Authentication
- Base URL: `https://api.abstrapay.com`
- Operator endpoints — server-to-server calls you make directly. These require `Authorization: Bearer <OPERATOR_SECRET_KEY>` (we provision this key for you — keep it server-side only): `/session/create`, `/depositor/create`, and `/depositor/:externalUserId/check`.
- Session-scoped endpoints — `/depositor/address` and `/withdraw/direct-transfer` are called by the hosted widget, not your backend. They take no Bearer key; they are authenticated by the `sid` (session id) in the request body.
- The same `OPERATOR_SECRET_KEY` signs/verifies all webhooks.
- Response shape: the operator/session endpoints (`/session/create`, `/depositor/address`, `/withdraw/direct-transfer`) wrap their result as `{ "status", "message", "data": { … } }`. `GET /chain` and the `/admin/*` endpoints return the raw object/array (no envelope).
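
The rules above can be enforced in one place on your backend so the operator key is never attached to a session-scoped call. The following is an added example, not code from AbstraPay: the helper names (`classify`, `build_request`, `unwrap`) and the sample values are assumptions, and no request is actually sent.

```python
import re

BASE_URL = "https://api.abstrapay.com"

# Operator endpoints (Bearer key required), as listed on this page.
OPERATOR = [
    re.compile(r"^/session/create$"),
    re.compile(r"^/depositor/create$"),
    re.compile(r"^/depositor/[^/]+/check$"),  # /depositor/:externalUserId/check
]
# Session-scoped endpoints: no Bearer key, authenticated by `sid` in the body.
SESSION_SCOPED = {"/depositor/address", "/withdraw/direct-transfer"}
# Endpoints this page says wrap their result as {status, message, data}.
ENVELOPED = {"/session/create", "/depositor/address", "/withdraw/direct-transfer"}


def classify(path):
    """Return 'session', 'operator' or 'other' for an API path."""
    if path in SESSION_SCOPED:
        return "session"
    if any(p.match(path) for p in OPERATOR):
        return "operator"
    return "other"


def build_request(path, body, operator_key=None):
    """Return (url, headers, body) with credentials matching the endpoint class."""
    kind = classify(path)
    headers = {}
    if kind == "operator":
        if not operator_key:
            raise ValueError("operator endpoint requires OPERATOR_SECRET_KEY")
        headers["Authorization"] = f"Bearer {operator_key}"
    elif kind == "session":
        if operator_key is not None:
            raise ValueError("never send the operator key to a session-scoped endpoint")
        if not body.get("sid"):
            raise ValueError("session-scoped endpoint requires sid in the body")
    return BASE_URL + path, headers, body


def unwrap(path, payload):
    """Strip the envelope where this page says one exists; pass raw bodies through."""
    if path in ENVELOPED:
        missing = {"status", "message", "data"} - set(payload)
        if missing:
            raise ValueError(f"malformed envelope, missing {sorted(missing)}")
        return payload["data"]
    return payload
```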