Payment API
Payment API: one REST contract in front of every provider you'll ever need.
topropay's unified payment API is the integration point for every connected acquirer, PSP and method — card, wallet, bank rail, ACH, bill payment, mass payout and crypto via partner gateways. Same endpoints across every rail; smart routing on every authorisation; one signed webhook stream; one ledger.
POST /v1/authorizations HTTP/1.1
Host: api.topropay.com
Authorization: Bearer sk_live_***
Idempotency-Key: 1f3a7b09-7d12-4a02-9c5e
Content-Type: application/json
{
"amount": { "value": 18900, "currency": "EUR" },
"customer": { "token": "cus_2nQ8R7zXyJ" },
"payment_method": { "type": "card", "vault_token": "tok_VWxAa3" },
"routing_policy": "approval_weighted",
"metadata": { "order_id": "ORD-71204" }
} HTTP/1.1 201 Created
Content-Type: application/json
{
"id": "auth_8KpQ2vRm",
"status": "authorized",
"amount": { "value": 18900, "currency": "EUR" },
"acquirer": { "id": "acq_eu_visa_03", "bin": "411111" },
"scheme_response": "00",
"route_decision_ms": 134,
"cascade_attempts": 0,
"vault_token": "tok_VWxAa3"
} - 1
- //REST contract
- 300+
- //methods reachable
- <200ms
- //routing decision
- L1
- //PCI DSS posture
Endpoint set
The api for payment gateway operations, all behind one contract
Six endpoint groups cover the vast majority of merchant flows. The same shape applies whether you're authorising a card, sending a payout or refunding a crypto receipt.
-
Authorise a transaction
The single entry point for card, wallet, bank-rail, bill-payment and crypto-gateway authorisations. Same request body shape across methods; the routing engine picks the best provider per call.
-
Capture an authorisation
Full or partial capture against a held authorisation. Vault tokens replace card data, so this call carries no PAN. Webhooks fire on every state change.
-
Refund a captured payment
Full or partial refunds; metadata follows the customer record so the refund pairs with the original ledger row in the reconciliation export.
-
Send a payout
Cards, bank rails, ACH, SEPA and crypto destinations through one endpoint — useful for marketplace seller payouts, mass-payment solution flows and refunds-as-payouts.
-
Read a transaction
Full transaction record — authorisation, captures, refunds, disputes, chargebacks, settlement — keyed off the vault token, not a PAN.
-
Create or update a customer
Vault-token-backed customer record that survives across rails, regions and methods; renewals, retries and account-updater events all reference it.
How it works
From a signed POST to a normalised ledger row
Five lanes between your signed REST call and a normalised ledger row in tomorrow's finance export — with everything from routing to webhooks happening inside the same request lifecycle.
- Request
Signed REST call from your back-end
POST the authorisation body with an idempotency key; the SDK signs the request with your API key. The same call shape works for cards, wallets, bank rails, bill payment and crypto gateway routes.
- Route
Per-transaction scoring across the connected portfolio
The routing engine scores connected acquirers and partner gateways on approval likelihood, cost, country pair and risk signals — picks one in under 200ms. Soft declines cascade to the next inside the same request.
- Vault
PCI DSS Level 1 vault tokenisation
Card data captures into the vault; subsequent refunds, retries, recurring and chargebacks all run on tokens. Your origin servers never see a PAN.
- Event
Signed webhook + event-stream emission
Authorisation, capture, refund, dispute and settlement events fire as signed webhooks and on the event stream — one shape across every method and rail.
- Reconcile
Normalised ledger across acquirers and gateways
Settlement, fees, refunds and chargebacks across every connected provider normalise into one ledger keyed off vault tokens. CSV / Parquet exports drop daily.
Main use cases
From credit card payment API to mass payment solution — same contract
Six concrete shapes of api payment integration that share the same request/response model. The rail differs; the operational shape doesn't.
- Card checkout
Credit card payment API for online retail
A credit card payment API call from a hosted checkout authorises against the routed acquirer, captures on order confirmation, and refunds via the same endpoint set. SDKs cover web, mobile and server.
- Mobile
Mobile payment API for native apps
A mobile payment API surface for iOS and Android exposes the same authorise/capture/refund endpoints used on web, plus helpers for Apple Pay, Google Pay and wallet deeplinks. One API, two surfaces.
- ACH
ACH payment API for US bank-rail flows
An ACH payment API surface routes debits and credits through connected ACH providers — same request shape as cards, just a different method field. Settlement reports normalise into the unified ledger.
- Bill
Bill payment API for utilities and recurring invoices
A bill payment API endpoint takes the bill metadata (account number, payee code, due date) and routes through the right connected bill-pay gateway for the merchant's region.
- Payouts
Mass payment solution for marketplaces and platforms
A mass payment solution call accepts a batch of destinations — bank account, card, wallet or crypto address — and dispatches each through the appropriate connected rail; one webhook per disbursement, one settlement row per batch.
- Crypto
Crypto payment API alongside fiat
A crypto payment API call surfaces stablecoins, majors and L2 routes via partner crypto gateways. Conversion-on-receipt is a per-asset policy; the response shape matches a card authorisation.
Model comparison
Per-provider API stack vs unified payment API integration
What changes when N per-provider integrations collapse into one unified contract — the difference shows up most in long-term maintenance, not day-one engineering.
| Dimension | Per-provider stack | topropay unified payment API |
|---|---|---|
| Integration count | One per provider — N integrations to maintain | One unified REST contract regardless of how many providers sit behind it |
| Method coverage | Per-provider — card here, ACH there, crypto somewhere else | Card, wallet, bank-rail, bill-pay, mass-payout and crypto behind the same endpoints |
| Routing | Static — your code chooses the provider | Dynamic — the platform picks the best route per authorisation with cascade on soft decline |
| Webhooks | N event schemas, N signing schemes | One signed webhook contract, one event model, one secret to rotate |
| Vault | Per-provider; PAN may touch your servers | Single PCI DSS L1 vault; PAN never touches your origin |
| Reconciliation | N settlement files to merge | One normalised ledger export across every connected provider |
Platform features
Capabilities behind the payment api documentation
What the platform actually ships at the API layer — versioning posture, signing, sandbox parity and the integration ergonomics that make a payment API survive into production at scale.
-
Unified REST contract
One endpoint set across every method and rail; SDKs for web, iOS, Android, server-side languages.
-
Signed webhooks
Replay-safe signed events for every transaction state change, with subscription per event type.
-
Idempotency by default
Idempotency-Key header on every mutating call; safe to retry on network failure without double-charging.
-
Vault tokenisation
PCI DSS Level 1 vault returns tokens scoped to your merchant; refunds, retries and recurring all run on tokens.
-
Per-environment sandbox
Sandbox mirrors production behaviour including routing decisions, cascade scenarios and settlement timing.
-
Bring-your-own fraud engine
Adapter contract lets you plug a fraud provider in front of the routing decision; otherwise use the platform's default.
-
Versioned endpoints
Major-version pinning with a 12-month deprecation window; breaking changes never land mid-version.
-
OpenAPI + Postman
OpenAPI 3.1 spec plus a maintained Postman collection that mirrors every endpoint and example response.
-
Comprehensive payment api documentation
Hosted payment api documentation with searchable endpoints, runnable examples and per-method recipes for cards, ACH, bill-pay, mass-payouts and crypto.
Trust & compliance
Compliance posture inherited at the API layer
Every call runs through the platform's audited environment. Sub-merchants inherit the posture without per-provider re-certification, and the developer surface preserves it (signed everything, scoped keys, versioning discipline).
- PCI DSS Level 1
- Service-provider posture validated annually on-site; quarterly ASV scans run on the platform cycle and inherited by sub-merchants.
- Signed everything
- Webhooks, events and SDK requests are signed; replay protection and idempotency built in by default.
- Scoped API keys
- Multiple key scopes (read-only, write, payouts) with rotation, IP allow-lists and per-key audit logs.
- SCA & 3DS2
- Selective authentication wired into the authorisation path — PSD2-compliant in Europe without breaking conversion.
- Versioning discipline
- Major-version pinning, 12-month deprecation windows, advance breaking-change notice — predictable for production teams.
- Sandbox parity
- Production-equivalent sandbox per environment, including routing, cascade and dispute scenarios.
Ready to integrate
One REST contract. Every provider. Production-ready.
Open the docs, spin up a sandbox key in a minute, and POST your first authorisation before the end of the working day. Or book a 30-minute technical review and we'll walk through the integration shape that fits your stack.
Frequently asked
Buyer and developer questions about the payment API
The questions integration engineers and buyers ask before committing — covering the contract, sandbox parity, versioning, vault, sandbox, mobile, ACH, mass-payment and crypto surfaces.
-
What does topropay's payment api actually do?
The payment api is one REST contract in front of every connected acquirer, PSP and method on the platform. Your back-end calls authorise / capture / refund / payout against a single endpoint set; the platform routes the call to the best connected provider, returns a normalised response, and emits signed webhooks for every state change. The same API covers card, wallet, bank-rail, ACH, bill-pay, mass-payouts and crypto via partner gateways.
-
How is an api for payments different from an api for payment gateway?
An api for payments is the wider category — anything that initiates or reports on a payment. An api for payment gateway specifically refers to the surface a gateway exposes for authorisation, capture and refund. topropay's payment api covers both: gateway-style endpoints plus payout, mass-payment, dispute and reconciliation endpoints in one contract.
-
Is topropay itself an api payment gateway?
topropay exposes an api payment gateway surface and orchestrates traffic across many connected gateways underneath. From your code's perspective it behaves like one gateway; from the routing engine's perspective each connected gateway is a lane that the engine scores per transaction.
-
What does an online payment api integration look like in practice?
An online payment api integration starts with a single authorisation call from your storefront or back-end, a webhook handler to receive state-change events, and (optionally) a hosted checkout iframe if you don't want to build the surface yourself. SDKs cover JavaScript, Python, Go, PHP, Java, Ruby, Swift and Kotlin. Most teams reach a live integration in days.
-
How does the mobile payment api differ from the web one?
Same endpoints, plus native SDKs for iOS and Android that wrap the wallet pay-sheet, biometric authorisation and Apple Pay / Google Pay flows. The mobile payment api also exposes deeplink helpers for crypto wallet flows. Mobile authorisations roll up into the same ledger as web authorisations.
-
Is there a dedicated crypto payment api or is crypto a method on the main API?
Crypto is a method on the main API. The crypto payment api shape is identical to a card authorisation — you set payment_method.type to the relevant crypto rail (USDC on Base, USDT on Tron, BTC on Lightning) and the connected partner gateway handles the chain side. The response shape, vault-token model and reconciliation are the same as for cards.
-
How quickly can a team complete a payment api integration?
A payment api integration with the hosted checkout ships in hours; a fully embedded build is typically a sprint or two. The slowest step is usually onboarding (KYC, underwriting), not engineering — the API surface is small enough that a single back-end engineer can take it end-to-end.
-
Do you offer an ach payment api for US bank flows?
Yes — an ach payment api surface for ACH debits and credits is part of the same unified API. Settlement timing follows ACH norms (T+1 / T+2); the endpoints, webhook events and reconciliation feed match the card flow. Returns and chargebacks are handled in the same dispute queue.
-
How does the mass payment solution endpoint work for marketplaces and platforms?
The mass payment solution endpoint accepts a batch of disbursements — each one a destination (bank account, card, wallet, crypto address), an amount and a metadata blob. The platform fans them out across the appropriate connected rails, emits one webhook per disbursement, and groups the batch into a single settlement row in reconciliation.
-
Is there a bill payment api for utilities and recurring invoices?
Yes. The bill payment api endpoint takes the payee code, account number, due date and amount, and routes the authorisation through the connected bill-pay gateway relevant for the merchant's region. Responses surface confirmation numbers and the underlying provider's reference for downstream reconciliation.
-
Is there a payment api for website checkouts without writing a full integration?
A payment api for website checkouts is available as a drop-in hosted checkout: a single script tag or iframe ships the full checkout UI. Behind the scenes the same payment api is called; for teams that want full control of the UI the SDK / hosted-fields path exposes the same primitives.
-
Where is the payment api documentation?
Hosted payment api documentation lives at the platform's docs site, mirrored as an OpenAPI 3.1 specification and a maintained Postman collection. Every endpoint carries runnable examples, request/response payloads, error codes and a 'recipe' page per method (cards, ACH, crypto, mass-payout, bill-pay).
-
Can the credit card payment api handle 3DS2 and SCA out of the box?
Yes. The credit card payment api exposes selective 3DS2 / SCA on the authorisation path; the platform decides per transaction whether to step up based on the relevant regional rules and the merchant's risk policy. Step-up responses are returned in the same authorisation flow without a second integration.
-
Are the endpoints versioned, and how do breaking changes land?
Endpoints are pinned to a major version (v1, v2 …); breaking changes only happen at major-version increments with a 12-month deprecation window and advance written notice. Non-breaking additions (new fields, new methods, new event types) ship continuously and never break existing clients.
-
Is there a sandbox that behaves like production?
Yes — every environment has a sandbox that mirrors production behaviour, including routing decisions, cascade scenarios, settlement timing, dispute injection and webhook delivery. Most production bugs we see are caught in sandbox; the parity is deliberate.
Related
Related on the topropay platform
- Docs API documentation The hosted endpoint reference, OpenAPI spec and runnable examples for every endpoint group on this page.
- Aggregation Payment aggregator overview The aggregation pattern that turns this single API into many provider connections behind the scenes.
- Processors Payment processors, orchestrated Every connected processor as a routable lane behind the same unified API.
- Routing Smart routing & cascading The per-transaction scoring engine sitting behind every authorisation call.
- Crypto Crypto payments orchestration Crypto rails accessed through the same payment API as cards and wallets.
- Acceptance Accept online payment, MID optional The merchant-facing view of the API — accept every method, sub-merchant or direct MID.