# authNotify

Alipay+ uses the **authNotify** API to inform the Acquiring Service Provider (ACQP) in the following scenarios:

-   An authorization code is created at the Mobile Payment Provider (MPP) side. Alipay+ sends the authorization code and related parameters to the ACQP.
-   An access token is created at the MPP side. Alipay+ sends the access token and related parameters to the ACQP.
-   An access token is canceled at the MPP side due to one of the following reasons:
    -   A user successfully unbinds the merchant platform account and the MPP platform account through the merchant platform with the **cancelToken** API.
    -   A user successfully unbinds the merchant platform account and the MPP platform account through the MPP side.
    -   The MPP has to unbind the user account directly from the back-end system.

## Structure

A message consists of a header and body. The following sections are focused on the body structure. For the header structure, see:

-   [Request header](api_overview#3mLq0)
-   [Response header](api_overview#YdmVS)

**Note**:

Set the data type of each field (except array) as String. This means that you must use double quotation marks (" ") to enclose the field value. Examples:

-   If the data type of a field is Integer and its value is 20, set it as "20". 
-   If the data type of a field is Boolean and its value is `true`, set it as "true".

## Request parameters

#### authorizationNotifyType (String, REQUIRED)

The type of authorization notification. Valid values are:

-   `TOKEN_CREATED`: indicates that the access token is created by the MPP and is provided in the request.
-   `TOKEN_CANCELED`: indicates that the access token in the request is revoked.
-   `AUTHCODE_CREATED`: indicates that the authorization code is created by the MPP and is provided in the request.

#### authClientId (String, REQUIRED)

The unique ID that is assigned by the ACQP to identify the auth client, which is usually the merchant. For an authorization result notification, the value of the _authClientId_ parameter in the **authNotify** API is the same as the one in the **prepare** API.

More information:

- Maximum length: 64 characters

#### referenceMerchantId (String, REQUIRED)

The unique ID that is assigned by the ACQP to identify a merchant.

More information:

- Maximum length: 32 characters

#### accessToken (String)

The token that is used to access the MPP user's resources.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` or `TOKEN_CANCELED`.

More information:

- Maximum length: 128 characters

#### authCode (String)

The authorization code is used by the auth client to get an access token.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `AUTHCODE_CREATED`.

More information:

- Maximum length: 64 characters

#### authState (String)

A string that is generated by the auth client to represent the **prepare** API request. The value of this parameter must be the same as the one specified in the **prepare** API.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `AUTHCODE_CREATED`.

More information:

- Maximum length: 256 characters

#### customerId (String)

The unique ID that is assigned by Alipay+ to identify an MPP user.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the MPP provides a unique ID that identifies the user.

More information:

- Maximum length: 64 characters

#### userLoginId (String)

The login ID that is used by the MPP user to log in to the MPP platform. The value of _userLoginId_ can be the user's email address or the phone number and is desensitized when returned to the ACQP. The merchant can use this parameter to learn the identity of the user that has completed the authorization.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the value of the _scopes_ parameter in the **prepare** API contains `USER_LOGIN_ID`.

More information:

- Maximum length: 64 characters

#### referenceAgreementId (String)

The unique ID that is assigned by the auth client to identify an authorization.

**Note**: Required if the value of the _authorizationNotifyType_ parameter is `AUTHCODE_CREATED` or `TOKEN_CREATED`.

More information:

- Maximum length: 64 characters

#### accessTokenExpiryTime (Datetime)

The access token expiration time, after which the access token cannot be used.

**Note:** Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED`.

More information:

- The value follows the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) standard format. For example, "2019-11-27T12:01:01+08:00".

#### refreshToken (String)

The refresh token that is used by the auth client to get a new access token to replace the existing one. With this parameter, valid access tokens can be obtained continuously without further interaction with the user.

**Notes**:

-   Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the access token is short-term effective.
-   Not specified if the access token is long-term effective.

More information:

- Maximum length: 128 characters

#### refreshTokenExpiryTime (Datetime)

The refresh token expiration time, after which the refresh token cannot be used. Usually, the refresh token has a longer validity than the access token.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the _accessToken_ is short-term effective.

More information:

- The value follows the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) standard format. For example, "2019-11-27T12:01:01+08:00".

#### scopes (Array<String>)

The authorization scopes, which indicate the resources or capabilities that are authorized to the auth client. Valid values are:

-   `AGREEMENT_PAY`: indicates that the auth client can use an access token to deduct funds from the user's MPP app for Auto Debit payments.
-   `USER_LOGIN_ID`: indicates that the auth client can obtain the desensitized user login ID for the MPP app by using the **applyToken** API.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED`.

#### pspId (String, REQUIRED)

The unique ID that is assigned by Alipay+ to identify an MPP.

More information:

- Maximum length: 64 characters

#### acquirerId (String, REQUIRED)

The unique ID that is assigned by Alipay+ to identify an ACQP.

More information:

- Maximum length: 64 characters

#### reason (String)

The reason why the authorization is revoked.

**Note**: Specified if the value of the _authorizationNotifyType_ parameter is `TOKEN_CANCELED` and the user provides the reason for the authorization cancellation.

More information:

- Maximum length: 256 characters

#### tokenCancelSource (String)

This parameter indicates which partner requests to cancel the access token. Valid values are:

-   `ACQUIRER`: indicates that the ACQP requests to cancel the access token.
-   `PSP`: indicates that the MPP requests to cancel the access token.

**Note**: Required if the value of the _authorizationNotifyType_ parameter is `TOKEN_CANCELED`.

#### passThroughInfo (String)

The information that is passed through by Alipay+ to the ACQP. The value of this parameter is a set of key-value pairs.

**Note**: Specified by Alipay+ if the MPP wants to pass information to the ACQP.

More information:

- Maximum length: 20000 characters

## Response parameters

#### result (Result, REQUIRED)

The result parameter that indicates whether the notification is received. See **How to return the result** for details.

##### resultCode (String, REQUIRED)

The result code that indicates the detailed processing result.

More information:

- Maximum length: 64 characters

##### resultStatus (String, REQUIRED)

The result status that indicates the processing result. Valid values are:

-   `S`: Successful
-   `F`: Failed
-   `U`: Unknown

##### resultMessage (String)

The result message that describes the result code in detail.

More information:

- Maximum length: 256 characters

## More information

**How to return the result**

If you receive the notification successfully, set the value of _result.resultStatus_ to `S` and return an HTTP status code of `200` to indicate that your server received the call. Otherwise, Alipay+ treats the notification delivery as unsuccessful and retries sending the notification up to 7 times during a period of up to 24h22min. The intervals between consecutive attempts are as follows: 2min, 10min, 10min, 1h, 2h, 6h, and 15h. After that, no more notifications are sent.
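
The following is an added example, not Alipay+ sample code: a receiver-side check that enforces the per-type field rules and length limits listed above and builds the response body. It assumes the message signature in the request header has already been verified. `handle_auth_notify`, `pending_states` and the 256-character default cap are hypothetical, and returning `PARAM_ILLEGAL` for an `authState` that does not match a stored **prepare** request is a choice made for this example.

```python
from datetime import datetime

# Field rules transcribed from the parameter descriptions on this page.
MAX_LEN = {"authClientId": 64, "referenceMerchantId": 32, "accessToken": 128,
           "authCode": 64, "authState": 256, "customerId": 64, "userLoginId": 64,
           "referenceAgreementId": 64, "refreshToken": 128, "pspId": 64,
           "acquirerId": 64, "reason": 256, "passThroughInfo": 20000}
ALWAYS = ("authClientId", "referenceMerchantId", "pspId", "acquirerId")
BY_TYPE = {
    "AUTHCODE_CREATED": ("authCode", "authState", "referenceAgreementId"),
    "TOKEN_CREATED": ("accessToken", "accessTokenExpiryTime", "scopes",
                      "referenceAgreementId"),
    "TOKEN_CANCELED": ("accessToken", "tokenCancelSource"),
}

def _result(code, status, message):
    return {"result": {"resultCode": code, "resultStatus": status,
                       "resultMessage": message}}

def handle_auth_notify(body, pending_states):
    """Validate a parsed authNotify body. pending_states is a hypothetical
    store mapping authState -> authClientId saved at prepare time."""
    kind = body.get("authorizationNotifyType")
    if not isinstance(kind, str) or kind not in BY_TYPE:
        return _result("PARAM_ILLEGAL", "F", "unknown authorizationNotifyType")
    for name in ALWAYS + BY_TYPE[kind]:
        if not body.get(name):
            return _result("PARAM_ILLEGAL", "F", f"missing {name}")
    for name, value in body.items():
        if name == "scopes":
            ok = isinstance(value, list) and all(isinstance(s, str) for s in value)
        else:  # every non-array field is a String; 256 is an assumed default cap
            ok = isinstance(value, str) and len(value) <= MAX_LEN.get(name, 256)
        if not ok:  # messages name the field only, never echo token values
            return _result("PARAM_ILLEGAL", "F", f"bad value for {name}")
    if kind == "TOKEN_CREATED":
        try:
            datetime.fromisoformat(body["accessTokenExpiryTime"])
        except ValueError:
            return _result("PARAM_ILLEGAL", "F", "bad accessTokenExpiryTime")
    if kind == "AUTHCODE_CREATED":
        # Accept the code only for a prepare request this server issued for
        # the same auth client; lookup (not pop) keeps retries idempotent.
        if pending_states.get(body["authState"]) != body["authClientId"]:
            return _result("PARAM_ILLEGAL", "F", "authState mismatch")
    return _result("SUCCESS", "S", "success")
```

Because Alipay+ retries a notification it considers undelivered, the same body can arrive more than once; the handler returns the same result for a repeat, and the caller should make the follow-up token exchange idempotent as well.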

## Result/Error codes

| Code | Value | Message |
| --- | --- | --- |
| SUCCESS | S | Success |
| ACCESS_DENIED | F | Access is denied. |
| INVALID_CLIENT | F | The client is invalid. |
| INVALID_SIGNATURE | F | The signature is invalid. |
| KEY_NOT_FOUND | F | The key is not found. |
| MEDIA_TYPE_NOT_ACCEPTABLE | F | The server does not implement the media type that is acceptable to the client. |
| METHOD_NOT_SUPPORTED | F | The server does not implement the requested HTTPS method. |
| NO_INTERFACE_DEF | F | API is not defined. |
| PARAM_ILLEGAL | F | Illegal parameters. For example, non-numeric input, invalid date. |
| PROCESS_FAIL | F | A general business failure occurred. Do not retry. |
| REQUEST_TRAFFIC_EXCEED_LIMIT | U | The request traffic exceeds the limit. |
| UNKNOWN_EXCEPTION | U | An API call failed, which is caused by unknown reasons. |

## Request

### ALIPAY, ALIPAY_HK, DANA, H5, AUTHCODE_CREATION_NOTIFICATION, DIRECT

```json
{
  "authorizationNotifyType": "AUTHCODE_CREATED",
  "authClientId": "218823863726123456789",
  "referenceMerchantId": "218823863726123456780",
  "authCode": "281010133AB2F588D14B432312345678",
  "authState": "663A8FA9-D836-48EE-8AA1-1FF682989DC7",
  "referenceAgreementId": "aNDJWQNNabdad1234",
  "acquirerId": "1021234567891230001",
  "pspId": "1021234567891230002"
}
```

### TOKEN_CREATION_NOTIFICATION

```json
{
  "authorizationNotifyType": "TOKEN_CREATED",
  "authClientId": "218823863726123456789",
  "referenceMerchantId": "218823863726123456780",
  "referenceAgreementId": "667d730b56123456789",
  "accessToken": "281010033AB2F588D14B4323863726123456789",
  "accessTokenExpiryTime": "2022-06-06T12:12:12+08:00",
  "refreshToken": "2810100334F62CBC577F468AAC123456789",
  "refreshTokenExpiryTime": "2021-06-08T12:12:12+08:00",
  "scopes": [
    "AGREEMENT_PAY",
    "USER_LOGIN_ID"
  ],
  "customerId": "278980891234567891234567891",
  "userLoginId": "62-***2736",
  "acquirerId": "1021234567891230001",
  "pspId": "1021234567891230002"
}
```

### TOKEN_CANCELLATION_NOTIFICATION

```json
{
  "authorizationNotifyType": "TOKEN_CANCELED",
  "authClientId": "218823863726123456789",
  "referenceMerchantId": "218823863726123456780",
  "accessToken": "281010033AB2F588D14B4323123456789",
  "acquirerId": "1021234567891230001",
  "pspId": "1021234567891230002",
  "tokenCancelSource": "ACQUIRER"
}
```

## Response

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "success"
  }
}
```