Endpoints
Merchant-facing API operation catalog, grouped by resource.
This catalog lists the merchant-facing API operations grouped by resource. Each operation is described by its kind (command or query), its result class, and its canonical inputs and fields — using the exact field names the API accepts and returns.
Operations are described semantically. The envelope, status mapping, error codes, authentication, idempotency, and pagination contracts are fixed once and apply to every operation below:
- Envelope and result classes — Conventions
- Authentication — Authentication
- Idempotency — Idempotency
- Pagination and filtering — Pagination and filtering
- Error codes and HTTP mapping — Errors
- Limits — Reference › Rate limits
Reading rules for every row:
- Result class is one of
singleton,collection, orack(Conventions). A command that creates a new resource returns201; every other success returns200. - Selectors and filters use the exact canonical field names. Unknown parameters are rejected as
VALIDATION_ERROR. - A singleton selector that resolves to nothing returns
NOT_FOUND. A collection that matches nothing returns an emptydata: [], not an error. - Collection reads page through results with
limitandcursorwhere the surface supports pagination.
Payment intents
A payment intent is the entry point of a payment, anchored by payment_intent_id.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Create payment intent | Command | singleton (201) | body fields below |
| Get payment intent | Query | singleton | selector payment_intent_id |
| List payment intents | Query | collection | filter merchant_id |
| Cancel payment intent | Command | ack | selector payment_intent_id |
| List intent status history | Query | collection | filter payment_intent_id |
Create — request body
| Field | Required | Notes |
|---|---|---|
merchant_id | required | Merchant reference. |
order_reference | required | Merchant order reference. |
base_amount | required | Payer-facing base amount. |
base_currency | required | Payer-facing base currency. |
expires_at | required | Intent expiry. |
snapshot_id | optional | Immutable merchant configuration reference. |
metadata | optional | Caller metadata; nullable/empty allowed. |
idempotency_key | optional | Deduplication key, scoped to merchant_id. See Idempotency. |
Re-using an idempotency_key with different semantic input returns IDEMPOTENCY_CONFLICT.
Payment intent — result fields
| Field | Notes |
|---|---|
payment_intent_id | Identity. |
merchant_id | |
order_reference | |
base_amount | |
base_currency | |
metadata | nullable |
expires_at | |
created_at | |
updated_at | |
idempotency_key | optional |
final_attempt_id | optional reference |
paid_at | optional; projection marker, not settlement truth |
Any status label on a payment intent is a projection label, not write-model truth. Cancellation is recorded as intent status history; it does not mean payment failure.
Intent status history — result fields
| Field | Notes |
|---|---|
history_id | |
payment_intent_id | |
status | terminal label, e.g. cancelled / expired |
reason | nullable |
changed_at | |
changed_by |
History is append-only audit truth; it is not payment finality truth.
Payment attempts
A payment attempt is an expected on-chain execution under a payment intent, anchored by attempt_id.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Get payment attempt | Query | singleton | selector attempt_id |
| List payment attempts | Query | collection | filter payment_intent_id and/or merchant_id (at least one) |
| List attempt status history | Query | collection | filter attempt_id |
Payment attempt — result fields
| Field | Notes |
|---|---|
attempt_id | Identity. |
payment_intent_id | Parent intent. |
merchant_id | |
chain_id | |
token_id | |
amount_in_token | |
deposit_address | On-chain matching anchor for the attempt. |
payer_address | nullable |
attempt_expires_at | |
status | Attempt lifecycle label. |
fail_reason | nullable |
created_at |
Attempt records are expected-execution truth, not settlement truth. Additional persisted fields may be present.
Checkout sessions
A checkout session is the checkout context for one payment intent, anchored by session_id.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Get checkout session | Query | singleton | selector session_id |
Checkout session — result fields
| Field | Notes |
|---|---|
session_id | Identity. |
payment_intent_id | Parent intent. |
status | Session lifecycle label (checkout context only, not finality). |
ui_chain_id | UI-selected chain. |
ui_token_id | UI-selected token. |
Payment status summary
A composite, read-only status view rooted at one payment_intent_id, for status rendering.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Get payment status summary | Query | singleton | selector payment_intent_id; optional scope session_id, attempt_id |
The summary combines the intent expectation, the relevant session and attempt projection fields, and any materialized outcome projection. Settlement-style labels in this view — PAID, FAILED, DUPLICATE_PAYMENT — are projections derived from the canonical finality outcome and MUST NOT be treated as authoritative settlement truth. The canonical record is the Proof of Payment. When no session or attempt context exists yet, only the intent-root summary is returned.
KYT decisions
The merchant's own KYT decisions, read back. get resolves one decision; list returns the full decision history for an attempt.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Get KYT decision | Query | singleton | selector kyt_decision_id |
| List KYT decisions | Query | collection | filter attempt_id |
list is ordered by received_at ascending. Decisions are append-only per attempt; the effective decision is the record with the latest received_at. Position alone does not imply applicability.
KYT decision — result fields
| Field | Notes |
|---|---|
kyt_decision_id | Identity. |
attempt_id | Parent attempt. |
kyt_invocation_ref | Invocation correlation reference. |
decision | approve | reject | hold |
sweep_to | nullable; present iff decision = approve |
refund_to | nullable; present iff decision = reject |
reason | nullable |
retry_after | nullable; seconds; present iff decision = hold |
received_at |
Proof of Payment
The canonical, blockchain-derived record of a payment event, anchored by pop_id. For record contents and verification, see Proof of Payment and Verifying a PoP.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Get Proof of Payment | Query | singleton | selector pop_id |
| Get Proof of Payment by attempt | Query | singleton | selector attempt_id |
| List by payment intent | Query | collection | filter payment_intent_id |
| List by merchant | Query | collection | filter merchant_id; optional confirmed_at range |
A single payment_intent_id may correlate to more than one record (duplicate analysis across attempts). The confirmed_at range is interpreted against the record's confirmation timestamp.
Webhook endpoints
A webhook endpoint is a registered notification destination, anchored by endpoint_id. Its signing secret is anchored by signing_secret_id. For delivery and verification semantics, see Notifications.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Register endpoint | Command | singleton (201) | body url, enabled, merchant_id |
| Get endpoint | Query | singleton | selector endpoint_id |
| List endpoints | Query | collection | filter merchant_id and/or enabled |
| Enable endpoint | Command | ack | selector endpoint_id |
| Disable endpoint | Command | ack | selector endpoint_id |
| Generate signing secret | Command | singleton (201) | selector endpoint_id |
| Rotate signing secret | Command | singleton (201) | selector endpoint_id |
| Revoke signing secret | Command | ack | selector signing_secret_id |
| Get signing secret metadata | Query | singleton | selector signing_secret_id |
Endpoint — result fields
| Field | Notes |
|---|---|
endpoint_id | Identity. |
merchant_id | |
url | Immutable after registration. |
enabled | Gating state. |
created_at | |
disabled_at | nullable |
The url is immutable. To change a destination, register a new endpoint and disable the old one. A disabled endpoint receives no deliveries.
Signing secret — result fields (metadata only)
| Field | Notes |
|---|---|
signing_secret_id | Identity. |
endpoint_id | Owning endpoint. |
created_at | |
revoked_at | nullable |
At most one active signing secret exists per endpoint: generating or rotating invalidates the prior secret. Read surfaces never return secret material.
API keys
A merchant API key authenticates calls, anchored by api_key_id.
| Operation | Kind | Result class | Inputs |
|---|---|---|---|
| Generate API key | Command | singleton (201) | body merchant_id |
| List API keys | Query | collection | filter merchant_id; optional active/revoked filter via revoked_at |
| Get API key metadata | Query | singleton | selector api_key_id |
| Revoke API key | Command | ack | selector api_key_id |
API key — result fields (metadata only)
| Field | Notes |
|---|---|
api_key_id | Identity. |
merchant_id | |
created_at | |
revoked_at | nullable |
At most one active key exists per merchant: generating a new key invalidates the prior one. A key is active while revoked_at is null. Read surfaces never return key material.