Payflow Docs

Errors

Understand Payflow's response envelope, HTTP status codes, validation errors, authentication failures, and provider failures.

Payflow business endpoints return expected failures in the standard envelope:

{
  "success": false,
  "data": null,
  "message": "Readable error message"
}

Unexpected server errors hide internal details:

{
  "success": false,
  "data": null,
  "message": "Internal server error"
}

Status codes

StatusMeaningExample
400Invalid request body, query, signature, or field value.Invalid payment request.
401Missing, invalid, inactive, or expired API credential.Invalid API credential.
403Authenticated but not allowed.ACH transfers require a secret key.
404Resource does not exist in the caller's scope.Application not found.
409Business conflict or disabled capability.Routing is not configured yet.
422Provider or domain validation rejected the operation.ACH transfer could not be created.
428Password confirmation is required for a sensitive session action.Password confirmation required.
429Rate limit exceeded.Rate limit exceeded.
500Unexpected server failure.Internal server error.
502Upstream provider failed after Payflow prepared the operation.Provider could not confirm payment.
503Required infrastructure, authentication, Redis, or provider config is unavailable.Dwolla ACH is not configured.

Validation errors

Validation errors are intentionally concise. They do not expose full Zod issue lists to public callers.

Example:

{
  "success": false,
  "data": null,
  "message": "Invalid payment request."
}

Use the endpoint reference to validate fields before sending requests.

Authentication errors

Authentication can fail for several reasons:

  • The Bearer token is missing.
  • The token format does not match a Payflow key.
  • The secret key digest does not match.
  • The organization or application is inactive.
  • Sandbox onboarding is not ready.
  • Production access has not been approved.
  • The secret was revoked or its retiring window ended.
  • A publishable-key browser request came from an unregistered origin.

Provider errors

Provider-facing operations can fail after Payflow validates the request. For example:

  • Stripe could not create a checkout session.
  • Square could not create a payment link.
  • Stripe could not retrieve or confirm a Payment Intent.
  • Square rejected a component payment.
  • Dwolla rejected customer, funding source, or transfer details.

In customer-facing apps, prefer a calm generic message such as:

We could not start this payment. Please try again or use another method.

Keep the Payflow message, requestId, payflowReference, and provider reference in your internal logs.

Retry guidance

ScenarioRetry?Notes
Network timeout before responseYesUse the same idempotency key for ACH. For card flows, check whether a Payflow reference was created.
400 validation errorNoFix the request.
401 or 403NoFix credentials, permissions, origin, or environment access.
409 routing or state conflictNo automatic retryOperator action is usually required.
429 rate limitedYes, with backoffUse exponential backoff and reduce request rate.
502 or 503 provider unavailableYes, with backoffAvoid tight loops; provider readiness work may be required.

Request IDs and support

Include a request ID in every server-side call:

X-Request-Id: checkout-order-1001-attempt-1

When contacting support or debugging internally, collect:

  • Request ID.
  • Payflow reference.
  • Application ID.
  • Environment.
  • Timestamp.
  • Endpoint and HTTP status.
  • Provider reference if available.

On this page