Menu
Back to homepage

PAYMENT GATEWAY

Back to homepage

[THK] D.3.1.2 Two-step payment – MBWAY [Server-to-Server Integration]

Prerequisites (once per merchant/environment)

You need the following credentials and configuration elements before calling the SIBS SPG APIs:

  • AuthToken : used as Authorization: Bearer <AuthToken> for REST calls
  • TerminalId : the terminal ID assigned to the merchant, by the SIBS OnBoarding team
  • X-IBM-Client-Id : merchant application identifier assigned by the SIBS OnBoarding team

Choose environment root URLs (you will use them in the API base URL).

Please refer to the API Requests documentation page for more information.

API Request Flow

In a Two-step MB WAY (AUTH → CAPTURE) Server-to-Server Integration, the process is divided into:

  1. Checkout creation (server-to-server – AUTH configuration)
  2. MB WAY Authorization (customer approval in MB WAY app)
  3. Authorization status validation (backend)
  4. Capture the authorized transaction (server-to-server)
  5. Capture status validation (backend)

MB WAY is an asynchronous payment method. Authorization depends on the customer approving the transaction in the MB WAY mobile application.

1) Prepare the checkout (server-to-server)

Goal: Create a checkout session configured for Authorization only (paymentType = AUTH) and obtain the identifiers required for the subsequent server-to-server operations (authorization, status validation and capture).

What you do

1.1 POST Checkout Payment to:

curl -X POST "https://api.qly.sibspayments.com/sibs/spg/v2/payments" \
  --header "Authorization: Bearer <AuthToken>" \
  --header "X-IBM-Client-Id: <ClientId>" \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --data '{
    "merchant": {
        "terminalId": "<terminalId>",
        "channel": "web",
        "merchantTransactionId": "unique-order-id"
    },
    "transaction": {
        "transactionTimestamp": "2026-02-27T17:57:06.498Z",
        "description": "Transaction short description",
        "moto": false,
        "paymentType": "AUTH",
        "amount": {
            "value": 5.10,
            "currency": "EUR"
        },
        "paymentMethod": ["MBWAY"]
    }
  }'

Important

  • paymentType must be set to “AUTH
  • paymentMethod must include "MBWAY" (i.e., ["MBWAY"])
  • merchantTransactionId must be unique per transaction

Headers

  • Authorization: Bearer <AuthToken>
  • X-IBM-Client-Id: <ClientId>
  • Content-Type: application/json
  • Accept: application/json

What you do in this step

  • Create a new payment session.
  • Define the payment type (AUTH for the first step for the two-step payment).
  • Restrict the payment method to "MBWAY".
  • Send the total amount and currency.

This call registers the payment and prepares the transaction for the subsequent server-to-server operations.

1.2. Store from the successful response:

From the Checkout response, you must store:

  • transactionID : used in subsequent calls
  • transactionSignature: required to authorize the MB WAY purchase call (Authorization: Digest {transactionSignature})

Also, the following values will have an important role after the authorization, namely:

  • transactionID : used to capture the final amount
  • merchantTransactionId : internal reconciliation id
  • Authorized amount : amount reserved after successful MB WAY approval

Field Notes

merchant

  • terminalId : Merchant terminal provided by SIBS
  • channel : Integration channel (web, app, etc.)
  • merchantTransactionId : Unique merchant-side identifier (use idempotency controls to prevent duplicates)

transaction

  • transactionTimestamp : Current timestamp in ISO 8601 format
  • description : Free text description
  • moto : Mail Order / Telephone Order flag
  • paymentType : AUTH (Authorization only for two-step flow)
  • amount.value : Decimal value (dot as decimal separator, e.g. 19.20)
  • amount.currency : ISO currency code
  • paymentMethod : Must include "MBWAY"

Notes

  • merchantTransactionId is your internal order identifier (maximum 35 characters, unique per transaction).
  • paymentType must be "AUTH" for two-step purchase
  • The checkout session expires after 4 minutes. After expiration, you cannot initiate the MB WAY operation and must create a new Checkout.

2) PERFORM MB WAY AUTHORIZATION (SERVER-TO-SERVER)

Goal: Trigger the MB WAY authorization request so that the customer receives a push notification in the MB WAY mobile app.

This step performs the Authorization only. Funds are reserved (authorized) but not captured.

2.1 Collect the customer phone number

The MB WAY alias is the customer mobile phone number.

MBWAY Alias format:

351#910000000

This represents:

  • Country code (e.g., 351 for Portugal)
  • Separator #
  • MBWAY Account Mobile number

2.2 Initiate the MB WAY purchase (Authorization step)

curl --location 'https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/mbway-id/purchase' \
--header "X-IBM-Client-Id: b824198a-321c-4f53-9bcb-832281d95735" \
--header "Authorization: Digest {transactionSignature}" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{
    "customerPhone": "351#910000000",
    "inApp": true
}'

Headers

  • Authorization: Digest {transactionSignature}
  • X-IBM-Client-Id: {clientId}
  • Content-Type: application/json
  • Accept: application/json

2.3 Request body

{
  "customerPhone": "351#910000000",
  "inApp": true
}

Where:

  • customerPhone: MB WAY alias (required)
  • inApp: optional boolean to optimize mobile experiences

2.4 Immediate response behaviour

After the purchase request:

  • MB WAY is an asynchronous payment method. After the authorization request, the transaction typically moves to Pending while the customer authorizes the payment in the MB WAY app.
  • The customer receives a push notification in the MB WAY app
  • The final result is asynchronous
  • The operation response does not represent the final authorization result.

Optional inApp behaviour:

  • If inApp = true, the customer can be redirected back to the merchant mobile app after accepting or declining the payment.
  • If inApp is absent from the request payload, the default is false

3) CHECK PAYMENT STATUS UNTIL IT IS AUTHORIZED (BACK-END)

Goal: Confirm the final authorization outcome after the customer completes the MB WAY authorization flow.

Even though MB WAY is a near real-time payment method, the final result must always be validated server-to-server.

3.1 When to check status

You must verify the transaction status:

  • After receiving a Merchant Notification (recommended, if configured)
  • Or, if you don’t use notifications, poll the /status endpoint until the authorization becomes final.

Unlike Multibanco Reference, MB WAY payments do not remain pending for extended periods.

The authorization must only be considered finalized after confirming the status via API.

3.2 Status endpoints you can use

SIBS SPG documents two common options:

  • GET /api/v2/payments/{transactionID}/status (where {transactionID} is transactionID from the checkout operation)
  • GET /api/v2/payments/status?merchantTransactionId=... (query by your merchant transaction id)
curl -v -X GET "https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/status" \
--header "X-IBM-Client-Id: <ClientId>" \
--header "Authorization: Bearer <AuthToken>" \
--header "Accept: application/json" \
--header "Content-Type: application/json"

Where {transactionID} is the value obtained in the Checkout response (Step 1).

3.3 Required headers (status call)

  • Authorization: Bearer <AuthToken>
  • X-IBM-Client-Id: <clientid>
  • Content-Type: application/json
  • Accept: application/json

3.4 What statuses to expect (high level)

The response includes paymentStatus, typically with values such as:

  • Success
  • Declined
  • Error
  • Pending
  • InProcessing
  • Timeout

MB WAY Behaviour

  • Success : Authorization approved (funds reserved)
  • Declined : Authorization refused or cancelled
  • Error : Technical or processing error
  • Pending : Temporary state during authentication or processing
  • Timeout : Authorization timed out (customer did not approve within allowed time)

The authorization must only be considered successful when:

  • paymentStatus = "Success
  • returnStatus.statusCode = "000

Only then should the transaction be considered Authorized. Funds are now reserved but not captured.

3.5 Polling strategy (minimal, practical skeleton)

  • Poll GET /api/v2/payments/{transactionID}/status every 3-5 seconds (recommended)
  • Stop when paymentStatus is one of: Success, Declined, Error, Timeout
  • If still Pending / InProcessing, continue polling (with a 60–120 second max time cap)

Even if polling is implemented, SIBS SPG supports Merchant Notification (webhooks) for asynchronous payments. This is the recommended approach for MB WAY.

Important Notes

  • MB WAY is a near real-time payment method.
  • There is no extended waiting period (unlike Multibanco Reference).
  • The final payment confirmation must always be validated server-to-server.

4) CAPTURE THE AUTHORIZED TRANSACTION (SERVER-TO-SERVER)

Goal: Convert a previously authorized transaction (funds reserved) into a settled payment by executing a Capture operation.

In a Two-step flow, authorization does not transfer funds.
Funds are only settled after this capture call.

What you do

4.1 Decide when to capture

Capture is triggered after your business condition is met, for example:

  • Order validated / stock confirmed
  • Service delivered or ready to deliver
  • Shipment confirmed
  • Manual approval completed

Important: Capture must occur within the authorization validity window defined by MB WAY / acquiring configuration.

4.2 POST Capture request

curl -v -X POST "https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/capture" \
--header "X-IBM-Client-Id: <ClientId>" \
--header "Authorization: Bearer <AuthToken>" \
--header "Accept: application/json" \
--header "Content-Type: application/json"
--data '{
    "merchant": {
        "terminalId": "<terminalId>",
        "channel": "web",
        "merchantTransactionId": "unique-capture-id"
    },
    "transaction": {
        "transactionTimestamp": "2026-02-27T18:03:05.190Z",
        "description": "Capture operation",
        "amount": {
            "value": 5.00,
            "currency": "EUR"
        }
    }
}'

Where:

  • {transactionID} is the original AUTH transactionID (from the Checkout/Authorization flow).

The capture must only be considered successful (capture transaction) when:

  • paymentStatus = "Success
  • returnStatus.statusCode = "000

What happens

  • SPG validates that the transaction is in a capturable state (Authorized).
  • If valid, SPG captures the amount (full or partial if supported/configured).
  • The transaction moves toward a final state where settlement is completed.

What to store from the response

Store at least:

  • Capture result status (success/failure)
  • The transactionID returned in the capture response (it is different from the original authorization transactionID).
  • Your merchantTransactionId for reconciliation/audit
  • Captured amount

Important Notes

  • The capture amount must not exceed the authorized amount.
  • Partial capture depends on merchant configuration / acquiring configuration.
  • Capture operations must be implemented idempotently to prevent duplicate settlement in case of retry scenarios or network failures.
  • If the authorization expires before capture, the funds are released and capture will fail.

5) CHECK PAYMENT (CAPTURE) STATUS (BACK-END)

Goal: Confirm the final capture outcome after the capture operation.

5.1 When to check status

You must verify the capture transaction status right after the capture operation returns successfully. The transaction must only be considered finalized after confirming the status via API.

5.2 Status endpoints you can use

SIBS SPG documents two common options:

  • GET /api/v2/payments/{transactionID}/status (where {transactionID} is the value returned by the Capture operation – different from the AUTH transactionID)
curl -v -X GET "https://api.qly.sibspayments.com/sibs/spg/v2/payments/{transactionID}/status" \
--header "X-IBM-Client-Id: <ClientId>" \
--header "Authorization: Bearer <AuthToken>" \
--header "Accept: application/json" \
--header "Content-Type: application/json"

Where {transactionID} is the value obtained in the Capture response (Step 4).

5.3 Required headers (status call)

  • Authorization: Bearer <AuthToken>
  • X-IBM-Client-Id: <clientid>
  • Content-Type: application/json
  • Accept: application/json

5.4 What statuses to expect (high level)

The response includes paymentStatus, typically with values such as:

  • Success
  • Declined
  • Error
  • Pending
  • InProcessing
  • Timeout

MB WAY Behaviour

  • Success : Capture approved and funds settled.
  • Declined : Capture refused or cancelled
  • Error : Technical or processing error
  • Pending : Temporary state while the capture is being processed by SPG.

The capture must only be considered successful when:

  • paymentStatus = "Success
  • returnStatus.statusCode = "000

Only then should the transaction be considered Captured and Settled.

On this page:

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.