API v2026-05-27
Baynoy API
A REST API for accepting card and wallet payments, managing customers, issuing refunds, sending invoices, and reading webhook events. Every endpoint is gated by anAuthorization: Bearersecret key, optionally scoped to specific IP ranges and permission lists.
Quickstart
Fetch your balance in one request
Replace sk_test_… with your sandbox key from /dashboard/developers.
curl https://baynoy.com/api/v1/balance \ -H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxxxxxx"
Returns the merchant's current available / pending / reserve balance. Every other endpoint follows the same auth pattern.
Security model
Bearer secret keys
Server-side only. Hashed at rest, prefix-only display in the dashboard. Test keys (sk_test_…) and live keys (sk_live_…) are isolated; live keys require Tier 1 KYC.
Per-key permissions
Each key declares scopes (payments:read, customers:write, …) and an optional IP allowlist. Requests outside the allowlist or lacking the required scope return 403 — no silent grants.
Replay defence
Optional HMAC signing of every request body protects against tampering on a compromised partner network. Idempotency-Key on POSTs caches responses for 24h to make retries safe.
Reference
Authentication
Bearer keys, IP allowlist, HMAC signing, version header.
Errors
Status codes and structured error bodies returned by the API.
Idempotency
Make POSTs safe to retry with the Idempotency-Key header.
Webhooks
Receive event callbacks. Verify the Baynoy-Signature header.
Balance
Current ledger snapshot.
Payments
List + retrieve charges.
Customers
Create, retrieve, update, delete.
Refunds
Issue and list refunds against past payments.
Invoices
Create, send, mark paid.
Payment links
Sharable hosted checkout URLs.
Products & prices
Catalogue of products and price points.
Payouts
Read-only history of disbursements to your bank.
Events
Replay-safe archive of every webhook event.