Documentation

Introduction

Our platform provides a comprehensive solution for managing your team, API integrations, and workspace settings. This guide will help you get started with the basic features.

Team Management

You can invite team members to your workspace and assign them different roles:

• Admin: Full access to all features and settings
• Manager: Can manage most resources but cannot change critical settings
• Viewer: Read-only access to resources

API Keys

API keys allow your applications to authenticate with our API. You can generate, manage, and revoke API keys from the API Keys section.

Workspace Settings

Configure your workspace name, billing information, and other settings from the Workspace Settings page.

Documentation.creatingProducts.productSetup.title

Documentation.creatingProducts.productSetup.description

Documentation.creatingProducts.twoProductTypes.title

Documentation.creatingProducts.twoProductTypes.description

Documentation.creatingProducts.acceptedTokens.title

Documentation.creatingProducts.acceptedTokens.description

Creating Payments

To create a payment, you'll use the createPayment API endpoint with your product. The process differs slightly based on your product type:

• Fixed Price Products: Simply provide the product ID - the price is already defined
• Flexible Price Products: You must include the currencyAmount field to specify the payment amount in the product's currency (e.g., USD)

Payment Creation Steps

1. Create a Product: Set up your product with either fixed or flexible pricing
2. Generate Payment: Use the createPayment API endpoint or dashboard
3. For Flexible Pricing: Include the currencyAmount field with the exact amount in your product's currency (if you're using flexible pricing)
4. Share Payment Link: Provide the generated payment URL to your customer
5. Monitor Status: Track payment progress via webhooks, api or dashboard

Payment Flow

When a customer initiates payment for your product:

1. They select their preferred cryptocurrency on your Payment Creation Page
2. A unique payment address is generated
3. Customer sends the exact amount to the address
4. Our system automatically detects the payment
5. You receive notification via webhook (if configured)
6. Customer is redirected to your success page

How Webhooks Work

Webhooks are HTTP POST requests sent to your server when specific events occur. This allows your application to react instantly to payment updates without constantly polling our API.

Webhook Configuration

To start receiving webhook notifications, you need to create and configure your webhook endpoints. Go to the Webhook Configuration page to set up your webhooks.

In the webhook configuration, you can:

• Set multiple webhook URLs for different events
• Test webhook endpoints before going live

Webhook Events

We send webhooks for the following events:

• payment.created: A new payment has been initiated
• payment.updated: Payment updated (status: PENDING, CONFIRMED, DECLINED)
• product.created: A new product has been created
• product.updated: Product updated (name, price, etc.)
• product.deleted: Product deleted

Webhook Security & Verification

Critical: Always verify webhook signatures to ensure requests are legitimate and from our servers. This prevents malicious actors from triggering fake payment confirmations.

Verification Implementation

Here's how to implement webhook signature verification in your application:

// Extract webhook headers
const webhookSignature = req.headers["x-webhook-signature"];
const webhookTimestamp = req.headers["x-webhook-timestamp"];

// Verify webhook signature before processing
const isSignatureValid = WebhookService.verifyWebhookSignature(
  body,
  webhookTimestamp,
  webhookSignature
);

if (!isSignatureValid) {
  return res.status(401).json({ error: "Invalid webhook signature" });
}

// Process the webhook payload safely
processWebhookPayload(body);

verifyWebhookSignature(payload, timestamp, signature, secret) {
  try {
    // Create the message to sign: "{timestamp}.{payload}"
    const message = `${timestamp}.${payload}`;

    // Generate HMAC-SHA256 signature
    const expectedSignature = crypto
      .createHmac("sha256", secret)
      .update(message, "utf8")
      .digest("hex");

    // Compare signatures (time-constant comparison to prevent timing attacks)
    const isValid = crypto.timingSafeEqual(
      Buffer.from(signature, "hex"),
      Buffer.from(expectedSignature, "hex")
    );

    if (isValid) {
      console.log("✅ Webhook signature verified successfully");
    } else {
      console.log("❌ Webhook signature verification failed");
    }

    return isValid;
  } catch (error) {
    console.error("❌ Error verifying webhook signature:", error);
    return false;
  }
}

Security Best Practices

• Always verify signatures: Never process unverified webhooks
• Use HTTPS: Ensure your webhook endpoint uses SSL/TLS
• Implement idempotency: Handle duplicate webhook deliveries gracefully
• Timeout protection: Add timestamp validation to prevent replay attacks
• Rate limiting: Implement rate limiting on your webhook endpoint
• Error handling: Return appropriate HTTP status codes (200 for success, 4xx/5xx for errors)