Payment Request API

W3C Candidate Recommendation Draft

This version:
https://www.w3.org/TR/2021/CRD-payment-request-20210928/
Latest published version:
https://www.w3.org/TR/payment-request/
Latest editor's draft:
https://w3c.github.io/payment-request/
Test suite:
https://wpt.live/payment-request/
Implementation report:
https://w3c.github.io/test-results/payment-request/all.html
Previous version:
https://www.w3.org/TR/2021/CRD-payment-request-20210907/
Editors:
Marcos Cáceres (W3C)
Rouslan Solomakhin (Google)
Ian Jacobs (W3C)
Former editors:
Domenic Denicola (Google)
Adrian Bateman (Microsoft Corporation)
Zach Koch (Google)
Roy McElmurry (Facebook)
Danyao Wang (Google)
Participate:
GitHub w3c/payment-request
File an issue
Commit history
Pull requests
Browser support:
caniuse.com

Abstract

This specification standardizes an API to allow merchants (i.e. web sites selling physical or digital goods) to utilize one or more payment methods with minimal integration. User agents (e.g., browsers) facilitate the payment flow between merchant and user.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

The working group maintains a list of all bug reports that the group has not yet addressed. Pull requests with proposed specification text for outstanding issues are strongly encouraged.

The working group will demonstrate implementation experience by producing an implementation report. The report will show two or more independent implementations passing each mandatory test in the test suite (i.e., each test corresponds to a MUST requirement of the specification).

There has been no change in dependencies on other workings groups during the development of this specification.

This document was published by the Web Payments Working Group as a Candidate Recommendation Draft. This document is intended to become a W3C Recommendation.

GitHub Issues are preferred for discussion of this specification.

Publication as a Candidate Recommendation does not imply endorsement by the W3C Membership. A Candidate Recommendation Draft integrates changes from the previous Candidate Recommendation that the Working Group intends to include in a subsequent Candidate Recommendation Snapshot.

This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress. Future updates to this specification may incorporate new features.

This document was produced by a group operating under the 1 August 2017 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 15 September 2020 W3C Process Document.

Changes since last publication

This version of the specification removes data features from the API, essentially pushing data details to payment method descriptions. The complete list of changes, including all editorial changes, is viewable in the commit history. Key set of changes are viewable in the Changelog.

1. Introduction

This section is non-normative.

This specification describes an API that allows user agents (e.g., browsers) to act as an intermediary between three parties in a transaction:

The details of how to fulfill a payment request for a given payment method is an implementation detail of a payment handler, which is an application or service that handles requests for payment. Concretely, a payment handler defines:

Steps to check if a payment can be made:
How a payment handler determines whether it, or the user, can potentially "make a payment" is also an implementation detail of a payment handler.
Steps to respond to a payment request:
Steps that return an object or dictionary that a merchant uses to process or validate the transaction. The structure of this object is specific to each payment method.
Steps for when a user changes payment method (optional)

Steps that describe how to handle the user changing payment method or monetary instrument (e.g., from a debit card to a credit card) that results in a dictionary or object or null.

This API also enables web sites to take advantage of more secure payment schemes (e.g., tokenization and system-level authentication) that are not possible with standard JavaScript libraries. This has the potential to reduce liability for the merchant and helps protect sensitive user information.

1.1 Goals and scope

The following are out of scope for this specification:

2. Examples of usage

This section is non-normative.

In order to use the API, the developer needs to provide and keep track of a number of key pieces of information. These bits of information are passed to the PaymentRequest constructor as arguments, and subsequently used to update the payment request being displayed to the user. Namely, these bits of information are:

Once a PaymentRequest is constructed, it's presented to the end user via the show() method. The show() returns a promise that, once the user confirms request for payment, results in a PaymentResponse.

2.1 Declaring multiple ways of paying

When constructing a new PaymentRequest, a merchant uses the first argument (methodData) to list the different ways a user can pay for things (e.g., credit cards, Apple Pay, Google Pay, etc.). More specifically, the methodData sequence contains PaymentMethodData dictionaries containing the payment method identifiers for the payment methods that the merchant accepts and any associated payment method specific data (e.g., which credit card networks are supported).

Example 1: The `methodData` argument
const methodData = [
  {
    supportedMethods: "https://example.com/payitforward",
    data: {
      payItForwardField: "ABC",
    },
  },
  {
    supportedMethods: "https://example.com/bobpay",
    data: {
      merchantIdentifier: "XXXX",
      bobPaySpecificField: true,
    },
  },
];

2.2 Describing what is being paid for

When constructing a new PaymentRequest, a merchant uses the second argument of the constructor (details) to provide the details of the transaction that the user is being asked to complete. This includes the total of the order and, optionally, some line items that can provide a detailed breakdown of what is being paid for.

Example 2: The `details` argument
const details = {
  id: "super-store-order-123-12312",
  displayItems: [
    {
      label: "Sub-total",
      amount: { currency: "GBP", value: "55.00" },
    },
    {
      label: "Value-Added Tax (VAT)",
      amount: { currency: "GBP", value: "5.00" },
    },
    {
      label: "Standard shipping",
      amount: { currency: "GBP", value: "5.00" },
    },
  ],
  total: {
    label: "Total due",
    // The total is GBP£65.00 here because we need to
    // add tax and shipping.
    amount: { currency: "GBP", value: "65.00" },
  },
};

2.3 Conditional modifications to payment request

Here we see how to add a processing fee for using a card on a particular network. Notice that it requires recalculating the total.

Example 3: Modifying payment request based on card type
// Certain cards incur a $3.00 processing fee.
const cardFee = {
  label: "Card processing fee",
  amount: { currency: "AUD", value: "3.00" },
};

// Modifiers apply when the user chooses to pay with
// a card.
const modifiers = [
  {
    additionalDisplayItems: [cardFee],
    supportedMethods: "https://example.com/cardpay",
    total: {
      label: "Total due",
      amount: { currency: "AUD", value: "68.00" },
    },
    data: {
      supportedNetworks: networks,
    },
  },
];
Object.assign(details, { modifiers });

2.4 Constructing a PaymentRequest

Having gathered all the prerequisite bits of information, we can now construct a PaymentRequest and request that the browser present it to the user:

Example 4: Constructing a `PaymentRequest`
async function doPaymentRequest() {
  try {
    const request = new PaymentRequest(methodData, details, options);
    const response = await request.show();
    await validateResponse(response);
  } catch (err) {
    // AbortError, SecurityError
    console.error(err);
  }
}
async function validateResponse(response) {
  try {
    const errors = await checkAllValuesAreGood(response);
    if (errors.length) {
      await response.retry(errors);
      return validateResponse(response);
    }
    await response.complete("success");
  } catch (err) {
    // Something went wrong...
    await response.complete("fail");
  }
}
// Must be called as a result of a click
// or some explicit user action.
doPaymentRequest();

2.5 POSTing payment response back to a server

It's expected that data in a PaymentResponse will be POSTed back to a server for processing. To make this as easy as possible, PaymentResponse can use the default toJSON steps (i.e., .toJSON()) to serializes the object directly into JSON. This makes it trivial to POST the resulting JSON back to a server using the Fetch Standard:

Example 5: POSTing with `fetch()`
async function doPaymentRequest() {
  const payRequest = new PaymentRequest(methodData, details, options);
  const payResponse = await payRequest.show();
  let result = "";
  try {
    const httpResponse = await fetch("/process-payment", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: payResponse.toJSON(),
    });
    result = httpResponse.ok ? "success" : "fail";
  } catch (err) {
    console.error(err);
    result = "fail";
  }
  await payResponse.complete(result);
}
doPaymentRequest();

2.6 Using with cross-origin iframes

To indicate that a cross-origin iframe is allowed to invoke the payment request API, the allow attribute along with the "payment" keyword can be specified on the iframe element.

Example 6: Using Payment Request API with cross-origin iframes
<iframe
  src="https://cross-origin.example"
  allow="payment">
</iframe>

If the iframe will be navigated across multiple origins that support the Payment Request API, then one can set allow to "payment *". The Permissions Policy specification provides further details and examples.

3. PaymentRequest interface

WebIDL[SecureContext, Exposed=Window]
interface PaymentRequest : EventTarget {
  constructor(
    sequence<PaymentMethodData> methodData,
    PaymentDetailsInit details
  );
  [NewObject]
  Promise<PaymentResponse> show(optional Promise<PaymentDetailsUpdate> detailsPromise);
  [NewObject]
  Promise<undefined> abort();
  [NewObject]
  Promise<boolean> canMakePayment();

  readonly attribute DOMString id;

  attribute EventHandler onpaymentmethodchange;
};
Note

A developer creates a PaymentRequest to make a payment request. This is typically associated with the user initiating a payment process (e.g., by activating a "Buy," "Purchase," or "Checkout" button on a web site, selecting a "Power Up" in an interactive game, or paying at a kiosk in a parking structure). The PaymentRequest allows developers to exchange information with the user agent while the user is providing input (up to the point of user approval or denial of the payment request).

A request's payment-relevant browsing context is that PaymentRequest's relevant global object's browsing context's top-level browsing context. Every payment-relevant browsing context has a payment request is showing boolean, which prevents showing more than one payment UI at a time.

The payment request is showing boolean simply prevents more than one payment UI being shown in a single browser tab. However, a payment handler can restrict the user agent to showing only one payment UI across all browser windows and tabs. Other payment handlers might allow showing a payment UI across disparate browser tabs.

3.1 Constructor

The PaymentRequest is constructed using the supplied sequence of PaymentMethodData methodData including any payment method specific data, and the PaymentDetailsInit details.

The PaymentRequest(methodData, details) constructor MUST act as follows:

  1. If the current settings object's responsible document is not allowed to use the "payment" permission, then throw a "SecurityError" DOMException.
  2. Establish the request's id:
    1. If details.id is missing, add an id member to details and set its value to a UUID [RFC4122].
  3. Let serializedMethodData be an empty list.
  4. Process payment methods:
    1. If the length of the methodData sequence is zero, then throw a TypeError, optionally informing the developer that at least one payment method is required.
    2. Let seenPMIs be the empty set.
    3. For each paymentMethod of methodData:
      1. Run the steps to validate a payment method identifier with paymentMethod.supportedMethods. If it returns false, then throw a RangeError exception. Optionally, inform the developer that the payment method identifier is invalid.
      2. Let pmi be the result of parsing paymentMethod.supportedMethods with basic URL parser:
        1. If failure, set pmi to paymentMethod.supportedMethods.
      3. If seenPMIs contains pmi throw a RangeError DOMException optionally letting the developer this payment method identifier is a duplicate.
      4. Append pmi to seenPMIs.
      5. If the data member of paymentMethod is missing, let serializedData be null. Otherwise, let serializedData be the result of JSON-serializing paymentMethod.data into a string. Rethrow any exceptions.
      6. If serializedData is not null, and if required by the specification that defines the paymentMethod.supportedMethods:
        1. Let object be the result of JSON-parsing serializedData.
        2. Convert object to an IDL value of the type specified by the specification that defines the paymentMethod.supportedMethods Rethrow any exceptions.

          Note

          This step assures that any IDL type conversion errors are caught as early as possible.

      7. Add the tuple (paymentMethod.supportedMethods, serializedData) to serializedMethodData.
  5. Process the total:
    1. Check and canonicalize total amount details.total.amount. Rethrow any exceptions.
  6. If the displayItems member of details is present, then for each item in details.displayItems:
    1. Check and canonicalize amount item.amount. Rethrow any exceptions.
  7. Let serializedModifierData be an empty list.
  8. Process payment details modifiers:
    1. Let modifiers be an empty sequence<PaymentDetailsModifier>.
    2. If the modifiers member of details is present, then:
      1. Set modifiers to details.modifiers.
      2. For each modifier of modifiers:
        1. If the total member of modifier is present, then:
          1. Check and canonicalize total amount modifier.total.amount. Rethrow any exceptions.
        2. If the additionalDisplayItems member of modifier is present, then for each item of modifier.additionalDisplayItems:
          1. Check and canonicalize amount item.amount. Rethrow any exceptions.
        3. If the data member of modifier is missing, let serializedData be null. Otherwise, let serializedData be the result of JSON-serializing modifier.data into a string. Rethrow any exceptions.
        4. Add the tuple (modifier.supportedMethods, serializedData) to serializedModifierData.
        5. Remove the data member of modifier, if it is present.
    3. Set details.modifiers to modifiers.
  9. Let request be a new PaymentRequest.
  10. Set request.[[handler]] to null.
  11. Set request.[[state]] to "created".
  12. Set request.[[updating]] to false.
  13. Set request.[[details]] to details.
  14. Set request.[[serializedModifierData]] to serializedModifierData.
  15. Set request.[[serializedMethodData]] to serializedMethodData.
  16. Set request.[[response]] to null.
  17. Return request.

3.2 id attribute

When getting, the id attribute returns this PaymentRequest's [[details]].id.

Note

For auditing and reconciliation purposes, a merchant can associate a unique identifier for each transaction with the id attribute.

3.3 show() method

Note

The show() method is called when a developer wants to begin user interaction for the payment request. The show() method returns a Promise that will be resolved when the user accepts the payment request. Some kind of user interface will be presented to the user to facilitate the payment request after the show() method returns.

Each payment handler controls what happens when multiple browsing context simultaneously call the show() method. For instance, some payment handlers will allow multiple payment UIs to be shown in different browser tabs/windows. Other payment handlers might only allow a single payment UI to be shown for the entire user agent.

The show(optional detailsPromise) method MUST act as follows:

  1. Let request be this.
  2. If the relevant global object of request does not have transient activation:
    1. Return a promise rejected with with a "SecurityError" DOMException.
  3. Consume user activation of the relevant global object.
  4. Let document be request's relevant global object's associated Document.
  5. If document is not fully active, then return a promise rejected with an "AbortError" DOMException.
  6. Optionally, if the user agent wishes to disallow the call to show() to protect the user, then return a promise rejected with a "SecurityError" DOMException. For example, the user agent may limit the rate at which a page can call show(), as described in section § 14. Privacy and Security Considerations.

  7. If request.[[state]] is not "created" then return a promise rejected with an "InvalidStateError" DOMException.
  8. If the user agent's payment request is showing boolean is true, then:
    1. Set request.[[state]] to "closed".
    2. Return a promise rejected with an "AbortError" DOMException.
  9. Set request.[[state]] to "interactive".
  10. Let acceptPromise be a new promise.
  11. Set request.[[acceptPromise]] to acceptPromise.
  12. Optionally:

    1. Reject acceptPromise with an "AbortError" DOMException.
    2. Set request.[[state]] to "closed".
    3. Return acceptPromise.
    Note

    This allows the user agent to act as if the user had immediately aborted the payment request, at its discretion. For example, in "private browsing" modes or similar, user agents might take advantage of this step.

  13. Set request's payment-relevant browsing context's payment request is showing boolean to true.
  14. Return acceptPromise and perform the remaining steps in parallel.
  15. Let handlers be an empty list.
  16. For each paymentMethod tuple in request.[[serializedMethodData]]:
    1. Let identifier be the first element in the paymentMethod tuple.
    2. Let data be the result of JSON-parsing the second element in the paymentMethod tuple.
    3. If required by the specification that defines the identifier, then convert data to an IDL value of the type specified there. Otherwise, convert to object.
    4. If conversion results in an exception error:
      1. Set request.[[state]] to "closed".
      2. Reject acceptPromise with error.
      3. Set request's payment-relevant browsing context's payment request is showing boolean to false.
      4. Terminate this algorithm.
    5. Let registeredHandlers be a list of registered payment handlers for the payment method identifier.
    6. For each handler in registeredHandlers:
      1. Let canMakePayment be the result of running handler's steps to check if a payment can be made with data.
      2. If canMakePayment is true, then append handler to handlers.
  17. If handlers is empty, then:
    1. Set request.[[state]] to "closed".
    2. Reject acceptPromise with "NotSupportedError" DOMException.
    3. Set request's payment-relevant browsing context's payment request is showing boolean to false.
    4. Terminate this algorithm.
  18. Present a user interface that will allow the user to interact with the handlers. The user agent SHOULD prioritize the user's preference when presenting payment methods. The user interface SHOULD be presented using the language and locale-based formatting that matches the document's document element's language, if any, or an appropriate fallback if that is not available.

    Note: Localization of the payments user interface
  19. If detailsPromise was passed, then:
    1. Run the update a PaymentRequest's details algorithm with detailsPromise, request, and null.
    2. Wait for the detailsPromise to settle.
      Note

      Based on how the detailsPromise settles, the update a PaymentRequest's details algorithm determines how the payment UI behaves. That is, upon rejection of the detailsPromise, the payment request aborts. Otherwise, upon fulfillment detailsPromise, the user agent re-enables the payment request UI and the payment flow can continue.

  20. Set request.[[handler]] be the payment handler selected by the end-user.
  21. Let modifiers be an empty list.
  22. For each tuple in [[serializedModifierData]]:
    1. If the first element of tuple (a PMI) matches the payment method identifier of request.[[handler]], then append the second element of tuple (the serialized method data) to modifiers.
  23. Pass the converted second element in the paymentMethod tuple and modifiers. Optionally, the user agent SHOULD send the appropriate data from request to the user-selected payment handler in order to guide the user through the payment process. This includes the various attributes and other internal slots of request (some MAY be excluded for privacy reasons where appropriate).

    Handling of multiple applicable modifiers in the [[serializedModifierData]] internal slot is payment handler specific and beyond the scope of this specification. Nevertheless, it is RECOMMENDED that payment handlers use a "last one wins" approach with items in the [[serializedModifierData]] list: that is to say, an item at the end of the list always takes precedence over any item at the beginning of the list (see example below).

    The acceptPromise will later be resolved or rejected by either the user accepts the payment request algorithm or the user aborts the payment request algorithm, which are triggered through interaction with the user interface.

    If document stops being fully active while the user interface is being shown, or no longer is by the time this step is reached, then:

    1. Close down the user interface.
    2. Set request's payment-relevant browsing context's payment request is showing boolean to false.

3.4 abort() method

Note

The abort() method is called if a developer wishes to tell the user agent to abort the payment request and to tear down any user interface that might be shown. The abort() can only be called after the show() method has been called (see states) and before this instance's [[acceptPromise]] has been resolved. For example, developers might choose to do this if the goods they are selling are only available for a limited amount of time. If the user does not accept the payment request within the allowed time period, then the request will be aborted.

A user agent might not always be able to abort a request. For example, if the user agent has delegated responsibility for the request to another app. In this situation, abort() will reject the returned Promise.

See also the algorithm when the user aborts the payment request.

The abort() method MUST act as follows:

  1. Let request be this.
  2. If request.[[response]] is not null, and request.[[response]].[[retryPromise]] is not null, return a promise rejected with an "InvalidStateError" DOMException.
  3. If the value of request.[[state]] is not "interactive" then return a promise rejected with an "InvalidStateError" DOMException.
  4. Let promise be a new promise.
  5. Return promise and perform the remaining steps in parallel.
  6. Try to abort the current user interaction with the payment handler and close down any remaining user interface.
  7. Queue a task on the user interaction task source to perform the following steps:
    1. If it is not possible to abort the current user interaction, then reject promise with "InvalidStateError" DOMException and abort these steps.
    2. Set request.[[state]] to "closed".
    3. Reject the promise request.[[acceptPromise]] with an "AbortError" DOMException.
    4. Resolve promise with undefined.

3.5 canMakePayment() method

Note: canMakePayment()

The canMakePayment() method can be used by the developer to determine if the user agent has support for one of the desired payment methods. See § 14.8 canMakePayment() protections.

A true result from canMakePayment() does not imply that the user has a provisioned instrument ready for payment.

The canMakePayment() method MUST run the can make payment algorithm.

3.6 onpaymentmethodchange attribute

A PaymentRequest's onpaymentmethodchange attribute is an EventHandler for a PaymentMethodChangeEvent named "paymentmethodchange".

3.7 Internal Slots

Instances of PaymentRequest are created with the internal slots in the following table:

Internal Slot Description (non-normative)
[[serializedMethodData]] The methodData supplied to the constructor, but represented as tuples containing supported methods and a string or null for data (instead of the original object form).
[[serializedModifierData]] A list containing the serialized string form of each data member for each corresponding item in the sequence [[details]].modifier, or null if no such member was present.
[[details]] The current PaymentDetailsBase for the payment request initially supplied to the constructor and then updated with calls to updateWith(). Note that all data members of PaymentDetailsModifier instances contained in the modifiers member will be removed, as they are instead stored in serialized form in the [[serializedModifierData]] internal slot.
[[state]]

The current state of the payment request, which transitions from:

"created"
The payment request is constructed and has not been presented to the user.
"interactive"
The payment request is being presented to the user.
"closed"
The payment request completed.

The state transitions are illustrated in the figure below:

Figure 1 The constructor sets the initial state to "created". The show() method changes the state to "interactive". From there, the abort() method or any other error can send the state to "closed"; similarly, the user accepts the payment request algorithm and user aborts the payment request algorithm will change the state to "closed".
[[updating]] True if there is a pending updateWith() call to update the payment request and false otherwise.
[[acceptPromise]] The pending Promise created during show() that will be resolved if the user accepts the payment request.
[[response]] Null, or the PaymentResponse instantiated by this PaymentRequest.
[[handler]] The Payment Handler associated with this PaymentRequest. Initialized to null.

4. PaymentMethodData dictionary

WebIDLdictionary PaymentMethodData {
  required DOMString supportedMethods;
  object data;
};

A PaymentMethodData dictionary is used to indicate a set of supported payment methods and any associated payment method specific data for those methods.

supportedMethods member
A payment method identifier for a payment method that the merchant web site accepts.
data member
An object that provides optional information that might be needed by the supported payment methods. If supplied, it will be JSON-serialized.
Note

The value of supportedMethods was changed from array to string, but the name was left as a plural to maintain compatibility with existing content on the Web.

5. PaymentCurrencyAmount dictionary

WebIDLdictionary PaymentCurrencyAmount {
  required DOMString currency;
  required DOMString value;
};

A PaymentCurrencyAmount dictionary is used to supply monetary amounts.

currency member

An [ISO4217] well-formed 3-letter alphabetic code (i.e., the numeric codes are not supported). Their canonical form is upper case. However, the set of combinations of currency code for which localized currency symbols are available is implementation dependent.

When displaying a monetary value, it is RECOMMENDED that user agents display the currency code, but it's OPTIONAL for user agents to display a currency symbol. This is because currency symbols can be ambiguous due to use across a number of different currencies (e.g., "$" could mean any of USD, AUD, NZD, CAD, and so on.).

User agents MAY format the display of the currency member to adhere to OS conventions (e.g., for localization purposes).

Note: Digital currencies and ISO 4217 currency codes

User agents implementing this specification enforce [ISO4217]'s 3-letter codes format via ECMAScript’s isWellFormedCurrencyCode abstract operation, which is invoked as part of the check and canonicalize amount algorithm. When a code does not adhere to the [ISO4217] defined format, a RangeError is thrown.

Current implementations will therefore allow the use of well-formed currency codes that are not part of the official [ISO4217] list (e.g., XBT, XRP, etc.). If the provided code is a currency that the browser knows how to display, then an implementation will generally display the appropriate currency symbol in the user interface (e.g., "USD" is shown as U+0024 Dollar Sign ($), "GBP" is shown as U+00A3 Pound Sign (£), "PLN" is shown as U+007A U+0142 Złoty (zł), and the non-standard "XBT" could be shown as U+0243 Latin Capital Letter B with Stroke (Ƀ)).

Efforts are underway at ISO to account for digital currencies, which may result in an update to the [ISO4217] registry or an entirely new registry. The community expects this will resolve ambiguities that have crept in through the use of non-standard 3-letter codes; for example, does "BTC" refer to Bitcoin or to a future Bhutan currency? At the time of publication, it remains unclear what form this evolution will take, or even the time frame in which the work will be completed. The W3C Web Payments Working Group is liaising with ISO so that, in the future, revisions to this specification remain compatible with relevant ISO registries.

value member
A valid decimal monetary value containing a monetary amount.
Example 8: How to represent 1.234 Omani rials
{
   "currency": "OMR",
   "value": "1.234"
}

5.1 Validity checkers

A JavaScript string is a valid decimal monetary value if it consists of the following code points in the given order:

  1. Optionally, a single U+002D (-), to indicate that the amount is negative.
  2. One or more code points in the range U+0030 (0) to U+0039 (9).
  3. Optionally, a single U+002E (.) followed by one or more code points in the range U+0030 (0) to U+0039 (9).
Note
The following regular expression is an implementation of the above definition.
^-?[0-9]+(\.[0-9]+)?$

To check and canonicalize amount given a PaymentCurrencyAmount amount, run the following steps:

  1. If the result of IsWellFormedCurrencyCode(amount.currency) is false, then throw a RangeError exception, optionally informing the developer that the currency is invalid.
  2. If amount.value is not a valid decimal monetary value, throw a TypeError, optionally informing the developer that the currency is invalid.
  3. Set amount.currency to the result of ASCII uppercase amount.currency.

To check and canonicalize total amount given a PaymentCurrencyAmount amount, run the following steps:

  1. Check and canonicalize amount amount. Rethrow any exceptions.
  2. If the first code point of amount.value is U+002D (-), then throw a TypeError optionally informing the developer that a total's value can't be a negative number.
Note: No alteration of values

6. Payment details dictionaries

6.1 PaymentDetailsBase dictionary

WebIDLdictionary PaymentDetailsBase {
  sequence<PaymentItem> displayItems;
  sequence<PaymentDetailsModifier> modifiers;
};
displayItems member
A sequence of PaymentItem dictionaries contains line items for the payment request that the user agent MAY display.
Note
modifiers member
A sequence of PaymentDetailsModifier dictionaries that contains modifiers for particular payment method identifiers. For example, it allows you to adjust the total amount based on payment method.

6.2 PaymentDetailsInit dictionary

WebIDLdictionary PaymentDetailsInit : PaymentDetailsBase {
  DOMString id;
  required PaymentItem total;
};
Note

In addition to the members inherited from the PaymentDetailsBase dictionary, the following members are part of the PaymentDetailsInit dictionary:

id member
A free-form identifier for this payment request.
Note
total member
A PaymentItem containing a non-negative total amount for the payment request.
Note

6.3 PaymentDetailsUpdate dictionary

WebIDLdictionary PaymentDetailsUpdate : PaymentDetailsBase {
  PaymentItem total;
  object paymentMethodErrors;
};

The PaymentDetailsUpdate dictionary is used to update the payment request using updateWith().

In addition to the members inherited from the PaymentDetailsBase dictionary, the following members are part of the PaymentDetailsUpdate dictionary:

total member
A PaymentItem containing a non-negative amount.
Note

Algorithms in this specification that accept a PaymentDetailsUpdate dictionary will throw if the total.amount.value is a negative number.

paymentMethodErrors member

Payment method specific errors.

7. PaymentDetailsModifier dictionary

WebIDLdictionary PaymentDetailsModifier {
  required DOMString supportedMethods;
  PaymentItem total;
  sequence<PaymentItem> additionalDisplayItems;
  object data;
};

The PaymentDetailsModifier dictionary provides details that modify the PaymentDetailsBase based on a payment method identifier. It contains the following members:

supportedMethods member
A payment method identifier. The members of the PaymentDetailsModifier only apply if the user selects this payment method.
total member
A PaymentItem value that overrides the total member in the PaymentDetailsInit dictionary for the payment method identifiers of the supportedMethods member.
additionalDisplayItems member
A sequence of PaymentItem dictionaries provides additional display items that are appended to the displayItems member in the PaymentDetailsBase dictionary for the payment method identifiers in the supportedMethods member. This member is commonly used to add a discount or surcharge line item indicating the reason for the different total amount for the selected payment method that the user agent MAY display.
Note

It is the developer's responsibility to verify that the total amount is the sum of the displayItems and the additionalDisplayItems.

data member
An object that provides optional information that might be needed by the supported payment methods. If supplied, it will be JSON-serialized.

8. PaymentItem dictionary

WebIDLdictionary PaymentItem {
  required DOMString label;
  required PaymentCurrencyAmount amount;
  boolean pending = false;
};

A sequence of one or more PaymentItem dictionaries is included in the PaymentDetailsBase dictionary to indicate what the payment request is for and the value asked for.

label member
A human-readable description of the item. The user agent may display this to the user.
amount member
A PaymentCurrencyAmount containing the monetary amount for the item.
pending member
A boolean. When set to true it means that the amount member is not final. This is commonly used to show items such as shipping or tax amounts that depend upon selection of shipping address or shipping option. User agents MAY indicate pending fields in the user interface for the payment request.

9. PaymentComplete enum

WebIDLenum PaymentComplete {
  "fail",
  "success",
  "unknown"
};
"fail"
Indicates that processing of the payment failed. The user agent MAY display UI indicating failure.
"success"
Indicates the payment was successfully processed. The user agent MAY display UI indicating success.
"unknown"
The developer did not indicate success or failure and the user agent SHOULD NOT display UI indicating success or failure.

10. PaymentResponse interface

WebIDL[SecureContext, Exposed=Window]
interface PaymentResponse : EventTarget  {
  [Default] object toJSON();

  readonly attribute DOMString requestId;
  readonly attribute DOMString methodName;
  readonly attribute object details;

  [NewObject]
  Promise<undefined> complete(optional PaymentComplete result = "unknown");
  [NewObject]
  Promise<undefined> retry(optional PaymentValidationErrors errorFields = {});
};
Note

A PaymentResponse is returned when a user has selected a payment method and approved a payment request.

10.1 retry() method

Note

The retry(errorFields) method MUST act as follows:

  1. Let response be this.
  2. Let request be response.[[request]].
  3. Let document be request's relevant global object's associated Document.
  4. If document is not fully active, then return a promise rejected with an "AbortError" DOMException.
  5. If response.[[complete]] is true, return a promise rejected with an "InvalidStateError" DOMException.
  6. If response.[[retryPromise]] is not null, return a promise rejected with an "InvalidStateError" DOMException.
  7. Set request.[[state]] to "interactive".
  8. Let retryPromise be a new promise.
  9. Set response.[[retryPromise]] to retryPromise.
  10. If errorFields was passed:
    1. If errorFields.paymentMethod member was passed, and if required by the specification that defines response.payment/a>, then convert errorFields's paymentMethod member to an IDL value of the type specified there. Otherwise, convert to object.
    2. Set request's payment-relevant browsing context's payment request is showing boolean to false.
    3. If conversion results in a exception error:
      1. Reject retryPromise with error.
      2. Set user agent's payment request is showing boolean to false.
      3. Return.
    4. By matching the members of errorFields to input fields in the user agent's UI, indicate to the end user that something is wrong with the data of the payment response. For example, a user agent might draw the user's attention to the erroneous errorFields in the browser's UI and display the value of each field in a manner that helps the user fix each error. Similarly, if the error member is passed, present the error in the user agent's UI. In the case where the value of a member is the empty string, the user agent MAY substitute a value with a suitable error message.
  11. Otherwise, if errorFields was not passed, signal to the end user to attempt to retry the payment. Re-enable any UI element that affords the end user the ability to retry accepting the payment request.
  12. If document stops being fully active while the user interface is being shown, or no longer is by the time this step is reached, then:
    1. Close down the user interface.
    2. Set request's payment-relevant browsing context's payment request is showing boolean to false.
  13. Finally, when retryPromise settles, set response.[[retryPromise]] to null.
  14. Return retryPromise.
    Note

    The retryPromise will later be resolved by the user accepts the payment request algorithm, or rejected by either the user aborts the payment request algorithm or abort the update.

10.1.1 PaymentValidationErrors dictionary

WebIDLdictionary PaymentValidationErrors {
  DOMString error;
  object paymentMethod;
};
error member
A general description of an error with the payment from which the user can attempt to recover. For example, the user may recover by retrying the payment. A developer can optionally pass the error member on its own to give a general overview of validation issues, or it can be passed in combination with other members of the PaymentValidationErrors dictionary.
paymentMethod member
A payment method specific errors.

10.2 methodName attribute

The payment method identifier for the payment method that the user selected to fulfill the transaction.

10.3 details attribute

An object or dictionary generated by a payment method that a merchant can use to process or validate a transaction (depending on the payment method).

Note

10.4 requestId attribute

The corresponding payment request id that spawned this payment response.

10.5 complete() method

Note

The complete() method is called after the user has accepted the payment request and the [[acceptPromise]] has been resolved. Calling the complete() method tells the user agent that the payment interaction is over (and SHOULD cause any remaining user interface to be closed).

After the payment request has been accepted and the PaymentResponse returned to the caller, but before the caller calls complete(), the payment request user interface remains in a pending state. At this point the user interface SHOULD NOT offer a cancel command because acceptance of the payment request has been returned. However, if something goes wrong and the developer never calls complete() then the user interface is blocked.

For this reason, implementations MAY impose a timeout for developers to call complete(). If the timeout expires then the implementation will behave as if complete() was called with no arguments.

The complete() method MUST act as follows:

  1. Let response be this.
  2. If response.[[complete]] is true, return a promise rejected with an "InvalidStateError" DOMException.
  3. If response.[[retryPromise]] is not null, return a promise rejected with an "InvalidStateError" DOMException.
  4. Let promise be a new promise.
  5. Set response.[[complete]] to true.
  6. Return promise and perform the remaining steps in parallel.
  7. If document stops being fully active while the user interface is being shown, or no longer is by the time this step is reached, then:
    1. Close down the user interface.
    2. Set request's payment-relevant browsing context's payment request is showing boolean to false.
  8. Otherwise:
    1. Close down any remaining user interface. The user agent MAY use the value result to influence the user experience.
    2. Set request's payment-relevant browsing context's payment request is showing boolean to false.
    3. Resolve promise with undefined.

10.6 Internal Slots

Instances of PaymentResponse are created with the internal slots in the following table:

Internal Slot Description (non-normative)
[[complete]] Is true if the request for payment has completed (i.e., complete() was called, or there was a fatal error that made the response not longer usable), or false otherwise.
[[request]] The PaymentRequest instance that instantiated this PaymentResponse.
[[retryPromise]] Null, or a Promise that resolves when a user accepts the payment request or rejects if the user aborts the payment request.

11. Permissions Policy integration

This specification defines a policy-controlled feature identified by the string "payment" [permissions-policy]. Its default allowlist is 'self'.

Note

12. Events

12.1 Summary

This section is non-normative.

Event name Interface Dispatched when… Target
paymentmethodchange PaymentMethodChangeEvent The user chooses a different payment method within a payment handler. PaymentRequest

12.2 PaymentMethodChangeEvent interface

WebIDL[SecureContext, Exposed=Window]
interface PaymentMethodChangeEvent : PaymentRequestUpdateEvent {
  constructor(DOMString type, optional PaymentMethodChangeEventInit eventInitDict = {});
  readonly attribute DOMString methodName;
  readonly attribute object? methodDetails;
};

12.2.1 methodDetails attribute

When getting, returns the value it was initialized with. See methodDetails member of PaymentMethodChangeEventInit for more information.

12.2.2 methodName attribute

When getting, returns the value it was initialized with. See methodName member of PaymentMethodChangeEventInit for more information.

12.2.3 PaymentMethodChangeEventInit dictionary

WebIDLdictionary PaymentMethodChangeEventInit : PaymentRequestUpdateEventInit {
  DOMString methodName = "";
  object? methodDetails = null;
};
methodName member
A string representing the payment method identifier.
methodDetails member
An object representing some data from the payment method, or null.

12.3 PaymentRequestUpdateEvent interface

WebIDL[SecureContext, Exposed=Window]
interface PaymentRequestUpdateEvent : Event {
  constructor(DOMString type, optional PaymentRequestUpdateEventInit eventInitDict = {});
  undefined updateWith(Promise<PaymentDetailsUpdate> detailsPromise);
};

The PaymentRequestUpdateEvent enables developers to update the details of the payment request in response to a user interaction.

12.3.1 Constructor

The PaymentRequestUpdateEvent's constructor(type, eventInitDict) MUST act as follows:

  1. Let event be the result of calling the constructor of PaymentRequestUpdateEvent with type and eventInitDict.
  2. Set event.[[waitForUpdate]] to false.
  3. Return event.

12.3.2 updateWith() method

Note

The updateWith() with detailsPromise method MUST act as follows:

  1. Let event be this.
  2. If event's isTrusted attribute is false, then throw an "InvalidStateError" DOMException.
  3. If event.[[waitForUpdate]] is true, then throw an "InvalidStateError" DOMException.
  4. If event's target is an instance of PaymentResponse, let request be event's target's [[request]].
  5. Otherwise, let request be the value of event's target.
  6. Assert: request is an instance of PaymentRequest.
  7. If request.[[state]] is not "interactive", then throw an "InvalidStateError" DOMException.
  8. If request.[[updating]] is true, then throw an "InvalidStateError" DOMException.
  9. Set event's stop propagation flag and stop immediate propagation flag.
  10. Set event.[[waitForUpdate]] to true.
  11. Let pmi be null.
  12. If event has a methodName attribute, set pmi to the methodName attribute's value.
  13. Run the update a PaymentRequest's details algorithm with detailsPromise, request, and pmi.

12.3.3 Internal Slots

Instances of PaymentRequestUpdateEvent are created with the internal slots in the following table:

Internal Slot Description (non-normative)
[[waitForUpdate]] A boolean indicating whether an updateWith()-initiated update is currently in progress.

12.3.4 PaymentRequestUpdateEventInit dictionary

WebIDLdictionary PaymentRequestUpdateEventInit : EventInit {};

13. Algorithms

When the internal slot [[state]] of a PaymentRequest object is set to "interactive", the user agent will trigger the following algorithms based on user interaction.

13.1 Can make payment algorithm

The can make payment algorithm checks if the user agent supports making payment with the payment methods with which the PaymentRequest was constructed.

  1. Let request be the PaymentRequest object on which the method was called.
  2. If request.[[state]] is not "created", then return a promise rejected with an "InvalidStateError" DOMException.
  3. Optionally, at the top-level browsing context's discretion, return a promise rejected with a "NotAllowedError" DOMException.
    Note

    This allows user agents to apply heuristics to detect and prevent abuse of the calling method for fingerprinting purposes, such as creating PaymentRequest objects with a variety of supported payment methods and triggering the can make payment algorithm on them one after the other. For example, a user agent may restrict the number of successful calls that can be made based on the top-level browsing context or the time period in which those calls were made.

  4. Let hasHandlerPromise be a new promise.
  5. Return hasHandlerPromise, and perform the remaining steps in parallel.
  6. For each paymentMethod tuple in request. [[serializedMethodData]]:
    1. Let identifier be the first element in the paymentMethod tuple.
    2. If the user agent has a payment handler that supports handling payment requests for identifier, resolve hasHandlerPromise with true and terminate this algorithm.
  7. Resolve hasHandlerPromise with false.

13.2 Payment method changed algorithm

A payment handler MAY run the payment method changed algorithm when the user changes payment method with methodDetails, which is a dictionary or an object or null, and a methodName, which is a DOMString that represents the payment method identifier of the payment handler the user is interacting with.

  1. Let request be the PaymentRequest object that the user is interacting with.
  2. Queue a task on the user interaction task source to run the following steps:
    1. Assert: request.[[updating]] is false. Only one update can take place at a time.
    2. Assert: request.[[state]] is "interactive".
    3. Fire an event named "paymentmethodchange" at request using PaymentMethodChangeEvent, with its methodName attribute initialized to methodName, and its methodDetails attribute initialized to methodDetails.

13.3 PaymentRequest updated algorithm

The PaymentRequest updated algorithm is run by other algorithms above to fire an event to indicate that a user has made a change to a PaymentRequest called request with an event name of name:

  1. Assert: request.[[updating]] is false. Only one update can take place at a time.
  2. Assert: request.[[state]] is "interactive".
  3. Let event be the result of creating an event using the PaymentRequestUpdateEvent interface.
  4. Initialize event's type attribute to name.
  5. Dispatch event at request.
  6. If event.[[waitForUpdate]] is true, disable any part of the user interface that could cause another update event to be fired.
  7. Otherwise, set event.[[waitForUpdate]] to true.

13.4 User accepts the payment request algorithm

The user accepts the payment request algorithm runs when the user accepts the payment request and confirms that they want to pay. It MUST queue a task on the user interaction task source to perform the following steps:

  1. Let request be the PaymentRequest object that the user is interacting with.
  2. If the request.[[updating]] is true, then terminate this algorithm and take no further action. The user agent user interface SHOULD ensure that this never occurs.
  3. If request.[[state]] is not "interactive", then terminate this algorithm and take no further action. The user agent user interface SHOULD ensure that this never occurs.
  4. Let isRetry be true if request.[[response]] is not null, false otherwise.
  5. Let response be request.[[response]] if isRetry is true, or a new PaymentResponse otherwise.
  6. If isRetry if false, initialize the newly created response:
    1. Set response.[[request]] to request.
    2. Set response.[[retryPromise]] to null.
    3. Set response.[[complete]] to false.
    4. Set the requestId attribute value of response to the value of request.[[details]].id.
    5. Set request.[[response]] to response.
  7. Let handler be request.[[handler]].
  8. Set the methodName attribute value of response to the payment method identifier of handler.
  9. Set the details attribute value of response to an object resulting from running the handler's steps to respond to a payment request.
  10. Set request.[[state]] to "closed".
  11. If isRetry is true, resolve response.[[retryPromise]] with undefined. Otherwise, resolve request.[[acceptPromise]] with response.

13.5 User aborts the payment request algorithm

The user aborts the payment request algorithm runs when the user aborts the payment request through the currently interactive user interface. It MUST queue a task on the user interaction task source to perform the following steps:

  1. Let request be the PaymentRequest object that the user is interacting with.
  2. If request.[[state]] is not "interactive", then terminate this algorithm and take no further action. The user agent user interface SHOULD ensure that this never occurs.
  3. Set request.[[state]] to "closed".
  4. Set request's payment-relevant browsing context's payment request is showing boolean to false.
  5. Let error be an "AbortError" DOMException.
  6. Let response be request.[[response]].
  7. If response is not null:
    1. Set response.[[complete]] to true.
    2. Assert: response.[[retryPromise]] is not null.
    3. Reject response.[[retryPromise]] with error.
  8. Otherwise, reject request.[[acceptPromise]] with error.
  9. Abort the current user interaction and close down any remaining user interface.

13.6 Update a PaymentRequest's details algorithm

The update a PaymentRequest's details algorithm takes a PaymentDetailsUpdate detailsPromise, a PaymentRequest request, and pmi that is either a DOMString or null (a payment method identifier). The steps are conditional on the detailsPromise settling. If detailsPromise never settles then the payment request is blocked. The user agent SHOULD provide the user with a means to abort a payment request. Implementations MAY choose to implement a timeout for pending updates if detailsPromise doesn't settle in a reasonable amount of time.

In the case where a timeout occurs, or the user manually aborts, or the payment handler decides to abort this particular payment, the user agent MUST run the user aborts the payment request algorithm.

  1. Set request.[[updating]] to true.
  2. In parallel, disable the user interface that allows the user to accept the payment request. This is to ensure that the payment is not accepted until the user interface is updated with any new details.
  3. Upon rejection of detailsPromise:
    1. Abort the update with request and an "AbortError" DOMException.
  4. Upon fulfillment of detailsPromise with value value:
    1. Let details be the result of converting value to a PaymentDetailsUpdate dictionary. If this throw an exception, abort the update with request and with the thrown exception.
    2. Let serializedModifierData be an empty list.
    3. Validate and canonicalize the details:
      1. If the total member of details is present, then:
        1. Check and canonicalize total amount details.total.amount. If an exception is thrown, then abort the update with request and that exception.
      2. If the displayItems member of details is present, then for each item in details.displayItems:
        1. Check and canonicalize amount item.amount. If an exception is thrown, then abort the update with request and that exception.
      3. If the modifiers member of details is present, then:
        1. Let modifiers be the sequence details.modifiers.
        2. Let serializedModifierData be an empty list.
        3. For each PaymentDetailsModifier modifier in modifiers:
          1. Run the steps to validate a payment method identifier with modifier.supportedMethods. If it returns false, then abort the update with request and a RangeError exception. Optionally, inform the developer that the payment method identifier is invalid.
          2. If the total member of modifier is present, then:
            1. Check and canonicalize total amount modifier.total.amount. If an exception is thrown, then abort the update with request and that exception.
          3. If the additionalDisplayItems member of modifier is present, then for each PaymentItem item in modifier.additionalDisplayItems:
            1. Check and canonicalize amount item.amount. If an exception is thrown, then abort the update with request and that exception.
          4. If the data member of modifier is missing, let serializedData be null. Otherwise, let serializedData be the result of JSON-serializing modifier.data into a string. If JSON-serializing throws an exception, then abort the update with request and that exception.
          5. Add serializedData to serializedModifierData.
          6. Remove the data member of modifier, if it is present.
    4. If the paymentMethodErrors member is present and identifier is not null:
      1. If required by the specification that defines the pmi, then convert paymentMethodErrors to an IDL value.
      2. If conversion results in a exception error, abort the update with error.
      3. The payment handler SHOULD display an error for each relevant erroneous field of paymentMethodErrors.
    5. Update the PaymentRequest using the new details:
      1. If the total member of details is present, then:
        1. Set request.[[details]].total to details.total.
      2. If the displayItems member of details is present, then:
        1. Set request.[[details]].displayItems to details.displayItems.
      3. If the modifiers member of details is present, then:
        1. Set request.[[details]].modifiers to details.modifiers.
        2. Set request.[[serializedModifierData]] to serializedModifierData.
  5. Set request.[[updating]] to false.
  6. Update the user interface based on any changed values in request. Re-enable user interface elements disabled prior to running this algorithm.

13.6.1 Abort the update

To abort the update with a PaymentRequest request and exception exception:

  1. Optionally, show an error message to the user when letting them know an error has occurred.
  2. Abort the current user interaction and close down any remaining user interface.
  3. Queue a task on the user interaction task source to perform the following steps:
    1. Set request's payment-relevant browsing context's payment request is showing boolean to false.
    2. Set request.[[state]] to "closed".
    3. Let response be request.[[response]].
    4. If response is not null, then:
      1. Set response.[[complete]] to true.
      2. Assert: response.[[retryPromise]] is not null.
      3. Reject response.[[retryPromise]] with exception.
    5. Otherwise, reject request.[[acceptPromise]] with exception.
    6. Set request.[[updating]] to false.
  4. Abort the algorithm.
Note

Abort the update runs when there is a fatal error updating the payment request, such as the supplied detailsPromise rejecting, or its fulfillment value containing invalid data. This would potentially leave the payment request in an inconsistent state since the developer hasn't successfully handled the change event.

Consequently, the PaymentRequest moves to a "closed" state. The error is signaled to the developer through the rejection of the [[acceptPromise]], i.e., the promise returned by show().

Similarly, abort the update occurring during retry() causes the [[retryPromise]] to reject, and the corresponding PaymentResponse's [[complete]] internal slot will be set to true (i.e., it can no longer be used).

14. Privacy and Security Considerations

14.1 User protections with show() method

This section is non-normative.

To help ensure that users do not inadvertently share sensitive credentials with an origin, this API requires that PaymentRequest's show() method be invoked while the relevant Window has transient activation (e.g., via a click or press).

To avoid a confusing user experience, this specification limits the user agent to displaying one at a time via the show() method. In addition, the user agent can limit the rate at which a page can call show().

14.2 Secure contexts

This section is non-normative.

The API defined in this specification is only exposed in a secure context - see also the Secure Contexts specification for more details. In practice, this means that this API is only available over HTTPS. This is to limit the possibility of payment method data (e.g., credit card numbers) being sent in the clear.

14.3 Cross-origin payment requests

This section is non-normative.

It is common for merchants and other payees to delegate checkout and other e-commerce activities to payment service providers through an iframe. This API supports payee-authorized cross-origin iframes through [HTML]'s allow attribute.

Payment handlers have access to both the origin that hosts the iframe and the origin of the iframe content (where the PaymentRequest initiates).

14.4 Encryption of data fields

This section is non-normative.

The PaymentRequest API does not directly support encryption of data fields. Individual payment methods may choose to include support for encrypted data but it is not mandatory that all payment methods support this.

14.5 How user agents match payment handlers

This section is non-normative.

As part of show(), the user agent typically displays a list of matching payment handlers that satisfy the payment methods accepted by the merchant and other conditions. Matching can take into account payment method information provided as input to the API, information provided by the payment method owner, the payment handlers registered by the user, user preferences, and other considerations.

For security reasons, a user agent can limit matching (in show() and canMakePayment()) to payment handlers from the same origin as a URL payment method identifier.

14.6 Data usage

Payment method owners establish the privacy policies for how user data collected for the payment method may be used. Payment Request API sets a clear expectation that data will be used for the purposes of completing a transaction, and user experiences associated with this API convey that intention. It is the responsibility of the payee to ensure that any data usage conforms to payment method policies. For any permitted usage beyond completion of the transaction, the payee should clearly communicate that usage to the user.

14.7 Exposing user information

The user agent MUST NOT share information about the user with a developer without user consent.

In particular, the PaymentMethodData's data and PaymentResponse's details members allow for the arbitrary exchange of data. In light of the wide range of data models used by existing payment methods, prescribing data specifics in this API would limit its usefulness. The details member carries data from the payment handler, whether Web-based (as defined by the Payment Handler API) or proprietary. The user agent MUST NOT support payment handlers unless they include adequate user consent mechanisms (such as awareness of parties to the transaction and mechanisms for demonstrating the intention to share data).

The user agent MUST NOT share the values of the displayItems member or additionalDisplayItems member with a third-party payment handler without user consent.

The PaymentMethodChangeEvent enables the payee to update the displayed total based on information specific to a selected payment method. For example, the billing address associated with a selected payment method might affect the tax computation (e.g., VAT), and it is desirable that the user interface accurately display the total before the payer completes the transaction. At the same time, it is desirable to share as little information as possible prior to completion of the payment. Therefore, when a payment method defines the steps for when a user changes payment method, it is important to minimize the data shared via the PaymentMethodChangeEvent's methodDetails attribute. Requirements and approaches for minimizing shared data are likely to vary by payment method.

Where sharing of privacy-sensitive information might not be obvious to users (e.g., when changing payment methods), it is RECOMMENDED that user agents inform the user of exactly what information is being shared with a merchant.

14.8 canMakePayment() protections

The canMakePayment() method provides feature detection for different payment methods. It may become a fingerprinting vector if in the future, a large number of payment methods are available. purposes. User agents are expected to protect the user from abuse of the method. For example, user agents can reduce user fingerprinting by:

For rate-limiting the user agent might look at repeated calls from:

These rate-limiting techniques intend to increase the cost associated with repeated calls, whether it is the cost of managing multiple eTLDs or the user experience friction of opening multiple windows (tabs or pop-ups).

15. Accessibility Considerations

This section is non-normative.

For the user-facing aspects of Payment Request API, implementations integrate with platform accessibility APIs via form controls and other input modalities.

16. Dependencies

This specification relies on several other underlying specifications.

ECMAScript
The terms internal slot, and JSON.stringify are defined by [ECMASCRIPT].

JSON-serialize runs JSON.stringify, passing the supplied object as the sole argument, and returns the resulting string. This can throw an exception.

ISO 3166-2
Country subdivision name and country subdivision code element are defined in [ISO3166-2].

17. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, SHOULD, and SHOULD NOT in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

There is only one class of product that can claim conformance to this specification: a user agent.

Note

Although this specification is primarily targeted at web browsers, it is feasible that other software could also implement this specification in a conforming manner.

User agents MAY implement algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the specification's algorithms.

User agents MAY impose implementation-specific limits on otherwise unconstrained inputs, e.g., to prevent denial of service attacks, to guard against running out of memory, or to work around platform-specific limitations. When an input exceeds implementation-specific limit, the user agent MUST throw, or, in the context of a promise, reject with, a TypeError optionally informing the developer of how a particular input exceeded an implementation-specific limit.

A. IDL Index

WebIDL[SecureContext, Exposed=Window]
interface PaymentRequest : EventTarget {
  constructor(
    sequence<PaymentMethodData> methodData,
    PaymentDetailsInit details
  );
  [NewObject]
  Promise<PaymentResponse> show(optional Promise<PaymentDetailsUpdate> detailsPromise);
  [NewObject]
  Promise<undefined> abort();
  [NewObject]
  Promise<boolean> canMakePayment();

  readonly attribute DOMString id;

  attribute EventHandler onpaymentmethodchange;
};

dictionary PaymentMethodData {
  required DOMString supportedMethods;
  object data;
};

dictionary PaymentCurrencyAmount {
  required DOMString currency;
  required DOMString value;
};

dictionary PaymentDetailsBase {
  sequence<PaymentItem> displayItems;
  sequence<PaymentDetailsModifier> modifiers;
};

dictionary PaymentDetailsInit : PaymentDetailsBase {
  DOMString id;
  required PaymentItem total;
};

dictionary PaymentDetailsUpdate : PaymentDetailsBase {
  PaymentItem total;
  object paymentMethodErrors;
};

dictionary PaymentDetailsModifier {
  required DOMString supportedMethods;
  PaymentItem total;
  sequence<PaymentItem> additionalDisplayItems;
  object data;
};

dictionary PaymentItem {
  required DOMString label;
  required PaymentCurrencyAmount amount;
  boolean pending = false;
};

enum PaymentComplete {
  "fail",
  "success",
  "unknown"
};

[SecureContext, Exposed=Window]
interface PaymentResponse : EventTarget  {
  [Default] object toJSON();

  readonly attribute DOMString requestId;
  readonly attribute DOMString methodName;
  readonly attribute object details;

  [NewObject]
  Promise<undefined> complete(optional PaymentComplete result = "unknown");
  [NewObject]
  Promise<undefined> retry(optional PaymentValidationErrors errorFields = {});
};

dictionary PaymentValidationErrors {
  DOMString error;
  object paymentMethod;
};

[SecureContext, Exposed=Window]
interface PaymentMethodChangeEvent : PaymentRequestUpdateEvent {
  constructor(DOMString type, optional PaymentMethodChangeEventInit eventInitDict = {});
  readonly attribute DOMString methodName;
  readonly attribute object? methodDetails;
};

dictionary PaymentMethodChangeEventInit : PaymentRequestUpdateEventInit {
  DOMString methodName = "";
  object? methodDetails = null;
};

[SecureContext, Exposed=Window]
interface PaymentRequestUpdateEvent : Event {
  constructor(DOMString type, optional PaymentRequestUpdateEventInit eventInitDict = {});
  undefined updateWith(Promise<PaymentDetailsUpdate> detailsPromise);
};

dictionary PaymentRequestUpdateEventInit : EventInit {};

B. Acknowledgements

This specification was derived from a report published previously by the Web Platform Incubator Community Group.

C. Changelog

Changes from between CR2 until now:

Changes from between CR1 and CR2:

D. References

D.1 Normative references

[dom]
DOM Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://dom.spec.whatwg.org/
[ecma-402]
ECMAScript Internationalization API Specification. Ecma International. URL: https://tc39.es/ecma402/
[ECMASCRIPT]
ECMAScript Language Specification. Ecma International. URL: https://tc39.es/ecma262/multipage/
[fetch]
Fetch Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
HTML Standard. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters. WHATWG. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[infra]
Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[ISO3166-2]
ISO 3166: Codes for the representation of names of countries and their subdivisions – Part 2: Country subdivision code.. International Organization for Standardization (ISO). August 2020. Published. URL: https://www.iso.org/standard/72483.html
[ISO4217]
Currency codes - ISO 4217. ISO. 2015. International Standard. URL: http://www.iso.org/iso/home/standards/currency_codes.htm
[payment-handler]
Payment Handler API. Adrian Hope-Bailie; Ian Jacobs; Rouslan Solomakhin; Jinho Bang; Jason Normore; Tommy Thorsen; Adam Roach. W3C. 14 July 2021. W3C Working Draft. URL: https://www.w3.org/TR/payment-handler/
[payment-method-id]
Payment Method Identifiers. Marcos Caceres; Adrian Bateman; Domenic Denicola; Zach Koch; Roy McElmurry. W3C. 27 August 2021. W3C Candidate Recommendation. URL: https://www.w3.org/TR/payment-method-id/
[permissions-policy]
Permissions Policy. Ian Clelland. W3C. 16 July 2020. W3C Working Draft. URL: https://www.w3.org/TR/permissions-policy-1/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC4122]
A Universally Unique IDentifier (UUID) URN Namespace. P. Leach; M. Mealling; R. Salz. IETF. July 2005. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc4122
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[url]
URL Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://url.spec.whatwg.org/
[WebIDL]
Web IDL. Boris Zbarsky. W3C. 15 December 2016. W3C Editor's Draft. URL: https://heycam.github.io/webidl/

D.2 Informative references

[rfc6454]
The Web Origin Concept. A. Barth. IETF. December 2011. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6454
[secure-contexts]
Secure Contexts. Mike West. W3C. 18 September 2021. W3C Candidate Recommendation. URL: https://www.w3.org/TR/secure-contexts/