Skip to main content

API route reference

This page lists every endpoint in the CashXChain API. Routes are grouped by the authentication tier they belong to.

Base URL: https://api.sandbox.cashxchain.com (sandbox) / https://api.cashxchain.com (production)


Auth tiers

TierAcceptsRejects
PublicNo credential required
UnifiedJWT (any aud), sk_, pk_ (read-only), rk_ (scoped), mk_
ElevatedJWT (aud=internal or aud=admin), mk_sk_, pk_, rk_ → 401
HMACHMAC-SHA-256 (AUTH_PORTAL_WEBHOOK_SECRET)Everything else
Bearer secretAUTH_PORTAL_REPLAY_SECRET or JWT

Public routes (no authentication)

MethodPathDescription
GET/Service info and version
GET/healthLiveness probe
GET/readyReadiness probe (database connectivity)
POST/webhooks/{partner}/{env}Receive partner webhook events (HMAC-verified internally)
POST/v1/fx/quotesStateless FX quote — no auth, no persistence

Unified auth — Developer API

These routes accept any valid credential (JWT, sk_, pk_, rk_, or mk_). Publishable keys are limited to read-only methods. Restricted keys are gated by the scope column.

Accounts

MethodPathWriteScope (RK)Description
POST/v1/accountsCreate account. Requires api_tier=platform_ready JWT when ?acting_as= is set.
POST/v1/customersCreate customer (legacy alias). Idempotent on email.

Transfers

MethodPathWriteScope (RK)Description
POST/v1/transferstransfers:writeCreate internal (email-to-email) or external (bank) transfer. Requires Idempotency-Key header.
GET/v1/transferstransfers:readList transfers for the caller's account.
GET/v1/transfers/{id}transfers:readRetrieve a single transfer by UUID.

Payments (low-level)

MethodPathWriteScope (RK)Description
POST/v1/payments/add-fundspayments:writeAdd funds to a customer wallet via a partner. Requires Idempotency-Key header.
POST/v1/payments/sendpayments:writeSend a claimless payment to an external payee via a partner. Requires Idempotency-Key header.
GET/v1/paymentspayments:readList payments. Filter by customer_id, status, limit.
GET/v1/payments/{id}payments:readRetrieve a single payment by UUID.

FX

MethodPathWriteScope (RK)Description
POST/v1/fx/quotesPublic. Stateless, non-persisted FX quote.
POST/v1/fx/quotefx:readPersisted FX quote with 30-second TTL. Returns quote_id for execute step. Sandbox only.
POST/v1/fx/executepayments:writeExecute a persisted FX quote. Atomic DB transaction — debit/credit + transfers row. Sandbox only.

Transactions

MethodPathWriteScope (RK)Description
GET/v1/transactionstransactions:readList transactions for the caller's account.
GET/v1/transactions/{id}transactions:readRetrieve a single transaction by UUID.

Contacts

MethodPathWriteScope (RK)Description
GET/v1/contactscontacts:readList payment beneficiaries / contacts.

API keys

MethodPathWriteScope (RK)Description
POST/v1/api-keysapi_keys:writeCreate a new API key. Full token returned once only.
GET/v1/api-keysapi_keys:readList all API keys for the account. No tokens returned.
DELETE/v1/api-keys/{id}api_keys:writeRevoke an API key. Returns 204.

Request logs

MethodPathWriteScope (RK)Description
GET/v1/request-logsrequest_logs:readList request logs. Supports limit, before (cursor).
GET/v1/request-logs/{id}request_logs:readRetrieve a single request log with full request/response bodies.

Usage analytics

MethodPathWriteScope (RK)Description
GET/v1/usage/summaryusage:readSummary stats: request count, error rate, volume, avg settlement.
GET/v1/usage/timeseriesusage:readTime-series data. Query param `?window=7d

Utility

MethodPathWriteScope (RK)Description
GET/v1/utility/validate-addressValidate a blockchain address. Params: address, chain, asset (optional). Solana: checks ATA existence.

Identity

MethodPathWriteScope (RK)Description
GET/v1/meReturns the caller's identity and account info from the auth token.

Elevated auth — Dashboard / Platform

These routes require JWT with aud=internal or aud=admin, or a master key (mk_). Regular API keys (sk_, pk_, rk_) are rejected with 401 before any database lookup — they cannot access these routes under any circumstance.

Accounts (dashboard)

MethodPathDescription
GET/v1/accountsList accounts. Filter by tenant_id, managed_by, limit, offset.
GET/v1/accounts/{id}Retrieve a single account by UUID.
GET/v1/accounts/meCaller's own account. Elevated context.
GET/v1/accounts/me/balanceCaller's balance breakdown by currency.
GET/v1/accounts/me/vibansCaller's virtual IBANs.
GET/v1/accounts/{id}/statementsAccount statement.

Customers (dashboard)

MethodPathDescription
GET/v1/customersList customers for the caller's account.
GET/v1/customers/{id}Retrieve a single customer.
POST/v1/customers/{id}/partner-linkEnroll a customer with a payment partner.
GET/v1/customers/{id}/partner-linkList all partner links for a customer.
GET/v1/customers/{id}/partner-link/{partner}Retrieve a specific partner link.

vIBANs (dashboard)

MethodPathDescription
POST/v1/customers/{id}/vibansCreate a vIBAN for a customer. Requires Idempotency-Key.
GET/v1/customers/{id}/vibansList vIBANs for a customer.
GET/v1/customers/{id}/vibans/{viban_id}Retrieve a vIBAN.
GET/v1/customers/{id}/vibans/{viban_id}/balancevIBAN balance.
GET/v1/customers/{id}/vibans/{viban_id}/transactionsvIBAN transaction history.
GET/v1/customers/{id}/walletCustomer's crypto wallet info.

Platform permissions (dashboard)

MethodPathDescription
DELETE/v1/platform-permissions/{id}Revoke a platform permission (managed account link).

Notifications (dashboard)

MethodPathDescription
GET/v1/notificationsServer-sent events stream. JWT via ?access_token= for EventSource clients.

Crypto addresses (dashboard)

MethodPathDescription
GET/v1/crypto-addresses/meCaller's on-chain addresses.

Internal — HMAC service-to-service

Not accessible from developer or platform API keys. Authenticated via HMAC-SHA-256 (AUTH_PORTAL_WEBHOOK_SECRET).

MethodPathEvents
POST/internal/webhooks/authuser.created, user.kyc.approved, user.kyc_status_changed, user.updated

Sandbox-only routes

These routes are only available when APP_ENV=sandbox. They do not exist in production.

Faucet

MethodPathAuthDescription
POST/v1/sandbox/faucetJWTCredit sandbox balances for testing.

Admin

MethodPathAuthDescription
POST/v1/sandbox/admin/wipeBearer secret (AUTH_PORTAL_REPLAY_SECRET)Reset all sandbox data.
POST/v1/sandbox/admin/replayBearer secretReplay a set of seed events.
POST/v1/sandbox/admin/reprovision/{account_id}JWTRe-run provisioning for an account.
GET/v1/sandbox/admin/whoamiJWTDebug identity endpoint.

API documentation (sandbox only)

MethodPathDescription
GET/v1/openapi.jsonOpenAPI 3.0 spec (sandbox only — not exposed in production)
GET/v1/docsSwagger UI (sandbox only)

Common request headers

HeaderRequiredDescription
AuthorizationYes (protected routes)Bearer <token>
Content-TypeYes (POST/PUT/PATCH)application/json
Idempotency-KeyYes (all write routes)Unique key per distinct request. Repeating the same key returns the cached response.
X-Request-IDOptionalClient-supplied request correlation ID. Echoed back in X-CXC-Request-ID.