Authorize and capture with Trustly Pay
Trustly Pay is a deferred payment workflow designed for high-frequency merchants, such as iGaming operators, digital wallets, and trading platforms.
Unlike standard one-time payments, Trustly Pay establishes a long-running bank authorization. This allows you to generate a secure token once and use it for multiple future transactions. For example, pulling funds or pushing winnings without requiring the user to log in again.
Compare Trustly Pay and Instant Payments
| Use Trustly Pay if... | Use Instant Payments if... |
|---|---|
| You need recurring deposits or withdrawals. | You need a one-time checkout experience. |
| You want a one-click experience for returning users. | You do not need to store an authorization for future use. |
| You operate a wallet, trading account, or gaming balance. | You sell a single good or service, such as e-commerce. |
Core capabilities
The Trustly Pay workflow supports the following primary operations:
- Pay-ins (Capture): Pull funds from the user's bank account to your platform.
- Payouts (Deposit): Push winnings or withdrawals back to the user's bank account. In Trustly API terminology, a Deposit transaction sends money to the user.
In addition, Trustly offers the following APIs to manage the transaction lifecycle:
- Refund transaction: Use to refund a previously completed Capture transaction.
- Reclaim transaction: Use to refund a previously completed Payout (Deposit) transaction.
- Cancel transaction: Use to cancel a previously authorized Authorization or unsettled Capture transaction.
Payment workflow
The following diagram illustrates the two-phase lifecycle of a Trustly Pay transaction, starting with the initial user authorization and followed by the server-side funds capture.
sequenceDiagram participant User participant Client as Merchant Frontend participant Server as Merchant Backend participant Trustly Note over User, Trustly: Phase 1: Bank Authorization User->>Client: A Client->>Trustly: B Trustly-->>User: C User->>Trustly: D Trustly-->>Client: E Client->>Server: F Note over User, Trustly: Phase 2: Capture Funds Server->>Trustly: G Trustly-->>Server: H Trustly-)Server: I
The following table describes each step in the workflow, corresponding to the lettered annotations in the diagram.
| Workflow Step | Action | Description |
|---|---|---|
| A | User initiates payment | The user clicks a button, such as Deposit, on your frontend application. |
| B | Client calls establish | Your frontend calls Trustly.establish with paymentType="Deferred". |
| C | Trustly launches UI | Trustly presents the Trustly Lightbox to the user. |
| D | User authorizes | The user logs into their bank through the Trustly Lightbox and confirms the authorization. |
| E | Redirect to returnUrl | Trustly redirects the user back to the returnUrl specified in your establish data. |
| F | Client sends ID to server | Your frontend extracts the transactionId from the redirect URL and securely passes it to your backend server. |
| G | Server requests capture | Your backend makes a server-to-server API call (POST /transactions/{id}/capture) using the stored transactionId. |
| H | Trustly acknowledges | Trustly returns an HTTP 200 OK response with a status of PENDING. The transaction is accepted and processing. |
| I | Final confirmation webhook | Trustly sends an asynchronous webhook notification to your backend confirming the final status (usually CAPTURED or SETTLED). |
Prerequisites
- Client-side SDK: You must integrate the JavaScript SDK (Web) or Mobile SDK to launch the Trustly UI. See Integrate the Client-Side SDK.
- Sandbox credentials: You need your
accessIdandaccessKey. Contact Trustly Support if you do not have them. - Legal agreement: Ensure your non-disclosure agreement (NDA) and commercial agreements are signed.
Create a bank authorization
The foundation of Trustly Pay is the Establish call. This launches the Lightbox and generates a transactionId that represents the authorized user.
Configure the transaction
Create an establishData object to define the transaction parameters. To create a deferred authorization, you must set the paymentType to Deferred. For example:
var establishData = {
accessId: 'YOUR_ACCESS_ID',
merchantId: 'YOUR_MERCHANT_ID',
merchantReference: 'user_session_8829',
description: 'Wallet funding',
currency: 'USD',
amount: '0.00',
paymentType: 'Deferred', // Critical for Trustly Pay
requestSignature: 'GENERATED_SIGNATURE', // Critical for security
customer: {
name: 'Jane Doe',
address: {
country: 'US'
}
},
returnUrl: '[https://merchant.com/return](https://merchant.com/return)',
cancelUrl: '[https://merchant.com/cancel](https://merchant.com/cancel)'
};Electronic Gaming clients are required to pass verifyCustomer as true and include the customer object for verification. Do not pass customer PII (name, email address, etc.) in the description field; instead pass any customer PII in the customer object.
Set amount to 0.00 for an open-ended authorization, or enter a value to define a limit. Use displayAmount to show the final transaction total to the user.
Launch the Lightbox
Call Trustly.establish() passing both your transaction data and your options object (if configured). For example:
Trustly.establish(establishData, TrustlyOptions);To configure TrustlyOptions, see Integrate the Client-Side SDK.
Handle the redirect
Once the user successfully authorizes the request, Trustly redirects them to your returnUrl. If the user cancels, Trustly redirects them to your cancelUrl.
Example Return URL: https://merchant.com/return?transactionId=1002633191&status=2
You must capture and store the transactionId from the URL parameters. This ID is the unique key you'll use to execute all subsequent API requests. You should also confirm that the status parameter is 2 (Authorized). For a complete list of transaction statuses, see Status codes.
Enable Trustly Remember Me (optional)
Trustly Remember Me significantly reduces friction for returning users and increases conversion rates by enabling a seamless, one-click payment experience.
When the user completes the authorization, Trustly generates a secure splitToken. You can use this token to recognize the returning user and allow them to pay in the future with a single click, bypassing the bank login process entirely.
To enable this functionality, ensure you provide the user's email, phone, and externalId in the customer object of your establishData.
For implementation details, see Enable Trustly Remember Me.
Capture funds
Once you have a valid bank authorization (transactionId), you can pull funds from the user's account into your merchant account using the Capture API.
Endpoint: POST /transactions/{transactionId}/capture
Replace {transactionId} with the ID from the original bank authorization.
Request parameters
| Parameter | Description |
|---|---|
amount | The amount to debit from the user. |
merchantReference | Your unique identifier for this order. For example, the order ID. |
Example request
curl -X POST https://sandbox.trustly.one/api/v1/transactions/{transactionId}/capture \
-u "YOUR_ACCESS_ID:YOUR_ACCESS_KEY" \
-H "Content-Type: application/json" \
-d '{
"amount": "10.00",
"merchantReference": "order_12345"
}'Response handling
The Capture API is asynchronous. The immediate response is typically Pending. You must wait for a webhook to confirm the final status.
| Status | Description | Action |
|---|---|---|
PENDING | Transaction accepted and processing. | Record the transaction. Wait for the final confirmation webhook. For example, CAPTURED or SETTLED. |
DECLINED | Transaction rejected. For example, non-sufficient funds or risk. | Ask the user for a different payment method. |
Send funds (payouts)
To send winnings or withdrawals back to the user's bank account, use the Deposit API. See Send payouts.
Event notifications
Trustly Pay relies on the ACH network, so transaction statuses are asynchronous. You must configure a webhook listener to track when funds actually settle.
Key events for the Trustly Pay workflow include:
debit: Confirms a successful Pay-in (Capture).credit: Confirms a successful Payout (Deposit).
See Handle webhooks.
Refresh bank authorization
Bank authorizations may expire or require refreshing. For example, if a user changes their bank password. See Refresh bank authorization
Error codes
The following table lists the error codes you may encounter during pay-in or payout requests.
For detailed user messaging recommendations for each error code, see Status codes and type definitions.
| Transaction Status | Error Code | Description | Action |
|---|---|---|---|
| Failed | SW057 / 326 | Expired split token | See Maintain authorizations. |
| Failed | SW051 / 380 | Invalid / corrupt split token | See Maintain authorizations. |
| Failed | SW056 / 330 | Invalid account | Remove the bank account from the user's profile. Prompt the user to add a new payment method. |
| Failed | SW054 / 390 | Fraud analysis | Prompt the user to use a different payment method. If a thirdPartyDeclineCode is provided, direct the user to the supplier. |
| Failed | SW055 / 390 | Fraud analysis (Negative Data) | Remove the bank account from the user's profile. Prompt the user to add a new payment method. |
| Failed | SW052 / 378 | Internal error or bank request error | Show a generic error message and allow the user to try again. |
| Denied | SW021 / 331 | Not enough balance | Prompt the user to check their balance or use another payment method. |
Updated about 2 hours ago