Create a hosted session
const url = 'https://api.govifi.com/v1/hosted-sessions';
const options = {
  method: 'POST',
  headers: {
    'X-Payment-Account-Uid': 'example',
    Authorization: 'Bearer <token>',
    'Content-Type': 'application/json'
  },
  body: '{"amount":14650,"currency":"USD","description":"example","line_items":[{"description":"example","amount":1,"quantity":1,"metadata":{}}],"customer_id":"example","customer_email":"hello@example.com","success_url":"https://example.com","cancel_url":"https://example.com","layout":"hosted","allowed_methods":["card"],"setup_future_usage":"off","scope":"payment","expires_in_seconds":1800,"branding":{"logo_url":"https://example.com","accent_color":"example","merchant_display_name":"example"},"required_avs_fields":["cardholder"],"metadata":{"additionalProperty":"example"},"fraud_signals":{"ip_address":"example","user_agent":"example","email":"hello@example.com","phone":"example","account_type":"example","request_timestamp":1,"is_authorized":true,"is_admin":true}}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://api.govifi.com/v1/hosted-sessions \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-Payment-Account-Uid: example' \
  --data '{
    "amount": 14650,
    "currency": "USD",
    "description": "example",
    "line_items": [
      { "description": "example", "amount": 1, "quantity": 1, "metadata": {} }
    ],
    "customer_id": "example",
    "customer_email": "hello@example.com",
    "success_url": "https://example.com",
    "cancel_url": "https://example.com",
    "layout": "hosted",
    "allowed_methods": [ "card" ],
    "setup_future_usage": "off",
    "scope": "payment",
    "expires_in_seconds": 1800,
    "branding": {
      "logo_url": "https://example.com",
      "accent_color": "example",
      "merchant_display_name": "example"
    },
    "required_avs_fields": [ "cardholder" ],
    "metadata": { "additionalProperty": "example" },
    "fraud_signals": {
      "ip_address": "example",
      "user_agent": "example",
      "email": "hello@example.com",
      "phone": "example",
      "account_type": "example",
      "request_timestamp": 1,
      "is_authorized": true,
      "is_admin": true
    }
  }'

Authorizations
Parameters
Header Parameters
Identifies the tenant (payment account) for the server-side, Cognito-admin-authenticated operations (create / update / expire). Same header /api/paymentaccounts uses.
Request Body required
object
Cents
Example
14650
Example
USD
object
Cents
object
Govifi customer id; if set, saved methods will be hydrated
Hint to the component about which chrome to render
Capability scope minted into the session credential. payment (default) may quote, run challenges, and confirm a charge. wallet is for saved-method management only — its credential is rejected (403 insufficient_scope) at the payment endpoints (confirm/quote-fee/challenge).
object
object
Raw fraud/risk inputs observed by the merchant backend at session creation, forwarded so the API can enforce timing/risk server-side on confirm (API-9). Contains PII; stored server-side and never returned in the sanitized session config.
object
Phone for SMS challenges on high-risk sessions.
Unix epoch milliseconds when the payment form loaded (drives timing validation).
Responses
Session created
object
The browser credential — sent as Authorization: Bearer on every browser call. Authenticates and is reusable for the chatty reads; expires with the session. Not single-use (the confirm-on-success is).
Example
{
  "session_id": "cs_3oNkLp9aBcDeFgHi",
  "client_secret": "cs_3oNkLp9aBcDeFgHi_secret_7Qx...",
  "hosted_url": "https://checkout.govifi.com/cs_3oNkLp9aBcDeFgHi",
  "embed_url": "https://checkout.govifi.com/embed/cs_3oNkLp9aBcDeFgHi"
}
Validation error
object
Example
{ "code": "card_declined" }
Bad or missing credential (Cognito admin token or session credential)
object
Example
{ "code": "card_declined"}
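
A merchant-backend sketch of the split this endpoint implies: the Cognito admin token and tenant header are used server-side only, while the browser receives just the session fields from the "Session created" response. This is an added example, not Govifi's code; the helper names, the `order`/`observed` input shapes and the allowed redirect origin are assumptions.

```javascript
// Added example, not Govifi's code; helper and input names are hypothetical.
const API_URL = 'https://api.govifi.com/v1/hosted-sessions'; // from the page
const SCOPES = new Set(['payment', 'wallet']); // the two scopes the page documents
// Assumption: the merchant only redirects to its own origin.
const REDIRECT_ORIGINS = new Set(['https://shop.example.com']);

function checkRedirect(u) {
  const parsed = new URL(u); // throws on malformed input
  if (!REDIRECT_ORIGINS.has(parsed.origin)) throw new Error('redirect origin not allowed');
  return parsed.toString();
}

// Server-to-server request; adminToken and accountUid never leave the backend.
function buildSessionRequest({ adminToken, accountUid, order, observed, scope = 'payment' }) {
  if (!SCOPES.has(scope)) throw new Error('unknown scope');
  if (!Number.isInteger(order.amountCents) || order.amountCents <= 0) {
    throw new Error('amount must be a positive integer number of cents');
  }
  const body = {
    amount: order.amountCents,
    currency: order.currency,
    success_url: checkRedirect(order.successUrl),
    cancel_url: checkRedirect(order.cancelUrl),
    scope,
    // Taken from what the backend itself saw, not from client-supplied JSON.
    fraud_signals: {
      ip_address: observed.ip,
      user_agent: observed.userAgent,
      request_timestamp: observed.formLoadedAtMs, // Unix epoch milliseconds
    },
  };
  return {
    url: API_URL,
    options: {
      method: 'POST',
      headers: {
        'X-Payment-Account-Uid': accountUid,
        Authorization: `Bearer ${adminToken}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(body),
    },
  };
}

// Forward only the session-scoped fields to the browser.
function toBrowserPayload({ session_id, client_secret, hosted_url, embed_url }) {
  return { session_id, client_secret, hosted_url, embed_url };
}
```

Pass the returned `url` and `options` to `fetch` on the backend, then send `toBrowserPayload(await response.json())` to the page that mounts the checkout.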