No-KYC WooCommerce Payment Plugin – Accept Cards, PayPal & More Instantly

Quickstart (5 minutes)

Create an account and open Merchant Dashboard.
Add your shop domain in Settings → Shops/Domains (required for API-created sessions).
Set your payout wallet in Settings (required).
Set webhook URL + secret in Settings → Webhooks (recommended).
Call POST /gateway/session.php from your backend → get checkout_url → redirect your customer.
Mark orders paid when you receive a valid signed webhook where status = "paid".

Golden rule

Do not rely on the customer returning to your site. Always confirm payment via webhook (recommended) or by polling session status.

Base URL & Authentication

Base URL (Merchant Gateway)

https://pay.ecomtrade24.com

Use https://pay.ecomtrade24.com for all merchant API calls (/gateway/*). The Cloudflare Workers domains are used internally for routing and hosted provider redirects.

Auth Header (recommended)

Authorization: Bearer YOUR_API_KEY

Alternative

X-API-Key: YOUR_API_KEY

Your API key is available in Merchant Dashboard → Settings.

1) Create a Checkout Session

Server-to-server

POST /gateway/session.php

Request JSON

{
  "domain": "yourshop.com",
  "merchant_ref": "ORDER_123",
  "amount": "79.00",
  "currency": "EUR",
  "return_url": "https://yourshop.com/thank-you",
  "cancel_url": "https://yourshop.com/checkout",
  "customer_email": "[email protected]",
  "provider": "card",

  "meta": {
    "customer_id": "CUST_9",
    "cart_id": "CART_55",
    "notes": "Any extra data you want to store"
  }
}

Required: amount, currency, domain (must be allowlisted in your dashboard).
Recommended: merchant_ref (your order id), customer_email, return_url.

Response JSON

{
  "ok": true,
  "session_id": 12345,
  "checkout_url": "https://pay.ecomtrade24.com/pay.php?session=12345",
  "direct_url": null,
  "selected_provider": null,
  "smart_route": true,
  "expires_at": "2026-02-25 12:34:56"
}

Redirect your customer to checkout_url. If you use Smart Routing + provider selection, you may also receive direct_url (see Smart Routing section).

Notes

domain accepts host only (recommended) or full URL. We normalize it (remove www., ports).
return_url / cancel_url must be full https:// URLs (otherwise ignored).
Optional routing fields: provider, method, payment_provider, payment_method (same meaning).
Provider can be a method alias (card, paypal, …) or a direct slug from EPv1 / EPv2 (for example wert, moonpay, epv2).
Sessions expire (default 15 minutes). Late confirmations may still be accepted within a grace window.

2) Redirect the Customer

Hosted checkout

https://pay.ecomtrade24.com/pay.php?session=12345

This is the default flow and works for all merchants.

Force a method (Smart Routing)

https://pay.ecomtrade24.com/pay.php?session=12345&method=card

Methods: card, paypal, revolut, bank, ideal, other
iDEAL is shown only for customers from NL (country is detected automatically).

Force a provider (advanced/testing)

https://pay.ecomtrade24.com/pay.php?session=12345&method=other&provider=epv2

Provider override is validated against allow/block configuration on your merchant account and admin routing rules.

3) Get Merchant Capabilities

GET /gateway/me.php

Use this endpoint to detect package, checkout mode, and which Smart Routing methods are currently configured and available. (WooCommerce plugins and custom integrations use this to adapt the UI.)

{
  "ok": true,
  "merchant_id": 88,
  "email": "[email protected]",
  "package": "pro",
  "checkout_mode": "smart_router",
  "country": "NL",
  "smart_router": {
    "enabled_global": true,
    "allowed_for_package": true,
    "effective": true,
    "methods": {
      "card":   { "enabled": true, "configured": true, "available": true },
      "paypal": { "enabled": true, "configured": true, "available": true },
      "ideal":  { "enabled": true, "configured": true, "available": true }
    }
  }
}

4) Get Session Status (Polling)

GET /gateway/session_status.php?session_id=12345

Alternative lookups

GET /gateway/session_status.php?order_id=ORDER_123
GET /gateway/session_status.php?number=session_12345

Response JSON

{
  "ok": true,
  "session": {
    "id": 12345,
    "order_id": "ORDER_123",
    "status": "paid",
    "amount": "79.00",
    "currency": "EUR",
    "shop_domain": "yourshop.com",
    "created_at": "2026-02-25 12:00:00",
    "expires_at": "2026-02-25 12:15:00",
    "payment_url": "https://pay.ecomtrade24.com/pay.php?session=12345",
    "txid": "...",
    "txid_in": "...",
    "txid_out": "...",
    "paid_value_coin": "79.00",
    "paid_coin": "USDC",
    "last_error": null
  }
}

Only treat status = "paid" as a successful final state. For best reliability use webhooks.

5) Webhooks (Recommended)

What you receive

When a session is paid, we send a POST request to your webhook URL. The payload is JSON and includes your order id, session id, and payment metadata.

Configure: Merchant Dashboard → Settings → Webhooks (Webhook URL + Webhook Secret)

Headers

Content-Type: application/json
X-Signature: <hex hmac sha256>

Signature is calculated as: HMAC_SHA256(raw_request_body, webhook_secret) (hex output).

Example payload

{
  "event": "payment.session",
  "session_id": 12345,
  "order_id": "ORDER_123",
  "status": "paid",
  "amount": "79.00",
  "currency": "EUR",
  "shop_domain": "yourshop.com",
  "email": "[email protected]",
  "txid": "…",
  "txid_in": "…",
  "txid_out": "…",
  "paid_value_coin": "79.00",
  "paid_coin": "USDC",
  "polygon_address_in": "…",
  "created_at": "2026-02-25 12:00:00",
  "expires_at": "2026-02-25 12:15:00",
  "sent_at": "2026-02-25T04:15:30Z"
}

Verify (PHP)

<?php
$secret = 'YOUR_WEBHOOK_SECRET';
$raw = file_get_contents('php://input');
$sig = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
$calc = hash_hmac('sha256', $raw, $secret);

if (!hash_equals($calc, $sig)) {
  http_response_code(401);
  exit('invalid signature');
}

$data = json_decode($raw, true);
if (($data['status'] ?? '') === 'paid') {
  // mark your order paid using $data['order_id']
}
http_response_code(200);
echo 'ok';

Verify (Node.js)

// express raw body required
import crypto from "crypto";

const secret = process.env.WEBHOOK_SECRET;

app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => {
  const sig = req.header("X-Signature") || "";
  const calc = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!crypto.timingSafeEqual(Buffer.from(calc), Buffer.from(sig))) {
    return res.status(401).send("invalid signature");
  }
  const data = JSON.parse(req.body.toString("utf8"));
  if (data.status === "paid") {
    // mark order paid
  }
  res.status(200).send("ok");
});

Verify (Go)

package main

import (
  "crypto/hmac"
  "crypto/sha256"
  "encoding/hex"
  "io"
  "net/http"
)

func webhook(w http.ResponseWriter, r *http.Request) {
  secret := []byte("YOUR_WEBHOOK_SECRET")
  sig := r.Header.Get("X-Signature")

  raw, _ := io.ReadAll(r.Body)
  mac := hmac.New(sha256.New, secret)
  mac.Write(raw)
  calc := hex.EncodeToString(mac.Sum(nil))

  if !hmac.Equal([]byte(calc), []byte(sig)) {
    w.WriteHeader(401)
    w.Write([]byte("invalid signature"))
    return
  }

  // parse JSON, mark paid
  w.WriteHeader(200)
  w.Write([]byte("ok"))
}

Webhook rules

Return HTTP 200 after successful processing.
Verify signature before updating any order.
Webhook payload is built from our database (stable fields), not from provider query parameters.

6) Smart Routing (Pro / Unlimited)

Smart Routing supports three provider layers: EPv1 (fiat provider network), EPv2 (provider list via method=other), and EPv3 (crypto checkout layer). For card/paypal/bank routing use EPv1. EPv2 is dedicated to the "other" provider list flow.

Activation requirements

Merchant package: Pro or Unlimited.
Merchant checkout_mode = smart_router.
Admin routing configured for methods: card, paypal, revolut, bank, ideal, other.
For EPv2: admin EPv2 configuration must be active.
When partner split is active, the gateway first uses reseller checkout (v3 with partner_* params). If unavailable, it falls back to v2 provider-list create.
EPv2 is only used when method=other (or provider=epv2).

A) URL-based selection

https://pay.ecomtrade24.com/pay.php?session=12345&method=other
https://pay.ecomtrade24.com/pay.php?session=12345&provider=epv2

Use method for route family selection, or provider for a direct provider slug.

B) API-driven direct redirect

In POST /gateway/session.php, send a routing hint. If available, the API returns direct_url.

{
  "domain": "yourshop.com",
  "merchant_ref": "ORDER_123",
  "amount": "106.00",
  "currency": "EUR",
  "customer_email": "[email protected]",
  "provider": "epv2"
}

EPv1 routes typically point to the checkout worker direct provider flow.
EPv2 routes point to /pay.php?session=...&provider=epv2 and open the provider list.

Accepted routing fields (same meaning)

"provider": "card"
"method": "other"
"payment_provider": "epv2"
"payment_method": "other"

Use one of these fields; backend normalizes aliases automatically.

Provider variants

EPv1 direct provider slugs (examples)

"provider": "wert"
"provider": "moonpay"
"provider": "transak"
"provider": "rampnetwork"
"provider": "robinhood"
"provider": "revolut"
"provider": "ideal"
"provider": "banktransfer"

EPv2 direct provider slug

"provider": "epv2"

Current production policy: only epv2 is used for provider-list flow, and only with method=other.

Recommended flow

Create session with routing hint (provider or method).
If direct_url exists, redirect there.
Otherwise redirect to checkout_url.
Finalize orders only from webhook/session status.

7) Crypto Checkout (EPv3)

If Crypto Checkout is enabled for your merchant account, customers can pay with supported coins/networks. Your payout wallet must be configured in Merchant Settings.

Normal flow

Create session via POST /gateway/session.php.
Redirect to /pay.php?session=….
Customer selects Pay with Crypto (if enabled).
You receive the same webhook when paid.

Direct crypto screen (optional)

GET /crypto.php?session=12345

Use this if you want “Crypto always goes straight to crypto screen”. (Your shop can decide when to use it.)

Important

Crypto payments also end in the same session status flow: you’ll receive status="paid" via webhook.
Enable Crypto + set payout wallet in Merchant Dashboard → Settings.

8) Payment Links & Product Landing Pages (No-Code)

If you don’t want to build an API integration, you can still accept payments using hosted pages:

Payment Links

Create a payment link in Merchant Dashboard → Payment Links.
Share it with a customer (invoice, email, WhatsApp, etc.).
When paid, you still receive your webhook (if configured).

Product Landing Pages

Create products in Merchant Dashboard → Products.
Customers open your hosted product page and checkout.
Built for conversion (landing page → checkout).

Developer note

Payment Links / Product checkouts are platform-hosted and may create sessions under the platform domain automatically. If you integrate via API for your own shop, make sure your domain is allowlisted in your dashboard.

Errors & Troubleshooting

Common error responses

{
  "ok": false,
  "error": "domain_not_allowed",
  "domain": "yourshop.com"
}

Common error values:

missing_api_key / invalid_api_key
merchant_disabled
invalid_json
invalid_domain, domain_not_allowed
invalid_amount, invalid_currency, invalid_email
missing_merchant_payout_wallet / invalid_merchant_payout_wallet
rate_limited
wallet_create_failed (temporary upstream issue)

If you get domain_not_allowed

Add your shop domain in Merchant Dashboard → Settings → Shops/Domains.
Send domain as host (e.g. myshop.com) not a path.

Integration Checklist

Add your domain (allowlist)
Set payout wallet
Configure webhook URL + secret
Create session server-to-server
Redirect customer to checkout_url
Mark order paid on signed webhook (or poll status)
(Optional) Enable Smart Routing + method/provider selection
(Optional) Enable Crypto Checkout

Integration Docs (API + Webhooks + Smart Routing + Crypto + Payment Links)