Design Patterns and Essential Elements of External Payment System Interfaces

As a website with user transaction capabilities, enriching its payment channels is crucial for user acquisition and daily active user growth. The author summarizes design patterns of external payment system interfaces based on dozens of integrations they have encountered.

1. Alipay

Alipay is the largest domestic payment platform, and most websites integrate with it; many smaller channels also follow its interface design. The payment flow is illustrated in the diagram below.

The flow includes many hidden security details such as data encryption and signature verification, IP whitelist for asynchronous callbacks, and order verification against the site’s own records. Optional steps like synchronous callbacks can be omitted to improve user experience, relying solely on asynchronous callbacks for order confirmation.

2. WeChat Pay

The transaction volume of WeChat Pay is also considerable, and its flow is shown in the following diagram.

Compared with Alipay, the order creation step differs: WeChat Pay’s order request is made by the server, while Alipay’s is initiated from the front end. Server‑side order creation hides order details from the client, reducing the risk of tampering and improving security.

3. Deep‑Cooperation Point Deduction Model

Some sites or games cooperate with third‑party platforms to allow users to deduct points for goods or items. The third party provides a trusted API that lets the site deduct a user’s points after the user binds accounts. The flow, shown below, is relatively simple and usually involves only backend API calls without a front‑end checkout page.

This model requires proper interface encryption, signature verification, and agreed settlement rules, and benefits from the third party’s ability to query orders by the site’s order number for reconciliation.

4. Summary: Essential Elements of Payment System Interfaces

4.1 Interface Components

Order creation interface

Synchronous callback notification (must include both order IDs, amount, user info, status)

Asynchronous callback notification (same content as synchronous)

Transaction order query interface (supports querying by either party’s order ID to verify order validity and handle cases where callbacks are missed)

4.2 Security Components

Data encryption: HTTPS, AES, asymmetric encryption (public/private keys)

Signature rules: apply a hash (e.g., SHA‑256) to the whole payload and transmit the signature to prevent tampering

IP whitelist: restrict server‑to‑server calls to trusted IPs

Order information verification: actively query the payment channel to ensure order accuracy

Source: PHP Architecture public account

Copyright statement: Content originates from the web, copyright belongs to the original author. If any infringement is found, please notify us for removal.

-END-