
Unzer

Security

Learn how to keep your payments secure.

Notifications

To make sure nobody can interfere with your payments (or learn your private API key), always stick to the following rules.

Event name

Don’t use the event name as an indicator of the state of a resource.

There is no guarantee that an event was actually sent by the Unzer API, so always fetch the resource itself using the API before acting on the event. This way an attacker cannot inject a false payment state into your shop simply by posting a notification with a convincing event name.

In addition, there is no guarantee that events arrive in the same order they were sent in. Fetching the resource referenced by an event always gives you its latest state, regardless of delivery order.

Event’s retrieveUrl

Don’t use the event’s retrieveUrl to fetch the event’s resource without making sure the domain is legitimate.

An attacker could send an event whose retrieveUrl points at a domain they control, either to capture your private key from the Authorization header of your request or to return fake data that makes you believe a payment is completed when it actually is not.

Always fetch the resource by building the API request for the affected resource yourself against the correct Unzer API domain, rather than requesting whatever URL the event contains.
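The following webhook handler puts both rules above into code. It is an added example, not code from the Unzer documentation or SDKs: it never derives a payment state from the event name, and it only uses the path of the event’s retrieveUrl after checking that the URL’s origin is exactly the trusted API host, then rebuilds the request from a hard-coded base URL. The host `api.unzer.com`, the `/v1/` path prefix, the HTTP Basic authentication with the private key as user name, and the `state` field of the fetched resource are assumptions for this example; check them against the current API reference. The sample events and the fake fetcher are constructed for offline use.

```python
import base64
import json
from typing import Callable
from urllib.parse import urlsplit

# Assumption: the trusted Unzer API origin. Everything the shop requests is
# built on top of this; the event is never allowed to choose the host.
TRUSTED_API_SCHEME = "https"
TRUSTED_API_HOST = "api.unzer.com"
TRUSTED_API_BASE = f"{TRUSTED_API_SCHEME}://{TRUSTED_API_HOST}"
TRUSTED_PATH_PREFIX = "/v1/"  # assumption: resource paths live under /v1/


class RejectedEvent(Exception):
    """Raised when an incoming notification must not be acted on."""


def resource_path_from_retrieve_url(retrieve_url: str) -> str:
    """Return the path of retrieveUrl only if its origin is exactly the trusted API.

    The hostname is compared as a whole, so 'api.unzer.com.evil.example',
    'evil.example/?host=api.unzer.com' and 'api.unzer.com@evil.example'
    are all rejected, as are non-https schemes and non-standard ports.
    """
    parts = urlsplit(retrieve_url)
    if parts.scheme != TRUSTED_API_SCHEME:
        raise RejectedEvent(f"retrieveUrl scheme is not {TRUSTED_API_SCHEME}")
    if parts.username is not None or parts.password is not None:
        raise RejectedEvent("retrieveUrl carries userinfo")
    if (parts.hostname or "") != TRUSTED_API_HOST:  # urlsplit lower-cases hostname
        raise RejectedEvent(f"retrieveUrl host {parts.hostname!r} is not the Unzer API")
    if parts.port not in (None, 443):
        raise RejectedEvent("retrieveUrl uses a non-standard port")
    if not parts.path.startswith(TRUSTED_PATH_PREFIX):
        raise RejectedEvent("retrieveUrl path is not an API resource path")
    return parts.path


def trusted_resource_url(event: dict) -> str:
    """Rebuild the resource URL from the trusted base, never from the event as sent."""
    retrieve_url = event.get("retrieveUrl")
    if not isinstance(retrieve_url, str):
        raise RejectedEvent("event has no retrieveUrl")
    return TRUSTED_API_BASE + resource_path_from_retrieve_url(retrieve_url)


def basic_auth_header(private_key: str) -> str:
    # Assumption: HTTP Basic auth, private key as user name, empty password.
    # This header is the secret an attacker-controlled retrieveUrl would capture,
    # which is why it is only ever sent to TRUSTED_API_BASE.
    token = base64.b64encode(f"{private_key}:".encode()).decode()
    return f"Basic {token}"


Fetcher = Callable[[str, dict], dict]


def http_fetch(url: str, headers: dict) -> dict:
    """Default fetcher: a real GET against the already validated URL."""
    import urllib.request
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def handle_event(raw_body: bytes, private_key: str, fetch: Fetcher = http_fetch) -> dict:
    """Process one webhook delivery.

    The event name is recorded for logging only; the payment state comes from
    the resource fetched from the trusted API, so a forged or out-of-order
    notification cannot set the state in the shop.
    """
    try:
        event = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RejectedEvent("body is not JSON") from exc
    if not isinstance(event, dict):
        raise RejectedEvent("body is not a JSON object")
    url = trusted_resource_url(event)
    headers = {"Authorization": basic_auth_header(private_key),
               "Accept": "application/json"}
    resource = fetch(url, headers)
    return {
        "event": event.get("event"),      # informational only, never trusted
        "resource_url": url,
        "state": resource.get("state"),   # assumption: resource carries a state
        "resource": resource,
    }


# Constructed sample deliveries (not real Unzer payloads). Both claim completion;
# only the first may be followed up, and even then the state comes from the API.
LEGIT_EVENT = json.dumps({
    "event": "payment.completed",
    "retrieveUrl": "https://api.unzer.com/v1/payments/s-pay-1",
}).encode()

FORGED_EVENT = json.dumps({
    "event": "payment.completed",
    "retrieveUrl": "https://api.unzer.com.evil.example/v1/payments/s-pay-1",
}).encode()


def fake_fetch(url: str, headers: dict) -> dict:
    """Constructed stand-in for the API so the example runs offline."""
    return {"id": url.rsplit("/", 1)[-1], "state": {"id": 0, "name": "pending"}}


if __name__ == "__main__":
    result = handle_event(LEGIT_EVENT, "s-priv-example", fake_fetch)
    print("event said", result["event"], "but the API says", result["state"]["name"])
    try:
        handle_event(FORGED_EVENT, "s-priv-example", fake_fetch)
    except RejectedEvent as exc:
        print("forged event rejected:", exc)
```

Note that the legitimate-looking event name `payment.completed` never reaches the order logic: the returned `state` is whatever the fetched resource reports (`pending` in the offline demo), which is also what protects you against notifications arriving out of order.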

Content Security Policy

Content security policy
To learn which URLs must be added to the allowlist for Unzer UI components in your content security policy, refer to the Content security policy section of the UI components page.