6. GNU Taler Merchant API Tutorial

6.1. Introduction

6.1.1. About GNU Taler

GNU Taler is an open protocol for an electronic payment system with a free software reference implementation. GNU Taler offers secure, fast and easy payment processing using well understood cryptographic techniques. GNU Taler allows customers to remain anonymous, while ensuring that merchants can be held accountable by governments. Hence, GNU Taler is compatible with anti-money-laundering (AML) and know-your-customer (KYC) regulation, as well as data protection regulation (such as GDPR).

6.1.2. About this tutorial

This tutorial addresses how to process payments using the GNU Taler merchant Backend. This chapter explains some basic concepts. In the second chapter, you will learn how to do basic payments.

This version of the tutorial has examples for Python3. It uses the requests library for HTTP requests. Versions for other languages/environments are available as well.

If you want to look at some simple, running examples, check out these:

  • The essay merchant that sells single chapters of a book.
  • The donation page that accepts donations for software projects and gives donation receipts.
  • The survey that gives users who answer a question a small reward.

6.1.3. Architecture overview

The Taler software stack for a merchant consists of the following main components:

  • frontend A frontend which interacts with the customer’s browser. The frontend enables the customer to build a shopping cart and place an order. Upon payment, it triggers the respective business logic to satisfy the order. This component is not included with Taler, but rather assumed to exist at the merchant. This tutorial describes how to develop a Taler frontend.
  • backend A Taler-specific payment backend which makes it easy for the frontend to process financial transactions with Taler. For this tutorial, you will use a public sandbox backend. For production use, you must either set up your own backend or ask another person to do so for you.

The following image illustrates the various interactions of these key components:


The backend provides the cryptographic protocol support, stores Taler-specific financial information and communicates with the GNU Taler exchange over the Internet. The frontend accesses the backend via a RESTful API. As a result, the frontend never has to directly communicate with the exchange, and also does not deal with sensitive data. In particular, the merchant’s signing keys and bank account information are encapsulated within the Taler backend.

Some functionality of the backend (the “public interface“) is also exposed to the customer’s browser directly. In the HTTP API, all public endpoints are prefixed with /public/.

6.1.4. Public Sandbox Backend and Authentication

sandbox authorization How the frontend authenticates to the Taler backend depends on the configuration. See Taler Merchant Operating Manual.

The public sandbox backend https://backend.demo.taler.net/ uses an API key in the Authorization header. The value of this header must be ApiKey sandbox for the public sandbox backend.

>>> import requests
>>> requests.get("https://backend.demo.taler.net",
...              headers={"Authorization": "ApiKey sandbox"})
<Response [200]>

If an HTTP status code other than 200 is returned, something went wrong. You should figure out what the problem is before continuing with this tutorial.

The sandbox backend https://backend.demo.taler.net/ uses KUDOS as an imaginary currency. Coins denominated in KUDOS can be withdrawn from https://bank.demo.taler.net/.

6.1.5. Merchant Instances

instance The same Taler merchant backend server can be used by multiple separate merchants that are separate business entities. Each of these separate business entities is called a merchant instance, and is identified by an alphanumeric instance id. If the instance is omitted, the instance id default is assumed.

The following merchant instances are configured on https://backend.demo.taler.net/:

  • GNUnet (The GNUnet project)
  • FSF (The Free Software Foundation)
  • Tor (The Tor Project)
  • default (Kudos Inc.)

Note that these are fictional merchants used for our demonstrators and not affiliated with or officially approved by the respective projects.

6.2. Accepting a Simple Payment

6.2.1. Creating an Order for a Payment

order Payments in Taler revolve around an order, which is a machine-readable description of the business transaction for which the payment is to be made. Before accepting a Taler payment as a merchant you must create such an order.

This is done by posting a JSON object to the backend’s /order API endpoint. At least the following fields must be given:

  • amount: The amount to be paid, as a string in the format CURRENCY:DECIMAL_VALUE, for example EUR:10 for 10 Euros or KUDOS:1.5 for 1.5 KUDOS.
  • summary: A human-readable summary for what the payment is about. The summary should be short enough to fit into titles, though no hard limit is enforced.
  • fulfillment_url: A URL that will be displayed once the payment is completed. For digital goods, this should be a page that displays the product that was purchased. On successful payment, the wallet automatically appends the order_id as a query parameter, as well as the session_sig for session-bound payments (discussed later).

Orders can have many more fields, see The Taler Order Format.

After successfully POSTing to /order, an order_id will be returned. Together with the merchant instance, the order id uniquely identifies the order within a merchant backend.

>>> import requests
>>> order = dict(order=dict(amount="KUDOS:10",
...                         summary="Donation",
...                         fulfillment_url="https://example.com/thanks.html"))
>>> order_resp = requests.post("https://backend.demo.taler.net/order", json=order,
...               headers={"Authorization": "ApiKey sandbox"})
<Response [200]>

The backend will fill in some details missing in the order, such as the address of the merchant instance. The full details are called the contract terms. contract terms

6.2.2. Checking Payment Status and Prompting for Payment

The status of a payment can be checked with the /check-payment endpoint. If the payment is yet to be completed by the customer, /check-payment will give the frontend a URL (the payment_redirect_url) that will trigger the customer’s wallet to execute the payment.

Note that the only way to obtain the payment_redirect_url is to check the status of the payment, even if you know that the user did not pay yet.

>>> import requests
>>> r = requests.get("https://backend.demo.taler.net/check-payment",
...                  params=dict(order_id=order_resp.json()["order_id"]),
...                  headers={"Authorization": "ApiKey sandbox"})
>>> print(r.json())

If the paid field in the response is true, the other fields in the response will be different. Once the payment was completed by the user, the response will contain the following fields:

  • paid: Set to true.
  • contract_terms: The full contract terms of the order.
  • refunded: true if a (possibly partial) refund was granted for this purchase.
  • refunded_amount: Amount that was refunded
  • last_session_id: Last session ID used by the customer’s wallet. See Session-Bound Payments.

Once the frontend has confirmed that the payment was successful, it usually needs to trigger the business logic for the merchant to fulfill the merchant’s obligations under the contract.

6.3. Giving Refunds

refunds A refund in GNU Taler is a way to “undo” a payment. It needs to be authorized by the merchant. Refunds can be for any fraction of the original amount paid, but they cannot exceed the original payment. Refunds are time-limited and can only happen while the exchange holds funds for a particular payment in escrow. The time during which a refund is possible can be controlled by setting the refund_deadline in an order. The default value for this refund deadline is specified in the configuration of the merchant’s backend.

The frontend can instruct the merchant backend to authorize a refund by POSTing to the /refund endpoint.

The refund request JSON object has the following fields:

  • order_id: Identifies for which order a customer should be refunded.
  • instance: Merchant instance to use.
  • refund: Amount to be refunded. If a previous refund was authorized for the same order, the new amount must be higher, otherwise the operation has no effect. The value indicates the total amount to be refunded, not an increase in the refund.
  • reason: Human-readable justification for the refund. The reason is only used by the Back Office and is not exposed to the customer.

If the request is successful (indicated by HTTP status code 200), the response includes a refund_redirect_url. The frontend must redirect the customer’s browser to that URL to allow the refund to be processed by the wallet.

This code snipped illustrates giving a refund:

>>> import requests
>>> refund_req = dict(order_id="2018.",
...                   refund="KUDOS:10",
...                   instance="default",
...                   reason="Customer did not like the product")
>>> requests.post("https://backend.demo.taler.net/refund", json=refund_req,
...              headers={"Authorization": "ApiKey sandbox"})
<Response [200]>

6.4. Giving Customers Tips

tips GNU Taler allows Web sites to grant small amounts directly to the visitor. The idea is that some sites may want incentivize actions such as filling out a survey or trying a new feature. It is important to note that tips are not enforceable for the visitor, as there is no contract. It is simply a voluntary gesture of appreciation of the site to its visitor. However, once a tip has been granted, the visitor obtains full control over the funds provided by the site.

The “merchant” backend of the site must be properly configured for tipping, and sufficient funds must be made available for tipping See Taler Merchant Operating Manual.

To check if tipping is configured properly and if there are sufficient funds available for tipping, query the /tip-query endpoint:

>>> import requests
>>> requests.get("https://backend.demo.taler.net/tip-query?instance=default",
...              headers={"Authorization": "ApiKey sandbox"})
<Response [200]>

authorize tip To authorize a tip, POST to /tip-authorize. The following fields are recognized in the JSON request object:

  • amount: Amount that should be given to the visitor as a tip.
  • instance: Merchant instance that grants the tip (each instance may have its own independend tipping funds configured).
  • justification: Description of why the tip was granted. Human-readable text not exposed to the customer, but used by the Back Office.
  • next_url: The URL that the user’s browser should be redirected to by the wallet, once the tip has been processed.

The response from the backend contains a tip_redirect_url. The customer’s browser must be redirected to this URL for the wallet to pick up the tip. pick up tip

This code snipped illustrates giving a tip:

>>> import requests
>>> tip_req = dict(amount="KUDOS:0.5",
...                instance="default",
...                justification="User filled out survey",
...                next_url="https://merchant.com/thanks.html")
>>> requests.post("https://backend.demo.taler.net/tip-authorize", json=tip_req,
...              headers={"Authorization": "ApiKey sandbox"})
<Response [200]>

6.5. Advanced topics

6.5.1. Detecting the Presence of the Taler Wallet

Taler offers ways to detect whether a user has the wallet installed in their browser. This allows Web sites to adapt accordingly. Note that not all platforms can do presence detection reliably. Some platforms might have a Taler wallet installed as a separate App instead of using a Web extension. In these cases, presence detection will fail. Thus, sites may want to allow users to request Taler payments even if a wallet could not be detected, especially for visitors using mobiles.

Presence detection without JavaScript

Presence detection without JavaScript is based on CSS classes. You can hide or show elements selectively depending on whether the wallet is detected or not.

In order to work correctly, a special fallback stylesheet must be included that will be used when the wallet is not present. The stylesheet can be put into any file, but must be included via a link tag with the id attribute set to taler-presence-stylesheet. If a wallet is present, it will “hijack” this stylesheet to change how elements with the following classes are rendered:

The following CSS classes can be used:

A CSS rule will set the display property for this class to none once the Taler wallet is installed and enabled. If the wallet is not installed, display will be inherit.
A CSS rule will set the display property for this class to inherit once the Taler wallet is installed and enabled. If the wallet is not installed, display will be none.

The following is a complete example:

<!DOCTYPE html>
<html data-taler-nojs="true">
    <link rel="stylesheet"
          id="taler-presence-stylesheet" />
    <p class="taler-installed-hide">
      No wallet found.
    <p class="taler-installed-show">
      Wallet found!

The taler-fallback.css is part of the Taler’s web-common repository, available at https://git.taler.net/web-common.git/tree/taler-fallback.css. You may have to adjust the href attribute in the HTML code above to point to the correct location of the taler-fallback.css file on your Web site.

Detection with JavaScript

The following functions are defined in the taler namespace of the taler-wallet-lib helper library available at https://git.taler.net/web-common.git/tree/taler-wallet-lib.js.

onPresent(callback: () => void)
Adds a callback to be called when support for Taler payments is detected.
onAbsent(callback: () => void)
Adds a callback to be called when support for Taler payments is disabled.

Note that the registered callbacks may be called more than once. This may happen if a user disables or enables the wallet in the browser’s extension settings while a shop’s frontend page is open.

6.5.2. Integration with the Back Office

Taler ships a Back Office application as a stand-alone Web application. The Back Office has its own documentation at https://docs.taler.net/backoffice/html/manual.html.

Developers wishing to tightly integrate back office support for Taler-based payments into an existing back office application should focus on the wire transfer tracking and transaction history sections of the Taler Backend API specification at https://docs.taler.net/api/api-merchant.html

6.5.3. Session-Bound Payments

session Sometimes checking if an order has been paid for is not enough. For example, when selling access to online media, the publisher may want to be paid for exactly the same product by each customer. Taler supports this model by allowing the mechant to check whether the “payment receipt” is available on the user’s current device. This prevents users from easily sharing media access by transmitting a link to the fulfillment page. Of course sophisticated users could share payment receipts as well, but this is not as easy as sharing a link, and in this case they are more likely to just share the media directly.

To use this feature, the merchant must first assign the user’s current browser an ephemeral session_id, usually via a session cookie. When executing or re-playing a payment, the wallet will receive an additional signature (session_sig). This signature certifies that the wallet showed a payment receipt for the respective order in the current session. cookie

Session-bound payments are triggerd by passing the session_id parameter to the /check-payment endpoint. The wallet will then redirect to the fulfillment page, but include an additional session_sig parameter. The frontend can query /check-payment with both the session_id and the session_sig to verify that the signature is correct.

The last session ID that was successfuly used to prove that the payment receipt is in the user’s wallet is also available as last_session_id in the response to /check-payment.

6.5.4. Product Identification

resource url In some situations the user may have paid for some digital good, but the frontend does not know the exact order ID, and thus cannot instruct the wallet to reveil the existing payment receipt. This is common for simple shops without a login system. In this case, the user would be prompted for payment again, even though they already purchased the product.

To allow the wallet to instead find the existing payment receipt, the shop must use a unique fulfillment URL for each product. Then, the frontend must provide an additional resource_url parameter to to /check-payment. It should identify this unique fulfillment URL for the product. The wallet will then check whether it has paid for a contract with the same resource_url before, and if so replay the previous payment.

6.5.5. The Taler Order Format

A Taler order can specify many details about the payment. This section describes each of the fields in depth.

Financial amounts are always specified as a string in the format "CURRENCY:DECIMAL_VALUE".

amount Specifies the total amount to be paid to the merchant by the customer.
fees maximum deposit fee This is the maximum total amount of deposit fees that the merchant is willing to pay. If the deposit fees for the coins exceed this amount, the customer has to include it in the payment total. The fee is specified using the same triplet used for amount.
fees maximum wire fee Maximum wire fee accepted by the merchant (customer share to be divided by the ’wire_fee_amortization’ factor, and further reduced if deposit fees are below ’max_fee’). Default if missing is zero.
fees maximum fee amortization Over how many customer transactions does the merchant expect to amortize wire fees on average? If the exchange’s wire fee is above ’max_wire_fee’, the difference is divided by this number to compute the expected customer’s contribution to the wire fee. The customer’s contribution may further be reduced by the difference between the ’max_fee’ and the sum of the actual deposit fees. Optional, default value if missing is 1. 0 and negative values are invalid and also interpreted as 1.
pay_url Which URL accepts payments. This is the URL where the wallet will POST coins.
fulfillment URL Which URL should the wallet go to for obtaining the fulfillment, for example the HTML or PDF of an article that was bought, or an order tracking system for shipments, or a simple human-readable Web page indicating the status of the contract.
order ID Alphanumeric identifier, freely definable by the merchant. Used by the merchant to uniquely identify the transaction.
summary Short, human-readable summary of the contract. To be used when displaying the contract in just one line, for example in the transaction history of the customer.
Time at which the offer was generated.
payment deadline Timestamp of the time by which the merchant wants the exchange to definitively wire the money due from this contract. Once this deadline expires, the exchange will aggregate all deposits where the contracts are past the refund_deadline and execute one large wire payment for them. Amounts will be rounded down to the wire transfer unit; if the total amount is still below the wire transfer unit, it will not be disbursed.
refund deadline Timestamp until which the merchant willing (and able) to give refunds for the contract using Taler. Note that the Taler exchange will hold the payment in escrow at least until this deadline. Until this time, the merchant will be able to sign a message to trigger a refund to the customer. After this time, it will no longer be possible to refund the customer. Must be smaller than the pay_deadline.

product description Array of products that are being sold to the customer. Each entry contains a tuple with the following values:

Description of the product.
Quantity of the items to be shipped. May specify a unit (1 kg) or just the count.
Price for quantity units of this product shipped to the given delivery_location. Note that usually the sum of all of the prices should add up to the total amount of the contract, but it may be different due to discounts or because individual prices are unavailable.
Unique ID of the product in the merchant’s catalog. Can generally be chosen freely as it only has meaning for the merchant, but should be a number in the range [0,2^{51}).
Map of applicable taxes to be paid by the merchant. The label is the name of the tax, i.e. VAT, sales tax or income tax, and the value is the applicable tax amount. Note that arbitrary labels are permitted, as long as they are used to identify the applicable tax regime. Details may be specified by the regulator. This is used to declare to the customer which taxes the merchant intends to pay, and can be used by the customer as a receipt. The information is also likely to be used by tax audits of the merchant.
Time by which the product is to be delivered to the delivery_location.
This should give a label in the locations map, specifying where the item is to be delivered.

Values can be omitted if they are not applicable. For example, if a purchase is about a bundle of products that have no individual prices or product IDs, the product_id or price may not be specified in the contract. Similarly, for virtual products delivered directly via the fulfillment URI, there is no delivery location.

This should give a label in the locations map, specifying where the merchant is located.
This should give a human-readable name for the merchant’s business.
This should give a label in the locations map, specifying the jurisdiction under which this contract is to be arbitrated.

location Associative map of locations used in the contract. Labels for locations in this map can be freely chosen and used whenever a location is required in other parts of the contract. This way, if the same location is required many times (such as the business address of the customer or the merchant), it only needs to be listed (and transmitted) once, and can otherwise be referred to via the label. A non-exhaustive list of location attributes is the following:

Name of the country for delivery, as found on a postal package, i.e. “France”.
Name of the state for delivery, as found on a postal package, i.e. “NY”.
Name of the region for delivery, as found on a postal package.
Name of the province for delivery, as found on a postal package.
Name of the city for delivery, as found on a postal package.
ZIP code
ZIP code for delivery, as found on a postal package.
Street name for delivery, as found on a postal package.
street number
Street number (number of the house) for delivery, as found on a postal package.

name receiver name for delivery, either business or person name.

Note that locations are not required to specify all of these fields, and they is also allowed to have additional fields. Contract renderers must render at least the fields listed above, and should render fields that they do not understand as a key-value list.