Interaction format

Forming a request

To activate the Yandex.Money service and send requests, you need a special certificate (for more information, see the certificate exchange procedure).

The Counterparty's system and the Yandex.Money server interact over the HTTPS protocol. For each operation, the Counterparty sends a separate HTTP request containing a PKCS#7 cryptographic message. Yandex.Money responds to each deposit request with a message about the result of the operation, enclosed in a PKCS#7 cryptographic message.

The communication channel is also cryptographically secured using the SSL (HTTPS) protocol with client certificate authentication. In addition, there is a restricted list of IP addresses that can send requests to the Yandex.Money server.

Forming a request to the server includes several steps.

Step 1. Request to execute an operation

The request is formed as an XML 1.0 (Fifth Edition) document in UTF-8 encoding in conformance with the standard.

Server address for calling operations

Test server: https://bo-demo02.yamoney.ru:9094/

Real server: https://calypso.yamoney.ru:9094/

Step 2. Making the cryptographic message

The prepared document is placed in a PKCS#7 cryptographic message container according to the CMS standard. The cryptographic message container must contain a digital signature (equivalent to a handwritten signature). The cryptographic message container must not contain certificate authority chains. Data compression is not used. Encryption is not used. The cryptographic message must be encoded in PEM format (OpenSSL). The certificate of the Counterparty that is used for preparing the cryptographic message must conform to the X.509 Version 3 standard.

Step 3. Sending the request to the Yandex.Money server

The Counterparty's system makes a POST request over the HTTP/1.1 protocol (see HTTP/1.1, HTTP Over TLS, TLS). The cryptographic message can be passed in one of two ways:

  • The cryptographic message is placed in the body of a POST request with the MIME type application/pkcs7-mime.
  • The cryptographic message is passed as a multipart/form-data attachment. MIME type: application/pkcs7-mime. The POST request must have just one "part" and the cryptographic message must be attached as a file. Such a request can be sent from a standard HTML form for sending a file to the server (file upload, see multipart/form-data).

To authorize requests to the server, Yandex.Money verifies the digital signature on the cryptographic message.

Note. To avoid repeating deposits accidentally, each operation is assigned a unique number (clientOrderId).

Example of a formed request
POST /webservice/deposition/api/makeDeposition HTTP/1.1
Content-Type: application/pkcs7-mime
Content-Length: 572
 
-----BEGIN PKCS7-----
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCA
JIAEDEhlbGxvIFdvcmxkIQAAAAAAADGCAS8wggErAgEBMCowJTEWMBQGA1UECgwN
Qm91bmN5IENhc3RsZTELMAkGA1UEBhMCQVUCAQIwCQYFKw4DAhoFAKBdMBgGCSqG
SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEwMDgwNjE1MzE0
M1owIwYJKoZIhvcNAQkEMRYEFC73veYIzlQE6X1fBC+V+J8cIyhxMA0GCSqGSIb3
DQEBAQUABIGAEgIfi0XDEZwbdC8i0I5EPUnFe1PUnBMiRs3heYxdK+oXaG6v3axO
Zr+VNG3tnW1W8M2xWtOcM4PdSTwx98WR1mWN8XDb2Wl9HiG6CGbmE7k4TgcDKhcg
iZmLV+7anBv302qTprTbKY9vChaaVwclSdQBkjPvxhlPnpBM0C9YdYQAAAAAAAA=
-----END PKCS7-----

Receiving the response

The result of request execution is returned by Yandex.Money in the response to the HTTP request. MIME type: application/pkcs7-mime. Data is placed in a PKCS#7 cryptographic message container. The cryptographic message container contains a digital signature (equivalent to a handwritten signature). The cryptographic message container does not contain certificate authority chains. Data compression is not used. Encryption is not used. The cryptographic message is encoded in PEM format (OpenSSL). The cryptographic message container contains an XML document with the result of request processing.

When receiving the server response, the Counterparty's system checks the signature on the response to verify that the response was sent by the Yandex.Money server and its content was not altered by a third party. Note that the response may include additional fields not described in this protocol that do not interfere with compatibility.
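The container requirements of Step 2 and the response signature check above can be reproduced with the OpenSSL command line. The following is an added example, not Yandex.Money's own code: it builds a PEM PKCS#7 container with embedded content and no certificates, then verifies a message against one pinned signer certificate. The function names, the self-signed test identity and the placeholder XML are constructed for illustration, and it assumes the peer's certificate is held locally after the certificate exchange procedure.

```shell
#!/bin/sh
# Added example: PKCS#7 signing and verification with the OpenSSL CLI.

# Sign $1 (XML) with certificate $2 and key $3; write a PEM container to $4.
#   -nodetach  embed the document in the container (opaque signing)
#   -nocerts   leave the signer certificate and any chain out
#   -binary    keep the document's bytes as they are (no CRLF rewriting)
sign_request() {
    openssl smime -sign -binary -nodetach -nocerts \
        -in "$1" -signer "$2" -inkey "$3" -outform PEM -out "$4"
}

# Print how many certificates the PEM container $1 carries (expected: 0).
embedded_cert_count() {
    openssl pkcs7 -inform PEM -in "$1" -print_certs -noout |
        grep -c '^subject' || true
}

# Verify container $1 against the pinned signer certificate $2 and write the
# embedded document to $3. -nointern ignores certificates inside the message;
# -noverify skips chain building because trust comes from the pinned file.
# Use $3 only when the exit status is 0.
verify_message() {
    openssl smime -verify -inform PEM -in "$1" -nointern \
        -certfile "$2" -noverify -out "$3" 2>/dev/null
}

# Throwaway self-signed identity in directory $1 (constructed for the demo).
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Sign a constructed placeholder document and check the round trip.
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    make_test_identity "$d" || { rm -rf "$d"; return 1; }
    # Placeholder XML only; the real request schema is not reproduced here.
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<placeholderRequest clientOrderId="1"/>' > "$d/req.xml"
    sign_request "$d/req.xml" "$d/cert.pem" "$d/key.pem" "$d/req.p7" &&
        [ "$(embedded_cert_count "$d/req.p7")" = 0 ] &&
        verify_message "$d/req.p7" "$d/cert.pem" "$d/out.xml" &&
        cmp -s "$d/req.xml" "$d/out.xml"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

roundtrip_demo && echo "round trip OK"
```

Because the containers carry no certificates, verification only succeeds when the correct peer certificate is supplied from local storage; a message checked against any other certificate is rejected.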

See also

HTTP response codes