Developer Docs

Gateway API

Create invoice sessions and redirect users to hosted checkout with clean API responses.

Try Live Demo Create Account

API Reference

Request format, auth, and checkout response details.

Gateway API

Accept USD with a hosted checkout

This page documents the latest Gateway API for both Self and App merchant portals: same authentication, JSON fields, webhooks, and REST shapes. One POST creates a payment session; you send the customer to checkout_url. When they pay, we notify your server at notify_url with a signed payload.

After sign up on Self or App: Dashboard → Merchants → Integration for your payment API key and webhook secret (numeric merchant id is optional in requests).

Self · Log in App · Log in Self · Sign up App · Sign up

Which API base URL?

Self merchants (keys from the Self portal): use https://gatenoc.com — the code samples below use this host.

App merchants (keys from the App portal): same paths and headers, but call https://app.gatenoc.com, e.g. POST https://app.gatenoc.com/api/v1/merchant/checkout-session and the same /api/v1/merchant/… paths for balance, payments, and refunds.

Hosted checkout_url in responses still points at your deployment’s checkout origin (e.g. pay.*), regardless of which API host you used.

1 · Create session

POST /api/v1/merchant/checkout-session with your API key

2 · Redirect

Customer opens checkout_url and pays

3 · Confirm

Verify the webhook signature, or poll GET /payments/{id}

01

Credentials

Every API merchant has a payment API key and webhook secret in the dashboard under Merchants → your API merchant → Integration. The key identifies your merchant for outbound API calls; the secret verifies inbound webhooks. A numeric merchant id is shown for your records—you do not need to send it if you authenticate only with the API key.

Merchant ID (optional)

Numeric id for support and dashboard linking. Not required to call the API—the payment API key alone selects your merchant. If you send merchant / X-Merchant-Id / JSON merchant_id, it must match the merchant that owns the key.

Reference only → optional on requests

Payment API key

Secret key for authenticating requests to our API. Send as Authorization: Bearer …. Never expose this in a browser or mobile app—only on your server.

Used on → outgoing API requests

Webhook secret

Not sent as a header on your checkout or REST calls. Store it only on your server. When we POST to your notify_url, we sign the body—your backend recomputes the signature with this secret to prove the request is from us.

Used on → verifying incoming webhooks

Is the webhook secret required? For production you should always verify signatures. Without the secret you cannot cryptographically validate callbacks—anyone who guesses your URL could fake posts. Regenerating the secret is available on the same Integration page if it leaks.
02

Authentication

Authenticate with your payment API key only: Authorization: Bearer … or header X-Merchant-Key. The webhook secret is not used here—see Webhooks.

Optional merchant id headers, query, or JSON fields are ignored unless present; when present they must match the merchant that owns the key.

Recommended headers

Authorization: Bearer YOUR_PAYMENT_API_KEY
Content-Type: application/json
Accept: application/json

Alternative

X-Merchant-Key: YOUR_PAYMENT_API_KEY

Optional compatibility: merchant, X-Merchant-Id, ?merchant=, or JSON merchant / merchant_id when provided must match your merchant.

03

Create checkout session

amount (required) is in USD; settlement is USDT 1:1. note is your order reference. notify_url receives the signed webhook when paid. 

POST https://gatenoc.com/api/v1/merchant/checkout-session
Authorization: Bearer YOUR_PAYMENT_API_KEY
Content-Type: application/json

{
  "amount": 10.50,
  "note": "order_123",
  "notify_url": "https://yoursite.com/webhooks/paid",
  "success_url": "https://yoursite.com/thanks",
  "return_url": "https://yoursite.com/deposit"
}
  • Optional return_url — page to send the customer after pay; any valid http(s) URL (any domain). If omitted, we may capture the browser Referer when allowed. success_url still wins when it is a specific path; if success_url is only your site root, return_url / captured page is preferred.
  • Optional Idempotency-Key header — same key within 24h returns the same response.
  • username is accepted as an alias for note.
  • Response includes checkout_url, invoice_url (same value), and expires_at — URL shape /checkout/<public_key>/<session> (legacy ?cs= on the base checkout URL still works). Session is valid until expires_at (often ~30 minutes).
04

Webhooks

We send an HTTP POST with Content-Type: application/json to the notify_url you passed at checkout. Verify the request using your webhook secret from the Integration page (not the payment API key).

Request headers we send

X-Gateway-Timestamp
Unix seconds (string)
X-Gateway-Signature
t=<timestamp>,v1=<hex>
X-Gateway-Merchant-Key
Your payment API key (informational; verify with signature)

Compute v1 as HMAC-SHA256, hex-encoded, of the string timestamp + "." + raw_request_body using your webhook secret as the key. Compare to the v1 value in X-Gateway-Signature (constant-time compare). The timestamp in the signature must match X-Gateway-Timestamp.

Example JSON body

{
  "event": "payment.completed",
  "status": "completed",
  "merchant_id": 1,
  "amount": "10.50",
  "total_amount": "10.50",
  "currency": "USD",
  "reference": "…",
  "merchant_trade_no": "…",
  "note": "order_123",
  "payment_record_id": 42,
  "paid_at": "2026-03-24T12:00:00+00:00"
}

reference — gateway transaction or order id (format depends on the payment method). Webhooks no longer include bybit_pay_id; use reference instead.

05

Other endpoints

Same authentication as above. About 120 requests per minute per merchant. For merchants created only on App, use https://app.gatenoc.com instead of https://gatenoc.com in each URL below.

  • GET https://gatenoc.com/api/v1/merchant/payments/{id} — one payment (404 if not yours)
  • GET https://gatenoc.com/api/v1/merchant/payments?status=&from=&to=&per_page= — paginated data, current_page, total (merchant inferred from API key)
  • GET https://gatenoc.com/api/v1/merchant/balance — received_total, refunded_total, available_ledger
  • POST https://gatenoc.com/api/v1/merchant/payments/{id}/refund — body {"amount":1,"reason":"..."}201 with refund_id, status

Payment object (REST)

Returned by GET …/payments/{id} and as each element of data on GET …/payments.

{
  "id": 42,
  "status": "completed",
  "amount": "10.50",
  "currency": "USD",
  "note": "order_123",
  "merchant_trade_no": "550e8400-e29b-41d4-a716-446655440000",
  "reference": "1293e171-2094-4e2f-aacb-9c0dc900beab",
  "memo": "…",
  "paid_at": "2026-03-24T12:00:00+00:00",
  "created_at": "2026-03-24T11:55:00+00:00"
}
reference
Gateway transaction / order identifier (same meaning as in webhooks). Not sent as bybit_pay_id.
note
Your checkout note / order reference from the session (note or username when creating the session).
memo
Internal payment memo we store after completion (may be empty).
06

HTTP errors

Code Meaning
401 Missing or invalid payment API key, optional merchant id mismatch, or inactive merchant / gateway account
404 Payment id not found (REST)
422 Validation error (e.g. amount below minimum)
429 Rate limited — retry after retry_after_seconds