All REST API endpoints require authentication before you can call them. Webhook callbacks use a separate HMAC signature scheme.
Obtain an access token
Request a JWT access token using your Client ID and Client Secret from the merchant dashboard.
Send the request to POST /api/v1.1/access-token/b2b, listed under Security in the API reference sidebar (OpenAPI-generated endpoint page).
Older integrations can also use POST /api/v1.0/access-token/b2b.
| Header | Value |
|---|---|
| Authorization | Basic {base64(client_id:client_secret)} |
| X-PARTNER-ID | Your API key (Partner ID) |
| Content-Type | application/x-www-form-urlencoded or application/json |
Token request body
| Field | Value |
|---|---|
| grant_type | client_credentials |
The response includes a Bearer token and expiry time. Request a new token before the current one expires.
Authenticated API requests
Include these headers on every REST API call after you obtain a token:
| Header | Description |
|---|---|
| Authorization | Bearer {access_token} |
| X-PARTNER-ID | Your API key from the merchant dashboard |
| Content-Type | application/json (unless the endpoint specifies otherwise) |
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
X-PARTNER-ID: b3ed7d4b-a96c-6c08-b3c7-12c3124242d9
Content-Type: application/json
```
Signed requests (selected endpoints)
Some money-out operations require additional headers for request signing:
| Header | Description |
|---|---|
| X-Signature | HMAC-SHA512 signature of the request |
| X-Timestamp | Unix timestamp in seconds |
Endpoints that typically require signing include:
- Disbursement transfer (POST /api/v2.0/disbursement/transfer)
- QRIS issuer payment credit and related money-out flows
- E-Wallet trigger top-up (POST /api/v2.0/ewallet/trigger-topup)
Refer to the OpenAPI reference for each endpoint to confirm required headers. The signing algorithm follows the same METHOD:ENDPOINT:ACCESS_TOKEN:HASHED_BODY:TIMESTAMP pattern described in Security and signature validation, applied to outbound API requests rather than inbound webhooks.
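The following sketch builds the X-Signature and X-Timestamp headers from the METHOD:ENDPOINT:ACCESS_TOKEN:HASHED_BODY:TIMESTAMP pattern named above. It is an added example, not code from the API provider. Assumptions to confirm against Security and signature validation: HASHED_BODY is the lowercase hex SHA-256 of the compact JSON body, the HMAC key is the client secret, and the signature is hex-encoded; the function names, body fields and credentials are constructed.

```python
import hashlib
import hmac
import json
import time


def string_to_sign(method, endpoint, access_token, raw_body, timestamp):
    # Field order is the page's METHOD:ENDPOINT:ACCESS_TOKEN:HASHED_BODY:TIMESTAMP.
    # Assumption: HASHED_BODY is the lowercase hex SHA-256 of the raw body.
    hashed_body = hashlib.sha256(raw_body.encode("utf-8")).hexdigest()
    return ":".join([method.upper(), endpoint, access_token, hashed_body, str(timestamp)])


def sign(secret, method, endpoint, access_token, raw_body, timestamp):
    # Assumption: the key is the client secret and the signature is hex-encoded.
    msg = string_to_sign(method, endpoint, access_token, raw_body, timestamp)
    return hmac.new(secret.encode("utf-8"), msg.encode("utf-8"), hashlib.sha512).hexdigest()


def signed_request(secret, partner_id, access_token, method, endpoint, body, now=None):
    """Return (headers, raw_body); send raw_body unchanged, never re-serialize it."""
    timestamp = int(time.time() if now is None else now)
    raw_body = json.dumps(body, separators=(",", ":"))  # serialize exactly once
    headers = {
        "Authorization": f"Bearer {access_token}",
        "X-PARTNER-ID": partner_id,
        "Content-Type": "application/json",
        "X-Signature": sign(secret, method, endpoint, access_token, raw_body, timestamp),
        "X-Timestamp": str(timestamp),
    }
    return headers, raw_body


def signature_matches(secret, access_token, method, endpoint, headers, raw_body):
    # Local self-check: recompute over the bytes about to be sent, compare in constant time.
    expected = sign(secret, method, endpoint, access_token, raw_body, headers["X-Timestamp"])
    return hmac.compare_digest(expected, headers["X-Signature"])


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a documented request body.
    hdrs, raw = signed_request(
        "constructed-secret", "constructed-partner-id", "constructed-token",
        "POST", "/api/v2.0/disbursement/transfer",
        {"amount": 10000, "reference": "constructed-ref-1"}, now=1700000000)
    print(hdrs["X-Timestamp"], hdrs["X-Signature"][:16], raw)
```

The signature covers the exact body bytes, so an HTTP client that re-encodes the JSON (different spacing or key order) after signing produces a request the server's recomputed hash will not match.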
IP whitelist
Merchant API routes may require your server IP to be registered on the merchant account before requests are accepted. Configure allowed IPs in the merchant dashboard before going to production.
IP Whitelist Required — Ensure your server IP is registered for the merchant account before making API requests from production systems.
Environments
| Environment | Base URL |
|---|---|
| Sandbox | https://sandbox-payment-b2b.singapay.id |
| Production | https://payment-b2b.singapay.id |
Use Sandbox for development and testing. No real money moves in Sandbox.