Binding Card
Initiates a Direct Debit binding flow. The merchant must redirect the customer to data.redirect_url to complete bank authentication; the link is single-use and expires at data.expires_at (typically ~15 minutes). Final binding outcome is delivered via the configured direct_debit_notif_url callback.
Authorizations
JWT issued by POST /api/v1.1/access-token/b2b. Send Authorization: Bearer <token>.
Merchant API key (Credential.api_key). Required on every request.
Body
Initiates a Direct Debit binding flow. The merchant must redirect the customer to the returned redirect_url to complete bank authentication. bank_code is optional; when omitted the hosted webview renders a bank picker. payment_otp_mode is a preferred charge-time mode and the bank may still enforce its own OTP rules.
Merchant-side stable id for the customer (NOT the bank account number). Used to scope future bindings of the same customer.
Length: 4 - 15. Example: "cust-9001"
Customer mobile phone in E.164-ish form (e.g. +6281234567890). The bank may use this to deliver OTP.
Max length: 20. Example: "+6281234567890"
3-digit BI/SNAP code of the target bank. Common values: 002 BRI, 008 Mandiri, 009 BNI, 011 Danamon, 014 BCA, 022 CIMB, 490 BNC.
Length: 3. Example: "008"
Preferred OTP behavior for later charge requests. The actual bank flow may still require OTP regardless of this hint.
Allowed values: WITH_OTP, WITHOUT_OTP. Example: "WITH_OTP"
Where the hosted webview redirects after a successful authorization.
Max length: 512. Example: "https://example.com/success"
Where the hosted webview redirects after a failed/cancelled authorization.
Max length: 512. Example: "https://example.com/failure"
Response
SP000 Binding initiated — data matches DirectDebitBindingInitiationData. The customer must open redirect_url to authenticate.
SingaPay Merchant API v2 custom response envelope (ApiResponderHelper::responseJson, ApiResponseTrait). Business outcome is determined by response_code (SP000–SP020), not by HTTP status alone. On success (SP000), data holds the operation payload. On errors, data often includes a message and may echo request fields.
SingaPay custom business response code.
"SP000"
Human-readable label paired with response_code.
"Successfully"
Endpoint-specific payload on success, or error context (validation message, inquiry result with status invalid, etc.).
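A merchant-side check of the binding response before redirecting the customer, as an added example that is not SingaPay's own code: it takes the outcome from response_code rather than the HTTP status, and refuses a redirect_url that is not https, not on an expected host, or past expires_at. Assumptions: expires_at is ISO 8601 with a UTC offset, error text sits under data["message"], and the function name, the allowed_hosts parameter and the sample host are hypothetical.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit


class BindingError(Exception):
    """The binding response must not be acted on."""


def binding_redirect(http_status, body, allowed_hosts, now=None):
    """Return the redirect_url to send the customer to, or raise BindingError.

    Assumptions (not specified on the page): expires_at is an ISO 8601
    timestamp with a UTC offset, error text sits under data["message"], and
    allowed_hosts is the merchant's own list of hosted-webview hostnames.
    """
    now = now or datetime.now(timezone.utc)
    if not isinstance(body, dict):
        raise BindingError(f"no JSON envelope (HTTP {http_status})")
    code, data = body.get("response_code"), body.get("data")
    # Business outcome comes from response_code; HTTP 200 alone proves nothing.
    if code != "SP000":
        detail = data.get("message") if isinstance(data, dict) else None
        raise BindingError(f"binding not initiated: {code} ({detail})")
    if not isinstance(data, dict):
        raise BindingError("SP000 without a data payload")
    url = data.get("redirect_url")
    try:
        parts = urlsplit(url if isinstance(url, str) else "")
        expires = datetime.fromisoformat(str(data.get("expires_at")))
    except ValueError as exc:
        raise BindingError(f"malformed redirect_url or expires_at: {exc}") from exc
    # Only send the customer to an https URL on an expected host.
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise BindingError("redirect_url failed scheme/host check")
    if expires.tzinfo is None or expires <= now:
        raise BindingError("redirect link expired or expires_at has no offset")
    return url


# Constructed sample envelope; host and timestamp are placeholders.
SAMPLE_OK = {
    "response_code": "SP000",
    "data": {
        "redirect_url": "https://bind.example.test/s/abc123",
        "expires_at": "2030-01-01T00:15:00+00:00",
    },
}
```

Because the link is single-use, a BindingError on expiry should trigger a fresh binding request rather than a retry of the same URL.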
