Always ask for
- Merchant account or merchant ID.
- The affected endpoint, dashboard page, or workflow.
- Kyren order number, checkout session ID, or merchant
out_trade_nowhen available. - Timestamp in the merchant’s timezone and, for API requests, the Unix millisecond timestamp if relevant.
- Response status, error code, and error message.
- Redacted server logs that show request time, endpoint, and response.
Never ask for
- Full API keys.
- Webhook signing secrets.
- Raw card numbers, card security codes, or full payment credentials.
- Customer passwords or private customer documents.
- Unredacted production server secrets.
Issue-specific handoff
API authentication
Ask for:- Endpoint path.
- Request time.
- Response status and error message.
- Whether an IP allowlist is enabled.
- The first and last few visible characters of the key only, if the merchant can safely provide them.
x-api-key.
Webhooks
Ask for:- Configured Webhook URL host and path.
- Event type expected, such as
order.paid. - Order number or checkout session ID.
- Merchant server log timestamp.
- Response status returned by the merchant server.
Paid but not credited
Ask for:- Kyren order number.
- Internal user ID or internal order ID, if the merchant stored one.
- The paid time shown by Kyren.
- The merchant fulfillment job log around that time.
- Whether the fulfillment handler is idempotent.
Settlement or payout review
Ask for:- Merchant account.
- Available balance, pending balance, and frozen balance if shown.
- Any dashboard message shown.
- Currency.
- Last relevant order or balance transaction IDs if available.
Epay migration
Ask for:- Endpoint used:
submit.php,mapi.php, orapi.php. pid.out_trade_noortrade_no.- Payment
type. - Redacted signing string inputs.
- Numeric
codeandmsgreturned by Kyren.