Cursor / Claude Code — Master Prompt
Full Tegro.Money API context for an AI agent. Paste this prompt at the start of a conversation with Cursor / Claude Code / Copilot Chat, and the agent will be able to create payments, check statuses, handle webhooks, and make payouts with the correct signature.
What to copy
Click Copy in the top-right corner of the block below and paste it into the chat with the AI agent. Then describe the task in plain language, for example: "Build a checkout in Next.js: a product page, a 'Pay' button, a redirect to Tegro.Money, success/fail pages, and a webhook endpoint".
You are integrating Tegro.Money — an online-acquiring payment gateway — into the user's codebase.
Treat this block as the SINGLE SOURCE OF TRUTH for the API. Do NOT invent endpoints.
# Base URL
https://tegro.money
# Authentication (REQUIRED on every request to /api/*)
- The merchant has: shop_id (hash, NOT integer) and api_key (secret).
- Every request body MUST contain: {"shop_id": "<hash>", "nonce": "<random-string>", ...other-fields}.
- Compute signature: sign = HMAC_SHA256(raw_request_body, api_key) — hex digest.
- Send the signature in HTTP header: Authorization: Bearer <sign>
- Server validates by recomputing HMAC over received body. Any whitespace change breaks the signature.
- Response is always JSON: {"type":"success"|"error", "desc": "...", "data": {...}}.
# Endpoints (all POST, Content-Type: application/json)
POST /api/createOrder/
Creates a new payment order, returns a payment URL.
Body: {shop_id, nonce, currency: "RUB"|"USD"|"EUR"|"USDT", amount: float, order_id: "merchant-side-id", description?, success_url?, fail_url?, email?}
Response data: {url: "https://tegro.money/pay/<order_hash>/", order: {hash, ...}}
→ Redirect user's browser to data.url to let them pay.
POST /api/order/
Get a single order by either tegro's order hash or the merchant's payment_id.
Body: {shop_id, nonce, order_id?: "<tegro-hash>", payment_id?: "<merchant-id>"}
Response data: {id, shop_id, status, amount, currency, date_created, date_payed, payment_system_id, ...}
status: 0=new/pending, 1=paid, 9=cancelled
POST /api/orders/
List orders for a shop (paginated, 100 per page).
Body: {shop_id, nonce, page?: int, status?: 0|1|9}
Response data: [{...order}, ...]
POST /api/shops/
List all shops of the merchant (across the whole account).
Body: {shop_id, nonce}
Response data: {user_id, shops: [{id, name, url, status, success_url, fail_url, notify_url, shop_id (hash)}, ...]}
POST /api/balance/
Current balances of the merchant (per currency).
Body: {shop_id, nonce}
Response data: {user_id, balance: [{currency, sum}, ...]}
POST /api/createWithdrawal/
Initiate a payout from the merchant's balance.
Body: {shop_id, nonce, currency: "RUB"|"USD"|"EUR", amount: float, account: "destination", payment_system: int, payment_id?: "merchant-side-id", description?: "<=200 chars", fee_type?: 0|1}
Response data: {order_id, balances, order_data: {amount_from, amount_to, date, account}}
POST /api/withdrawal/
Get a single withdrawal by tegro hash or merchant payment_id.
Body: {shop_id, nonce, order_id?: hash, payment_id?: merchant-id}
Response data: {id, status, amount_from, amount_to, currency, ...}
POST /api/withdrawals/
List withdrawals (paginated).
Body: {shop_id, nonce, page?, status?: 0|1|9}
GET /rates/<FROM>-<TO>/
Currency rate. NOT under /api/ — this is a separate public endpoint, no auth needed.
Example: GET https://tegro.money/rates/USDT-RUB/
Response: {"type":"success","data":{"from":"USDT","to":"RUB","value":"97.39"}}
# Webhook (notify_url)
- Tegro POSTs to the merchant's notify_url after status change.
- Form-encoded body, not JSON.
- Verify signature: sign = MD5(secret_key + sorted_array_values(body_minus_sign)).
Better: check the docs at /docs/payments/notify/ — the exact algorithm differs by API version.
- Respond with HTTP 200 + plain text "OK" to acknowledge.
# Common pitfalls (ALWAYS apply)
1. shop_id is a HASH STRING, never an integer. Never JSON-decode it as number.
2. nonce — generate a fresh random per request (timestamp or uuid). Server checks it for replay.
3. The signature is computed over the EXACT raw body bytes sent. If you re-serialize via JSON.stringify
after computing — the signature breaks. Compute signature AFTER serialization, then send the same bytes.
4. amount is float in major units (rubles, not kopeks). "100.50" not 10050.
5. Status 1 = paid. Don't fulfill orders on status 0 (pending).
6. order_id in /api/createOrder/ is the MERCHANT-SIDE id. tegro returns its own hash in response.data.order.hash.
7. test_order: orders made in shop's test mode return test_order=1 — handle accordingly.
# Test mode
- Each shop in the merchant cabinet has a "test mode" toggle. In test mode no real money moves.
- Use test mode while wiring up.
# Documentation pages (read these if user asks specifics)
- /docs/payments/create-payment/ — full payment form flow
- /docs/payments/notify/ — exact notify webhook signature scheme
- /docs/payments/signature/ — signing details
- /docs/api/ — API overview
- /docs/codes/ — payment_system codes
- /docs/codes/currency-codes/ — currency codes
# When you write code
- Use the merchant's language/framework choice. If unspecified, default to TypeScript+Node.js.
- Always handle the {type: "error"} response — surface server desc to the user.
- Don't store api_key in client-side code. Server only. Treat it like a database password.
- For frontend: just redirect to data.url returned by /api/createOrder/.
End of context. Now I will give you the actual task.
What to do next
- Copy the prompt above.
- Open Cursor (or Claude Code, or Copilot Chat).
- In a new conversation, paste the prompt as the first message.
- Send the task as the next message: "Build a Next.js page with a 'Buy for 500 ₽' button that redirects to Tegro.Money on click, plus a webhook handler at /api/notify".
- Insert shop_id and api_key from your merchant cabinet into the code before running it.
Security. Never paste your api_key into a public prompt. The AI should generate code that reads the key from the TEGRO_API_KEY environment variable; the key is stored only on the server, not in Git.
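
The signing rules from the prompt's Authentication section and pitfall 3, as an added Node.js example (not Tegro.Money's own code): the body is serialized once, signed with HMAC-SHA256, and that same string is what gets sent. The function names, shop hash and key are constructed for illustration, and `signatureMatches` is an assumed mirror of the server-side check the prompt describes.

```javascript
// Added example; helper names and sample values are illustrative, not Tegro's.
const crypto = require('node:crypto');

const BASE_URL = 'https://tegro.money';

// HMAC-SHA256 over the exact body string, keyed with api_key, hex digest.
function sign(rawBody, apiKey) {
  return crypto.createHmac('sha256', apiKey).update(rawBody, 'utf8').digest('hex');
}

// Serialize ONCE, sign that string, and return the same string as the body.
function buildSignedRequest(path, fields, shopId, apiKey) {
  const nonce = crypto.randomUUID(); // fresh value per request
  const body = JSON.stringify({ shop_id: String(shopId), nonce, ...fields });
  return {
    url: BASE_URL + path,
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${sign(body, apiKey)}`,
    },
    body, // pass this exact string to fetch(); never re-stringify it
  };
}

// Assumed mirror of the server check: recompute over the received bytes
// and compare in constant time.
function signatureMatches(rawBody, authorizationHeader, apiKey) {
  const got = Buffer.from(authorizationHeader.replace(/^Bearer /, ''), 'utf8');
  const want = Buffer.from(sign(rawBody, apiKey), 'utf8');
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Surface {type: "error"} responses instead of treating them as data.
function unwrap(responseJson) {
  if (responseJson.type !== 'success') {
    throw new Error(`Tegro error: ${responseJson.desc}`);
  }
  return responseJson.data;
}

// Constructed demo values; real code reads the key from process.env.TEGRO_API_KEY.
const demoKey = 'constructed-api-key';
const demo = buildSignedRequest('/api/createOrder/',
  { currency: 'RUB', amount: 100.5, order_id: 'demo-1' }, 'constructed-shop-hash', demoKey);
// Same JSON, different whitespace: the signature no longer matches.
const reserialized = JSON.stringify(JSON.parse(demo.body), null, 2);
console.log(signatureMatches(demo.body, demo.headers.Authorization, demoKey));
console.log(signatureMatches(reserialized, demo.headers.Authorization, demoKey));
```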