API Reference

Base URL: https://quatapay.com/api/v1

All requests must include Content-Type: application/json. All responses follow the envelope format:

{ "data": { … } }

Error responses:

{ "error": "Validation failed", "code": "VALIDATION_ERROR", "details": { … } }

Authentication

API key (merchant gateway)

Pass your secret API key as a Bearer token:

Authorization: Bearer qpay_live_…

User JWT (checkout flows)

After a user logs in, pass their access token:

Authorization: Bearer eyJ…

Gateway payments

Create a payment intent

POST /gateway/payments

Auth: API key

Body:

Field	Type	Required	Description
`amount`	integer	✓	Amount in smallest currency unit (XAF)
`currency`	string	✓	ISO 4217 currency code. Currently `XAF`
`description`	string	—	Human-readable description shown to customer
`return_url`	string	—	Redirect URL on success
`cancel_url`	string	—	Redirect URL on cancellation
`customer_reference`	string	—	Your internal order/customer ID
`metadata`	object	—	Arbitrary key-value pairs passed through to webhooks
`expires_in_minutes`	integer	—	Intent TTL, default 60

Response: 201 Created

{
  "data": {
    "payment": { "id": "…", "slug": "…", "status": "requested", … },
    "checkout_url": "https://quatapay.com/checkout/…"
  }
}

Get a payment intent

GET /gateway/payments/{payment_id}

Auth: API key (must be the creating merchant's key)

List payment intents

GET /gateway/payments?status=succeeded&limit=50

Auth: API key

Query param	Type	Default	Description
`status`	string	—	Filter by status: `requested`, `succeeded`, `failed`, `cancelled`
`limit`	integer	50	Max 200

Hosted checkout — preview

GET /gateway/checkout/{slug}

Auth: None (public)

Returns the intent summary for the checkout UI to display.

Hosted checkout — pay

POST /gateway/checkout/{slug}/pay

Auth: User JWT

Body:

Field	Type	Required	Description
`pin`	string	—	User's wallet PIN (required if PIN is set)
`idempotency_key`	string	—	Client-generated unique key (prevent double-pay)

Hosted checkout — cancel

POST /gateway/checkout/{slug}/cancel

Auth: None

Payment intent statuses

Status	Meaning
`requested`	Created, awaiting customer action
`succeeded`	Customer paid; funds moved; webhook fired
`failed`	Transfer rejected (insufficient funds, etc.)
`cancelled`	Customer cancelled or TTL expired

Idempotency

Supply idempotency_key on mutating requests. Replaying the same key within 24 hours returns the cached response instead of creating a duplicate transaction.

Rate limits

Tier	Limit
API key requests	300 req / min
Checkout page loads	600 req / min

Exceeding limits returns 429 Too Many Requests.

Errors

HTTP Status	Code	Description
400	`VALIDATION_ERROR`	Request body failed validation
401	`UNAUTHORIZED`	Missing or invalid credentials
403	`FORBIDDEN`	Valid credentials but insufficient permission
404	`NOT_FOUND`	Resource does not exist
409	`CONFLICT`	Duplicate idempotency key or state conflict
410	`GONE`	Intent expired
422	`VALIDATION_ERROR`	Semantic validation failure
429	`RATE_LIMITED`	Too many requests
503	`SERVICE_UNAVAILABLE`	Temporary downstream issue