failed | Timeout | Timeout from the issuer |

All error responses not listed in the BRIAPI response list have a pending status and need to be checked.

C. Get Token

Endpoint Description

The Notify Payment QR MPM Dynamic API is used to obtain tokens as a security measure from partners.

General Information

HTTP Method: POST
Path: /v1.1/qr-dynamic/token
Type Format: x-www-form-urlencoded
Authentication: OAuth 2.0

Header Structure

| Key | Value | Format | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|---|
| X-SIGNATURE | | | M | | Retrieved from the asymmetric signature algorithm SHA256withRSA (Private_Key, stringToSign); stringToSign is defined below the table | |
| X-CLIENT-KEY | | Alphanumeric | M | | Client's client_id (PJP name) (given upon completion of registration process) | |
| X-TIMESTAMP | | Datetime | M | | Client's current local time in yyyy-MM-ddTHH:mm:ss.SSSTZD format | |
| Content-Type | application/json | | M | | | |

stringToSign = client_ID + "|" + X-TIMESTAMP

Request Structure

| Field | Data Type | Format | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|---|
| grantType | String | Alphabet | M | | “client_credentials”: a client may request an access token using only its client credentials (or other supported means of authentication) when the client requests access to a protected resource under its control. (OAuth 2.0: RFC 6749 & 6750) | client_credentials |

Response Structure

| Field | Data Type | Format | Mandatory | Length | Description | Example |
|---|---|---|---|---|---|---|
| responseCode | String | Numeric | C | | Response code | |
| responseMessage | String | Alphabet | C | | Response description | |
| accessToken | String | Alphanumeric | M | | The access token type provides the client with the information necessary to successfully use the access token to protect the resource request (along with type-specific attributes). Token types: “Bearer”: includes the access token string during the request; “Mac”: issues a message authentication code (MAC) key along with the access token that is used to sign certain components of the HTTP request. Reference: OAuth 2.0 RFC 6749 & 6750 | |
| tokenType | String | Alphabet | M | | | |
| expiresIn | String | Alphanumeric | M | | The session ends in seconds: 900 (15 minutes) | |

Request & Response Payload Sample

Request :

{
   "grantType": "client_credentials"
}

Normal Response :

{
   "accessToken": "jwy7GgloLqfqbZ9OnxGxmYOuGu85",
   "tokenType": "BearerToken",
   "expiresIn": "899"
}

Error Response :

{
   "responseCode": "4007301",
   "responseMessage": "Invalid Field Format"
}

List of Error/Response Code

| HTTP Status | Response Code | Status | Response Description | Description |
|---|---|---|---|---|
| 200 | - | Success | - | |
| 400 | 4007300 | Failed | Bad Request | |
| 400 | 4007301 | Failed | Invalid Field Format | |
| 401 | 4017300 | Failed | Unauthorized Client | |
| 401 | 4017300 | Failed | Unauthorized stringToSign | |
| 401 | 4017300 | Failed | Unauthorized Signature | |
| 401 | 4017301 | Failed | Invalid Token (B2B) | |
| 500 | 500000 | Failed | General Error | |

All error responses not listed in the BRIAPI response list have a pending status and need to be checked.