Going Live

Onboarding & Going Live

URLs

API basehttps://api.abstrapay.com — all server-to-server calls
Widgethttps://widget.abstrapay.com/?sid=<SESSION_ID> — embed the url returned by /session/create
Live referencehttps://operator-demo.abstrapay.com — a fully working operator (widget embed + webhook handling) you can copy from

What AbstraPay provides you

  • Your OPERATOR_SECRET_KEY, sent over a secure channel — authenticates /session/create and signs/verifies every webhook.
  • The API + widget above, and this guide.

What we need from you

  • Your webhook callback URL — where we POST DEPOSIT / WITHDRAW_REQUEST / WITHDRAW_COMPLETE.
  • The site domain(s) where you'll embed the widget or call the API, so we can whitelist them (CORS / embedding).

Steps

  1. Send us your callback URL + domain(s); we send you your OPERATOR_SECRET_KEY.
  2. Server-side: call /session/create, embed the returned widget url, and implement the webhook handlers with signature verification (see Webhooks).
  3. Validate end-to-end with a small deposit (e.g. 0.01 USDC) on a fast, low-fee network such as Base or Arbitrum.
  4. You're live.

Best Practices

  • Idempotency — webhooks may be delivered more than once. Dedupe deposits on idempotencyKey, withdrawals on withdrawRequestId.
  • Always verify the signature before trusting a payload; keep OPERATOR_SECRET_KEY server-side.
  • Credit/debit the USD value (amountInDollar / amountInUsd), not the raw on-chain amount.
  • Respond to WITHDRAW_REQUEST fast — it's a synchronous gate; slow responses delay the user.
  • Ack webhooks immediately (200) and process asynchronously.
Management Panel