# authNotify

`POST /aps/api/v1/authorizations/authNotify`

The Mobile Payment Provider (MPP) uses the **authNotify** API to inform Alipay+ in the following scenarios:

-   An authorization code is created at the MPP side. The MPP sends the authorization code and related parameters to Alipay+.
-   An access token is created at the MPP side. The MPP sends the access token and related parameters to Alipay+.
-   An access token is canceled at the MPP side due to one of the following reasons:
    -   A user successfully unbinds the merchant platform account and the MPP platform account through the merchant platform with the **cancelToken** API.
    -   A user successfully unbinds the merchant platform account and the MPP platform account through the MPP side.
    -   The MPP has to unbind the user account directly from the back-end system.

**Note**: In the following sections, the MPP is also known as PSP. For example, _pspId_ refers to the ID that identifies an MPP. 

## Structure

A message consists of a header and a body. The following sections focus on the body structure. For the header structure, see:

-   [Request header](api_overview#3mLq0)
-   [Response header](api_overview#YdmVS)

> **Note**:
>
> 1.  Set the data type of each parameter (except array) as String. This means that you must use double quotation marks (" ") to enclose the parameter value. Examples:
>     -   If the data type of a parameter is Integer and its value is 20, set it as "20".
>     -   If the data type of a parameter is Boolean and its value is `true`, set it as "true".
> 2.  For optional parameters that are not required in your case, you can take one of the following actions:
>     -   Exclude the parameters from the request body.
>     -   Set the parameter values as `null` (without the double quotation marks).
>
> Do NOT leave the optional parameters empty by setting their values as `""`; otherwise, an error might occur.

## Request parameters

#### authorizationNotifyType (String, REQUIRED)

The type of authorization notification. Valid values are:

-   `TOKEN_CREATED`: indicates that the access token is created by the MPP and is provided in the request.
-   `TOKEN_CANCELED`: indicates that the access token in the request is revoked.
-   `AUTHCODE_CREATED`: indicates that the authorization code is created by the MPP and is provided in the request.

#### authClientId (String, REQUIRED)

The unique ID that is assigned by the Acquiring Service Provider (ACQP) to identify the auth client, which is usually the merchant.

More information:

- Maximum length: 64 characters

#### referenceMerchantId (String, REQUIRED)

The unique ID that is assigned by the Acquiring Service Provider to identify a merchant.

More information:

- Maximum length: 32 characters

#### accessToken (String)

The token that is used to access the MPP user's resources.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` or `TOKEN_CANCELED`.

More information:

- Maximum length: 128 characters

#### authCode (String)

The authorization code that is used by the auth client to get an access token.

**Notes**: 

-   Required when the value of the _authorizationNotifyType_ parameter is `AUTHCODE_CREATED`.
-   The first 8 digits of the authorization code must be in the format of `281***13`. The fourth to sixth digits are assigned by Alipay+.

More information:

- Maximum length: 32 characters

#### authState (String)

A string that is generated by the auth client to represent the **prepare** API request. The value of this parameter must be the same as the one specified in the **prepare** API.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `AUTHCODE_CREATED`.

More information:

- Maximum length: 256 characters

#### userLoginId (String)

The login ID that is used by the MPP user to log in to the MPP platform. The value of _userLoginId_ can be the user's email address or the phone number and is desensitized when returned to the ACQP. The merchant can use this parameter to learn the identity of the user that has completed the authorization.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the value of the _scopes_ parameter in the **prepare** API contains `USER_LOGIN_ID`.

More information:

- Maximum length: 64 characters

#### customerId (String)

The unique ID that is assigned by the MPP to identify an MPP user.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED`.

More information:

- Maximum length: 64 characters

#### referenceAgreementId (String)

The unique ID that is assigned by the auth client to identify an authorization.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` or `AUTHCODE_CREATED`.

More information:

- Maximum length: 64 characters

#### accessTokenExpiryTime (Datetime)

The access token expiration time, after which the access token cannot be used.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED`.

More information:

- The value follows the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) standard format. For example, "2019-11-27T12:01:01+08:00".

#### refreshToken (String)

The refresh token is used by the auth client to replace the old access token with a new one. With this parameter, valid access tokens can be obtained continuously without further interaction with the user.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the access token is short-term effective. You are not required to specify this parameter if the access token is long-term effective, that is, 10 years or longer.

More information:

- Maximum length: 128 characters

#### refreshTokenExpiryTime (Datetime)

The refresh token expiration time, after which the refresh token cannot be used.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED` and the access token is short-term effective.

More information:

- The value follows the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) standard format. For example, "2019-11-27T12:01:01+08:00".

#### scopes (Array<String>)

The authorization scopes, which define what is authorized to the auth client. Valid values are:

-   `AGREEMENT_PAY`: indicates that the auth client can use an access token to deduct funds from the user's MPP account for Auto Debit payments.
-   `USER_LOGIN_ID`: indicates that the auth client can obtain the desensitized user login ID for the MPP platform by using the **applyToken** API.
-   `BASE_USER_INFO`: indicates that the auth client can obtain the unique user ID of the MPP platform.
-   `HASH_LOGIN_ID`: indicates that the auth client can obtain the hash user login ID of the MPP platform.
-   `SEND_OTP`: indicates that the auth client can send OTPs to the user.
-   `PLAINTEXT_USER_LOGIN_ID`: indicates that the auth client can obtain the plain-text user login ID for the MPP platform by using the **applyToken** API.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CREATED`.

#### reason (String)

The reason why the authorization is revoked.

Specify this parameter if the value of the _authorizationNotifyType_ parameter is `TOKEN_CANCELED` and the user provides the reason for the authorization cancellation.

More information:

- Maximum length: 256 characters

#### passThroughInfo (String)

The information that is passed through by the MPP to Alipay+. The value of this parameter is in the form of key-value pairs.

Specify this parameter if the MPP wants to pass information to the ACQP.

More information:

- Maximum length: 20000 characters
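
The conditional rules spread across the request parameters above (which fields go with which _authorizationNotifyType_, the length limits, the String-only typing, the ban on `""`, and the `281***13` authCode prefix) can be checked in one place before a request that carries tokens leaves the MPP. The following is an added example, not Alipay+ code; `validate_auth_notify` and the constant names are hypothetical, and parameters whose requirement depends on information outside the body (_refreshToken_, _userLoginId_, _reason_) are not enforced.

```python
import re

# Maximum lengths from the parameter descriptions on this page.
MAX_LEN = {
    "authClientId": 64, "referenceMerchantId": 32, "accessToken": 128,
    "authCode": 32, "authState": 256, "userLoginId": 64, "customerId": 64,
    "referenceAgreementId": 64, "refreshToken": 128, "reason": 256,
    "passThroughInfo": 20000,
}
# Parameters the page says to specify for each authorizationNotifyType,
# in addition to the two that are always REQUIRED.
REQUIRED_BY_TYPE = {
    "AUTHCODE_CREATED": ["authCode", "authState", "referenceAgreementId"],
    "TOKEN_CREATED": ["accessToken", "customerId", "referenceAgreementId",
                      "accessTokenExpiryTime", "scopes"],
    "TOKEN_CANCELED": ["accessToken"],
}
# authCode must start with 281***13; the page calls positions 4-6 digits.
AUTHCODE_PREFIX = re.compile(r"^281\d{3}13")

def validate_auth_notify(body):
    """Return a list of problems; an empty list means the body passes."""
    errors = []
    notify_type = body.get("authorizationNotifyType")
    if not isinstance(notify_type, str) or notify_type not in REQUIRED_BY_TYPE:
        return [f"authorizationNotifyType: invalid value {notify_type!r}"]
    required = ["authClientId", "referenceMerchantId"] + REQUIRED_BY_TYPE[notify_type]
    for name in required:
        if body.get(name) is None:
            errors.append(f"{name}: required for {notify_type}")
    for name, value in body.items():
        if value is None:
            continue  # null is an allowed way to leave out an optional parameter
        if name == "scopes":
            if not (isinstance(value, list) and all(isinstance(s, str) for s in value)):
                errors.append("scopes: must be an array of strings")
        elif not isinstance(value, str):
            errors.append(f"{name}: must be a JSON string, got {type(value).__name__}")
        elif value == "":
            errors.append(f"{name}: empty string not allowed; omit or use null")
        elif len(value) > MAX_LEN.get(name, len(value)):
            errors.append(f"{name}: longer than {MAX_LEN[name]} characters")
    code = body.get("authCode")
    if isinstance(code, str) and code and not AUTHCODE_PREFIX.match(code):
        errors.append("authCode: first 8 characters must match 281***13")
    return errors
```

Run it on the parsed request body just before signing; rejecting a malformed body locally avoids a `PARAM_ILLEGAL` round trip.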

## Response parameters

#### result (Result, REQUIRED)

The result parameter that indicates whether the notification is received. For more information about how to handle the result of the **authNotify** API, see _How to handle the result_.

##### resultCode (String, REQUIRED)

The result code that indicates the detailed processing result.

More information:

- Maximum length: 64 characters

##### resultStatus (String, REQUIRED)

The result status that indicates the processing result. Valid values are:

-   `S`: Successful
-   `F`: Failed
-   `U`: Unknown

##### resultMessage (String)

The result message that describes the result code in detail.

More information:

- Maximum length: 256 characters

#### acquirerId (String)

The unique ID that is assigned by Alipay+ to identify an ACQP.

This parameter is returned by Alipay+ if the value of the _result.resultCode_ parameter is `SUCCESS`.

More information:

- Maximum length: 64 characters

#### pspId (String)

The unique ID that is assigned by Alipay+ to identify an MPP.

This parameter is returned by Alipay+ if the value of the _result.resultCode_ parameter is `SUCCESS`.

More information:

- Maximum length: 64 characters

## More information

### How to handle the result

You might receive different results from Alipay+. Follow the instructions below to handle the result. 

| result.resultStatus | result.resultCode                                      | Notification status    | Actions                                                                                                                                  |
|---------------------|-------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| `S`                 | `SUCCESS`                                             | Notification succeeds. | N/A                                                                                                                                      |
| `F`                 | Multiple possible values, such as `ACCESS_DENIED`, `KEY_NOT_FOUND`, etc. | Notification fails.    | Take actions according to the error message in `result.resultCode`. If the problem persists, contact connect_support@service.alipay.com. |
| `U`                 | Multiple possible values, such as `UNKNOWN_EXCEPTION`, `REQUEST_TRAFFIC_EXCEED_LIMIT`, etc. | Unknown                | Unknown exception, which might be caused by network timeout. It is recommended that the MPP server retry the **authNotify** API request. |
| No result received  | No result received                                    | Unknown                | It is recommended that the MPP server retry the **authNotify** API request.                                                              |

### Retry mechanism

After receiving the notification, Alipay+ responds with an HTTP status code of `200` and sends an acknowledgment with _result_._resultStatus_ of `S` to indicate that the Alipay+ server received and processed the call. The MPP must be able to detect whether Alipay+ failed to send the acknowledgment, and must be able to retry sending the notification. The suggested retry rule is as follows:

-   Retry 1~2 times within 5 seconds.
-   The subsequent intervals increase consecutively. For example, 30sec, 1min, 2min, ...
-   A total of 15 retries are suggested.  
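
The result-handling table and the retry rule above combine into one loop: stop on `S` or `F`, retry on `U` or when no result is received, and give up after 15 retries. The following is an added example, not Alipay+ code; `send` is a hypothetical callable that posts the signed request, and the 2-second fast gap and the doubling of later intervals are assumptions that fit the page's "within 5 seconds" and "30sec, 1min, 2min" wording.

```python
import time

MAX_RETRIES = 15          # total retries suggested on this page
FAST_DELAYS = [2.0, 2.0]  # two retries inside the first 5 seconds (constructed values)

def retry_delays():
    """Wait in seconds before each retry: fast ones, then 30s, 1min, 2min, ..."""
    delays = list(FAST_DELAYS)
    slow = 30.0
    while len(delays) < MAX_RETRIES:
        delays.append(slow)
        slow *= 2  # assumption: keep doubling, as in the 30s/1min/2min example
    return delays

def classify(response):
    """Map a parsed response (or None when nothing usable came back) to an action."""
    result = response.get("result") if isinstance(response, dict) else None
    status = result.get("resultStatus") if isinstance(result, dict) else None
    if status == "S":
        return "done"
    if status == "F":
        return "failed"  # act on result.resultCode; the table lists no retry for F
    return "retry"       # U, or no result received

def notify_with_retry(send, sleep=time.sleep):
    """Call send() until S or F, or until the retry budget is used up.

    send is a hypothetical callable that posts the signed authNotify request
    and returns the parsed JSON body, or None on timeout or connection error.
    Returns (outcome, attempts, last_response).
    """
    response = send()
    attempts = 1
    for delay in retry_delays():
        action = classify(response)
        if action != "retry":
            return action, attempts, response
        sleep(delay)
        response = send()
        attempts += 1
    action = classify(response)
    return ("exhausted" if action == "retry" else action), attempts, response
```

An `exhausted` outcome means Alipay+ never acknowledged the notification, so log it and alert on it instead of dropping it silently.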

### Sample

#### AuthCode creation notification

The MPP sends a request to Alipay+ to notify that the authorization code is created at the MPP side. 

```json
{
  "authorizationNotifyType": "AUTHCODE_CREATED",
  "authClientId": "218823863726123456789",
  "referenceMerchantId": "218823863726123456789",
  "authCode": "281010133AB2F588D14B432312345678",
  "authState": "663A8FA9-D836-48EE-8AA1-1FF682989DC7",
  "referenceAgreementId": "aNDJWQNNabdad1234"
}
```

Alipay+ returns a response to the MPP. 

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "success"
  },
  "acquirerId": "1021234567891230001",
  "pspId": "1021234567891230002"
}
```

#### Token cancellation notification

The MPP sends a request to Alipay+ to notify that the access token is cancelled at the MPP side.  

```json
{
  "authorizationNotifyType": "TOKEN_CANCELED",
  "authClientId": "218823863726123456789",
  "referenceMerchantId": "218823863726123456789",
  "accessToken": "281010033AB2F588D14B4323123456789"
}
```

Alipay+ returns a response to the MPP. 

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "success"
  },
  "acquirerId": "1021234567891230001",
  "pspId": "1021234567891230002"
}
```

#### Token creation notification

The MPP sends a request to Alipay+ to notify that the access token is created at the MPP side. 

```json
{
  "authorizationNotifyType": "TOKEN_CREATED",
  "authClientId": "218823863726123456789",
  "referenceMerchantId": "218823863726123456789",
  "referenceAgreementId": "667d730b56123456789",
  "accessToken": "281010033AB2F588D14B4323863726123456789",
  "accessTokenExpiryTime": "2022-06-06T12:12:12+08:00",
  "refreshToken": "2810100334F62CBC577F468AAC123456789",
  "refreshTokenExpiryTime": "2022-06-08T12:12:12+08:00",
  "scopes": ["AGREEMENT_PAY"],
  "customerId": "2789808912345678912345671",
  "userLoginId": "62-***2736"
}
```

Alipay+ returns a response to the MPP. 

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "success"
  },
  "acquirerId": "1021234567891230001",
  "pspId": "1021234567891230002"
}
```

## Result/Error codes

| Code | Value | Message | Further action |
| --- | --- | --- | --- |
| SUCCESS | S | Success | N/A |
| ACCESS_DENIED | F | Access is denied. | It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue. |
| INVALID_CLIENT | F | The client is invalid. | It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue. |
| INVALID_SIGNATURE | F | The signature is invalid. | Check whether the public key, signed message, and signature algorithm are as expected. |
| KEY_NOT_FOUND | F | The key is not found. | It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue. |
| MEDIA_TYPE_NOT_ACCEPTABLE | F | The server does not implement the media type that is acceptable to the client. | Use a media type that is accepted by Alipay+. |
| METHOD_NOT_SUPPORTED | F | The server does not implement the requested HTTPS method. | Ensure the HTTP method is POST. |
| NO_INTERFACE_DEF | F | API is not defined. | Check whether the request URL is correct. Ensure that the endpoint of the called API is correct. |
| PARAM_ILLEGAL | F | Illegal parameters. For example, non-numeric input, invalid date. | Check whether the request parameters, including the header parameters and body parameters, are correct and valid. For more information about the parameters of each API, see the Structure section of the specific API reference topic. |
| PROCESS_FAIL | F | A general business failure occurred. Do not retry. | It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue. |
| REQUEST_TRAFFIC_EXCEED_LIMIT | U | The request traffic exceeds the limit. | Reduce the frequency of API calls. |
| UNKNOWN_EXCEPTION | U | An API call failed, which is caused by unknown reasons. | Call the API again. |
