Prerequisites (once per merchant/environment)

You need the following credentials and configuration elements before calling the SIBS SPG APIs:

• AuthToken : used as Authorization: Bearer <AuthToken> for REST calls
• TerminalId : the terminal ID assigned to the merchant, by the SIBS OnBoarding team
• X-IBM-Client-Id : merchant application identifier assigned by the SIBS OnBoarding team

Choose environment root URLs (you will use them in the API base URL and in the widget URL).

Please refer to the API Requests documentation page for more information.

API Request Flow

In a Two-step MB WAY (AUTH → CAPTURE) Form Integration, the process is divided into:

1. Checkout creation (server-to-server)
2. Payment form rendering (frontend – SPG widget)
3. Authorization result handling (redirect + backend validation)
4. Capture the authorized transaction (server-to-server)
5. Check capture status (backend)

1) Prepare the checkout (server-to-server)

Goal: Create a checkout session configured for Authorization only (paymentType = AUTH) and obtain the parameters required to render the SPG form.

What you do

1.1 POST Checkout Payment to:

curl -X POST "https://api.qly.sibspayments.com/sibs/spg/v2/payments" \
  --header "Authorization: Bearer <AuthToken>" \
  --header "X-IBM-Client-Id: <ClientId>" \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --data '{
    "merchant": {
        "terminalId": "<terminalId>",
        "channel": "web",
        "merchantTransactionId": "unique-order-id"
    },
    "transaction": {
        "transactionTimestamp": "2026-02-27T17:57:06.498Z",
        "description": "Transaction short description",
        "moto": false,
        "paymentType": "AUTH",
        "amount": {
            "value": 5.10,
            "currency": "EUR"
        },
        "paymentMethod": ["MBWAY"]
    }
  }'

Important

• paymentType must be set to “AUTH“
• paymentMethod must include "MBWAY" (i.e., ["MBWAY"])
• merchantTransactionId must be unique per transaction

Headers

• Authorization: Bearer <AuthToken>
• X-IBM-Client-Id: <ClientId>
• Content-Type: application/json
• Accept: application/json

What you do in this step

• Create a new payment session.
• Define the payment type (AUTH for the first step for the two-step payment).
• Restrict the payment method to "MBWAY".
• Send the total amount and currency.

This call registers the payment and prepares the transaction for the hosted form.

1.2. Store from the successful response:

From the Checkout response, you must store:

• transactionID : (you’ll inject it in the widget script URL)
• transactionSignature : (you’ll inject it into the HTML form attribute)
• formContext : (you’ll inject it into the HTML form attribute)
• paymentMethodList : (SIBS SPG may also return available methods)

These values are required to:

• Load the SIBS SPG widget
• Render the payment form
• Perform server-side status validation

Also, the following values will have an important role after the authorization in the form, namely:

• transactionID : used to capture the final amount
• merchantTransactionId : internal reconciliation id
• Authorization amount : authorized amount by the Client

Notes

• merchantTransactionId is your internal order identifier (maximum 35 characters, unique per transaction).
• paymentType must be "AUTH" for two-step purchase
• The checkout session expires after 4 minutes. After expiration, the hosted form cannot be rendered and a new Checkout must be created.

2) Create the payment form link (Widget) + customization (front-end)

Goal: Render the SPG hosted MB WAY form and allow the customer to perform the Authorization.

2.1 Include the SIBS SPG widget script (using transactionID)

Add the script tag to your checkout page:

<script src="https://spg.qly.site1.sibs.pt/assets/js/widget.js?id={transactionID}"></script>

This is the standard Form Integration approach. The script URL must include the transactionID returned in the Checkout response.

2.2 Add the <form> element and inject formContext + transactionSignature + config/style

You must have a form with class paymentSPG and the required SPG attributes:

<form class="paymentSPG"
      spg-context="{formContext}"
      spg-signature="{transactionSignature}"
      spg-config="{formConfig}"
      spg-style="{formStyle}">
</form>

SIBS SPG explicitly defines:

• spg-context : the formContext you received from Checkout
• spg-signature : the transactionSignature you received from Checkout
• spg-config : merchant configuration (JSON string),
• spg-style : optional styling configuration (JSON string).

2.3 formConfig – minimal config for MB WAY two-step purchase

At minimum, your config must:

• Restrict the form to MB WAY using paymentMethodList
• Set redirectUrl (where the customer returns after the form finishes)
• The amount is defined in the Checkout request and does not need to be redefined in formConfig.
• Set language to match your checkout language.

Example (conceptual):

const formConfig = JSON.stringify({
  paymentMethodList: ["MBWAY"],
  redirectUrl: "https://merchant.example.com/payment-return",
  language: "en"
});

Supported values for paymentMethodList include MBWAY, REFERENCE, CARD (display depends on merchant permissions).

2.4 formStyle – optional UI customization

If you want to align the SIBS SPG form with your brand, SIBS SPG supports a style object with parameters like layout/theme/colors/font.
Example (conceptual):

const formStyle = JSON.stringify({
  layout: "default",
  theme: "light",
  color: { 
      primary: "#0033A1" 
  }
});

Optional: react to “Pay” click events in real time

SIBS SPG supports event monitoring via window.postMessage from the iframe so you can show a spinner / tracking / UX actions when the user clicks “Pay”.

What Happens After Form Submission?

1. A push notification is sent to the MB WAY mobile app.
2. Customer authorizes the transaction in the MB WAY app.
3. The transaction is near processed in real-time.
4. Customer is redirected to redirectUrl.

MB WAY Behaviour (Two-step AUTH)

• MB WAY is a near real-time payment method.
• After customer confirmation, the transaction is authorized.
• The status must always be validated server-to-server.
• The authorization reserves funds but does not settle them.
• The authorization must only be considered completed when paymentStatus = "Success“.

Notes

• The form performs Authorization only (funds reserved).
• If the checkout session expires (4 minutes), the hosted form will no longer load correctly, and a new checkout session must be created.
• Even after redirection, the final transaction result must always be validated via the status endpoint.

3) CHECK PAYMENT STATUS UNTIL IT IS AUTHORIZED (BACK-END)

Goal: Confirm the final authorization outcome after the customer completes the MB WAY authorization flow.

Even though MB WAY is a near real-time payment method, the final result must always be validated server-to-server.

3.1 When to check status

You must verify the transaction status:

• After the customer is redirected to the redirectUrl
• After receiving a Merchant Notification (if configured)

Unlike Multibanco Reference, MB WAY payments do not remain pending for extended periods.

The authorization must only be considered finalized after confirming the status via API.

3.2 Status endpoints you can use

SIBS SPG documents two common options:

• GET /api/v2/payments/{transactionID}/status (where {transactionID} is transactionID from the checkout operation)
• GET /api/v2/payments/status?merchantTransactionId=... (query by your merchant transaction id)

curl -v -X GET "https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/status" \
--header "X-IBM-Client-Id: <ClientId>" \
--header "Authorization: Bearer <AuthToken>" \
--header "Accept: application/json" \
--header "Content-Type: application/json"

Where {transactionID} is the value obtained in the Checkout response (Step 1).

3.3 Required headers (status call)

• Authorization: Bearer <AuthToken>
• X-IBM-Client-Id: <clientid>
• Content-Type: application/json
• Accept: application/json

3.4 What statuses to expect (high level)

The response includes paymentStatus, typically with values such as:

• Success
• Declined
• Error
• Pending
• InProcessing
• Timeout

MB WAY Behaviour

• Success : Authorization approved and funds reserved
• Declined : Transaction refused by issuer
• Error : Technical or processing error
• Pending : Temporary state during authentication or processing

The authorization must only be considered successful when:

• paymentStatus = "Success“
• returnStatus.statusCode = "000“

Only then should the transaction be considered Authorized. Funds are now reserved but not captured.

3.5 Recommended validation strategy

For MB WAY Form Integration:

• After redirection, immediately call the /status endpoint.
• Do not rely solely on front-end redirection parameters.
• If Pending, retry status after a short delay (few seconds).
• Stop when a final state is reached (Success, Declined, Error).

Polling for MB WAY should be short-lived and limited to the customer confirmation window.

Important Notes

• MB WAY is a near real-time payment method.
• There is no extended waiting period (unlike Multibanco Reference).
• The final payment confirmation must always be validated server-to-server.

4) CAPTURE THE AUTHORIZED TRANSACTION (SERVER-TO-SERVER)

Goal: Convert a previously authorized transaction (funds reserved) into a settled payment by executing a Capture operation.

In a Two-step flow, authorization does not transfer funds.
Funds are only settled after this capture call.

What you do

4.1 Decide when to capture

Capture is triggered after your business condition is met, for example:

• Order validated / stock confirmed
• Service delivered or ready to deliver
• Shipment confirmed
• Manual approval completed

Important: Capture must occur within the authorization validity window (scheme rules / issuer policies).

4.2 POST Capture request

curl -v -X POST "https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/capture" \
--header "X-IBM-Client-Id: <ClientId>" \
--header "Authorization: Bearer <AuthToken>" \
--header "Accept: application/json" \
--header "Content-Type: application/json"
--data '{
    "merchant": {
        "terminalId": "<terminalId>",
        "channel": "web",
        "merchantTransactionId": "unique-capture-id"
    },
    "transaction": {
        "transactionTimestamp": "2026-02-27T18:03:05.190Z",
        "description": "Capture operation",
        "amount": {
            "value": 5.00,
            "currency": "EUR"
        }
    }
}'

Where:

• {transactionID} is the transaction created in the checkout step and authorized by the customer.

The capture must only be considered successful when:

• paymentStatus = "Success“
• returnStatus.statusCode = "000“

What happens

• SPG validates that the transaction is in a capturable state (Authorized).
• If valid, SPG captures the amount (full or partial if supported/configured).
• The transaction moves toward a final state where settlement is completed.

What to store from the response

Store at least:

• Capture result status (success/failure)
• The transactionID returned in the capture response (it is different from the original authorization transactionID).
• Your merchantTransactionId for reconciliation/audit
• Captured amount

Important Notes

• The capture amount must not exceed the authorized amount.
• Partial capture depends on merchant configuration / scheme rules.
• Capture operations must be implemented idempotently to prevent duplicate settlement in case of retry scenarios or network failures.
• If the authorization expires before capture, the funds are released and capture will fail.

5) CHECK PAYMENT (CAPTURE) STATUS (BACK-END)

Goal: Confirm the final capture outcome after the capture operation.

5.1 When to check status

You must verify the capture transaction status right after the capture operation returns successfully. The transaction must only be considered finalized after confirming the status via API.

5.2 Status endpoints you can use

SIBS SPG documents two common options:

• GET /api/v2/payments/{transactionID}/status (where {transactionID} is the transactionID returned by the Capture operation)

curl -v -X GET "https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/status" \
--header "X-IBM-Client-Id: <ClientId>" \
--header "Authorization: Bearer <AuthToken>" \
--header "Accept: application/json" \
--header "Content-Type: application/json"

Where {transactionID} is the value obtained in the Capture response (Step 4).

5.3 Required headers (status call)

• Authorization: Bearer <AuthToken>
• X-IBM-Client-Id: <clientid>
• Content-Type: application/json
• Accept: application/json

5.4 What statuses to expect (high level)

The response includes paymentStatus, typically with values such as:

• Success
• Declined
• Error
• Pending
• InProcessing
• Timeout

MB WAY Behaviour

• Success : Capture approved and funds settled.
• Declined : Transaction refused by issuer
• Error : Technical or processing error
• Pending : Temporary state while the capture is being processed by SPG.

The capture must only be considered successful when:

• paymentStatus = "Success“
• returnStatus.statusCode = "000“

Only then should the transaction be considered Captured and Settled.