REBORNPAY Payment API
REST API for creating payments, verifying status, and processing refunds. Base URL: https://paycore.app
Authentication
Every request must include your API key and secret as headers:
X-Api-Key: pk_live_xxxxxxxxxxxxxxxxxxxx
X-Api-Secret: sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCreate and manage keys in your Merchant → API Keys page. Never expose your secret in client-side code.
Request signing (recommended)
For sensitive endpoints you can additionally send an HMAC signature. Compute HMAC-SHA256(secret, "{timestamp}.{body}") in lowercase hex.
X-Timestamp: 1719238400
X-Signature: 9af34c1e8b...Rate limits & IP whitelist
Limit: 120 req/min/merchant. If you configure an IP whitelist in Merchant → Security, requests from other IPs return 403 ip_not_allowed.
/api/v1/payment/createCreate a new payment intent. Returns a checkout URL the customer can complete.
curl -X POST https://paycore.app/api/v1/payment/create \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx" \
-H "Content-Type: application/json" \
-d '{
"invoice_id": "INV-1001",
"amount": 2500,
"currency": "BDT",
"customer_name": "Karim Rahman",
"customer_phone": "+8801711000000",
"customer_email": "karim@example.com",
"payment_method": "bkash",
"metadata": {
"order_id": "ORD-42"
}
}'/api/v1/payment/verifyConfirm a payment after the customer completes checkout. Credits the merchant balance on success.
curl -X POST https://paycore.app/api/v1/payment/verify \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx" \
-H "Content-Type: application/json" \
-d '{
"invoice_id": "INV-1001",
"transaction_id": "BKS123456789",
"status": "success"
}'/api/v1/payment/status/{invoice_id}Look up the current status of a payment.
curl https://paycore.app/api/v1/payment/status/{invoice_id} \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx"/api/v1/refund/requestSubmit a refund request against a successful payment. Goes to admin queue.
curl -X POST https://paycore.app/api/v1/refund/request \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx" \
-H "Content-Type: application/json" \
-d '{
"invoice_id": "INV-1001",
"amount": 2500,
"reason": "Customer requested cancellation"
}'/api/v1/refund/status/{refund_id}Check the status of a refund request.
curl https://paycore.app/api/v1/refund/status/{refund_id} \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx"/api/v1/balanceReturns available, reserved and pending-settlement balances for the merchant.
curl https://paycore.app/api/v1/balance \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx"/api/v1/settlementsRecent settlements (most recent first). Query: ?limit=50.
curl https://paycore.app/api/v1/settlements \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx"/api/v1/transactionsRecent transactions. Query: ?limit=50&status=success.
curl https://paycore.app/api/v1/transactions \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx"/api/v1/webhook/testSend a synthetic event to your configured webhook URL for end-to-end verification.
curl -X POST https://paycore.app/api/v1/webhook/test \
-H "X-Api-Key: pk_live_xxxx" \
-H "X-Api-Secret: sk_xxxx" \
-H "Content-Type: application/json" \
-d '{
"event": "test.ping",
"data": {
"hello": "world"
}
}'Webhooks
REBORNPAY sends a POST to your configured webhook URL on these events: payment.success, payment.failed, refund.processed, settlement.paid. Verify the X-REBORNPAY-Signature HMAC header using your API secret.
POST https://your-site.com/webhooks/paycore
Content-Type: application/json
X-REBORNPAY-Signature: sha256=<hex>
{
"event": "payment.success",
"data": {
"invoice_id": "INV-1001",
"transaction_id": "BKS123456789",
"amount": 2500,
"currency": "BDT"
}
}Errors
| Code | HTTP | Meaning |
|---|---|---|
| missing_credentials | 401 | No X-Api-Key/X-Api-Secret |
| invalid_credentials | 401 | Wrong key or secret |
| merchant_not_approved | 403 | Account pending approval |
| invalid_body | 400 | Validation failed (see details) |
| duplicate_invoice_id | 409 | An invoice with that ID already exists |
| payment_not_found | 404 | No payment matches |