Overview

Creating a purchase allows your system to request a payment authorization through Bamboo’s API. The same endpoint supports multiple payment methods (from card transactions to cash and bank transfers) across all countries where Bamboo operates.

Depending on your PCI certification level, purchases can be created using:

CardData – for PCI-certified merchants who handle card details directly.
TrxToken – for merchants who use tokenized cards.
PaymentMethod – for alternative payments such as cash or bank transfers.

Each flow shares the same structure for amount, currency, customer, and country fields.

Choose your flow

Each merchant can create purchases differently depending on their PCI compliance level and the payment method selected. Use the option that matches your integration:

PCI-Certified Merchant

Use the CardData object to send full card details (PAN, CVV, Expiration).

Non-PCI Merchant

Use the TrxToken obtained during tokenization instead of sending card details.

Alternative Payment Methods

Use PaymentMethod to process payments via cash or bank transfer.

⚠️
Only one of these fields should be included in your request: CardData, TrxToken, or PaymentMethod.

Choose your environment

Bamboo provides two environments. Depending on how you handle card data, the endpoint you should use varies:

Staging for simulations and homologation (recommended first).
Production for live payments after certification.

PCI-Certified Merchants (raw card data)

Use these endpoints when sending card data directly (PAN, CVV, Expiration). Available only for merchants certified under PCI DSS.

Environment	Endpoint
Staging	`https://secure-api.stage.bamboopayment.com/v3/api/Purchase`
Production	`https://secure-api.bamboopayment.com/v3/api/Purchase`

⚠️
Only PCI-certified merchants can access the secure /secure-api/ endpoints.

Non-PCI Merchants

Use these endpoints when validating cards through Bamboo’s Tokenization Form, which handles card data securely and returns a token for later use.

Environment	Endpoint
Staging	`https://api.stage.bamboopayment.com/v3/api/Purchase`
Production	`https://api.bamboopayment.com/v3/api/Purchase`

💡
Non-PCI merchants must use these endpoints together with the Tokenization Form, which captures and encrypts card data outside the merchant’s environment.

Building the request

Some fields are mandatory in every purchase, no matter which flow you choose. Others are highly recommended or recommended for optimal fraud detection and risk evaluation.

Request parameters

Parameter	Type	Mandatory?	Description
`TrxToken`	`string`	No¹	Card token previously generated through the tokenization flow.
`NetworkToken`	`object`	No¹	Network token information used in the transaction.
`PaymentMethod`	`string`	No¹	Payment method identifier (alternative methods such as cash or bank transfer).
`UniqueID`	`string`	No	Unique identifier of the purchase to avoid duplicates.
`Capture`	`boolean`	No	`true` for one-step purchase; `false` to authorize and capture later.
`TargetCountryISO`	`string`	Yes	Country where the payment will be processed (ISO-3166-1).
`Currency`	`string`	Yes	ISO-4217 currency.
`Amount`	`integer (64bit)`	Yes	Amount with two decimals, no separators (`12.25` → `1225`).
`Tip`	`integer (64bit)`	No	Tip amount (two-decimal format).
`TaxableAmount`	`integer (64bit)`	No	Taxable amount (two-decimal format).
`Installments`	`integer`	No	Number of installments.
`Order`	`string`	Yes	Merchant order number.
`InvoiceNumber`	`string`	No	Invoice number.
`Description`	`string`	No⁴	Optional description (may be required by specific acquirers/countries).
`AdditionalData`	`string`	No	Free-form additional data.
`MetadataIn`	`object`	No	Arbitrary key–value metadata.
`Customer`	`object`	Yes³	Customer details.
`SoftDescriptor`	`string`	No	Text shown on cardholder’s statement (availability varies by country).
`ClientIp`	`string`	Highly Recommended	IP address of the payer’s device. Enables device and geolocation analysis for anti-fraud evaluation. Validated when present.

CardData object (PCI merchants only)

Parameter	Type	Mandatory?	Description
`CardHolderName`	`string`	Yes	Name as printed on the card.
`Pan`	`string`	Yes	Card number (PAN).
`CVV`	`string`	Yes	Card security code.
`Expiration`	`string`	Yes	`MM/YY`.
`Email`	`string`	Recommended	Cardholder email, used for identity correlation and antifraud scoring.
`Document`	`string`	Highly Recommended	Cardholder document number, used for identity verification.

💡
For non-PCI merchants, card payments must be processed using the tokenization form provided by Bamboo.

Customer object

Parameter	Type	Mandatory?	Description
`Customer` → `FirstName`	`string`	No	Customer first name.
`Customer` → `LastName`	`string`	No	Customer last name.
`Customer` → `ReferenceCode`	`string`	No	Merchant reference for the customer.
`Customer` → `PhoneNumber`	`string`	Highly Recommended	Payer’s phone number, used for behavioral and contact validation.
`Customer` → `DocumentNumber`	`string`	Highly Recommended	Document number used for identity verification. Validated when present.
`Customer` → `DocumentType`	`string`	Highly Recommended	Type of identification document used by the payer. Validated when present.
`Customer` → `Email`	`string`	Yes	Payer’s email address.
`Customer` → `Address`	`object`	Recommended	Billing or shipping address of the payer. Provides additional context for anti-fraud analysis.

Address object

Parameter	Type	Mandatory?	Description
`Address` → `Country`	`string`	Recommended	Country of residence or billing. Required if`Customer.Address` is included.
`Address` → `City`	`string`	Recommended	City of residence. Required if `Customer.Address` is included.
`Address` → `State`	`string`	Recommended	State or region. Required if `Customer.Address` is included.
`Address` → `PostalCode`	`string`	Recommended	Postal or ZIP code.
`Address` → `AddressDetail`	`string`	Recommended	Street, number, and unit or apartment. Required if `Customer.Address` is included.

AntifraudData object

Use the AntifraudData object to send additional information used by Bamboo’s antifraud engine. Although optional, including this object improves the accuracy of risk evaluation.

Property	Type	Description
`AntifraudData` → `AntifraudFingerprintId`	`string`	Session identifier generated by Bamboo’s JavaScript fingerprint library. Links the payer’s device and browser session to the transaction.
`AntifraudData` → `AntifraudMetadataIn`	`object`	Optional dictionary of custom key–value pairs that can include contextual variables (e.g., channel, device type, or customer segment).

ℹ️
For details about how these fields are validated and used in risk evaluation, refer to the Anti-fraud section.

¹ One of TrxToken, NetworkToken, or PaymentMethod is required depending on the selected flow.

³ Not required if you create the purchase using CommerceToken.

⁴ Some acquirers (e.g., Brazil card) may require a specific Description format.

💳
For detailed information about 3D Secure (3DS) and Network Token objects, see their dedicated sections. PaymentMethod is mandatory when sending a Network Token.

Example with Token

To test this endpoint, use the API Reference or the Postman Collection

{
    "TrxToken": "OT__6dHAgJo6qeg62qIroA7H7_f_NWZZ6IEx4jiYpVJ8SzQ_",
    "UniqueID": "paymentID3022",
    "Capture": true,
    "TargetCountryISO": "BR",
    "Currency": "BRL",
    "Amount": 25000,
    "Installments": 2,
    "Order": "CH2023-001",
    "Description": "Compra de teste",
    "Customer": {
        "FirstName": "João",
        "LastName": "Silva",
        "ReferenceCode": "JS-001",
        "PhoneNumber": "11987654321",
        "DocumentNumber": "12345678901",
        "DocumentType": "CPF.BR",
        "Email": "[email protected]",
        "Address": {
            "Country": "BR",
            "City": "São Paulo",
            "State": "SP",
            "PostalCode": "01310-200",
            "AddressDetail": "Avenida Paulista 1000"
        }
    },
  "CustomerIP": "190.10.224.231",
  "AntifraudData": {
    "AntifraudFingerprintId": "0046f17b-197a-4d63-8b6b-6082cdd557ff"
  }
}

Example with Card Data

To test this endpoint, use the API Reference or the Postman Collection

{
    "CardData": {
        "CardHolderName": "João Silva",
        "Pan": "4507990000004905",
        "CVV": "123",
        "Expiration": "08/30",
        "Email": "[email protected]",
        "Document": "12345678901"
    },
    "UniqueID": "paymentID3022",
    "Capture": true,
    "TargetCountryISO": "BR",
    "Currency": "BRL",
    "Amount": 25000,
    "Installments": 2,
    "Order": "CH2023-001",
    "Description": "Compra de teste",
    "Customer": {
        "FirstName": "João",
        "LastName": "Silva",
        "ReferenceCode": "JS-001",
        "PhoneNumber": "11987654321",
        "DocumentNumber": "12345678901",
        "DocumentType": "CPF.BR",
        "Email": "[email protected]",
        "Address": {
            "Country": "BR",
            "City": "São Paulo",
            "State": "SP",
            "PostalCode": "01310-200",
            "AddressDetail": "Avenida Paulista 1000"
        }
    },
  "CustomerIP": "190.10.224.231",
  "AntifraudData": {
    "AntifraudFingerprintId": "0046f17b-197a-4d63-8b6b-6082cdd557ff"
  }
}

Example for an Alternative Payment Method

To test this endpoint, use the API Reference or the Postman Collection

{
  "PaymentMethod": "PFC",
  "Order": "AR-2025-0001",
  "Amount": 100000,
  "Currency": "ARS",
  "Description": "Compra de prueba",
  "TargetCountryISO": "AR",
  "Customer": {
    "FirstName": "Juan",
    "LastName": "Pérez",
    "Email": "[email protected]",
    "DocumentType": "DNI.AR",
    "DocumentNumber": "12345678",
    "ReferenceCode": "CLI-45821"
  }
}

Response

The response structure for Direct Purchase (PCI merchants) is the same as the standard Purchase response.

Parameter	Type	Description
`TransactionId`	`string`	Unique transaction identifier (19-digit numeric as string).
`Result`	`string`	`COMPLETED` or `ACTION_REQUIRED`.
`Status`	`string`	Approved, Rejected, Pending, etc.
`ErrorCode`	`string`	Error code if rejected.
`ErrorDescription`	`string`	Error description if rejected.
`Created`	`string`	ISO 8601 timestamp when created.
`AuthorizationDate`	`string`	ISO 8601 timestamp when authorized.
`AuthorizationCode`	`string`	Issuer authorization code.
`Amount`	`integer`	Total amount.
`Currency`	`string`	Currency used.
`Installments`	`integer`	Number of installments.
`TaxableAmount`	`integer`	Taxable amount.
`Tip`	`integer`	Tip amount.
`Url`	`string`	URL with additional details.
`MetadataOut`	`object`	Metadata returned by Bamboo.
`Action`	`object`	Present when `Result = ACTION_REQUIRED`.
`PaymentMethod`	`object`	Method details used in the transaction.

Action object

Field	Type	Description
`SessionId`	`string`	Session identifier related to the action.
`Reason`	`string`	e.g., `VERIFICATION_CODE_NEEDED`, `REDIRECTION_NEEDED_EXTERNAL_SERVICE`.
`URL`	`string`	Redirection URL to complete the step (e.g., CVV capture page, 3DS challenge).

PaymentMethod object

Field	Type	Description
`Brand`	`string`	e.g., Visa, MasterCard.
`CardOwner`	`string`	Cardholder name.
`Bin`	`string`	First 6 digits of the PAN.
`IssuerBank`	`string`	Issuing bank.
`Type`	`string`	e.g., CreditCard, DebitCard.
`Expiration`	`string`	yyyymm.
`Last4`	`string`	Last 4 digits of the card.

Response Examples

Result : COMPLETED, Status:APPROVED

{
    "TransactionId": "79632697147789184",
    "Result": "COMPLETED",
    "Status": "APPROVED",
    "ErrorCode": null,
    "ErrorDescription": null,
    "Created": "2024-08-07T17:51:54.620",
    "AuthorizationDate": "2024-08-07T17:51:56.879",
    "AuthorizationCode": "839936",
    "Amount": 25000,
    "Currency": "BRL",
    "Installments": 1,
    "TaxableAmount": null,
    "Tip": null,
    "Url": "https://api.stage.bamboopayment.com/Purchase/79632697147789184",
    "MetadataOut": null,
    "Action": null,
    "PaymentMethod": {
        "Brand": "Visa",
        "CardOwner": "Joao Silva",
        "Bin": "450799",
        "IssuerBank": "Santander",
        "Type": "CreditCard",
        "Expiration": "203008",
        "Last4": "4905"
    }
}

{
   "ErrorCode": "PR001",
   "ErrorDescription": "The token sent is invalid, expired, or does not belong to the merchant."
}

Test the API

Once you’re familiar with how to create a purchase, test your integration in the API Reference:

Country Requirements

Check what each country requires (documents, bank formats, supported currencies).

API Reference

Explore full request and response examples: Create Purchase endpoint.

Error Codes

Understand possible error responses and how to resolve them.