Voiding an authorized payment
A void describes the process of how merchants void funds for an authorized payment. A void is the second part of a two-part payment flow, and occurs after an authorized payment is finalized. Finalized payments have
kind set to
authorization. When a merchant wishes to cancel the order for an authorized transaction, Shopify sends a void request to a payments app, and the app can resolve or reject it.
This guide assumes that you've completed the following steps:
- Created a payments app.
- Made sure your payments app meets the payments apps requirements.
- Been granted access to use the protected access scopes for your app, and your app is aware of the access scopes that are needed, if you are using GraphQL mutations.
The process of voiding an authorized paymentAnchor link to section titled "The process of voiding an authorized payment"
- The merchant requests to void an authorized payment.
- Shopify sends a backend request to the payments app, specifying the void request.
- The app replies with a 201 and an empty response body.
- The app finalizes the void request using either voidSessionResolve or voidSessionReject mutations.
- Shopify updates the payment status.
Initiate the flowAnchor link to section titled "Initiate the flow"
A void can only be performed when the payment initiated by Shopify has a
kind property with a value of
authorization. With an authorization you place a hold on funds and then reply to Shopify's void request with either VoidSessionResolve or VoidSessionReject mutations to either accept or reject the voiding of funds.
The void flow begins with an HTTP POST request sent from Shopify to the provider's URL as provided during app extension configuration:
Request body exampleAnchor link to section titled "Request body example"
||Unique identifier for the void attempt. Used as the idempotency key. It can be assumed that requests with a given ID are identical to any previously-received requests with the same ID.||
||Identifies the void when communicating with Shopify (in GraphQL mutations, for example).||
||The ID of the authorized payment that is to be voided.||
||Indicates whether the void is in test or live mode. The ||
||The IETF BCP 47 language tag representing the language used by the merchant.||
||A timestamp representing when the void request was proposed.||
Request headersAnchor link to section titled "Request headers"
||The permanent domain of the merchant's shop. Can be used to identify which shop is initiating the void.|
||The unique request ID used to track specific requests for troubleshooting purposes.|
||The API version selected in the payments app configuration. The version selected defines the response expected by the payments app.|
Shopify must receive a HTTP 201 response for the void session creation to be successful.
If the request fails, then it's retried several times. If the request still fails, then the merchant needs to manually retry the void in the Shopify admin.
Resolve a void requestAnchor link to section titled "Resolve a void request"
After you've successfully processed the void request, you can resolve it by using the voidSessionResolve mutation:
id argument corresponds to the
gid of the void.
Reject a void requestAnchor link to section titled "Reject a void request"
If you can't process a void request, then you should reject it. You should only reject a void in the case of final and irrecoverable errors. Otherwise, you can re-attempt to resolve the void.
You can reject a void using the voidSessionReject mutation:
As part of the rejection, you need to include a reason why the void was rejected as part of VoidSessionRejectionReasonInput.
VoidSessionRejectionReasonInput.code is a
VoidSessionStatusReasonRejectionCode, which is an enum of standardized error codes.
VoidSessionRejectionReasonInput.merchantMessage argument is a localized error message presented to the merchant explaining why the void was rejected.
Retry policyAnchor link to section titled "Retry policy"
If there's a Shopify service disruption (or if 5xx status codes are being returned), then requests must be retried. Follow the guidelines in the retry policy section.