Skip to main content
POST
Create Session
user_id and user_email are required for merchant (secret-key) requests: they identify the customer this session belongs to. Only one purchase_context entry is supported per session (multi-merchant is not yet available).

Notes

  • Sessions are short-lived and single-use, tied to a specific merchant, customer, and order.
  • effective_until_minutes in purchase_context controls how long the mandate (the spending permission created when the cardholder approves) is valid (default: 15).
  • session_token and iframe_url are used on the frontend: embedded via the SDK, or opened directly for hosted checkout.
  • Set integration_type: "embedding" for the SDK flow; omit it (or use "full_checkout") for hosted, and provide a callback_url.
  • Sessions can be revoked via POST /v1/sessions/:id/revoke.

Error responses

Authorizations

Authorization
string
header
required

Your secret key: sk_test_* (sandbox) or sk_live_* (production).

Body

application/json
user_id
string
required

Unique identifier for the customer in your system

Maximum string length: 255
user_email
string<email>
required

Customer's email address

total_amount
string
required

Total order amount in decimal format (e.g. "49.99")

currency
string
required

ISO 4217 currency code — exactly 3 uppercase letters (e.g. "USD")

purchase_context
object[]
required

Exactly one purchase context object. Multi-merchant sessions are not currently supported.

Required array length: 1 element
user_phone
string

Customer's phone number

user_country_code_iso2
string

Customer's country — 2 uppercase ISO 3166-1 letters

external_order_ref
string

Your external order reference ID

Maximum string length: 255
description
string

Human-readable description of the order

integration_type
enum<string>
default:full_checkout

How the card is collected. full_checkout = hosted redirect; embedding = mount the iframe via the SDK.

Available options:
full_checkout,
embedding
callback_url
string

For hosted checkout: the https URL Prava redirects the cardholder to after they finish.

Maximum string length: 2048
card
object

Pre-select a card for the session

Response

Session created

session_id
string

Unique session identifier

session_token
string

JWT to authenticate client-side SDK operations within this session

iframe_url
string

URL for the secure card collection surface

order_id
string

Internal order identifier

expires_at
string<date-time>

ISO 8601 timestamp when the session expires