Revoke
After authorization is completed, the buyer can cancel the authorization either on the merchant side or the payment method side. Once canceled, the token will become invalid and can no longer be used for authorized payments.
- Cancel authorization on the merchant side: Providing an authorization cancellation function on the merchant side ensures buyers' right to manage their authorization agreements. Buyers can terminate existing authorizations at any time based on their personal account security policies or service usage requirements.
Note: Due to restrictions by some payment methods, a single e-wallet may only maintain one or a limited number of valid authorization credentials per merchant.
- Cancel authorization on the payment method side: If the buyer cancels the authorization on the payment method side, you will receive an authorization result notification upon successful cancellation.
Note: Currently, Alipay, TrueMoney, Boost, and Touch'n Go eWallet all support revocation of authorization on the payment method side. However, the system only sends notifications when authorization is successfully revoked for Alipay, Boost, and Touch'n Go eWallet. As capabilities may be upgraded in the future, it is recommended to integrate authorization cancellation notifications during initial integration.
Cancel authorization on the merchant side
When the buyer cancels authorization in your application, call the revoke API and pass in the corresponding accessToken, which is obtained from the authorization result notification, to invalidate the payment token. When the API call succeeds, the payment token immediately becomes invalid.
The following code shows how to call the revoke API:
public static void Cancel() {
    AlipayAuthRevokeTokenRequest alipayAuthRevokeTokenRequest = new AlipayAuthRevokeTokenRequest();
    // replace with your accessToken
    alipayAuthRevokeTokenRequest.setAccessToken("281010033AB2F588D14B43238637264FCA5Axxxx");
    AlipayAuthRevokeTokenResponse alipayAuthRevokeTokenResponse = null;
    try {
        alipayAuthRevokeTokenResponse = CLIENT.execute(alipayAuthRevokeTokenRequest);
    } catch (AlipayApiException e) {
        String errorMsg = e.getMessage();
        // handle error condition
    }
}

The following is an example of a request message:
{
  "accessToken": "281010033AB2F588D14B43238637264FCA5Axxxx"
}

The following is an example of a response message:
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  }
}

The table below displays the possible values returned in the resultStatus field of the revoke response. Please follow the corresponding instructions for handling:
| resultStatus | Description | Suggestions |
| | The authorization is revoked successfully. | No further action is required. |
| | The authorization failed to be revoked. | Please verify that all required request fields (including headers and body) for the current API are correctly passed and valid. |
| | The authorization cancellation status is unknown. | Keep the accessToken unchanged and call the API again to solve the problem. If the problem is not resolved, contact Antom Technical Support. |
Note: If you do not receive a response message, it may be due to a network timeout. Keep the accessToken unchanged and re-call the API to solve the problem. If the problem is not resolved, contact Antom Technical Support.
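The retry rule in the table and note above, written out as an added example (not Antom SDK code). It assumes the three table rows correspond to resultStatus values S, F and U; `revokeCall` is a hypothetical wrapper around `CLIENT.execute(...)` that returns the status string and throws on a network timeout.

```java
import java.util.concurrent.Callable;

/** Added example: retry policy for the revoke call; not part of the Antom SDK. */
public class RevokeWithRetry {

    enum Outcome { REVOKED, REJECTED, UNRESOLVED }

    /**
     * revokeCall (hypothetical) re-sends the SAME accessToken on every attempt and
     * returns the response's resultStatus. Assumed values: "S" = revoked,
     * "F" = failed, "U" = unknown.
     */
    static Outcome revoke(Callable<String> revokeCall, int maxAttempts, long backoffMs)
            throws InterruptedException {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            String status;
            try {
                status = revokeCall.call();
            } catch (Exception e) {
                status = "U"; // no response (e.g. timeout): treat as unknown and call again
            }
            if ("S".equals(status)) {
                return Outcome.REVOKED; // token is invalid from now on
            }
            if ("F".equals(status)) {
                return Outcome.REJECTED; // fix the request fields; retrying as-is will not help
            }
            if (attempt < maxAttempts) {
                Thread.sleep(backoffMs * attempt); // linear backoff between attempts
            }
        }
        return Outcome.UNRESOLVED; // still unknown: escalate to Antom Technical Support
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed stub: first call times out, second returns U, third returns S.
        int[] calls = {0};
        Callable<String> stub = () -> {
            int n = ++calls[0];
            if (n == 1) {
                throw new java.net.SocketTimeoutException("constructed timeout");
            }
            return n == 2 ? "U" : "S";
        };
        System.out.println(revoke(stub, 5, 10) + " after " + calls[0] + " calls");
    }
}
```

Until the outcome is `REVOKED`, the merchant side should already stop initiating payments with that token, since the buyer has asked for it to be cancelled.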
Cancel authorization on the payment method side
When the buyer cancels authorization on the payment method side, the system sends you an asynchronous authorization cancellation notification. To ensure that you receive such notifications, you need to pre-configure the URL where you want to receive authorization cancellation notifications. The notification contains the payment token (accessToken) corresponding to the revoked auto debit agreement.
- Set notification Webhook URL:
Log in to Antom Dashboard > Developer > Notification URL. Add the notification URL to alipay.ams.authorizations.notify. Please refer to the Notification URL for specific operations.
Below is a code example for the authorization cancellation asynchronous notification request:
{
  "authorizationNotifyType": "TOKEN_CANCELED",
  "accessToken": "28100103_20215703001538122119",
  "result": {
    "resultCode": "SUCCESS",
    "resultMessage": "success",
    "resultStatus": "S"
  }
}

You may receive the result.resultStatus field with different values in the request message. Process it according to the following table:
| result.resultStatus | INFORMATION | Operational recommendations |
| | Authorization successfully canceled. | Process subsequent operations based on the returned fields: |
- The result notification is signed by Antom. It is recommended that you verify the signature to confirm that the notification was sent by Antom. Refer to the following code example to check the notification:
@PostMapping("/receiveAuthNotify")
@ResponseBody
public Result receiveAuthNotify(HttpServletRequest request, @RequestBody String notifyBody) {
    // retrieve the required parameters from the HTTP request
    String requestUri = request.getRequestURI();
    String requestMethod = request.getMethod();
    // retrieve the required parameters from the request headers
    String requestTime = request.getHeader("request-time");
    String clientId = request.getHeader("client-id");
    String signature = request.getHeader("signature");
    try {
        // verify the signature before trusting any field of the body
        boolean verifyResult = WebhookTool.checkSignature(requestUri, requestMethod, clientId,
                requestTime, signature, notifyBody, ANTOM_PUBLIC_KEY);
        if (!verifyResult) {
            throw new RuntimeException("Invalid notify signature");
        }
        // deserialize the notification body
        AlipayAuthNotify authNotify = JSON.parseObject(notifyBody, AlipayAuthNotify.class);
        if (authNotify != null && authNotify.getResult() != null
                && "SUCCESS".equals(authNotify.getResult().getResultCode())
                && "TOKEN_CANCELED".equals(authNotify.getAuthorizationNotifyType())) {
            // the token is revoked: remove it from whichever user holds it so it is never used again
            // (the cancellation notification carries the accessToken, so look it up by value)
            String revokedToken = authNotify.getAccessToken();
            for (User user : users.values()) {
                user.getPaymentMethodTypeAccessToken().values().remove(revokedToken);
            }
            return Result.builder().resultCode("SUCCESS").resultMessage("success.").resultStatus(ResultStatusType.S).build();
        }
        // other types of notifications
    } catch (Exception e) {
        return Result.builder().resultCode("FAIL").resultMessage("fail.").resultStatus(ResultStatusType.F).build();
    }
    return Result.builder().resultCode("SYSTEM_ERROR").resultMessage("system error.").resultStatus(ResultStatusType.F).build();
}

- After receiving the notification, you are not required to sign the response, but must reply to every notification request in the following standardized format, regardless of whether the authorization cancellation was successful or not.
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "success"
  }
}

Common Question
Q: Do all payment methods support authorization cancellation from the payment method side?
A: Currently, Alipay, TrueMoney, Boost, and Touch'n Go eWallet all support revocation of authorization on the payment method side.
Q: Is it required for merchants to display a cancellation option on their side?
A: To ensure a better user experience, merchants need to expose a cancellation option.