Deprecation Notice

February 9, 2023

Currently, card principals (VISA, MASTERCARD, JCB, AMEX) no longer process 3DS version 1 transactions. Cards that do not support 3DS version 2 will be rejected on the principal side. However, we are still processing 3DS version 1 transactions, although these transactions will be denied on the principal side.
Starting on 9th February 2023, all transactions using a 3DS version 1 card will be denied on the /charge API before they reach the principal.

October 4, 2022



Midtrans is sanitizing order id characters for MPGS to make sure the order id is URL safe. Allowed symbols in order id are dash (-), underscore (_), tilde (~), and dot (.).

On Midtrans MAP (Merchant Portal), the order id shown will be the same as the one sent by the merchant, but the order id shown on the MPGS portal or the bank settlement report could be different because of order id sanitization.

For more details, refer to Transaction Details Object.

February 1st, 2018

Starting on 1st February, 2018, the channel parameter will be permanently removed from the Get Card Token request and the Charge API request. Once this is effective, any channel parameter sent to Midtrans will be disregarded. We advise you to remove the channel parameter on your end immediately.

Following this announcement, we have made the channel parameter optional. However, should you choose to do a transaction via MIGS banks, you will need to send the bank parameter to Midtrans. Otherwise it will return an error. A few instances where the changes may be applicable are given below.

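| channel | bank     | Result                 |
|---------|----------|------------------------|
| No      | No       | any non-MIGS bank      |
| No      | MIGS     | specific MIGS bank     |
| No      | Non-MIGS | specific non-MIGS bank |
| MIGS    | No       | any MIGS bank          |
| MIGS    | MIGS     | specific MIGS bank     |
| MIGS    | Non-MIGS | 402 Error              |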

August 31, 2017

We are improving our API to meet your security needs. Currently, the Mandiri ClickPay API payload contains the full PAN, which poses a risk of leaking the customer's card credentials.

We are introducing a new flow for Mandiri ClickPay. This new flow will enable you to exchange customer card data for a token_id on the client side. The token_id is then passed as the Mandiri ClickPay parameter instead of card_number.

We highly recommend that you update your Mandiri ClickPay implementation to accommodate this new flow, since we are going to deprecate the old implementation by 1st December, 2017.

August 3, 2017

Starting from 1st November, 2017, we are limiting the characters to make sure that order_id is URL safe. Allowed symbols are dash (-), underscore (_), tilde (~), and dot (.). For more details, refer to Transaction Details Object.

December 1, 2016

Starting from 15th January, 2017, we are going to prohibit the use of decimal values for gross_amount. A few examples of valid and invalid values are given below.


An invalid gross_amount will be rejected with status_code: 400 (validation error).

  • The User-Agent header in the HTTP notification from Midtrans will no longer be 'Veritrans'. It will be the same as the HTTP client we are using in code. Please do not use the User-Agent header or depend on it.
    In line with the change of the name of the organization, we will also deprecate the usage of domain in the next 3-4 months. The changes in the domain names are listed below.

  • changed to

  • changed to

  • changed to

  • changed to

Please switch to using the new host names and URLs immediately to avoid failures.
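
A pre-flight check that a merchant integration could run on a request body before sending it, covering the order_id, gross_amount, channel and card_number notices above. It is an added example, not Midtrans code; the function names, the sample body and its nesting, the 13-19 digit PAN heuristic and the digits-only reading of a valid gross_amount are assumptions.

```python
import re

# The four symbols the page allows in order_id; letters and digits are assumed allowed.
ORDER_ID_OK = re.compile(r"[A-Za-z0-9._~-]+")
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # assumption: PANs are 13-19 digit runs

def luhn_ok(digits):
    """Luhn checksum, to separate likely card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def walk(node, path="", key=""):
    """Yield (path, key, text) for every scalar in a nested JSON-like body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, str(node)

def lint_payload(payload):
    """Return findings for a request body; card data is never echoed back."""
    findings = []
    for path, key, text in walk(payload):
        if key == "order_id":
            bad = sorted(set(ORDER_ID_OK.sub("", text)))
            if bad or not text:
                findings.append(f"{path}: not URL safe, offending characters {bad}")
        elif key == "gross_amount":
            if not re.fullmatch(r"[0-9]+", text):  # assumption: digits only is valid
                findings.append(f"{path}: decimal or non-numeric value {text!r}")
        elif key == "channel":
            findings.append(f"{path}: channel parameter is removed and disregarded")
        elif key == "card_number":
            findings.append(f"{path}: full PAN in payload, send token_id instead")
        elif key != "token_id" and any(map(luhn_ok, PAN_LIKE.findall(text))):
            findings.append(f"{path}: value looks like a full PAN")
    return findings

# Constructed sample request body; the nesting and the "note" field are assumptions.
SAMPLE = {"transaction_details": {"order_id": "INV 2017/08#31", "gross_amount": "10000.50"},
          "mandiri_clickpay": {"card_number": "4111111111111111"},
          "channel": "migs", "note": "card 4111111111111111"}
if __name__ == "__main__": print("\n".join(lint_payload(SAMPLE)))
```

Running it on the sample reports five findings, one per rule; a body that uses token_id, an integer gross_amount and a URL-safe order_id returns an empty list.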