OwnPay Feature Reference

Complete reference of every capability built into OwnPay. For architectural deep-dives, see Architecture. For the REST API Reference, see docs.ownpay.org. For integration details, see the API Integration Guide.


🏆 Flagship - Sovereign White-Label Architecture

OwnPay is the first self-hosted payment platform to implement a full white-label, multi-brand, custom-domain checkout architecture on a single installation.

No other self-hosted payment gateway does this.

Here is exactly what it means:

  • One server, one installation - owned by one super-admin.
  • Multiple brands - create unlimited stores (brands). Each is a fully isolated entity with its own custom domain, logo, name, color scheme, gateways, customers, ledgers, and staff.
  • Custom domain per brand - map pay.yourbrand.com to a brand. OwnPay verifies ownership via a DNS TXT record (_ownpay-verification.{domain}) and confirms routing via A-record check, then activates the domain.
  • Invisible infrastructure - when a customer reaches checkout, they land on pay.yourbrand.com. They see the brand's logo, name, and colors. There is no mention of OwnPay, no shared domain, no "powered by" indicator unless the brand explicitly adds one.
  • Admin panel stays private - the admin dashboard is only accessible on the master installation domain. Custom brand domains return 404 for all /admin/* paths.
  • Complete data isolation - every customer record, transaction, ledger entry, gateway credential, and webhook secret is scoped per brand via merchant_id in the database. Zero data bleed between brands.
  • Brand-aware URLs - all checkout URLs, gateway callback URLs, and webhook endpoints are automatically built using the brand's custom domain via DomainUrlService. The installation domain never leaks into customer-facing flows.

The result: One server. Multiple brands. Each brand is a complete, independent, fully custom-branded payment gateway - invisible to each other and invisible to OwnPay.


🏢 Core Platform & Infrastructure

1. Multi-Brand Management

| Feature | Description |
| --- | --- |
| Unlimited brands | Create any number of brands, each with name, slug, email, logo, timezone, and currency |
| Brand switching | Super-admin switches brand context from a single dashboard |
| Brand isolation | All data strictly scoped per brand by merchant_id; no cross-brand access possible |
| Per-brand settings | Brand-specific config overrides system defaults (JSON key-value) |
| Brand deactivation | Suspend a brand without data loss |

2. Custom Domain & White-Label Pipeline

| Feature | Description |
| --- | --- |
| Custom domain mapping | Register any domain against a brand in op_domains |
| DNS TXT verification | _ownpay-verification.{domain} TXT record proves domain ownership |
| A-record check | Confirms domain routes to the OwnPay server before activation |
| Automated DNS re-check | DnsVerificationJob cron re-checks pending/broken domains on a schedule |
| Domain middleware | Every request resolves HTTP_HOST against active domains, injects brand context |
| Admin path blocking | /admin/* paths return 404 on all custom brand domains |
| Brand URL builder | DomainUrlService builds all checkout, callback, and redirect URLs using the brand's domain |
| Domain cache | In-memory cache avoids repeated DB lookups within a request cycle |
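
A sketch of the Host resolution and admin-path blocking listed above, added here as an example and not taken from OwnPay's source. The function names, the `$activeDomains` map, and the sample hosts and paths are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not OwnPay source. All names and sample values are hypothetical.

/** Reduce a raw Host header to a bare lowercase hostname, or null if malformed. */
function normalizeHost(string $rawHost): ?string
{
    $host = strtolower(trim($rawHost));
    $host = (string) preg_replace('/:\d{1,5}$/', '', $host); // drop ":port"
    $host = rtrim($host, '.');                               // trailing root dot
    // Letters, digits, hyphens and dots only; anything else is rejected.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $re = '/^(?=.{1,253}$)' . $label . '(?:\.' . $label . ')*$/';
    return preg_match($re, $host) === 1 ? $host : null;
}

/** True when the path must not be served on a brand domain (fails closed). */
function isBlockedOnBrandDomain(string $requestUri): bool
{
    // Canonicalise the way the router will see it: no query, decoded once, one case.
    $path = strtolower(rawurldecode(explode('?', $requestUri, 2)[0]));
    $path = (string) preg_replace('#/+#', '/', str_replace('\\', '/', $path));
    if (preg_match('#/\.\.?(/|$)#', $path) === 1) {
        return true; // dot segments have no place in a checkout URL
    }
    return $path === '/admin' || str_starts_with($path, '/admin/');
}

/**
 * @param array<string,int> $activeDomains verified custom domain => merchant_id
 * @return array{status:int, merchant_id:?int}
 */
function resolveRequest(string $rawHost, string $uri, string $masterHost, array $activeDomains): array
{
    $host = normalizeHost($rawHost);
    if ($host === null) {
        return ['status' => 400, 'merchant_id' => null];
    }
    if ($host === $masterHost) {
        return ['status' => 200, 'merchant_id' => null]; // admin panel lives only here
    }
    if (!isset($activeDomains[$host]) || isBlockedOnBrandDomain($uri)) {
        return ['status' => 404, 'merchant_id' => null]; // unknown domain or admin path
    }
    return ['status' => 200, 'merchant_id' => $activeDomains[$host]]; // brand context
}

// Constructed sample data.
$active = ['pay.yourbrand.example' => 7];
$samples = [
    ['install.example',            '/admin/dashboard'],
    ['pay.yourbrand.example',      '/checkout/tok_123'],
    ['PAY.YourBrand.example.:443', '/Admin/login'],
    ['pay.yourbrand.example',      '//admin/%70lugins'],
    ['unknown.example',            '/checkout/tok_123'],
];
foreach ($samples as [$h, $uri]) {
    $r = resolveRequest($h, $uri, 'install.example', $active);
    printf("%-28s %-20s => %d merchant=%s\n", $h, $uri, $r['status'], $r['merchant_id'] ?? '-');
}
```

The path canonicalisation has to match what the router does with the same request; a mismatch between the check and the dispatcher is where admin-path filters usually fail.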

3. Brand Theming & Customization

| Feature | Description |
| --- | --- |
| Logo & favicon | Per-brand logo and favicon (uploaded via admin) |
| Primary & accent colors | Per-brand hex color values applied to the checkout UI |
| Custom CSS | Inject arbitrary CSS into checkout pages per brand |
| Custom JavaScript | Inject arbitrary JS into checkout pages per brand |
| Support email | Per-brand customer-facing support address on checkout pages |
| Footer text | Custom footer text on all public-facing brand pages |
| Theme plugins | Install visual theme plugins to replace the default checkout skin per brand |
| Hierarchical fallback | Brand value → merchant value → system default |

4. Plugin System

| Feature | Description |
| --- | --- |
| Plugin types | Gateway, Theme, Addon |
| Manifest-based discovery | Each plugin declares metadata, capabilities, and hooks in manifest.json |
| Static code audit | Source scanned for dangerous calls (exec, shell_exec, eval, passthru, raw PDO) before loading |
| Sandboxed execution | Plugin runtime isolated; exceptions caught and logged without crashing the system |
| Manual installation | Admin uploads ZIP; system extracts, validates, and installs |
| Per-brand activation | Enable plugins globally or only for specific brands |
| Plugin migrations | Plugins can include database migrations run on install |
| Settings UI | Each plugin registers its own settings page under /admin/plugins/{slug}/settings |
| Hook integration | Plugins register doAction / applyFilter callbacks via manifest |
| Uninstall with cleanup | Removes plugin files, data, and migrations on uninstall |

5. Event Hook System

| Feature | Description |
| --- | --- |
| Actions (doAction) | Fire events; plugins and addons listen and react |
| Filters (applyFilter) | Transform values in-flight (e.g., modify payment amount, alter checkout output) |
| Built-in events | system.boot, system.shutdown, payment.intent.created, payment.intent.expired, payment.completed, payment.failed, refund.created, dispute.created, customer.created, domain.mapped, domain.verified, domain.removed |
| Plugin registration | Hooks declared in plugin manifest or registered programmatically |

6. Internationalization (i18n)

| Feature | Description |
| --- | --- |
| Full admin panel i18n | Every admin UI string is translatable |
| Full checkout i18n | Customer-facing checkout pages fully translatable |
| Dot-notation keys | Flat JSON format (menu.dashboard, common.actions.save) |
| Placeholder support | Dynamic values via :name, :amount syntax |
| Per-staff language | Staff set their own language preference |
| System default language | Admin sets the fallback language for all sessions |
| Translation import | Upload flat or nested JSON file; system auto-flattens nested keys |
| Translation editor | Inline admin UI to edit strings key-by-key |
| Filesystem cache | Compiled to storage/languages/{code}.json for fast loads |
| English fallback | Missing keys fall back to config/languages/en.json |

7. Installation

| Feature | Description |
| --- | --- |
| Web-based installer | Multi-step /install wizard - no CLI or SSH required |
| Database connection test | Tests connection before importing schema |
| Schema import | Creates all 48 tables automatically |
| Admin account creation | Creates super-admin during install |
| Key generation | Generates APP_KEY, ENCRYPTION_KEY, and JWT_SECRET |
| Install lock | Writes storage/.installed to prevent re-running the wizard |
| Shared hosting support | No SSH or Composer required - vendor/ bundled in release archives |

💳 Payment & Transaction Engine

8. Payment Gateway System

| Feature | Description |
| --- | --- |
| 123 built-in gateways | Covers global cards (Stripe, Adyen, Braintree, Authorize.net, Square, Worldpay, Cybersource, Checkout.com, Shift4, NMI, Moneris), wallets (Apple Pay, Google Pay, Alipay, PayPal), mobile financial services (bKash, Nagad, M-Pesa, MTN MoMo, GCash, Dana, GrabPay, PhonePe), buy-now-pay-later (Klarna), crypto (Coinbase Commerce, BTCPay, Bitpay), regional platforms (Razorpay, Cashfree, CCAvenue, PayU, Flutterwave, Paystack, MyFatoorah, Midtrans, Xendit, Rapyd, dLocal, Mercado Pago, Tap, Toss, Trustly, Przelewy24, Neteller, Skrill, Wise, GoCardless, 2checkout, Amazon Pay, and more) |
| Plugin-based architecture | Every gateway lives in modules/gateways/{slug}/; add providers without touching core |
| Manual gateways | Custom offline methods (bank transfer, cash, mobile money) with configurable fields |
| Per-brand activation | Enable different gateways per brand with separate credential sets |
| Encrypted credentials | Gateway API keys stored AES-256-GCM encrypted at rest |
| GatewayAdapterInterface | Standard contract: initiate, verify, verifyWebhook, refund, supports, supportedCurrencies |
| GatewayDefaults trait | No-op defaults so adapters only implement what they support |
| Express checkout | Pre-filled quick payment submission |

9. Payment Processing

| Feature | Description |
| --- | --- |
| Payment intents | Atomic payment requests with a unique token, amount, currency, expiry, and metadata |
| Intent lifecycle | pending → processing → completed / failed / cancelled / expired |
| Token-based checkout | Checkout URL contains only a secure token; amount and gateway details never exposed in URL |
| Intent expiry | Cron auto-marks stale intents as expired and fires hooks |
| Multi-currency checkout | Customer can pay in any enabled currency |
| Auto currency conversion | If a gateway supports only specific currencies, the intent amount is converted automatically |
| Conversion audit trail | Original amount, converted amount, and exchange rate logged on the transaction record |
| Status polling | GET /checkout/{token}/status AJAX endpoint for real-time status updates |
| Manual verification | SMS or offline gateway transactions verified manually by admin |

10. Transaction Management

| Feature | Description |
| --- | --- |
| Immutable transaction record | Every payment creates a permanent record with OwnPay trx_id, gateway trx_id, amounts, fees, and status |
| 13 statuses | pending, created, processing, callback_processing, completed, failed, cancelled, expired, refunded, disputed, awaiting_verification, pending_review |
| Admin status override | Super-admin can manually adjust transaction status with full audit trail |
| Transaction filters | Filter by status, gateway, date range, amount, customer |
| CSV export | Export filtered transaction sets for accounting |
| Fee tracking | amount, fee, and net_amount all stored separately per transaction |

11. Refunds

| Feature | Description |
| --- | --- |
| Partial refunds | Issue any amount up to the original transaction value |
| Full refunds | One-click full refund routed to the original gateway |
| Refund lifecycle | pending → completed / failed |
| Gateway routing | Refund sent to the same gateway that processed the original payment |
| Refund reconciliation | RefundReconciliationJob cron syncs refund status from gateway APIs |
| Audit trail | Reason, actor, and timestamps stored per refund |
| Ledger posting | Refund auto-posted as balanced debit/credit in the double-entry ledger |

12. Invoicing

| Feature | Description |
| --- | --- |
| Numbered invoices | Line-item invoices (description, quantity, unit price) with auto-calculated subtotal, tax, discount, and total |
| Customer linking | Optional customer reference on each invoice |
| Invoice checkout | Customer pays via public URL at /invoice/{token} |
| Status tracking | draft → sent → paid / overdue / cancelled |
| Due date & notes | Configurable due date, internal notes, and unique invoice number per merchant |

13. Payment Links

| Feature | Description |
| --- | --- |
| Reusable shareable links | Create URLs for recurring or product payments |
| Custom slug | Memorable URL path (e.g., /pay/annual-subscription) |
| Fixed or variable amount | Set exact amount or let customer choose within min/max bounds |
| Custom fields | Collect name, email, account ID, or any data before payment |
| Usage limits | Cap total accepted payments (link auto-expires after N uses) |
| Expiration date | Optional date after which the link no longer accepts payment |
| Per-link redirect | Custom success and cancellation redirect URLs per link |

14. Fee Rules

| Feature | Description |
| --- | --- |
| Flat fees | Fixed amount per transaction |
| Percentage fees | Percentage of transaction value |
| Tiered fees | Different rates per amount bracket |
| Min/max caps | Set a minimum or maximum fee amount |
| Scoping | Per brand, per gateway, or system-wide fallback |
| Automatic application | FeeService applies rules during payment before ledger posting |

15. Currency & Exchange Rates

| Feature | Description |
| --- | --- |
| 180+ currencies | Enable/disable world currencies per brand |
| Exchange rate table | op_exchange_rates: base, target, rate, source, updated_at |
| Manual rate entry | Admin sets rates manually |
| Auto-sync | CurrencyUpdateJob fetches live rates on a schedule |

📊 Ledger, Webhooks & Operations

16. Double-Entry Ledger & Accounting

| Feature | Description |
| --- | --- |
| GAAP double-entry | Every financial event posts balanced debit/credit pairs |
| Standard directionality | Assets & Expenses debit (+); Liabilities, Equity & Revenue credit (+) |
| Account types | Asset, Liability, Equity, Revenue, Expense |
| Multi-currency accounts | Separate ledger accounts per currency per brand |
| Automatic posting | Payments, refunds, and fees auto-posted on completion |
| Trial balance | Verify total debits equal total credits at any point |
| Ledger history | Query all entries per account with date-range filters |
| Balance verification | BalanceVerificationJob cron cross-checks ledger vs gateway balances |
| bcmath precision | All monetary math uses bcmath strings - never floats |

17. Webhooks

| Feature | Description |
| --- | --- |
| Merchant webhook endpoints | Register URLs to receive real-time payment events |
| Event subscriptions | Subscribe each webhook endpoint to specific event types |
| HMAC-SHA256 signing | Each delivery signed with merchant's secret; receiver validates |
| Delivery tracking | Status, response code, duration, and error per delivery attempt |
| Retry with backoff | Failed webhooks retried with exponential backoff by WebhookRetryJob |
| Dead letter queue | Permanently failed webhooks queued for manual replay |
| Manual replay | Admin can replay any failed webhook delivery |
| Inbound deduplication | Gateway callbacks deduplicated by payload hash (idempotent processing) |
| Unified inbound handler | Single POST /webhook/{gateway} endpoint handles all 123 gateway callbacks |

18. Disputes & Chargebacks

| Feature | Description |
| --- | --- |
| Dispute lifecycle | open → under_review → won / lost → closed |
| Evidence upload | Attach documents and screenshots as dispute evidence |
| Resolution tracking | Who resolved it, when, and the outcome |
| Transaction link | Every dispute tied to the originating transaction |
| Ledger adjustment | Financial impact posted on resolution |

19. Scheduled Jobs (Cron)

| Job | Purpose |
| --- | --- |
| WebhookRetryJob | Retry failed outbound webhook deliveries with exponential backoff |
| QueueWorkerJob | Process background job queue (emails, exports, bulk operations) |
| BalanceVerificationJob | Cross-check ledger balances against gateway-reported balances |
| CurrencyUpdateJob | Fetch and update live exchange rates |
| SmsVerificationJob | Process pending SMS verifications for manual gateways |
| RefundReconciliationJob | Sync refund status from gateway APIs |
| DnsVerificationJob | Re-check DNS records for pending custom domains |
| UpdateCheckJob | Poll for new OwnPay releases |
| SystemUpdateJob | Auto-apply update if configured |

Triggered by GET /cron/{secret}. Individual jobs can also be run manually from the admin settings panel.

20. Background Job Queue

| Feature | Description |
| --- | --- |
| Async processing | Push long-running tasks to queue (emails, exports, webhook sends) |
| Storage backends | File-based (default) or Redis |
| Retry with backoff | Configurable max attempts with exponential delay between retries |
| Scheduled jobs | Set available_at to delay job execution |
| Error logging | Exceptions logged per attempt without dropping the job |

📱 Mobile Companion & SMS Automation

21. Mobile Companion App API

| Feature | Description |
| --- | --- |
| OTP device pairing | Admin generates OTP; device exchanges it for JWT + AES session key |
| Multiple devices | Staff can pair phone and tablet simultaneously |
| Device management | View, revoke, or bulk-revoke paired devices from admin |
| Heartbeat | Devices send periodic heartbeat; server tracks online/offline status |
| Mobile dashboard | Today's revenue, pending transactions, recent payment summary |
| Push notifications | Server pushes transaction.completed, refund.issued, dispute.filed events to devices |
| Notification acknowledgement | Device marks notifications read; server tracks unread count |
| Token refresh | JWT refresh endpoint extends sessions without re-pairing |
| SMS privacy filter | Config rules tell the app which SMS senders/keywords to ignore |

22. SMS-Based Payment Verification

| Feature | Description |
| --- | --- |
| Mobile SMS forwarding | Paired mobile device forwards incoming SMS to POST /api/mobile/v1/sms |
| Regex parser | Per-gateway regex template extracts amount, sender, and trx ID from SMS body |
| Heuristic parser | Fallback AI-pattern parser when regex doesn't match |
| Smart analyzer | Combines regex + heuristic with confidence scoring |
| Transaction matching | Parsed SMS auto-linked to pending transaction by amount and timestamp |
| Payment confirmation | Matched SMS marks the pending manual gateway payment as complete |
| SMS log | op_sms_data stores all parsed SMS with match status |
| SMS template editor | Admin UI to create, test, and manage per-gateway regex templates |
| Regex tester | Test a regex pattern against a sample SMS body without processing a real payment |

🔒 Security & Administration

23. Customer Management

| Feature | Description |
| --- | --- |
| Customer records | UUID, encrypted name, email, phone, metadata |
| PII encryption | Customer fields encrypted AES-256-GCM at rest; email and phone stored as hash for lookup |
| Brand isolation | Each customer belongs to exactly one brand; no cross-brand access |
| Customer history | View all transactions, invoices, and payment links for a customer |
| REST API access | Create, fetch, and list customers via the Merchant API |
| Deduplication | Email/phone hash prevents creating duplicate customer records |

24. Audit & Compliance

| Feature | Description |
| --- | --- |
| Immutable audit log | Every action logged with actor, entity, old/new values, IP, and timestamp |
| Cryptographic signing | Each log entry signed to detect post-creation tampering |
| Integrity scanner | Admin can run a scan to detect any modified log entries |
| Activity tracking | Login/logout history, permission changes, config updates |
| PII masking | Emails and phone numbers masked in all log output |

25. Authentication & Access Control

| Feature | Description |
| --- | --- |
| Email/password login | Standard credential-based admin login |
| Configurable login slug | Admin login URL slug configurable for obscurity |
| Two-factor authentication | TOTP (RFC 6238) via authenticator app; per-staff enable/disable |
| Password reset | Token-based email link for forgotten passwords |
| Login attempt tracking | Failed logins logged per IP for rate-limiting and audits |
| Session management | Sessions in op_sessions with IP, user ID, last-activity |
| Bearer API keys | Scoped keys (read / write / admin) with last-used tracking and revocation |
| JWT (mobile) | JSON Web Tokens issued after device pairing, with refresh support |
| RBAC | Custom roles per brand with granular permission assignment |
| Staff management | Create staff with role assignment per brand; suspend/activate accounts |
| IP allowlist | Optional IP-based access restriction for admin routes |

26. Security

| Feature | Description |
| --- | --- |
| AES-256-GCM encryption | Customer PII and gateway credentials encrypted at rest |
| Argon2id passwords | Staff and admin passwords hashed with Argon2id |
| bcrypt fallback | Legacy bcrypt support for upgrade compatibility |
| CSRF protection | Per-session CSRF tokens; all POST/PUT/DELETE require a valid token |
| Content Security Policy | Per-request nonce; strict policy blocks unauthorized inline scripts |
| HSTS | HTTP Strict Transport Security header enforced |
| X-Frame-Options | DENY - prevents clickjacking |
| X-Content-Type-Options | nosniff - prevents MIME sniffing |
| Referrer-Policy | Limits referrer information leakage |
| SSRF protection | UrlValidator resolves and pins webhook URLs to validated public IPs; redirect-following blocked |
| Rate limiting | Per-route, per-IP sliding window; 429 with Retry-After header |
| Login throttling | Strict bucket for login, password reset, and OTP endpoints |
| Hash-based PII search | Email/phone stored as hash; lookups never require decryption |
| Log sanitization | LogSanitizer strips passwords, tokens, and card data from all log output |
| SQL injection prevention | Prepared statements with parameter binding throughout |
| XSS prevention | Twig autoescaping always on; ` |
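
The resolve-and-pin approach named in the SSRF protection row, shown as an added example that is not OwnPay's UrlValidator. The function names, the injected resolver, the https-only rule and the sample hostnames are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration, not OwnPay source. All names and sample values are hypothetical.

/** True only for addresses outside PHP's private and reserved ranges. */
function isPublicIp(string $ip): bool
{
    // Note: these flags do not cover every special-purpose block (e.g. 100.64.0.0/10).
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Validate a webhook URL and return the single address delivery must use.
 * @param callable(string): array<int,string> $resolve hostname => IP list (injected for offline use)
 * @return array{host:string, port:int, ip:string}
 */
function validateWebhookUrl(string $url, callable $resolve): array
{
    $p = parse_url($url);
    if ($p === false || strtolower($p['scheme'] ?? '') !== 'https' || empty($p['host'])) {
        throw new InvalidArgumentException('webhook URL must be absolute https'); // sketch assumption
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('credentials in URL are not allowed');
    }
    $host    = strtolower($p['host']);
    $literal = trim($host, '[]');
    // An IP literal is checked directly; a name is resolved exactly once.
    $ips = filter_var($literal, FILTER_VALIDATE_IP) !== false ? [$literal] : $resolve($host);
    if ($ips === []) {
        throw new InvalidArgumentException("$host does not resolve");
    }
    foreach ($ips as $ip) {            // one bad record rejects the whole name
        if (!isPublicIp($ip)) {
            throw new InvalidArgumentException("$host resolves to non-public address $ip");
        }
    }
    return ['host' => $host, 'port' => $p['port'] ?? 443, 'ip' => $ips[0]];
}

/** Deliver to the validated address only, so a later DNS change cannot redirect the request. */
function deliverPinned(array $target, string $url, string $body): int
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point back inside the network
        CURLOPT_RESOLVE        => ["{$target['host']}:{$target['port']}:{$target['ip']}"],
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    return (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
}

// Constructed resolver table standing in for DNS.
$dns = ['hooks.shop.example' => ['203.0.113.10'], 'intranet.shop.example' => ['10.0.0.5'],
        'mixed.shop.example' => ['203.0.113.10', '127.0.0.1']];
$resolve = fn(string $h): array => $dns[$h] ?? [];
foreach (['https://hooks.shop.example/ownpay', 'https://intranet.shop.example/x',
          'https://mixed.shop.example/x', 'https://169.254.169.254/latest'] as $u) {
    try { echo $u, ' => pin ', validateWebhookUrl($u, $resolve)['ip'], "\n"; }
    catch (InvalidArgumentException $e) { echo $u, ' => rejected: ', $e->getMessage(), "\n"; }
}
```

Validation and delivery must share one resolution: checking the name and then letting the HTTP client resolve it again reopens the gap that pinning closes.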

27. Self-Update Engine

| Feature | Description |
| --- | --- |
| Version tracking | Current version in config; op_update_history logs all applied updates |
| Update manifest | Polls update server for available release metadata |
| Pre-update backup | Automatic database + file backup before applying any update |
| SHA-256 + RSA verification | Download verified by checksum and RSA signature before extraction |
| Zip-slip guard | Extraction blocks path traversal attacks in release archives |
| Schema migrations | DB changes in the release applied automatically |
| Rollback | Restores from backup if verification fails |
| Maintenance mode | System enters maintenance during update; exits automatically on success |
| Manual + auto modes | Admin triggers manually or enables auto-update via cron |
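
How a checksum check and a zip-slip guard fit together before extraction, as an added example that is not OwnPay's updater. The function names and sample entry names are assumptions, and RSA signature verification is left out of this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration, not OwnPay source. All names and sample values are hypothetical.

/** Canonical relative path for an archive entry, or null if it could leave the target directory. */
function safeEntryPath(string $entryName): ?string
{
    $name = str_replace('\\', '/', $entryName);              // Windows separators
    if ($name === '' || str_contains($name, "\0")) {
        return null;
    }
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name) === 1) {
        return null;                                         // absolute path or drive letter
    }
    $out = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { return null; }                  // reject, never "resolve"
        $out[] = $seg;
    }
    return $out === [] ? null : implode('/', $out);
}

/**
 * Verify the archive digest, vet every entry name, and only then write files.
 * @return array<int,string> relative paths written under $destDir
 */
function extractRelease(string $zipPath, string $expectedSha256, string $destDir): array
{
    $actual = (string) hash_file('sha256', $zipPath);
    if (!hash_equals(strtolower($expectedSha256), $actual)) {
        throw new RuntimeException('checksum mismatch, nothing extracted');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $plan = [];                                              // pass 1: validate all names first
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        $rel  = safeEntryPath($name);
        if ($rel === null) {
            $zip->close();
            throw new RuntimeException("unsafe entry name: $name");
        }
        $plan[$i] = [$rel, str_ends_with($name, '/')];
    }
    foreach ($plan as $i => [$rel, $isDir]) {                // pass 2: write
        $target = rtrim($destDir, '/') . '/' . $rel;
        $dir    = $isDir ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        $data = $isDir ? null : $zip->getFromIndex($i);
        if ($data === false) { throw new RuntimeException("cannot read $rel"); }
        if ($data !== null) { file_put_contents($target, $data); }
    }
    $zip->close();
    return array_column($plan, 0);
}

// Constructed entry names, as an archive listing might return them.
foreach (['src/Core/App.php', 'vendor/', '../../public/index.php', '/etc/cron.d/job',
          'C:\\temp\\x.php', 'src/./a/../b.php'] as $n) {
    printf("%-26s => %s\n", $n, safeEntryPath($n) ?? 'REJECTED');
}
```

Validating every name before the first write means a rejected archive leaves the installation untouched, which keeps the rollback path simple.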

28. System Settings

| Category | Settings |
| --- | --- |
| General | App name, timezone, base currency, maintenance mode |
| Branding | Logo, favicon, company name, footer text, support email |
| Theme | Primary color, accent color, custom CSS, custom JS |
| Mail | SMTP driver, host, port, from address, reply-to, templates |
| SMS | SMS provider, sender ID |
| Payment | Default gateway, payment timeout, fee defaults |
| Developer | API rate limits, webhook limits, test key generation |
| Language | Default language, translation management |
| Cache | Clear all caches |
| Database | Optimize tables |
| Logs | Archive and clean old logs |

29. Developer Tools

| Feature | Description |
| --- | --- |
| Developer hub | Admin UI at /admin/developer for API and webhook tooling |
| Webhook tester | Send test payloads to merchant webhook endpoints from admin |
| API key management | Generate, list, and revoke API keys |
| Rate limit display | View current API rate limit configuration |
| Webhook delivery logs | Inspect delivery attempts, response codes, and errors |
| Health check endpoint | GET /api/v1/health - confirms database, cache, and queue status |
| CSP violation reporting | Collect and log Content Security Policy violations |
| Custom login slug | Set admin login URL to any custom slug |

30. REST API Surface

| Layer | Prefix | Auth |
| --- | --- | --- |
| Merchant API | /api/v1/* | Bearer API key (read / write scopes) |
| Mobile Companion API | /api/mobile/v1/* | JWT (after device pairing) |
| Admin API | /api/admin/v1/* | Bearer API key (admin scope) |

📈 Platform at a Glance

| Metric | Value |
| --- | --- |
| Built-in payment gateways | 123 |
| Database tables | 48 |
| REST API endpoints | 37+ |
| Web routes | 120+ |
| Scheduled jobs | 9 |
| Middleware components | 16 |
| Supported currencies | 180+ |
| PHP required | 8.3+ |
| License | AGPL-3.0 |