API Reference

API Reference

MethodEndpointAuthPurpose
POST/session/createoperator keyCreate a user session → widget URL
POST/depositor/addresssession (sid)Get the deposit address — body: sid, currency, chainId
GET/chainpublicList networks + token contracts/decimals
POST/withdraw/direct-transfersession (sid)Initiate a withdrawal
POST/withdraw/:id/decisionoperator keyApprove / reject a withdrawal (external-approval mode)
GET/admin/withdrawalsadmin (dashboard-only)List withdrawals (management panel)
PATCH/admin/withdrawals/:id/statusadmin (dashboard-only)Approve / reject a withdrawal

POST /depositor/address is session-scoped: it is authenticated by the sid in the request body (called by the hosted widget), and takes no Bearer key. It requires the body fields sid, currency, and chainId.

POST /withdraw/:id/decision is operator-authenticated with your OPERATOR_SECRET_KEY (Bearer) — used only when your operator is on external-approval mode. :id is the withdrawal UUID from the async WITHDRAW_REQUEST webhook; body: { "decision": "APPROVE" | "REJECT", "reason"?: string }. See Withdrawals → External approval. Unlike the /admin/* endpoints, this one is partner-callable with your operator key.

The /admin/* endpoints are dashboard/admin-only — used internally by the management panel under a separate admin login. They are not partner-callable with your OPERATOR_SECRET_KEY.