Charge
Pulls funds from a bound bank account into the merchant settlement account.
Authorizations
JWT issued by POST /api/v1.1/access-token/b2b. Send Authorization: Bearer <token>.
Merchant API key (Credential.api_key). Required on every request.
Headers
HMAC-SHA512 hex signature, computed as HMAC_SHA512(clientSecret, "{HTTP_METHOD}:{REQUEST_URI}:{ACCESS_TOKEN}:{SHA256_HEX(MINIFIED_BODY)}:{X_TIMESTAMP}"). MINIFIED_BODY is the request body with object keys recursively sorted alphabetically and re-serialised with no whitespace (an empty/missing body hashes the empty string). ACCESS_TOKEN is the bearer token without the Bearer prefix. Signature mismatch returns 401 with response_code=4019900.
ISO-8601 timestamp of the request; used as part of the signed string and rejected by the gateway if more than ±5 minutes off the server clock.
Body
Pulls funds from an active binding into the merchant settlement account identified by account_id. The binding must be ACTIVE. merchant_reference is an idempotency key; replaying the same value returns 409 SP_DD_DUPLICATE_REFERENCE with the original transaction_id in data.
ULID of the merchant settlement account that should receive the funds. Must be owned by the authenticated merchant; access policy on the account is also enforced.
"01HZX9JK4M5N6P7Q8R9STUVWXY"
UUID of an ACTIVE DirectDebitBinding owned by the merchant.
"01HZX9JK4M5N6P7Q8R9STUVWXY"
Merchant-side unique idempotency key for this charge.
100"ref-123456"
Amount to debit, in the unit of currency. Minimum 1 IDR.
x >= 110000
ISO-4217. Defaults to IDR (the only value supported by Direct Debit).
3"IDR"
Customer-facing description for this charge. This value is stored with the transaction and may appear in reports.
512"Description of the charge"
Response
SP000 Charge accepted. data matches DirectDebitTransactionData; status=PENDING (await settlement webhook) or status=FAILED if the upstream rejected immediately. fees are present only on a later SUCCESS.
SingaPay Merchant API v2 custom response envelope (ApiResponderHelper::responseJson, ApiResponseTrait). Business outcome is determined by response_code (SP000–SP020), not by HTTP status alone. On success (SP000), data holds the operation payload. On errors, data often includes a message and may echo request fields.
SingaPay custom business response code.
"SP000"
Human-readable label paired with response_code.
"Successfully"
Endpoint-specific payload on success, or error context (validation message, inquiry result with status invalid, etc.).
