Alipay+ Docs

Account unbinding

Alipay+ allows a user to unbind the payment account in either of the following two ways:

  • Unbind the payment account from the merchant side.
  • Initiate the account unbinding process from the Mobile Payment Provider (/wallet) side.
      • If the merchant allows the user to unbind the payment account from the wallet side, the user can complete the account unbinding process at the wallet side.
      • Otherwise, the user is guided to the merchant side to complete the account unbinding.

Account unbinding is implemented by revoking the access token that is related to the specified authorization record. Once the access token is deactivated at the wallet side, the merchant cannot use the access token for any further interactions.

This topic shows how the Mobile Payment Provider (MPP) uses the Alipay+ interfaces to process account unbinding for each of the two methods.

Note: In the following paragraphs, "MPP" is used as an abbreviation of "Mobile Payment Provider", and "ACQP" is used as an abbreviation of "Acquiring Service Provider".

Unbinding from the merchant side

Workflow

The following figure illustrates the account unbinding workflow that is initiated from the merchant side:


Figure 1. Workflow of account unbinding from the merchant side

The account unbinding workflow contains the following steps:

  1. The merchant initiates an account unbinding request to the ACQP. (Step 1)
  2. The ACQP calls the cancelToken interface to revoke the specified access token. (Step 2)
  3. Alipay+ calls the cancelToken interface to revoke the specified access token. (Step 3)
  4. Alipay+ interacts with the MPP to deactivate the access token, and returns the processing result. (Steps 4-7)
  5. Alipay+ calls the authNotify interface to notify the ACQP of the token cancellation result. The ACQP acknowledges the notification and syncs the same information with the merchant. (Steps 8-9)

MPP actions

The following procedure describes the actions that the MPP needs to perform to process account unbinding that is initiated from the merchant side.

Step 1. Handle the cancelToken request to revoke the access token

On receiving the cancelToken request from Alipay+, the MPP needs to handle the request and deactivate the access token that is specified in the request.

Processing logic

  • The request parameter accessToken is used for idempotency control. If an authorization revocation request with a specific access token has been processed successfully, the MPP must return the result status of S for subsequent requests to revoke the authorization with the same access token.
  • If the value of the result.resultStatus parameter is S, the authorization is successfully canceled. The access token cannot be used to access the user's resources, and the related refresh token cannot be used to obtain a new access token.

Sample

  1. Alipay+ sends the request to the MPP.
{
  "acquirerId":"10221880000000****",
  "pspId":"10220880000000****",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A****",
  "authClientId": "218812341234****"
}
  2. The MPP returns the result to Alipay+.
{
 "result": {
    "resultCode":"SUCCESS",
    "resultStatus":"S",
    "resultMessage":"Success"
  }
}
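
The idempotency rule above, as an added example (not part of the Alipay+ documentation or SDK): a minimal MPP-side cancelToken handler in Python. The AuthorizationStore class, its record layout, the authClientId match and the LookupError raised for an unknown token are assumptions; map that failure to a result according to the cancelToken reference.

```python
SUCCESS = {"result": {"resultCode": "SUCCESS", "resultStatus": "S",
                      "resultMessage": "Success"}}


class AuthorizationStore:
    """In-memory stand-in for the MPP's authorization records (hypothetical)."""

    def __init__(self):
        self._by_access = {}  # accessToken -> authorization record

    def bind(self, access_token, refresh_token, auth_client_id):
        self._by_access[access_token] = {
            "authClientId": auth_client_id,
            "refreshToken": refresh_token,
            "revoked": False,
        }

    def access_token_usable(self, access_token):
        rec = self._by_access.get(access_token)
        return rec is not None and not rec["revoked"]

    def refresh_token_usable(self, refresh_token):
        # A refresh token dies together with its access token.
        return any(r["refreshToken"] == refresh_token and not r["revoked"]
                   for r in self._by_access.values())

    def handle_cancel_token(self, request):
        """Process a cancelToken request body and return the response body."""
        rec = self._by_access.get(request["accessToken"])
        # Assumption: the token must belong to the authClientId in the request.
        if rec is None or rec["authClientId"] != request["authClientId"]:
            raise LookupError("no matching authorization record")
        # Mark the record revoked instead of deleting it. The tombstone is
        # what lets a retry with the same accessToken find the record and
        # receive S again rather than an "unknown token" failure.
        rec["revoked"] = True
        return SUCCESS
```

Deleting the record on the first call would make the second call indistinguishable from a request for a token that never existed, which is why the record is kept and flagged.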

More information

For more information about how to handle the cancelToken API request and return the response, see cancelToken.

Step 2. Notify Alipay+ of the unbinding result

After the access token is revoked at the wallet side, the MPP needs to call the authNotify interface to asynchronously notify Alipay+ of the unbinding result, so that the result is synced with the ACQP side.

Processing logic

When configuring the authNotify API request, the MPP needs to set the authorizationNotifyType parameter to TOKEN_CANCELED to indicate that the notification is about access token cancellation.

Sample

The MPP sends a request to Alipay+ to notify it that the access token is revoked at the wallet side.

{
  "authorizationNotifyType":"TOKEN_CANCELED",
  "authClientId": "218823863726*********",
  "accessToken": "281010033AB2F588D14B4323*********"
}

Alipay+ returns a response to the MPP.

{
   "result": {
    "resultCode":"SUCCESS",
    "resultStatus":"S",
    "resultMessage":"success"
   },
  "acquirerId": "102xxxxxxxxxxxx0001",
  "pspId":"102xxxxxxxxxxxx0001"
}

More information

For more information about how to send the authNotify API request and handle the response, see authNotify.

Unbinding from the wallet side

Workflow

The following figure illustrates the account unbinding workflow that is initiated from the wallet side:


Figure 2. Workflow of account unbinding from the wallet side

The account unbinding workflow contains the following steps:

  1. A user initiates the account unbinding process by clicking an authorization record in the MPP client (for example, the wallet app).
  2. The MPP client initiates a consultation request about account unbinding. The MPP server then calls the consultUnbinding interface, and Alipay+ passes the request to the ACQP.
  3. The ACQP checks whether the merchant allows the corresponding access token to be revoked from the wallet side. The consultation result is then returned to the MPP client and cached in the MPP server. The consultation result contains the result.resultStatus and allowUnbinding parameters.
      1. If the merchant does not allow the access token to be revoked from the wallet side, the MPP client hides the button for unbinding and guides the user to unbind the payment account from the merchant side.
      2. Otherwise, the MPP client displays the button for unbinding. After the user clicks the button to confirm unbinding, the MPP server checks the cached consultation result and the expiration time of the access token.
          • If the merchant does not allow the access token to be revoked from the wallet side or the access token is expired, the MPP server syncs with the MPP client that the unbinding fails. Then the MPP client displays the related information and guides the user to unbind the payment account from the merchant side.
          • If the merchant allows the access token to be revoked from the wallet side and the access token is within the expiration time, the MPP server completes account unbinding and syncs with the MPP client that the unbinding succeeds. At the same time, the MPP also calls the authNotify interface to notify Alipay+ of the unbinding result, thus triggering the ACQP to complete the account unbinding.

MPP actions

The following procedure describes the actions that the MPP needs to perform to process account unbinding that is initiated from the wallet side.

Step 1. Consult about account unbinding

The MPP needs to call the consultUnbinding interface to get the consultation result of whether the merchant allows the corresponding access token to be revoked from the wallet side.

Processing logic

The following parameters are returned in the consultation result:

  • result: indicates the API call result.
  • allowUnbinding: indicates whether the merchant allows the access token to be revoked from the wallet side.

The MPP needs to retrieve the value of the allowUnbinding parameter only when the value of result.resultStatus is S, which means that the consultation about unbinding succeeds. Depending on the value of the allowUnbinding parameter, the MPP needs to take different further actions:

  • If the value of allowUnbinding is false, the merchant does not allow the access token to be revoked from the wallet side. In this case, the MPP needs to:
      • Hide the button that is used for account unbinding, and guide the user to unbind the account from the merchant side.
      • Integrate the cancelToken interface to revoke the access token. For more information, see Unbinding from the merchant side.
  • If the value of allowUnbinding is true, the merchant allows the access token to be revoked from the wallet side. In this case, the MPP needs to:
      • On the Authorization detail Page, display the button that is used for account unbinding. It is recommended to pop up a service cancellation page so that users can confirm their decision a second time.
      • Cache the consultation result in the MPP server so that the MPP can double-check it when the user clicks the button to confirm unbinding. It is recommended to set the caching time to 30 minutes. When the caching time expires, the MPP needs to guide the user to refresh or reopen the Authorization detail Page and reinitiate the account unbinding process.

For more information about how to design pages, see Auto Debit UX Design Guideline.

Sample

The MPP sends a request to Alipay+.

{
  "authClientId": "218882112121**",
  "referenceMerchantId": "218882112121**",
  "accessToken": "2810120412122ojsalksa***"
}

Alipay+ returns a response to the MPP.

{
   "result": {
    "resultCode":"SUCCESS",
    "resultStatus":"S",
    "resultMessage":"success"
   },
  "acquirerId": "102xxxxxxxxxxxx0001",
  "pspId":"102xxxxxxxxxxxx0001",
  "allowUnbinding": "false",
  "refuseReason": "merchant not allow unbinding"
}

More information

For more information about how to send the consultUnbinding API request and handle the response, see consultUnbinding.

Step 2. Revoke authorization and notify Alipay+ of the unbinding result

When the user clicks the button to confirm unbinding, the MPP needs to perform the following actions:

  • Deactivate the access token at its side.
  • Call the authNotify interface to notify Alipay+ of the unbinding result and thus trigger the ACQP to revoke authorization.

For more information, see Notify Alipay+ of the unbinding result.
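
The wallet-side procedure of Steps 1 and 2, as an added example (not Alipay+ or SDK code): a Python sketch of the MPP server caching the consultUnbinding result for 30 minutes and re-checking it, together with the token expiry, when the user confirms. The UnbindingConsultCache class, the action names it returns and the fail-closed handling of a non-S consultation are assumptions.

```python
import time

CACHE_TTL_SECONDS = 30 * 60  # caching time recommended on this page


class UnbindingConsultCache:
    """Server-side cache of consultUnbinding results (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._entries = {}       # accessToken -> (allow_unbinding, cached_at)

    def store(self, access_token, response):
        """Cache a consultation result; return True if the button may be shown."""
        self._entries.pop(access_token, None)
        # allowUnbinding is only read when the consultation itself succeeded.
        if response["result"]["resultStatus"] != "S":
            return False         # assumption: fail closed, hide the button
        # The page's sample carries the flag as the string "false"; accept
        # both string and boolean forms.
        allow = str(response.get("allowUnbinding")).lower() == "true"
        self._entries[access_token] = (allow, self._clock())
        return allow

    def confirm(self, access_token, auth_client_id, token_expires_at):
        """Re-check on the server when the user confirms unbinding.

        Returns (action, authNotify request body or None). The action names
        are made up for this example.
        """
        now = self._clock()
        entry = self._entries.get(access_token)
        if entry is None or now - entry[1] > CACHE_TTL_SECONDS:
            return "REFRESH_PAGE", None        # consultation missing or stale
        allowed, _ = entry
        if not allowed or now >= token_expires_at:
            return "GUIDE_TO_MERCHANT", None   # unbinding fails at the wallet
        del self._entries[access_token]
        # Caller deactivates the token locally, then sends this to Alipay+.
        return "UNBIND", {
            "authorizationNotifyType": "TOKEN_CANCELED",
            "authClientId": auth_client_id,
            "accessToken": access_token,
        }
```

The decision is taken from the server-side cache, never from what the client displayed, so a client that shows the button when it should not still cannot complete an unbinding the merchant refused.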

Note: Under heavy pressure from customer complaints, the MPP might have to deactivate the access token directly from the back-end system. In this case, the MPP needs to call the authNotify interface and identify the account binding request by specifying a reason in the reason parameter.