Changelog

Gateway-side changes. SDK-specific changelogs live on the per-SDK pages: Flutter, Angular.

Unreleased

Outbound webhook signing (X-Webhook-Signature, X-Webhook-Timestamp, HMAC-SHA256). Currently unimplemented; the signature verification page is gated until this lands.
mastercard_payment_method: "DIRECT_CAPTURE" — full PAN capture instead of hosted session. Will require integrators to meet SAQ D.
List endpoints — transaction history, payout batches. Will use the cursor pagination convention documented at Pagination.
Path renames in v2 — /api/v1/internal/sessions/create → /api/v1/merchant/sessions/create, /api/v1/payments/b2c removed (use /payments/send). See Versioning.

The current public surface. 22 documented public endpoints across the API reference. See /api-reference for the full list and schemas.

Auth-v3. Per-checkout session tokens, body binding, device-fingerprint binding (in warn mode for the first 14 days of every session), idempotency replay protection.
Three environments: sandbox (app.api.gtwy.pdirect.com), staging (staging.app.api.gtwy.pdirect.com), production (app.api.gtwy.pdirect.com).
Six locales: en, fr, es, ru, zh, ln. Translated via the Accept-Language header.
Three currencies: usd, cdf, xof.
Eight payment methods: wallet, mobile money, card (hosted session), flash, bank transfer, Google Pay, Apple Pay, plus the deferred-choice none.
Webhook delivery with 4-attempt exponential backoff (5s, 15s, 60s). No DLQ; signing not yet enforced.
Rate limiting: 30/min general, 5/5min OTP, 60/min 3DS callbacks.

These contracts are guaranteed within v1:

All 22 public endpoint paths and methods.
The error_code catalogue (1001–1599) — codes never change meaning.
Field types in request and response bodies.
The HMAC algorithm and header names once webhook signing ships (these will be added without a breaking change).