# Create authorization

Enables you to authorize the availability of funds for a transaction but delay the capture of funds until a later time. Subsequently, use Create a payment or Create an order to capture the authorized funds, or use Cancel authorization to cancel the authorization. For gateway integrations that support this operation, see Delayed Capture.

Endpoint: POST /v1/payment-methods/{payment-method-id}/authorize
Version: 2026-02-20
Security: bearerAuth

## Header parameters:

- `Idempotency-Key` (string)
  Specify a unique idempotency key if you want to perform an idempotent POST or PATCH request. Do not use this header in other request types. With this header specified, the Zuora server can identify subsequent retries of the same request using this value, which prevents the same operation from being performed multiple times by accident.

- `Accept-Encoding` (string)
  Include the Accept-Encoding: gzip header to compress responses as a gzipped file. It can significantly reduce the bandwidth required for a response. If specified, Zuora automatically compresses responses that contain over 1000 bytes of data, and the response contains a Content-Encoding header with the compression algorithm so that your client can decompress it.

- `Content-Encoding` (string)
  Include the Content-Encoding: gzip header to compress a request. With this header specified, you should upload a gzipped file for the request payload instead of sending the JSON payload.

- `Zuora-Track-Id` (string)
  A custom identifier for tracing the API call. If you set a value for this header, Zuora returns the same value in the response headers. This header enables you to associate your system process identifiers with Zuora API calls, to assist with troubleshooting in the event of an issue. The value of this field must use the US-ASCII character set and must not include any of the following characters: colon (:), semicolon (;), double quote ("), and quote (').

- `Zuora-Entity-Ids` (string)
  An entity ID. If you have Zuora Multi-entity enabled and the OAuth token is valid for more than one entity, you must use this header to specify which entity to perform the operation in. If the OAuth token is only valid for a single entity, or you do not have Zuora Multi-entity enabled, you should not set this header.

- `Zuora-Org-Ids` (string)
  Comma separated IDs. If you have Zuora Multi-Org enabled, you can use this header to specify which orgs to perform the operation in. If you do not have Zuora Multi-Org enabled, you should not set this header. The IDs must be a sub-set of the user's accessible orgs. If you specify an org that the user does not have access to, the operation fails. This header is important in Multi-Org (MO) setups because it defines the organization context under which the API should operate—mainly used for read access or data visibility filtering. If the header is not set, the operation is performed in scope of the user's accessible orgs.

- `Zuora-Version` (string)
  The minor API version. For a list of available minor versions, see API upgrades.

## Path parameters:

- `payment-method-id` (string, required)
  The unique ID of the payment method where the authorization is created.

## Request fields (application/json):

- `accountId` (string)
  The ID of the customer account. Either accountId or accountNumber is required.
  Example: "402881e861bd8a7e0161c6a453750026"

- `accountNumber` (string)
  The number of the customer account. Either accountNumber or accountId is required.

- `amount` (number, required)
  The amount of the transaction.
  Example: 1.99

- `gatewayOptions` (object)
  The field used to pass gateway-specific parameters and parameter values. The fields supported by gateways vary. For more information, see the Overview topic of each gateway integration in [Zuora Knowledge Center](https://knowledgecenter.zuora.com/Zuora_Billing/Billing_and_Payments/M_Payment_Gateways/Supported_Payment_Gateways). Zuora sends all the information that you specified to the gateway. If you specify any unsupported gateway option parameters, they will be ignored without error prompts.

- `gatewayOptions.key` (string)
  The name of a gateway-specific parameter.

- `gatewayOptions.value` (string)
  The value of the gateway-specific parameter.

- `gatewayOrderId` (string, required)
  The order ID for the specific gateway. The specified order ID will be used in transaction authorization. If you specify an empty value for this field, Zuora will generate an ID and you will have to associate this ID with your order ID by yourself if needed. It is recommended to specify an ID for this field.
  Example: "A001"

- `mitTransactionSource` (string)
  Payment transaction source used to differentiate the transaction source in Stored Credential Transaction framework.
  - C_Unscheduled: Cardholder-initiated transaction (CIT) that does not occur on scheduled or regularly occurring dates.
  - M_Recurring: Merchant-initiated transaction (MIT) that occurs at regular intervals.
  - M_Unscheduled: Merchant-initiated transaction (MIT) that does not occur on scheduled or regularly occurring dates.
  - M_MOTO: Mail Order Telephone Order (MOTO) payment transaction. This option is only available for credit card payments on Stripe v2. See [Overview of Stripe payment gateway integration](https://knowledgecenter.zuora.com/Zuora_Collect/Payment_gateway_integrations/Supported_payment_gateways/Stripe_Payment_Gateway/A_Overview_of_Stripe_payment_gateway_integration) for more information.

  Enum: "C_Unscheduled", "M_Recurring", "M_Unscheduled", "M_MOTO"

- `paymentGatewayId` (string)
  The ID of the payment gateway instance.

  If Payment Gateway Routing is enabled:
  - If this field is not specified, gateway routing rules will be invoked.
  - If this field is specified, the specified gateway will be used to authorize the payment.

  If Payment Gateway Routing is disabled:
  - If this field is not specified, the default payment gateway will be used to authorize the payment. The default gateway of the customer account takes precedence over the default gateway of the tenant.
  - If this field is specified, the specified gateway will be used to authorize the payment.

- `softDescriptor` (string)
  A text, rendered on a cardholder’s statement, describing a particular product or service purchased by the cardholder.

- `softDescriptorPhone` (string)
  The phone number that relates to the soft descriptor, usually the phone number of customer service.

## Response 200 fields (application/json):

- `gatewayOrderId` (string)
  The order ID for the specific gateway. The specified order ID will be used in transaction authorization. If you specify an empty value for this field, Zuora will generate an ID and you will have to associate this ID with your order ID by yourself if needed. It is recommended to specify an ID for this field.
  Example: "A001"

- `paymentGatewayResponse` (object)
  The response data returned from the gateway. This field is available only if the success field is false and the support for returning additional error information from the gateway is enabled.

- `paymentGatewayResponse.additionalInfo` (object)
  The additional information returned from the gateway. The returned fields vary for gateways. Here is an example.

  ```json
  "additionalInfo": {
    "ProcessorName": "MasterCard Saferpay Test",
    "ProcessorResult": "51",
    "ProcessorMessage": "Insufficient funds",
    "ErrorName": "TRANSACTION_DECLINED"
  }
  ```

- `paymentGatewayResponse.gatewayResponseCode` (string)
  The HTTP response code.

- `paymentGatewayResponse.gatewayResponseMessage` (string)
  The error message returned from the gateway.

- `paymentGatewayResponse.gatewayType` (string)
  The gateway type.

- `paymentGatewayResponse.gatewayVersion` (string)
  The gateway version.

- `processId` (string)
  The ID of the running process when the exception occurs. This field is available only if the success field is false.

- `reasons` (array)
  The container of the error code and message. This field is available only if the success field is false.

- `reasons.code` (string)
  Error code.

- `reasons.message` (string)
  Error message. It usually contains a combination of gateway response code and response message.

- `requestId` (string)
  The ID of the request. This field is available only if the success field is false.

- `resultCode` (string)
  The result code of the request. 0 indicates that the request succeeded, and the following values indicate that the request failed:
  - 1: The request is declined.
  - 7: The field format is not correct.
  - 10: Client connection has timed out.
  - 11: Host connection has timed out.
  - 12: Processor connection has timed out.
  - 13: Gateway server is busy.
  - 20: The card type is not supported.
  - 21: The merchant account information is invalid.
  - 22: A generic error occurred on the processor.
  - 40: The card type has not been set up yet.
  - 41: The limit for a single transaction is exceeded.
  - 42: Address checking failed.
  - 43: Card security code checking failed.
  - 44: Failed due to the gateway security setting.
  - 45: Fraud protection is declined.
  - 46: Address checking or card security code checking failed (for Authorize.net gateway only).
  - 47: The maximum amount is exceeded (for Authorize.net gateway only).
  - 48: The IP address is blocked by the gateway (for Authorize.net gateway only).
  - 49: Card security code checking failed (for Authorize.net gateway only).
  - 60: User authentication failed.
  - 61: The currency code is invalid.
  - 62: The transaction ID is invalid.
  - 63: The credit card number is invalid.
  - 64: The card expiration date is invalid.
  - 65: The transaction is duplicated.
  - 66: Credit transaction error.
  - 67: Void transaction error.
  - 90: A valid amount is required.
  - 91: The BA code is invalid.
  - 92: The account number is invalid.
  - 93: The ACH transaction is not accepted by the merchant.
  - 94: An error occurred for the ACH transaction.
  - 95: The version parameter is invalid.
  - 96: The transaction type is invalid.
  - 97: The transaction method is invalid.
  - 98: The bank account type is invalid.
  - 99: The authorization code is invalid.
  - 200: General transaction error.
  - 500: The transaction is queued for submission.
  - 999: Unknown error.
  - -1: An error occurred in gateway communication.
  - -2: Idempotency is not supported.
  - -3: Inquiry call is not supported.

- `resultMessage` (string)
  The corresponding request ID.
  Example: "Request ID: 5231719060426316203012"

- `success` (boolean)
  Indicates whether the call succeeded.
  Example: true

- `transactionId` (string)
  The ID of the transaction.
  Example: "5231719060426316203012"

## Response 500 fields (application/json):

- `reasons` (array)
  Example: [{"code":"ObjectNotFound","message":"Notification definition with id 6e569e1e05f040eda51a927b140c0ac1 does not exist"}]

- `reasons.code` (string)
  The error code of response.

- `reasons.message` (string)
  The detail information of the error response.

## Response 4XX fields (application/json):

- `processId` (string)
  The ID of the process that handles the operation.

- `reasons` (array)
  The container of the error code and message. This field is available only if the success field is false.

- `reasons.code` (string)
  The error code of response.

- `reasons.message` (string)
  The detail information of the error response.

- `requestId` (string)
  Unique identifier of the request.

- `success` (boolean)
  Indicates whether the call succeeded.
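
The following is an added example, not part of Zuora's documentation: it builds the authorize request with the `Idempotency-Key` and `Zuora-Track-Id` rules described above and classifies the response by `success` and `resultCode`. The function names, the base URL and token passed in, and the choice to treat the timeout, busy and communication-error codes as "retry with the same key" are assumptions of this example.

```python
import json
import uuid
from urllib.parse import quote

FORBIDDEN_TRACK_CHARS = set(":;\"'")  # excluded from Zuora-Track-Id per the page
# Timeout, busy-gateway and communication-error codes from the resultCode list.
# Treating them as "outcome unknown" is this example's assumption.
AMBIGUOUS_CODES = {"10", "11", "12", "13", "-1"}


def build_authorize_request(base_url, payment_method_id, token, body,
                            idempotency_key=None, track_id=None):
    """Return (url, headers, payload) for POST .../authorize without sending it."""
    if not (body.get("accountId") or body.get("accountNumber")):
        raise ValueError("either accountId or accountNumber is required")
    for field in ("amount", "gatewayOrderId"):
        if field not in body:
            raise ValueError(f"{field} is required")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        # One key per logical authorization; reuse it on every retry.
        "Idempotency-Key": idempotency_key or str(uuid.uuid4()),
    }
    if track_id is not None:
        if not track_id.isascii() or FORBIDDEN_TRACK_CHARS & set(track_id):
            raise ValueError("Zuora-Track-Id must be US-ASCII without : ; \" '")
        headers["Zuora-Track-Id"] = track_id
    # Percent-encode the ID so a crafted value cannot change the request path.
    path_id = quote(payment_method_id, safe="")
    url = f"{base_url}/v1/payment-methods/{path_id}/authorize"
    return url, headers, json.dumps(body).encode()


def classify_response(resp):
    """Map a response body to 'authorized', 'retry_same_key' or 'failed'."""
    code = str(resp.get("resultCode"))
    if resp.get("success") is True and code == "0":
        return "authorized"
    if code in AMBIGUOUS_CODES:
        return "retry_same_key"
    return "failed"


# Constructed sample responses (values are illustrative, not captured traffic).
DECLINED = {"success": False, "resultCode": "1",
            "reasons": [{"code": "constructed", "message": "Insufficient funds"}]}
TIMED_OUT = {"success": False, "resultCode": "12"}
```

Persist the generated `Idempotency-Key` alongside your own order record before sending, so a retry after a crash or timeout reuses the same key instead of creating a second authorization.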