WizzGift API

B2B Documentation

WizzGift B2B API Documentation

Complete guide to integrating with the WizzGift Business API for gift card management

Base URL: https://api.wizzgift.com/api/b2b

Introduction

Welcome to the WizzGift Business API documentation. This guide will help you integrate your applications with the WizzGift platform to programmatically create gift card orders and access other business features.

Authentication

WizzGift uses the OAuth 2.0 protocol for API authentication. This implementation is designed for secure server-to-server integrations. Before making API requests, you need to register a client application and implement the OAuth flow to obtain an access token.

Important: Our OAuth implementation is specifically designed for server-to-server communication. Your authentication credentials should never be exposed in client-side code or browser environments. All OAuth requests should be made from your secure backend servers.

Creating a Client

To create a new OAuth client, follow these steps in the WizzGift dashboard:

Log in to your WizzGift business account
Navigate to Developer Settings in your dashboard
Click Create New App
Fill in the required details:
- App Name: A name for your integration
- Redirect URI: Your server endpoint that will receive the authorization code
- Required Scopes: Select the permissions your app needs
Click Register Application
You'll be provided with a client_id and client_secret - store these securely on your server

Important: Your client secret will be shown only once after registration. Make sure to save it securely on your server as it won't be displayed again. Never include your client secret in client-side code.

Available Scopes

When creating your client, you'll need to select the scopes (permissions) your application requires. Available scopes:

Scope	Description
createOrder	Create and manage gift card orders
viewOrder	View your existing orders
viewProducts	Access product information
account	Access account-related information

Authorization Flow

WizzGift implements a server-to-server OAuth 2.0 flow optimized for secure backend integrations:

OAuth Flow - Simple Step-by-Step

Your application redirects user to WizzGift authorization URL

This starts the login and permission process

GET/oauth/authorize

User logs in to WizzGift B2B dashboard

B2B client authenticates with their WizzGift credentials

User approves the permission request

Grants your application access to their WizzGift account

WizzGift redirects user back to your application

With an authorization code in the URL if successful, or error parameters if there was a problem

Success example:

https://your-app.com/callback?code=AUTH_CODE_123456789abcdef&state=RANDOM_STATE

Error example:

https://your-app.com/callback?error=invalid_scope&error_description=Atleast%20one%20scope%20is%20required&state=RANDOM_STATE

Your server exchanges auth code for an access token

Server-to-server request with client credentials and the authorization code

POST/oauth/token

Your server uses access token for API calls

Now you can create orders and access other WizzGift APIs

GET/products

POST/order

GET/order

Authorization Endpoint

The authorization endpoint is the starting point of the OAuth 2.0 flow. Direct users to this URL to begin the authorization process.

GET/oauth/authorize

Authorization Request

Redirect users to this endpoint to begin the OAuth flow. The user will authenticate and approve the requested permissions.

Query Parameters

Parameter	Description	Required
client_id	Your client ID	Yes
redirect_uri	URL to redirect after authorization (must match one registered with your client)	Yes
response_type	Must be "code"	Yes
scope	Space-separated list of requested scopes	Yes
state	Random string to prevent CSRF attacks	Recommended

Successful Response

Upon successful authorization, the user will be redirected to your redirect_uri with:

text

https://myapp.example.com/callback?code=auth_code_123456789abcdef&state=random_state_1234

The authorization code is valid for 10 minutes and can only be used once.

Request

text

/oauth/authorize?client_id=client_123456789abcdef&redirect_uri=https://myapp.example.com/callback&response_type=code&scope=account%20createOrder&state=random_state_1234

Token Endpoints

Obtaining Access Tokens

After receiving an authorization code, exchange it for access and refresh tokens using the token endpoint.

POST/oauth/token

Token Exchange

Exchange an authorization code for access and refresh tokens. This request must be made from your server.

Request Parameters

Parameter	Description	Required
grant_type	Must be "authorization_code"	Yes
code	The authorization code received from the authorize endpoint	Yes
client_id	Your client ID	Yes
client_secret	Your client secret	Yes
redirect_uri	Must match the redirect URI used in the authorization request. This should be an endpoint on your server.	Yes

Security Note: This request contains your client secret and should ONLY be made from your backend server, never from a client-side application.

Request

json

{
  "grant_type": "authorization_code",
  "code": "auth_code_123456789abcdef",
  "client_id": "client_123456789abcdef",
  "client_secret": "cs_123456789abcdef123456789abcdef",
  "redirect_uri": "https://your-server.example.com/callback"
}

Response

json

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "account createOrder"
}

Refresh Token

Use a refresh token to obtain a new access token when the current one expires. WizzGift implements refresh token rotation, so a new refresh token is issued with each refresh operation.

Important: WizzGift uses refresh token rotation for security. Each time you refresh your access token, a new refresh token is generated and returned. The previous refresh token is invalidated immediately. Always store and use the most recently issued refresh token.

Request

json

{
  "grant_type": "refresh_token",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "client_id": "client_123456789abcdef",
  "client_secret": "cs_123456789abcdef123456789abcdef"
}

Response

json

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "NEW_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token_expires_in": 2592000,
  "scope": "account createOrder"
}

Creating Orders

Create new gift card orders through the order endpoint.

POST/order

Create Gift Card Order

Create a new gift card order for the authenticated business user.

Authentication

This endpoint requires authentication with a valid access token. Include the token in the Authorization header:

text

Authorization: Bearer YOUR_ACCESS_TOKEN

The access token must have the createOrder scope.

Request Parameters

Parameter	Type	Description	Required
amount	Number	The amount for the gift card (must be within the allowed range for the product)	Yes
referenceId	String	Your unique reference ID for this order	Yes
quantity	Number	Number of gift cards to purchase	Yes
productId	String	ID of the gift card product to purchase	Yes
requiredInfoFromUser	Array	Information required for the gift card. Each item has an 'id' field (which is a nanoid generated by the system) and a 'value' field provided by you. The 'id' values come from the product's requiredInfoFromUser array.	Yes
isTest	Boolean	Whether this is a test order (no actual charge)	No

Request

json

{
  "amount": 50,
  "referenceId": "order_12345",
  "quantity": 1,
  "productId": "product_123456",
  "requiredInfoFromUser": [
    { "id": "7FeXMgqYEgndkQVuG8n1", "value": "recipient@example.com" },
    { "id": "dN5TxW7Qez0IBkCc9Jnp", "value": "John Doe" },
    { "id": "kR9sP2mLxTyZaQvB5Wn3", "value": "Birthday" }
  ],
  "isTest": false
}

Response

json

{
  "success": true,
  "message": "Order created successfully",
  "data": {
    "id": "order_987654321",
    "referenceId": "order_12345"
  }
}

Get Order

Retrieve details of an existing order by either orderId or referenceId.

GET/order

Get Order Details

Retrieve details of an existing order by either our orderId or your referenceId.

Authentication

This endpoint requires authentication with a valid access token. Include the token in the Authorization header:

text

Authorization: Bearer YOUR_ACCESS_TOKEN

The access token must have the viewOrder scope.

Request Parameters

Parameter	Type	Description	Required
id	String	WizzGift's unique order ID	One of id or referenceId is required
referenceId	String	Your unique reference ID for the order	One of id or referenceId is required

Response Format

You'll get the following fields in the data object of response:

Field	Type	Description
id	String	WizzGift's unique identifier for this order
referenceId	String	Your reference ID that was provided when creating the order
status	String	The overall status of the order (completed, failed, or partial)
orderedQuantity	Number	The number of gift cards that were ordered
redeemInfos	Array	Array of objects containing information about each gift card in the order. Each object contains the following fields: link, rewardId, instruction, pin, code, serial, transactionId, expiryDate, status (can be "completed " or "failed ")

Order Status Information

Status	Description
completed	The order was successfully processed and completed
failed	The order failed to process
partial	Some items in the order were successfully processed while others failed

RedeemInfo Fields

The redeemInfos array contains objects with information about each gift card. Depending on the gift card provider, some fields may be present while others might be absent. Below are all possible fields that might be included:

Field	Description	Always Present
link	URL where the gift card can be redeemed	No
rewardId	Identifier for the specific reward	No
instruction	Instructions for redeeming the gift card	No
pin	PIN number for the gift card if applicable	No
code	Redemption code for the gift card	No
serial	Serial number of the gift card	No
transactionId	Reference transaction ID for the gift card	No
expiryDate	The date when the gift card expires (YYYY-MM-DD)	No
status	Status of this specific gift card (completed or failed)	Yes

Note: For security reasons, you should store all redemption data securely. Each gift card provider may include different fields in the redeemInfo object depending on their requirements. Always check all fields to properly handle the gift card data.

Request

text

/order?id=order_987654321
OR
/order?referenceId=order_12345

Response

json

{
  "success": true,
  "data": {
    "id": "order_987654321",
    "referenceId": "order_12345",
    "amount": 50,
    "quantity": 1,
    "productId": "product_123456",
    "status": "completed",
    "orderedQuantity": 1,
    "redeemInfos": [
      {
        "link": "https://redeem.example.com/giftcard123",
        "rewardId": "reward_789",
        "instruction": "Follow the link and enter the code to redeem your gift card",
        "pin": "1234",
        "code": "ABCD-EFGH-IJKL-MNOP",
        "serial": "GC123456789",
        "transactionId": "tx_987654321",
        "expiryDate": "2025-12-31",
        "status": "completed"
      }
    ]
  }
}

Products API

Get a list of all available gift card products that your business can purchase.

GET/products

List Available Products

Get a list of all available gift card products that your business can purchase.

Authentication

This endpoint requires authentication with a valid access token. Include the token in the Authorization header:

text

Authorization: Bearer YOUR_ACCESS_TOKEN

The access token must have the viewProducts scope.

Response

json

{
  "success": true,
  "data": [
    {
      "id": "paypal-usa",
      "description": "",
      "disclosure": "",
      "name": "PayPal USA Gift Card",
      "image": "https://wizzgiftt.s3.ap-south-1.amazonaws.com/dkb6VzOEVsMUdrR5pDH4r/normal.png",
      "skus": [
        {
          "min": 0.01,
          "max": 2000,
          "minCost": 0.0105,
          "changeStep": 0.1
        }
      ],
      "currencyCode": "USD",
      "costCurrency": "USD",
      "countries": ["US"],
      "category": ["payments"],
      "requiredInfoFromUser": []
    },
    {
      "id": "ntc-nepal",
      "name": "Nepal Telecom Refill",
      "description": " ",
      "image": "https://wizzgiftt.s3.ap-south-1.amazonaws.com/ntc-nepal/normal.png",
      "currencyCode": "NPR",
      "costCurrency": "NPR",
      "requiredInfoFromUser": [
        {
          "id": "7FeXMgqYEgndkQVuG8n1",
          "name": "mobile",
          "type": "input",
          "description": "phone",
          "required": true,
          "selectValues": []
        }
      ],
      "skus": [
        {
          "min": 10,
          "max": 3000,
          "minCost": 10.5,
          "description": "NTC Topup"
        }
      ],
      "category": ["topup"],
      "countries": ["NP"],
      "fee": 1
    }
  ]
}

Webhooks

WizzGift can send webhook notifications to your application when certain events occur, such as when an order is completed or fails.

Setting Up Webhooks

To configure webhooks for your application:

Log in to your WizzGift business account
Navigate to Developer Settings in your dashboard
Select the Webhooks tab
Click Add Webhook Endpoint
Enter your endpoint URL that will receive the webhook notifications
WizzGift will generate a webhook signing secret that you should store securely

Webhook Payload Structure

When an order is processed, WizzGift will send a webhook with the following fields:

Field	Type	Description
id	String	WizzGift's unique identifier for this order
referenceId	String	Your reference ID that was provided when creating the order
status	String	The overall status of the order (completed, failed, or partial)
orderedQuantity	Number	The number of gift cards that were ordered
redeemInfos	Array	Array of objects containing information about each gift card in the order. Each object contains the following fields: link, rewardId, instruction, pin, code, serial, transactionId, expiryDate, status (can be "completed" or "failed")

Order Status Information

Status	Description
completed	The order was successfully processed and completed
failed	The order failed to process
partial	Some items in the order were successfully processed while others failed

RedeemInfo Fields

Field	Description	Always Present
link	URL where the gift card can be redeemed	No
rewardId	Identifier for the specific reward	No
instruction	Instructions for redeeming the gift card	No
pin	PIN number for the gift card if applicable	No
code	Redemption code for the gift card	No
serial	Serial number of the gift card	No
transactionId	Reference transaction ID for the gift card	No
expiryDate	The date when the gift card expires (YYYY-MM-DD)	No
status	Status of this specific gift card (completed or failed)	Yes

Example Webhook Payload

json

{
  "id": "order_987654321",
  "referenceId": "order_12345",
  "status": "completed",
  "orderedQuantity": 2,
  "redeemInfos": [
    {
      "link": "https://example.com/redeem/123",
      "rewardId": "reward-12345",
      "instruction": "This is instruction",
      "pin": "12345",
      "code": "1234556",
      "serial": "123serial",
      "transactionId": "Ref123transaction",
      "expiryDate": "2025-02-06",
      "status": "completed"
    },
    {
      "link": "https://example.com/redeem/456",
      "rewardId": "reward-67890",
      "instruction": "This is another instruction",
      "pin": "67890",
      "code": "6789010",
      "serial": "456serial",
      "transactionId": "Ref456transaction",
      "expiryDate": "2025-03-10",
      "status": "completed"
    }
  ]
}

Verifying Webhook Signatures

To ensure the webhook request originated from WizzGift, you should verify the signature in the X-Signature header.

Here's how the signature verification process works:

Extract the X-Signature header from the incoming request
Take the JSON object from the request body and stringify it exactly (JSON.stringify(req.body))
Create an HMAC-SHA256 hash using your webhook secret key and the stringified JSON as input
Compare the calculated hash with the signature from the header
Only process the webhook if the signatures match

Note: Most web frameworks will automatically parse the JSON body, but for signature verification, you need to take that parsed object and stringify it again using JSON.stringify. The exact string representation is critical for correct signature verification.

Signature Verification Example (Node.js)

javascript

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const expectedSignature = hmac.update(payload).digest('hex');
  return expectedSignature === signature;
}

// In your webhook handler:
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-signature'];
  const payload = JSON.stringify(req.body);
  const isValid = verifyWebhookSignature(
    payload,
    signature,
    'YOUR_WEBHOOK_SECRET'
  );
  
  if (!isValid) {
    return res.status(400).send('Invalid signature');
  }
  
  // Process the webhook
  const webhookData = req.body;
  
  // Check the order status
  if (webhookData.status === 'completed') {
    // Handle completed order
    // Access gift card info from webhookData.redeemInfos
  } else if (webhookData.status === 'failed') {
    // Handle failed order
  } else if (webhookData.status === 'partial') {
    // Handle partial order (some completed, some failed)
    // Check webhookData.redeemInfos for successful redemptions
  }
  
  res.status(200).send('Webhook received');
});

Error Handling

The WizzGift API uses conventional HTTP response codes to indicate the success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error due to the information provided, and codes in the 5xx range indicate an error with WizzGift's servers.

Error Response Format

When an error occurs, the API will return a JSON response with an error object containing details about what went wrong.

Example Error Response

json

{
  "success": false,
  "message": "Message About the Error"
}

Common Error Codes

HTTP Status	Error Code	Description
400	invalid_request	The request was malformed or missing required parameters
401	unauthorized	Invalid or missing authentication credentials
403	forbidden	The authenticated user doesn't have permission to perform the requested operation
404	not_found	The requested resource doesn't exist
422	validation_error	The request data failed validation checks
429	rate_limited	Too many requests in a given amount of time
500	server_error	An unexpected error occurred on WizzGift's servers

Important: When encountering a server error (5xx), it's best to retry the request with exponential backoff. Please contact WizzGift support at support@wizzgift.com to help troubleshoot issues.