Welcome

Welcome to Clearhaus Merchant API.

The Merchant API is currently in Public Beta.

General guidelines

  1. Use the link relations provided to interact with the API; don’t rely on URLs (which are not supplied, on purpose)
  2. To query a resource or a collection of resources use GET
  3. To create a resource use POST on a collection link
  4. To update a resource use PATCH on a resource link
  5. To remove a resource use DELETE on a resource link
  6. If you have doubts about what you can do with a given link use OPTIONS
  7. Templated URLs will be provided when appropriate. See URI Template (RFC 6570).

Entrypoints

https://merchant.clearhaus.com       # Production
https://merchant.test.clearhaus.com  # Sandbox

Authentication

Authentication is done via HTTP Bearer scheme.

curl -X GET https://merchant.test.clearhaus.com -H "Authorization: Bearer <access_token>"

The means by which the access_token is obtained follow the OAuth 2.0 Authorization Framework (https://tools.ietf.org/html/rfc6749). See also Client registration and Supported grants.

Client registration

To obtain an access_token and start calling the Merchant API, developers need to register an OAuth Client with Clearhaus to obtain client credentials, client_id and client_secret.

See OAuth Clients to create and manage your Clients.

Client registration can also be done programatically. It follows the OAuth 2.0 Dynamic Client Registration Protocol specification and supports Protected Client Registration (see https://tools.ietf.org/html/rfc7591#appendix-A.1 for information about Open versus Protected Client Registration).

The implementation currently defines the following extension parameter:

name description
description Short description of the purpose of the Client

Example request:

curl -X POST https://merchant.test.clearhaus.com/oauth/clients \
     -H "Authorization: Bearer <access_token>" \
     -H "Content-Type: application/json" \
     -d '{
           "client_name": "Transactions collector bot",
           "grant_types": ["client_credentials"],
           "contacts": ["trxbot@example.com"],
           "description": "Collect and process transaction information"
         }'

Example response:

{
  "client_name": "Transactions collector bot",
  "grant_types": ["client_credentials"],
  "contacts": ["trxbot@example.com"],
  "description": "Collect and process transaction information",
  "client_id": "<client_id>",
  "client_secret": "<client_secret>",
  "_links": {
    "self": {
      "href": "https://merchant.test.clearhaus.com/oauth/clients/2c48923c-bcac-482f-b5d7-5506f32bab61"
    },
    "curies": [
      {
        "href": "https://developer.clearhaus.com/rels/{rel}",
        "templated": true,
        "name": "ch"
      }
    ]
  }
}

The only supported client type is confidential:

OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):

   confidential
      Clients capable of maintaining the confidentiality of their
      credentials (e.g., client implemented on a secure server with
      restricted access to the client credentials), or capable of secure
      client authentication using other means.
...

in OAuth 2.0 Authorization Framework: Client Types.

Supported grants

We support the Client Credentials Grant.

  1. Client Credentials Grant

    Example request:

    curl -X POST https://merchant.test.clearhaus.com/oauth/token \
         -u $CLIENT_ID:$CLIENT_SECRET \
         -H "Content-Type: application/x-www-form-urlencoded" \
         -d "audience=https://merchant.test.clearhaus.com"    \
         -d "grant_type=client_credentials"
    

    Example response:

    {
      "access_token": "<access_token>",
      "token_type": "Bearer",
      "expires_in": 86400,
      "_links": {
        "ch:root": {
          "href": "https://merchant.test.clearhaus.com"
        },
        "curies": [
          {
            "href": "https://developer.clearhaus.com/rels/{rel}",
            "templated": true,
            "name": "ch"
          }
        ]
      }
    }
    

Media types

Error handling

Error responses use application/problem+json (https://tools.ietf.org/html/rfc7807) media type.

The Merchant API currently define the following extension members:

name description
errors Describe the issues with the request invalid parameters
oauth2-token Hint at where the consumer should authenticate before trying again
request-id Used for request traceability

Invalid request parameters:

{
  "title": "Validation Error",
  "status": 400,
  "detail": "The request contains invalid parameters",
  "errors": {
    "currency": [
      "does not follow ISO 4217"
    ]
  },
  "request-id": "ecb2fc78-d992-4fc4-bef5-66cd68a639e8"
}

Unauthorized request:

{
  "title": "Unauthorized",
  "status": 401,
  "detail": "Invalid token",
  "oauth2-token": "https://merchant.test.clearhaus.com/oauth/token",
  "request-id": "98a877f6-d703-44ad-891d-4b4317d7b870"
}

Service unavailable:

{
  "title": "Service Unavailable",
  "status": 503,
  "request-id": "e3ae5e99-67ec-4ac9-a8ff-e75db5833cb8"
}

Pagination

A Collection resource will be paginated.

Pagination links (first, prev, next, last - see IANA Link Relations) are available when appropriate.

A paginated collection provides per_page as a template variable. It defaults to 20 and has a maximum value of 50.

A paginated resource will provide a templated link of the form:

{
  ...
  "_links": {
    "ch:transactions": {
      "href": "https://merchant.test.clearhaus.com/transactions{?query,per_page}",
      "templated": true
    }
  }
  ...
}

File handling

Some resources allow files to be associated with them. Examples of this are Person resources (Company director and owners, where a document with picture and address are required), the Application itself, and Disputes (where one might add copies of invoices and other relevant documentation).

To create a file resource, POST file metadata to ch:files. The resulting resource contains link relations (ch:data) for uploading and downloading the actual binary content.

curl -X POST https://merchant.test.clearhaus.com/people/3128a7e4-9594-42fb-a9bd-4f444b58110f/files \
     -H "Authorization: Bearer <access_token>" \
     -H "Content-Type: application/json" \
     -d '{
           "label": "picture_legitimation",
           "name": "passport.jpg",
           "content_type": "image/jpeg",
           "size": 1234
         }'
{
  "label": "picture_legitimation",
  "name": "passport.jpg",
  "content_type": "image/jpeg",
  "size": 1234,
  "_links": {
    "self": {
      "href": "https://merchant.test.clearhaus.com/files/93cc1a9a-70f7-48d3-afad-d5de920414bc"
    },
    "ch:person": {
      "href": "https://merchant.test.clearhaus.com/people/3128a7e4-9594-42fb-a9bd-4f444b58110f"
    },
    "ch:data": [
      {
        "href": "https://clrhs-staging-cutter.s3.amazonaws.com/5/faf8e4b963ceb372be2cf1b43d37cb3b4eaa7bba503bfb6c41c102710fd695ea.pdf?AWSAccessKeyId=AKIAJES3GRGWBQL7JHXA&Expires=1469819943&Signature=xq029mepfm1ii90b00tfZQQlg94%3D",
        "name": "upload"
      },
      {
        "href": "https://merchant.test.clearhaus.com/files/93cc1a9a-70f7-48d3-afad-d5de920414bc/content",
        "name": "download"
      }
    ],
    "curies": [
      {
        "href": "https://developer.clearhaus.com/rels/{rel}",
        "templated": true,
        "name": "ch"
      }
    ]
  }
}

Once the file resource is created, PUT the binary content to ch:data upload href.

curl -X PUT https://clrhs-staging-cutter.s3.amazonaws.com/5/faf8e4b963ceb372be2cf1b43d37cb3b4eaa7bba503bfb6c41c102710fd695ea.pdf?AWSAccessKeyId=AKIAJES3GRGWBQL7JHXA&Expires=1469819943&Signature=xq029mepfm1ii90b00tfZQQlg94%3D \
     -H "Content-Type: image/jpeg" \
     --upload-file <filepath>

Stamps

Stamps are a means of advancing a resource through a given set of steps.

For example, an Application, once it has all the necessary data, is ready to be submitted. To submit an application, PUT the submitted stamp:

curl -X PUT https://merchant.test.clearhaus.com/applications/ef7c6a50-65d7-47dd-baa6-b7f836d540b1/stamps/submitted \
     -H "Authorization: Bearer <access_token>"

Some stamps can only be added (PUT), others can be removed (DELETE). See Application as example.

Some stamps support an optional note request parameter. See Contract as example.

The documentation for each resource will have details on the supported stamps, if any.

Field comments

Field comments are used to attach comments to a specific property of a resource.

A field comment is attached to the resource with a special tag crafted by prefixing the property name with ch-field:.

Resources that support field comments have a Commentable column in the list of properties which indicates if a property supports field comments.

A comment will be rejected unless exactly one of the supported field comment tags are used when commenting on a resource that supports field comments.

Selection

Some resources support select semantics.

For example, an Application, requires the selection of a Gateway.

curl -X PUT "https://merchant.test.clearhaus.com/applications/3128a7e4-9594-42fb-a9bd-4f444b58110f/gateways/88a92fb6-cf56-4ece-bc5d-1b544ad5a1e1"
     -H "Authorization: Bearer <access_token>"

Profiles

... a profile can be described as additional semantics that can be used to process a
resource representation, such as constraints, conventions, extensions, or any other aspects
that do not alter the basic media type semantics.
...

in The ‘profile’ Link Relation Type (RFC 6906).

The API documentation is mostly organized around link relations and how to interact with them.

However, when visiting a given link relation page, there will be profile information, describing the semantics of the represented resource.

Rate limit

We use rate limits as an anti-abuse mechanism to protect the API.

From RateLimit Header Fields for HTTP we utilize the RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset headers to inform the consumer about the quota that applies to the endpoint, how many request are remaining, and when the quota usage will reset.

Gracefully handling limits

The best approach for handling rate limits it to build in retry logic for when the status code 429 is encountered.

Retry logic for rate limiting should factor in the rate limit headers returned from the API.