Take advantage of these resources to help you test your integration across various scenarios.
Testing Credentials
Consult your Account Manager to initiate the onboarding process.
Once this process is finished, you will receive your testing credentials, including:
- Terminal Code
- Bearer Token
- Client ID
When you have your credentials, you are ready to start the integration process.
Within your testing environment, you gain the ability to:
- Digitally onboard your merchants, in case you are a Payment Facilitator
- Initiate your integration process
- Explore the features and tools at your disposal
- Conduct test payments
Keep in mind that a test account allows you to explore SIBS integrations but does not guarantee live payment processing.
Testing Cards
Prior to implementing live payment processing, you have the option to use the provided card details from this page for testing purposes.
Please note that these details are exclusively applicable on our testing platform and do not involve actual transactions or the transfer of any funds.
Here are some testing cards you can use:
| Brand | Card number | Expiry date | CVC/CVV | 3DS | 3DS Authentication password |
|---|---|---|---|---|---|
| Visa | 4176660000000100 | 12/25 | 597 | Yes (Challenge) | 123456 |
| Visa | 4761340000000035 | 12/25 | 536 | No | – |
| Mastercard | 5185520050000010 | 12/25 | 001 | Yes (Challenge) | 123456 |
| Mastercard | 5204740000001002 | 12/25 | 100 | Yes (Frictionless) | – |
| Mastercard | 5206361000001351 | 12/25 | 536 | No | – |
| Cartes Bancaires Visa | 4970 4178 0960 9823 | 03/23 | 914 | Yes (Frictionless) | – |
| Cartes Bancaires MasterCard | 5134 1486 5519 7817 | 04/24 | 419 | Yes (Challenge) | 123456 |
| Cartes Bancaires Visa | 4010 0562 0000 0018 | 01/25 | 123 | Yes (Frictionless) | |
| Cartes Bancaires MasterCard | 5137 2100 0000 0018 | 01/25 | 123 | Yes (Challenge) | 123456 |
Handling responses
Response codes provide valuable insights into the outcome of an API request. This page provides a comprehensive description of the potential response codes you may encounter.
HTTP Status Codes
HTTP defines a set of forty standard status codes that communicate the results of a client’s request. These status codes are categorized into the following five groups:
| Category | Description | Details |
|---|---|---|
| 1xx | Informational | Communicates transfer protocol-level information. |
| 2xx | Success | Indicates that the client’s request was accepted successfully. |
| 3xx | Redirection | Indicates that the client must take some additional action in order to complete their request. |
| 4xx | Client Error | This category of error status codes points the finger at clients. |
| 5xx | Server Error | The server takes responsibility for these error status codes. |
| Code | Description | Detail and Action |
|---|---|---|
| 200 | OK | It indicates that the REST API successfully carried out whatever action the client requested and that no more specific code in the 2xx series is appropriate. Unlike the 204 status code, a 200 response should include a response body.The information returned with the response is dependent on the method used in the request, for example: GET an entity corresponding to the requested resource is sent in the response; HEAD the entity-header fields corresponding to the requested resource are sent in the response without any message-body; POST an entity describing or containing the result of the action; TRACE an entity containing the request message as received by the end server. |
| 201 | Created | A REST API responds with the 201 status code whenever a resource is created inside a collection. There may also be times when a new resource is created as a result of some controller action, in which case 201 would also be an appropriate response. The newly created resource can be referenced by the URI(s) returned in the entity of the response, with the most specific URI for the resource given by a Location header field. The origin server MUST create the resource before returning the 201 status code. If the action cannot be carried out immediately, the server SHOULD respond with a 202 (Accepted) response instead. |
| 202 | Accepted | A 202 response is typically used for actions that take a long while to process. It indicates that the request has been accepted for processing, but the processing has not been completed. The request might or might not be eventually acted upon, or even maybe disallowed when processing occurs. Its purpose is to allow a server to accept a request for some other process (perhaps a batch-oriented process that is only run once per day) without requiring that the user agent’s connection to the server persist until the process is completed. The entity returned with this response SHOULD include an indication of the request’s current status and either a pointer to a status monitor (job queue location) or some estimate of when the user can expect the request to be fulfilled. |
| 204 | No Content | The 204 status code is usually sent out in response to a PUT, POST, or DELETE request when the REST API declines to send back any status message or representation in the response message’s body. An API may also send 204 in conjunction with a GET request to indicate that the requested resource exists, but has no state representation to include in the body. If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent’s active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent’s active view. The 204 response MUST NOT include a message-body and thus is always terminated by the first empty line after the header fields |
| 205 | Reset Content | The server successfully processed the request, asks that the requester reset its document view, and is not returning any content. |
| 206 | Partial Content | The server is delivering only part of the resource (byte serving) due to a range header sent by the client. The range header is used by HTTP clients to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams. |
| 300 | Multiple Choices | Indicates multiple options for the resource from which the client may choose (via agent-driven content negotiation). For example, this code could be used to present multiple video format options, to list files with different filename extensions, or to suggest word-sense disambiguation. |
| 301 | Moved Permanently | The 301 status code indicates that the REST API’s resource model has been significantly redesigned, and a new permanent URI has been assigned to the client’s requested resource. The REST API should specify the new URI in the response’s Location header, and all future requests should be directed to the given URI. You will hardly use this response code in your API as you can always use the API versioning for new API while retaining the old one. |
| 302 | Found | The HTTP response status code 302 Found is a common way of performing URL redirection. An HTTP response with this status code will additionally provide a URL in the Location header field. The user agent (e.g., a web browser) is invited by a response with this code to make a second. Otherwise identical, request to the new URL specified in the location field. Many web browsers implemented this code in a manner that violated this standard, changing the request type of the new request to GET, regardless of the type employed in the original request (e.g., POST). RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client. |
| 303 | See Other | A 303 response indicates that a controller resource has finished its work, but instead of sending a potentially unwanted response body, it sends the client the URI of a response resource. The response can be the URI of the temporary status message, or the URI to some already existing, more permanent, resource. Generally speaking, the 303 status code allows a REST API to send a reference to a resource without forcing the client to download its state. Instead, the client may send a GET request to the value of the Location header. The 303 response MUST NOT be cached, but the response to the second (redirected) request might be cacheable. |
| 304 | Not Modified | This status code is similar to 204 (“No Content”) in that the response body must be empty. The critical distinction is that 204 is used when there is nothing to send in the body, whereas 304 is used when the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match. In such a case, there is no need to retransmit the resource since the client still has a previously-downloaded copy. Using this saves bandwidth and reprocessing on both the server and client, as only the header data must be sent and received in comparison to the entirety of the page being re-processed by the server, then sent again using more bandwidth of the server and client. |
| 307 | Temporary Redirect | A 307 response indicates that the REST API is not going to process the client’s request. Instead, the client should resubmit the request to the URI specified by the response message’s Location header. However, future requests should still use the original URI. A REST API can use this status code to assign a temporary URI to the client’s requested resource. For example, a 307 response can be used to shift a client request over to another host. The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s). If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. |
| 400 | Bad Request | 400 is the generic client-side error status, used when no other 4xx error code is appropriate. Errors can be like malformed request syntax, invalid request message parameters, or deceptive request routing etc. The client SHOULD NOT repeat the request without modifications. |
| 401 | Unauthorized | A 401 error response indicates that the client tried to operate on a protected resource without providing the proper authorization. It may have provided the wrong credentials or none at all. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. |
| 402 | Payment Required | Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, as proposed, and this code is not widely used. |
| 403 | Forbidden | A 403 error response indicates that the client’s request is formed correctly, but the REST API refuses to honor it, i.e. the user does not have the necessary permissions for the resource. A 403 response is not a case of insufficient client credentials; that would be 401 (“Unauthorized”). Authentication will not help, and the request SHOULD NOT be repeated. Unlike a 401 Unauthorized response, authenticating will make no difference. |
| 404 | Not Found | The 404 error status code indicates that the REST API can’t map the client’s URI to a resource but may be available in the future. Subsequent requests by the client are permissible. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable. |
| 405 | Method Not Allowed | The API responds with a 405 error to indicate that the client tried to use an HTTP method that the resource does not allow. For instance, a read-only resource could support only GET and HEAD, while a controller resource might allow GET and POST, but not PUT or DELETE. |
| 406 | Not Acceptable | The 406 error response indicates that the API is not able to generate any of the client’s preferred media types, as indicated by the Accept request header. For example, a client request for data formatted as application/xml will receive a 406 response if the API is only willing to format data as application/json. If the response could be unacceptable, a user agent SHOULD temporarily stop receipt of more data and query the user for a decision on further actions. |
| 407 | Proxy Authentication Required | The client must first authenticate itself with the proxy. |
| 408 | Request Timeout | The server timed out waiting for the request. According to HTTP specifications: “The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time. |
| 409 | Conflict | Indicates that the request could not be processed because of conflict in the current state of the resource, such as an edit conflict between multiple simultaneous updates. |
| 410 | Gone | Indicates that the resource requested is no longer available and will not be available again. This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a “404 Not Found” may be used instead. |
| 411 | Length Required | The request did not specify the length of its content, which is required by the requested resource |
| 412 | Precondition Failed | The 412 error response indicates that the client specified one or more preconditions in its request headers, effectively telling the REST API to carry out its request only if certain conditions were met. A 412 response indicates that those conditions were not met, so instead of carrying out the request, the API sends this status code. |
| 413 | Payload Too Large | The request is larger than the server is willing or able to process. Previously called “Request Entity Too Large” |
| 414 | URI Too Long | The URI provided was too long for the server to process. Often the result of too much data being encoded as a query-string of a GET request, in which case it should be converted to a POST request. Called “Request-URI Too Long” previously |
| 415 | Unsupported Media Type | The 415 error response indicates that the API is not able to process the client’s supplied media type, as indicated by the Content-Type request header. For example, a client request including data formatted as application/xml will receive a 415 response if the API is only willing to process data formatted as application/json. For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format. |
| 416 | Range Not Satisfiable | The client has asked for a portion of the file (byte serving), but the server cannot supply that portion. For example, if the client asked for a part of the file that lies beyond the end of the file. Called “Requested Range Not Satisfiable” previously. |
| 417 | Expectation Failed | The server cannot meet the requirements of the Expect request-header field. |
| 421 | Misdirected Request | The server cannot meet the requirements of the Expect request-header field. |
| 422 | Unprocessable Entity | The request was well-formed but was unable to be followed due to semantic errors. |
| 423 | Locked | The resource that is being accessed is locked. |
| 424 | Failed Dependency | The request failed because it depended on another request and that request failed (e.g., a PROPPATCH). |
| 425 | Too Early | Indicates that the server is unwilling to risk processing a request that might be replayed. |
| 426 | Upgrade Required | The client should switch to a different protocol such as TLS/1.0, given in the Upgrade header field. |
| 428 | Precondition Required | The origin server requires the request to be conditional. Intended to prevent the ‘lost update’ problem, where a client GETs a resource’s state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict. |
| 429 | Too Many Requests | The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes. |
| 431 | Request Header Fields Too Large | The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large. |
| 451 | Unavailable For Legal Reasons | A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource. |
| 500 | Internal Server Error | 500 is the generic REST API error response. Most web frameworks automatically respond with this response status code whenever they execute some request handler code that raises an exception. A 500 error is never the client’s fault, and therefore, it is reasonable for the client to retry the same request that triggered this response and hope to get a different response. API response is the generic error message, given when an unexpected condition was encountered and no more specific message is suitable. |
| 501 | Not Implemented | The server either does not recognize the request method, or it lacks the ability to fulfill the request. Usually, this implies future availability (e.g., a new feature of a web-service API). |
| 502 | Bad Gateway | The server was acting as a gateway or proxy and received an invalid response from the upstream server. |
| 503 | Service Unavailable | The server cannot handle the request (because it is overloaded or down for maintenance). Generally, this is a temporary state. |
| 504 | Gateway Timeout | The server was acting as a gateway or proxy and did not receive a timely response from the upstream server. |
| 505 | HTTP Version Not Supported | The server does not support the HTTP protocol version used in the request. |
| 506 | 506 Variant Also Negotiates | Transparent content negotiation for the request results in a circular reference. |
| 507 | Insufficient Storage | The server is unable to store the representation needed to complete the request. |
| 508 | Loop Detected | The server detected an infinite loop while processing the request (sent instead of 208 Already Reported). |
| 510 | Not Extended | Further extensions to the request are required for the server to fulfil it. |
| 511 | Network Authentication Required | The client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g., “captive portals” used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot). |
Decline Codes
An unsuccessful response comprises both different HTTP status (400,401. 403, 405, 429, 500 and 503) a returnStatus.statusCode other than “000” and a returnStatus.StatusDescription associated with different error descriptions.
SIBS Stargate APIs uses a predefined status codes which addresses the potential reasons why an unsuccessful response occurred. The table below presents the different decline codes (statusCode), a description (StatusDescription) and the potential decline reason.
The table below contains the different status codes, corresponding descriptions, and suggested actions to resolve the errors.
| statusCode | StatusDescription | Decline Reason | Suggested action |
|---|---|---|---|
| E0101 | Invalid request, data is missing or is invalid | The data inserted for the transaction is not correct so the transaction could not be initiated or successfully concluded | Check that the data entered for the transaction is valid and accurate. Ensure that details such as card information, customer information, and SEPA DD mandate data are correct. |
| E0102 | Invalid or missing data for the payment type | The payment type and data could not be validated | Check if payment data is correct (applicable for Blik and Cards). |
| E0103 | 3D Secure Authentication failed | 3DS authentication process was not successfully completed by the buyer | The terminal should have 3DS active and card used during the transaction should also support 3DS. |
| E0104 | Amount limit exceeded | The transaction amount (including SEPA DD mandate) does not meet the acceptance network limits | For SEPA DD: Verify the transaction limits imposed by the bank. Ensure that SEPA Direct Debit is correctly setup. For BLIK: Buyer’s to check BLIK account limits and balance. For Cards: Verify the transaction limits for the transaction. |
| E0105 | Authorized Payment – Invalid Payment method | The merchant either lacks the available payment method or has not configured it correctly to process transactions. | Verify through SIBS Backoffice that there is an available agreement for the selected payment method to ensure the transaction is successful. |
| E0106 | Invalid terminal | The requested transaction is not supported by the terminal | Review, via SIBS Backoffice, the settings of the terminal which was used to perform the transaction. |
| E0107 | Authorized Payment Unknown | The payment authorization was unsuccessful, or its status is undetermined | Refer to SIBS Backoffice to check the transaction status. |
| E0108 | Invalid webhook configuration | The webhook settings were configured incorrectly | Please check on SIBS Backoffice Webhook menu if the webhook settings are properly defined. |
| E0201 | Declined, recurring payment is deactivated | Recurring payment could be declined, deactivated, or not supported by the merchant | Please review the checkout details to verify the payment information. Ensure all necessary payment fields are accurately completed, including card number, expiration date, CVV, billing address, and any other required information. |
| E0202 | Declined operation | Payment is not accepted/declined, or fraud management system did not approve the transaction. | Please contact SIBS to understand why the transaction was declined by the fraud detection system (applicable for Cards and BLIK). |
| E0301 | Merchant credentials error | Fail getting the app credentials for the merchant | Ensure the supplied credentials for the API calls are valid and if the issue persists communicate to SIBS support. |
| E0302 | No agreement found | Invalid agreement for a particular financial product | Verify in the SIBS Backoffice menu that the financial agreements are correctly defined. |
| E0303 | Operation not supported | Failed to generate a transaction in a specific service (example: Link to Pay, Split Payout) | Provide Transaction ID to SIBS support team to understand why the transaction is failing. |
| E0304 | Transaction already finalized | The current transaction flow is already completed, a similar transaction could already be recently submitted | Confirm on SIBS Backoffice the status of the transaction with a given transaction ID. |
| E0305 | Transaction not found | Failing to get the transaction information, the transaction ID should be checked. | Confirm on SIBS Backoffice the status of the transaction. |
| E0306 | Wrong parameterization for the payment method | Wrong parameterization in payment method (amount, expiration date, token, merchant code or terminal code) | Check if there is any incorrect parameterization in the payment method, ensuring accuracy in fields such as amount, expiration date, token, merchant code, or terminal code. |
| E0307 | Wrong parameterization for the payment type | Wrong parameterization in payment type (valid for Authorization, Purchase, Capture or Refund). | Update the payment type parameterization to ensure it accurately corresponds to the intended function, whether it be Authorization, Purchase, Capture, or Refund. |
| E0900 | Invalid authentication or authorization Data | Token creation failed due to invalid data | Confirm Token information data. |
| E0901 | Invalid acceptor, creditor, account, or mandate details | SEPA DD Mandate was not properly configured | Confirm SEPA DD mandate settings. |
| E0902 | Invalid Amount | The payment amount is invalid, or exceeds the amount that’s allowed | Check SEPA DD token details. |
| E0903 | Invalid Currency | The terminal does not support or accepts the transaction currency | Check SEPA DD token details. |
| E0904 | Invalid link to pay | Incorrect settings on Link to Pay (expired, duplicated or not active) | Check on SIBS Backoffice, on Link to Pay menu, if the link settings are properly defined. |
| E0905 | Invalid Mandate date | The due date for the SEPA Direct Debit Mandate exceeds 15 days, surpassing the time limit. | Confirm SEPA DD mandate settings (date). |
| E0906 | Invalid merchant or terminal code | Data for the amount, expiration date, token, merchant code or terminal code are not properly defined | Check on SIBS Backoffice if the merchant, store and terminal data are properly defined. |
| E0908 | Invalid settlement points | Settlement points are either improperly defined or cannot be located | Check on both SIBS Backoffice and Checkout API if the settlement points setting are properly defined. |
| T999 | SIBS temporary error | An internal error has occurred with the SIBS Gateway. Please reach out to support for assistance. | Contact SIBS Support. |
| E999 | SIBS Internal Error | An internal error has occurred with the SIBS Gateway. Please reach out to support for assistance. | Contact SIBS Support. |
Code references
Codes serve as crucial identifiers in various domains, including the realm of payments.
Below you can find the ISO Codes used for:
Country
For the onboarding API you should use the ISO 3166 Numeric Code.