API Reference
| Method | Endpoint | Auth | Purpose |
|---|---|---|---|
POST | /session/create | operator key | Create a user session → widget URL |
POST | /depositor/address | session (sid) | Get the deposit address — body: sid, currency, chainId |
GET | /chain | public | List networks + token contracts/decimals |
POST | /withdraw/direct-transfer | session (sid) | Initiate a withdrawal |
GET | /admin/withdrawals | admin (dashboard-only) | List withdrawals (management panel) |
PATCH | /admin/withdrawals/:id/status | admin (dashboard-only) | Approve / reject a withdrawal |
POST /depositor/address is session-scoped: it is authenticated by the sid in the request body (called by the hosted widget), and takes no Bearer key. It requires the body fields sid, currency, and chainId.
The /admin/* endpoints are dashboard/admin-only — used internally by the management panel under a separate admin login. They are not partner-callable with your OPERATOR_SECRET_KEY.