Transaction certificates

A transaction certificate is a formal PDF document Scan to Pay generates for a transaction — typically used as evidence in chargeback responses, regulatory audits, or merchant-to-customer dispute resolution. The certificate is signed by the platform and includes the transaction details, authentication evidence, and acquirer routing identifiers.

Two variants are available: minimal (the essentials) and complete (everything we know).

For broader dispute context, see Customer disputes.

Endpoints

Method	Path	Purpose	Allowed callers
POST	`/restful/minCertificate/{ref}`	Export the minimal certificate as base64 PDF	Any `ROLE_REMOTE` caller
POST	`/restful/completeCertificate/{ref}`	Export the complete certificate as base64 PDF	Any `ROLE_REMOTE` caller

The {ref} path variable is the transaction ID (a long). Ownership rules apply — you can only export certificates for transactions you have visibility into (your merchants, or your own merchant ID).

Minimal vs complete — what's the difference

	Minimal	Complete
Transaction ID, date, amount	✓	✓
Merchant name	✓	✓
Cardholder MSISDN	✓	✓
`authCode`, `retrievalReferenceNumber`	✓	✓
Authentication method (AMT / 3DS)	✓	✓
Acquirer details	—	✓
Bank response code with description	—	✓
Device data (where captured)	—	✓
3DS-specific evidence fields (CAVV, XID, ECI)	—	✓
Audit timestamps	—	✓

Use minimal when you're sharing the certificate with someone who shouldn't see acquirer-specific routing detail (e.g. the cardholder, in a customer-facing dispute response). Use complete for internal records, scheme-driven chargeback evidence, and regulator audits.

Minimal certificate

Request:

curl -X POST https://qa.scantopay.io/portal/restful/minCertificate/81234 \
  -u 'MERCHANT_25:yourMerchantApiPassword'

Response: a base64-encoded PDF, returned as a plain String body:

JVBERi0xLjcKCjEgMCBvYmoKPDwKL0NyZWF0b3IgKERvY3VtZW50KQovUHJvZHVjZXIgKE...

To save it as a file:

curl -X POST https://qa.scantopay.io/portal/restful/minCertificate/81234 \
  -u 'MERCHANT_25:yourMerchantApiPassword' \
  --output min-cert-81234.b64

# Decode to PDF
base64 -d min-cert-81234.b64 > min-cert-81234.pdf

The PDF is a few KB — significantly smaller than the complete certificate.

Complete certificate

Request:

curl -X POST https://qa.scantopay.io/portal/restful/completeCertificate/81234 \
  -u 'MERCHANT_25:yourMerchantApiPassword'

Response: same shape — base64-encoded PDF as a plain String body. Larger payload, more fields populated in the rendered document.

When to issue a certificate

Scenario	Variant
Cardholder asks for proof of payment	Minimal
Acquirer requests evidence for a chargeback	Complete
Regulatory audit / data subject access request	Complete
Internal reconciliation discrepancy	Complete
Sharing with a third party for support troubleshooting	Minimal

Common errors

HTTP	Body	Cause
`401`	(empty)	`ROLE_REMOTE` not granted, or caller doesn't have visibility into this transaction
`400` / `500`	(varies)	Transaction ID doesn't exist, or PDF generation failed (rare — usually a template / data issue, raise a support ticket)

The endpoints don't currently validate the merchant's state — you can pull certificates for transactions on suspended merchants. This is intentional, since certificate access for completed transactions should survive merchant lifecycle changes.

Handling the base64 PDF

Most languages can decode and write the PDF in a few lines:

Node.js:

const fs = require('fs');
const base64Pdf = await fetchCertificate(81234);
fs.writeFileSync('certificate.pdf', Buffer.from(base64Pdf, 'base64'));

Python:

import base64
with open('certificate.pdf', 'wb') as f:
    f.write(base64.b64decode(base64_pdf))

Java:

byte[] pdfBytes = Base64.getDecoder().decode(base64Pdf);
Files.write(Paths.get("certificate.pdf"), pdfBytes);

The decoded bytes are a complete, signed PDF — open it in any viewer.

What's next

Look up the transaction details → Transaction lookup
Cardholder disputes process → Customer disputes
Decode bank decline codes → ISO response codes
Cross-cutting rules → Business rules