> ## Documentation Index
> Fetch the complete documentation index at: https://docs-alpha.pepay.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Step 3 - Create invoice and order

> Creates the final order and payment invoice.
Returns payment session credentials for payment session APIs.

Checkout semantics:
- Only `validItems[]` from the estimate are included in the created order.
- The customer cart is **not** automatically cleared or modified.
- Use `GET /api/commerce/merchant/orders/{orderId}` for the canonical merchant-facing order snapshot after creation.




## OpenAPI

````yaml /api-reference/openapi.json post /api/commerce/merchant/checkout/invoice
openapi: 3.0.0
info:
  title: Pepay API (SDK-scoped)
  version: 1.0.0
  description: API documentation for Pepay API
servers:
  - url: https://api-beta.pepay.io
    description: Beta server
  - url: http://localhost:3000
    description: Local development
security:
  - bearerAuth: []
tags:
  - name: Events
    description: Events API (history + debugging) for canonical notification envelopes.
  - name: Metrics
    description: Internal Prometheus metrics (restricted).
  - name: WebSockets
    description: WebSocket streams (upgrade endpoints) and message schemas.
  - name: Commerce - Devnet Simulator
    description: >
      Deterministic devnet-only endpoints for simulating Commerce V2 order state
      transitions.


      Use this when integrating as a merchant on devnet to test your backend/UI
      against realistic order lifecycle changes

      (payment confirmation, settlement gating, placement, tracking,
      cancellation, refunds) without placing real retailer

      orders or sending real on-chain refunds.


      How it works:

      - Requires a devnet `X-Commerce-Api-Key` (merchant-scoped).

      - Only operates on orders created in `networkEnvironment=devnet`.

      - Updates the order using the same reducer/persistence paths used in
      mainnet (provider snapshots are simulated).

      - After each simulation, Pepay emits the normal `commerce.order.updated`
      merchant webhook event.
  - name: Merchant Checkout
    description: >
      Merchant-scoped **three-step** checkout flow:

      1) `POST /api/commerce/merchant/checkout/estimate` — validate items
      against current eligible offers and return `validItems[]` +
      `invalidItems[]`.

      2) `POST /api/commerce/merchant/checkout/address` — attach and validate a
      shipping address for the estimate.

      3) `POST /api/commerce/merchant/checkout/invoice` — create the final
      invoice + commerce order.


      Cart behavior (when `useCart: true`):

      - The estimate call **reads** the saved cart but does **not** remove or
      modify cart items.

      - Items with no eligible offers are returned in `invalidItems[]`.

      - To remove items from the saved cart, call the Merchant Cart APIs (`PUT
      /api/commerce/merchant/carts/items/:itemId` with `quantity: 0`, or `DELETE
      /api/commerce/merchant/carts/items/:itemId`).

      - To exclude items for *this checkout attempt* without mutating the cart,
      use `itemOverrides[]` with `quantity: 0`.
  - name: Payment Sessions
    description: >
      Payor-facing APIs used by the hosted payment page and other embedded
      checkout clients.


      Canonical base path:

      - All documented endpoints are under `/api/v1/payments/*`.


      Authentication:

      - These endpoints do **not** accept merchant API keys or bearer JWTs.

      - Send `x-session-token` and `x-signature` headers on every request (both
      are returned when creating an invoice).


      Typical flow:

      1) Create an invoice (`POST /api/v1/invoices`) → receive `payment_url`,
      `session_token`, `signature`.

      2) Render/open the `payment_url` for the payor.

      3) Fetch invoice context (`GET /api/v1/payments/session-details`).

      4) List supported tokens (`GET /api/v1/payments/available-tokens`).

      5) Allocate a payment address (`POST /api/v1/payments/payment-addresses`)
      → use `ws_connection` for `/ws/payment`.

      6) Track progress via polling (`GET /api/v1/payments/payment-status`)
      and/or websocket (`/ws/payment`).


      Security notes:

      - Treat `session_token` and `signature` as sensitive values (anyone with
      them can read the invoice/payment status).

      - Do not store them in long-lived browser storage; prefer in-memory usage
      on the payment page.
  - name: Quotes
    description: Token settlement quotes and rate calculations
  - name: Webhooks
    description: >
      Webhook endpoint management and delivery history for canonical
      notifications.


      Delivery model:

      - At-least-once delivery; receivers must dedupe by `event.id` (also sent
      as `X-Pepay-Event-ID`).

      - Payloads are canonical `PepayEvent` objects and match websocket
      `event_v1` frames for the same event type.


      Security:

      - Endpoints must be HTTPS.

      - Deliveries are signed using `HMAC_SHA256("${timestamp_ms}.${raw_body}")`
      and sent in `X-Pepay-Signature`.
paths:
  /api/commerce/merchant/checkout/invoice:
    post:
      tags:
        - Merchant Checkout
      summary: Step 3 - Create invoice and order
      description: >
        Creates the final order and payment invoice.

        Returns payment session credentials for payment session APIs.


        Checkout semantics:

        - Only `validItems[]` from the estimate are included in the created
        order.

        - The customer cart is **not** automatically cleared or modified.

        - Use `GET /api/commerce/merchant/orders/{orderId}` for the canonical
        merchant-facing order snapshot after creation.
      operationId: createMerchantInvoice
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CommerceMerchantCheckoutInvoiceRequest'
            examples:
              create_invoice:
                summary: Create invoice + order
                value:
                  customer_id: cust_123456
                  estimateId: 550e8400-e29b-41d4-a716-446655440000
                  addressId: 550e8400-e29b-41d4-a716-446655440222
                  refundDestinationWalletAddressBsc: '0x0000000000000000000000000000000000000001'
      responses:
        '200':
          description: Invoice created successfully
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/PostapicommercemerchantcheckoutinvoiceResponse200
              examples:
                created:
                  summary: Invoice created (use invoiceUrl + payment session headers)
                  value:
                    success: true
                    data:
                      orderId: 550e8400-e29b-41d4-a716-446655440333
                      invoiceId: 550e8400-e29b-41d4-a716-446655440111
                      invoiceUrl: https://pay.example.com/pay?session=...&signature=...
                      session: 550e8400-e29b-41d4-a716-446655440444
                      signature: <signatureHash>.<timestamp>
                      payment_session_headers:
                        x-session-token: 550e8400-e29b-41d4-a716-446655440444
                        x-signature: <signatureHash>.<timestamp>
                      merchantId: 123
                      networkEnvironment: devnet
                      customerId: cust_123456
                      amount: 13.99
                      status: unpaid
                      expiresAt: 1765844400
                      endpoints:
                        checkOrder: >-
                          /api/commerce/merchant/orders/550e8400-e29b-41d4-a716-446655440333
                        checkPayment: >-
                          /api/commerce/merchant/payments/550e8400-e29b-41d4-a716-446655440333/status
                        cancelOrder: >-
                          /api/commerce/merchant/orders/550e8400-e29b-41d4-a716-446655440333/cancel
      security:
        - commerceApiKey: []
        - merchantApiKey: []
components:
  schemas:
    CommerceMerchantCheckoutInvoiceRequest:
      description: >-
        Step 3 request. Creates the final invoice + commerce order from an
        existing estimate + address.
      allOf:
        - $ref: '#/components/schemas/CommerceCustomerIdentifier'
        - type: object
          required:
            - estimateId
            - addressId
          properties:
            estimateId:
              type: string
              format: uuid
            addressId:
              type: string
              format: uuid
            webhookUrl:
              type: string
              format: uri
              nullable: true
              description: >-
                Deprecated/ignored; use merchant webhook configuration endpoints
                instead.
            refundDestinationWalletAddressBsc:
              type: string
              nullable: true
              description: Optional BSC destination address for refunds (0x…).
              example: '0x0000000000000000000000000000000000000001'
    PostapicommercemerchantcheckoutinvoiceResponse200:
      type: object
      properties:
        success:
          type: boolean
          example: true
        data:
          $ref: '#/components/schemas/CommerceMerchantCheckoutInvoiceResult'
    CommerceCustomerIdentifier:
      description: Customer identification for merchant-scoped commerce APIs.
      oneOf:
        - type: object
          required:
            - customer_id
          properties:
            customer_id:
              type: string
              example: cust_123456
        - type: object
          required:
            - wallet_address
            - wallet_network
          properties:
            wallet_address:
              type: string
              example: '0x0000000000000000000000000000000000000001'
            wallet_network:
              type: string
              enum:
                - ethereum
                - base
                - solana
                - avalanche
                - ton
                - bsc
                - arbitrum
                - optimism
                - cardano
                - sui
              example: bsc
    CommerceMerchantCheckoutInvoiceResult:
      type: object
      description: Step 3 result. Contains invoice URL and payment session headers.
      properties:
        orderId:
          type: string
          format: uuid
        invoiceId:
          type: string
          format: uuid
        invoiceUrl:
          type: string
          format: uri
        session:
          type: string
          description: Payment session token
        signature:
          type: string
          description: Payment signature (`signatureHash.timestamp`)
        payment_session_headers:
          type: object
          properties:
            x-session-token:
              type: string
            x-signature:
              type: string
        merchantId:
          type: integer
          example: 123
        networkEnvironment:
          type: string
          enum:
            - devnet
            - mainnet
          example: devnet
        customerId:
          type: string
          nullable: true
          example: cust_123456
        amount:
          type: number
          description: Invoice amount in USD
          example: 13.99
        expiresAt:
          type: integer
        status:
          type: string
          example: unpaid
        endpoints:
          type: object
          properties:
            checkOrder:
              type: string
              example: /api/commerce/merchant/orders/<orderId>
            checkPayment:
              type: string
              example: /api/commerce/merchant/payments/<orderId>/status
            cancelOrder:
              type: string
              example: /api/commerce/merchant/orders/<orderId>/cancel
        qrCode:
          type: string
          nullable: true
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: JWT token for wallet authentication
    commerceApiKey:
      type: apiKey
      in: header
      name: x-commerce-api-key
      description: >-
        Legacy alias for commerce-scoped API keys. Prefer `x-api-key` with
        scope=commerce.
    merchantApiKey:
      type: apiKey
      in: header
      name: x-api-key
      description: API key for server-to-server operations (scope=merchant or commerce)

````