Basics
Production API base:
https://api.settlebolt.com
Send JSON with Content-Type: application/json. Write requests with JSON bodies are capped at 5 MiB, with smaller caps on support ticket and feedback routes.
Authentication
Dashboard APIs use the logged-in dashboard session token:
Authorization: Bearer <dashboard-session-token>
Only verified-email accounts can access the dashboard API. Mutating requests made through admin impersonation are rejected unless they are read-only.
Only accounts with an active paid Pro or Business billing period can create, revoke, or use API keys. Keys authenticate SettleBolt's dedicated, scoped server-to-server Agent API (/api/agent/*) — each key carries per-operation scopes and is not accepted on dashboard routes (it cannot manage wallets, billing, team, or account settings). Keys are shown once and should be treated like passwords; revoke a leaked key in Developers.
Agent API
The Agent API is the supported surface for AI agents and backend automations. It requires an active paid Pro or Business subscription, uses scoped API keys from Developers, and is limited to merchant operations that are safe to automate. Agent keys are not accepted on dashboard endpoints and cannot manage wallets, billing, team members, or account deletion.
Required header:
Authorization: Bearer sb_live_...
| Method | Path | Scope | Purpose |
|---|---|---|---|
| GET | /api/agent/me | any valid scope | Return merchant and API-key details. |
| GET | /api/agent/invoices, /api/agent/invoices/:id | invoices:read | List or inspect invoices. |
| POST | /api/agent/invoices | invoices:create | Create a draft invoice with the same validation as the dashboard. |
| POST | /api/agent/invoices/:id/send | invoices:send | Send an existing draft invoice. No additional dashboard confirmation is required. |
| POST | /api/agent/invoices/send | invoices:create + invoices:send | Create and send an invoice in one request. No additional dashboard confirmation is required. |
| GET | /api/agent/payment-links | payment_links:read | List payment links. |
| POST | /api/agent/payment-links | payment_links:create | Create a payment link. |
| GET | /api/agent/payments | payments:read | List recorded payments. |
| GET | /api/agent/customers | customers:read | List manual customer records. |
| POST | /api/agent/customers | customers:write | Create a customer record. |
| POST | /api/agent/support/tickets | support:create | Open a support ticket. Body: {"subject","message","category?","priority?"}. |
Machine-readable OpenAPI:
https://settlebolt.com/openapi.json
WhatsApp Agent Channel
The WhatsApp channel lets a merchant pair a WhatsApp sender to a scoped SettleBolt agent. It uses the same paid Pro/Business, verified-email, plan-current, scope, wallet, and audit-log checks as the Agent API, but no API key is shown in WhatsApp.
Configure the Meta WhatsApp webhook URL as https://api.settlebolt.com/api/whatsapp/webhook. The Worker verifies X-Hub-Signature-256 with the Meta app secret before parsing inbound messages.
| Method | Path | Auth | Purpose |
|---|---|---|---|
| GET | /api/whatsapp/webhook | Meta verify token | Meta webhook verification challenge. |
| POST | /api/whatsapp/webhook | Meta signature | Receive inbound WhatsApp messages, dedupe by provider message ID, and route commands to the paired merchant. |
| GET | /api/whatsapp/links | dashboard session | List paired WhatsApp senders and show the Meta webhook URL. |
| POST | /api/whatsapp/links/pairing-code | dashboard session | Create a 10-minute pairing code with selected scopes. |
| DELETE | /api/whatsapp/links/:id | dashboard session | Revoke a WhatsApp sender. |
Supported WhatsApp commands include:
send invoice to FPSHEAVEN info@example.com for EUR 1200 due July 16 using USDC on Base
create payment link Website deposit for EUR 500 using USDC on Base
add customer FPSHEAVEN info@example.com
payments
customers
status
WhatsApp cannot manage wallets, billing, team members, account deletion, dashboard sessions, or other high-risk settings.
Public Checkout API
| Method | Path | Purpose |
|---|---|---|
| GET | /api/checkout/:kind/:slug | Load payer-safe checkout data for payment links (kind=l) or invoices (kind=pay). |
| POST | /api/checkout/:kind/:slug/quote | Create or reuse a 15-minute live-priced quote for native assets (BTC, SOL, TRX). Stablecoins are matched at their fixed 1:1 amount and do not need a quote. (Native ETH is not currently enabled.) |
| GET | /api/public/logo/:merchantId, /api/public/icon/:merchantId | Load public merchant logo/icon assets used by checkout and previews. |
Custom checkout domains may call only public checkout and public asset APIs. The public checkout response intentionally returns public RPC fallbacks only, never configured provider secrets.
Dashboard Endpoints
| Area | Paths | Notes |
|---|---|---|
| Auth | /api/auth/* | Signup, login, email verification, 2FA, sessions, password and account management. |
| Merchant | /api/merchants/me, /api/merchants/me/wallets | Business profile, wallets, wallet labels, primary wallets, payout changes. |
| Payment links | /api/payment-links, /api/payment-links/:id | Create, list, edit, delete, and view payments for links. |
| Invoices | /api/invoices, /api/invoices/:id/send, /api/invoices/:id/pdf | Create drafts, edit drafts, send, resend, cancel, and print invoices. |
| Customers | /api/customers, /api/customers/:emailHash, /api/customers/export.csv, /api/customers/manual/:id | List/create customers, detail pages, edit/delete manual customers, and CSV export on paid plans. |
| Payments | /api/payments, /api/payments/:id, /api/payments/export | Payment ledger, filters, payment detail, and CSV export. |
| Branding | /api/branding, /api/branding/domain | Brand colors, PNG logo/icon, support email, and Pro/Business custom domains. |
| Billing | /api/billing/overview, /api/billing/change-plan, /api/billing/cancel | Stripe checkout, cancellation, receipts, portal sessions, and webhook sync. |
| Developers | /api/keys, /api/webhooks/*, /api/whatsapp/* | API key management, webhook endpoints, delivery event log, redelivery, and WhatsApp agent pairing. |
| Support | /api/support/tickets, /api/support/tickets/:id/messages, /api/support/feedback | Create tickets, list tickets, view a ticket thread, reply to a ticket, and submit feedback. |
| Team | /api/team, /api/team/invites, /api/team/members/:id | List members, invite by email, resend invites, change roles, remove members, transfer ownership (owner/admin; Pro/Business seats). |
| Analytics | /api/analytics/summary, /api/analytics/breakdown, /api/analytics/export | Revenue and payment analytics with CSV export (advanced analytics is a Pro/Business feature). |
Examples
Create and send an invoice with an agent key:
curl -X POST "$API/api/agent/invoices/send" \
-H "Authorization: Bearer $SETTLEBOLT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"customerName": "FPSHEAVEN",
"customerEmail": "billing@example.com",
"invoiceNumber": "INV-0008",
"amount": 120000,
"currency": "EUR",
"token": "USDC",
"chain": "base",
"dueDate": "2026-07-16",
"lineItems": [
{ "description": "Brand and website design", "qty": 1, "unitPrice": 90000 },
{ "description": "Hosting setup", "qty": 1, "unitPrice": 30000 }
]
}'
Create a payment link:
curl -X POST "$API/api/payment-links" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"title": "Website design",
"description": "Deposit",
"amount": 120000,
"currency": "EUR",
"token": "USDC",
"chain": "base"
}'
Create a draft invoice:
curl -X POST "$API/api/invoices" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"customerName": "FPSHEAVEN",
"customerEmail": "billing@example.com",
"invoiceNumber": "INV-0008",
"amount": 120000,
"currency": "EUR",
"token": "USDC",
"chain": "base",
"dueDate": "2026-07-16",
"lineItems": [
{ "description": "Brand and website design", "qty": 1, "unitPrice": 90000 },
{ "description": "Hosting setup", "qty": 1, "unitPrice": 30000 }
]
}'
List payments with filters:
curl "$API/api/payments?status=confirmed,overpaid&chain=base&source=invoices" \
-H "Authorization: Bearer $TOKEN"
Webhooks
Webhook management is available only during an active paid Pro or Business billing period.
A signed payment.confirmed POST is sent to each active endpoint when a payment is recorded on-chain, retried with backoff (up to 6 attempts), and logged. The headers, signature base string, verifier, and body below are exact.
| Method | Path | Purpose |
|---|---|---|
| GET | /api/webhooks/endpoints | List webhook endpoints. |
| POST | /api/webhooks/endpoints | Add an HTTPS endpoint. Body: {"url":"https://..."}. The signing secret is returned once. |
| DELETE | /api/webhooks/endpoints/:id | Disable an endpoint. |
| GET | /api/webhooks/events | List recent delivery events. |
| GET | /api/webhooks/events/:id | Fetch a single delivery event. |
| POST | /api/webhooks/events/:id/redeliver | Redeliver a pending or failed event. |
Event headers:
X-SettleBolt-Event: payment.confirmed
X-SettleBolt-Event-Id: <event-id>
X-SettleBolt-Timestamp: 1783100000
X-SettleBolt-Signature: t=1783100000,v1=<hmac>
Signature base string:
<timestamp>.<event_id>.<raw_json_body>
Node verification shape:
import crypto from "node:crypto";
function verifySettleBoltWebhook(rawBody, headers, secret) {
const eventId = headers["x-settlebolt-event-id"];
const timestamp = headers["x-settlebolt-timestamp"];
const sig = headers["x-settlebolt-signature"];
const expected = crypto
.createHmac("sha256", secret)
.update(`${timestamp}.${eventId}.${rawBody}`)
.digest("hex");
return sig && sig.includes(`v1=${expected}`);
}
Request body:
{
"type": "payment.confirmed",
"created_at": "2026-07-03T12:00:00.000Z",
"data": {
"payment_id": "…",
"merchant_id": "…",
"status": "confirmed", // confirmed | underpaid | overpaid
"chain": "base",
"token": "USDC",
"amount": "1200000000", // raw on-chain units, as a string
"amount_eur_cents": 120000, // null for unmatched priced-native (BTC/SOL/TRX)
"tx_hash": "0x…",
"invoice_id": null,
"payment_link_id": "…",
"payer_address": "0x…",
"merchant_address": "0x…"
}
}
Security Notes
- Webhook endpoints must be public HTTPS URLs on port 443.
- Private, loopback, link-local, CGNAT, metadata, credentialed, IPv6 literal, and redirect-following webhook targets are rejected.
- Webhook delivery fetches use manual redirects and an 8 second timeout.
- Webhook secrets are encrypted at rest and the raw secret is only shown once.
- Payment recording validates chain, token, recipient wallet, and idempotency before crediting.
- Do not put dashboard session tokens, API keys, or webhook secrets in browser code.
Errors
Most errors return JSON with an error string and an appropriate HTTP status.
{ "error": "Unsupported chain or token" }
| Status | Meaning |
|---|---|
| 400 | Invalid JSON, invalid field, unsupported token/chain, invalid URL, or invalid signature payload. |
| 401 | Missing or expired authentication. |
| 403 | Plan gate, role gate, unverified email, payout freeze, or forbidden internal secret. |
| 404 | Resource not found or checkout target unavailable. |
| 409 | Duplicate invoice number, duplicate customer, duplicate wallet, or conflicting custom domain. |
| 413 | Request body too large. |
| 429 | Rate limit reached. |
| 503 | Required provider secret or service is not configured. |