API Reference
| Method | Endpoint | Auth | Purpose |
|---|---|---|---|
POST | /session/create | operator key | Create a user session → widget URL |
POST | /depositor/address | session (sid) | Get the deposit address — body: sid, currency, chainId |
GET | /chain | public | List networks + token contracts/decimals |
POST | /withdraw/direct-transfer | session (sid) | Initiate a withdrawal |
POST | /withdraw/:id/decision | operator key | Approve / reject a withdrawal (external-approval mode) |
GET | /admin/withdrawals | admin (dashboard-only) | List withdrawals (management panel) |
PATCH | /admin/withdrawals/:id/status | admin (dashboard-only) | Approve / reject a withdrawal |
POST /depositor/address is session-scoped: it is authenticated by the sid in the request body (called by the hosted widget), and takes no Bearer key. It requires the body fields sid, currency, and chainId.
POST /withdraw/:id/decision is operator-authenticated with your OPERATOR_SECRET_KEY (Bearer) — used only when your operator is on external-approval mode. :id is the withdrawal UUID from the async WITHDRAW_REQUEST webhook; body: { "decision": "APPROVE" | "REJECT", "reason"?: string }. See Withdrawals → External approval. Unlike the /admin/* endpoints, this one is partner-callable with your operator key.
The /admin/* endpoints are dashboard/admin-only — used internally by the management panel under a separate admin login. They are not partner-callable with your OPERATOR_SECRET_KEY.