Developer Documentation
Endpoints
SikaaHub API Endpoints
Base URL: https://api.sikaahub.com/v1
All responses use:
{"success":true,"message":"Human readable message","data":{},"meta":{}}
Errors use:
{"success":false,"message":"Human readable error","error":{"code":"ERROR_CODE","details":{}}}
Health
GET /health
GET /status
Authentication
POST /auth/register/customer
POST /auth/register/merchant
POST /auth/login
POST /auth/logout
POST /auth/refresh
POST /auth/forgot-password
POST /auth/reset-password
POST /auth/verify-phone
POST /auth/verify-device
POST /auth/resend-otp
POST /auth/request-password-reset
POST /auth/change-pin
POST /auth/change-transaction-pin
POST /auth/set-transaction-pin
POST /auth/verify-transaction-pin
Login supports X-Device-ID and X-App-Version. Access tokens expire. Refresh tokens are stored hashed and rotated.
Customer and merchant registrations start as pending_verification until OTP verification succeeds.
Customers
GET /customers/me
PUT /customers/me
GET /customers/me/wallets
POST /customers/me/link-wallet
DELETE /customers/me/wallets/{id}
GET /customers/me/transactions
GET /customers/me/payments
GET /customers/me/withdrawals
Merchants
POST /merchants/apply
GET /merchants/me
PUT /merchants/me
GET /merchants/me/qr
POST /merchants/me/qr/regenerate
POST /merchants/me/submit-kyc
GET /merchants/me/wallet
GET /merchants/me/transactions
GET /merchants/me/payments
GET /merchants/me/withdrawals
GET /merchants/me/commissions
GET /merchants/verify/{merchantCode}
Merchant QR payloads expose only the merchant code and a SikaaHub type marker, never internal numeric IDs.
KYC
POST /kyc/customer/basic
POST /kyc/merchant/basic
POST /kyc/merchant/documents
GET /kyc/me/status
Devices
GET /devices
POST /devices/trust
DELETE /devices/{id}
QR Verification
POST /qr/verify
Payments
POST /payments/initiate
POST /payments/confirm
GET /payments/{paymentId}
GET /payments
POST /payments/{paymentId}/cancel
Financial creation endpoints require Idempotency-Key. Confirmation requires transaction PIN. Wallet balance updates run inside database transactions with row-level locks.
Payment lifecycle: pending, processing, successful, failed, cancelled, reversed.
Confirmed payments create one transaction record and immutable ledger entries:
- customer wallet debit
- merchant wallet credit
- optional commission debit/credit when an active commission rule applies
Wallets and Ledger
GET /wallets/me
GET /wallets/me/balance
GET /wallets/me/ledger
Wallet balances are stored for fast reads. The immutable ledger is the source of truth. Every financial movement writes at least two ledger entries, one debit and one credit. Corrections must use reversal entries, not edits or deletes.
Wallet owner types:
- customer
- merchant
- system
Ledger entry types:
- payment
- withdrawal
- commission
- settlement
- refund
- reversal
- adjustment
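The ledger rules above (paired debit and credit entries, corrections by reversal, stored balances checked against the ledger) can be modelled as follows. This is an added Python example, not SikaaHub's own code; the class names, wallet labels and the in-memory list standing in for the ledger table are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)          # frozen: an entry cannot be edited once written
class Entry:
    txn_id: str
    wallet: str                  # hypothetical label such as "customer:1"
    entry_type: str              # payment, commission, reversal, ...
    direction: str               # "debit" or "credit"
    amount: Decimal


class Ledger:
    def __init__(self):
        self.entries = []        # append-only; no update or delete path

    def post(self, txn_id, entry_type, debit_wallet, credit_wallet, amount):
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        # Each movement is written as a debit/credit pair of equal value.
        self.entries.append(Entry(txn_id, debit_wallet, entry_type, "debit", amount))
        self.entries.append(Entry(txn_id, credit_wallet, entry_type, "credit", amount))

    def reverse(self, txn_id, reversal_id):
        # A correction mirrors every original pair; originals stay untouched.
        originals = [e for e in self.entries if e.txn_id == txn_id]
        for debit, credit in zip(originals[0::2], originals[1::2]):
            self.post(reversal_id, "reversal", credit.wallet, debit.wallet, debit.amount)

    def balance(self, wallet):
        signed = (e.amount if e.direction == "credit" else -e.amount
                  for e in self.entries if e.wallet == wallet)
        return sum(signed, Decimal(0))

    def unbalanced_transactions(self):
        net = defaultdict(Decimal)
        for e in self.entries:
            net[e.txn_id] += e.amount if e.direction == "credit" else -e.amount
        return [txn for txn, total in net.items() if total != 0]

    def drifted_wallets(self, cached_balances):
        # Compare the fast-read balance column against the ledger-derived value.
        return [w for w, cached in cached_balances.items()
                if self.balance(w) != Decimal(cached)]
```

A non-empty result from `unbalanced_transactions()` or `drifted_wallets()` means a write bypassed the paired-entry path or a stored balance was changed without a ledger entry.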
Withdrawals
POST /withdrawals/initiate
POST /withdrawals/approve
POST /withdrawals/confirm
POST /withdrawals/complete
GET /withdrawals/{withdrawalId}
GET /withdrawals
Statuses: pending_customer_confirmation, pending_merchant_approval, approved, completed, failed, cancelled, reversed.
Withdrawal lifecycle:
1. Customer initiates withdrawal from merchant.
2. Merchant approves.
3. Customer confirms with transaction PIN.
4. Merchant completes after cash payout.
5. Merchant wallet is debited.
6. System settlement placeholder wallet is credited.
7. Commission is calculated and ledgered when applicable.
Transactions
GET /transactions
GET /transactions/{transactionId}
GET /transactions/summary
GET /transactions/export
Supported filters: type, status, from, to, cursor, limit. Default limit is 20, maximum is 100.
Cursor format is opaque to clients. Use the next_cursor returned in meta.
{
"meta": {
"limit": 20,
"next_cursor": "MjAyNi0wNS0xMSAwNjowMDowMHwxMjM=",
"has_more": true
}
}
Merchant Commissions
GET /merchants/me/commissions
GET /merchants/me/commission-summary
Admin Commission Rules
GET /admin/commission-rules
POST /admin/commission-rules
PUT /admin/commission-rules/{id}
POST /admin/commission-rules/{id}/activate
POST /admin/commission-rules/{id}/deactivate
Rules support flat and percentage commissions with optional caps.
Admin Wallet Monitoring
GET /admin/wallets
GET /admin/wallets/{id}
GET /admin/wallets/{id}/ledger
Risk
GET /admin/risk-alerts
POST /admin/risk-alerts/{id}/resolve
POST /admin/risk-alerts/{id}/dismiss
Basic risk checks currently flag high amounts, velocity, failed PIN attempts, new devices, and suspicious merchant/customer patterns as placeholder hooks for a stronger fraud engine.
Webhooks
POST /webhooks/payment-provider
POST /webhooks/bank
POST /webhooks/ghipss-partner
POST /webhooks/{providerCode}
GET /webhooks/events
POST /webhooks/retry/{eventId}
Provider Operations
GET /admin/provider-configs
POST /admin/provider-configs
GET /admin/provider-configs/{id}
PUT /admin/provider-configs/{id}
POST /admin/provider-configs/{id}/activate
POST /admin/provider-configs/{id}/deactivate
GET /admin/providers
GET /admin/providers/{providerCode}/health
POST /admin/providers/{providerCode}/check-health
Settlements and Reconciliation
GET /admin/settlements
GET /admin/settlements/{id}
POST /admin/settlements/generate
POST /admin/settlements/{id}/mark-paid
POST /admin/settlements/{id}/cancel
GET /merchants/me/settlements
GET /merchants/me/settlements/{id}
POST /admin/reconciliation/run
GET /admin/reconciliation/runs
GET /admin/reconciliation/runs/{id}
GET /admin/reconciliation/items
POST /admin/reconciliation/items/{id}/resolve
Webhook writes store the raw payload and external event ID to prevent duplicate processing.
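One way to get the duplicate protection described above is a unique constraint on provider and external event ID, so the database decides and two concurrent deliveries cannot both pass a check-then-insert. This is an added Python/SQLite example, not SikaaHub's implementation; the table layout, the `event_id` payload field and the status values are assumptions, and the payloads used with it are constructed.

```python
import json
import sqlite3

SCHEMA = """
CREATE TABLE webhook_events (
    id                INTEGER PRIMARY KEY,
    provider_code     TEXT NOT NULL,
    external_event_id TEXT NOT NULL,
    raw_payload       TEXT NOT NULL,
    status            TEXT NOT NULL DEFAULT 'received',
    UNIQUE (provider_code, external_event_id)
)"""


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def receive(db, provider_code, raw_body, handler):
    """Store the event, then process it once. Returns processed/duplicate/failed."""
    event = json.loads(raw_body)
    event_id = str(event["event_id"])       # assumed field name
    try:
        with db:                            # commit the raw payload before any side effects
            cur = db.execute(
                "INSERT INTO webhook_events (provider_code, external_event_id, raw_payload)"
                " VALUES (?, ?, ?)", (provider_code, event_id, raw_body))
    except sqlite3.IntegrityError:
        return "duplicate"                  # the UNIQUE constraint rejected a replay
    try:
        handler(event)
        status = "processed"
    except Exception:
        status = "failed"                   # row is kept so the event can be retried
    with db:
        db.execute("UPDATE webhook_events SET status = ? WHERE id = ?",
                   (status, cur.lastrowid))
    return status
```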
Developer API Keys
POST /developer/api-keys
GET /developer/api-keys
DELETE /developer/api-keys/{id}
API keys are hashed in the database and only shown once at creation.
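The statement above about API keys, and the earlier one that refresh tokens are stored hashed and rotated, describe the same storage pattern. The following added Python example sketches it; it is not SikaaHub's code, and the class name, owner labels and in-memory dictionary standing in for the database table are assumptions.

```python
import hashlib
import secrets


class SecretStore:
    def __init__(self):
        self._rows = {}   # SHA-256 hex digest -> {"owner": str, "active": bool}

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, owner):
        secret = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self._rows[self._digest(secret)] = {"owner": owner, "active": True}
        return secret                                # the only time plaintext is available

    def verify(self, secret):
        row = self._rows.get(self._digest(secret))   # lookup by digest, never plaintext
        return row["owner"] if row and row["active"] else None

    def rotate(self, secret):
        # Exchange a valid secret for a new one; the old one stops working.
        owner = self.verify(secret)
        if owner is None:
            return None
        self._rows[self._digest(secret)]["active"] = False
        return self.issue(owner)

    def revoke(self, secret):
        row = self._rows.get(self._digest(secret))
        if row:
            row["active"] = False

    def stored_values(self):
        # What a database dump would expose: digests only.
        return list(self._rows)
```

A fast unsalted hash is adequate here only because the secrets are long random values; low-entropy secrets such as PINs or passwords need a slow, salted password hash instead.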
Mobile App APIs
GET /app/config
POST /mobile/auth/register/customer
POST /mobile/auth/register/merchant
POST /mobile/auth/login
POST /mobile/auth/logout-all
GET /mobile/customer/home
GET /mobile/merchant/home
POST /mobile/qr/verify
POST /mobile/payments/preview
POST /mobile/payments/initiate
POST /mobile/payments/confirm
POST /mobile/withdrawals/preview
POST /mobile/withdrawals/initiate
GET /mobile/merchant/withdrawal-requests
POST /mobile/merchant/withdrawal-requests/{id}/approve
POST /mobile/merchant/withdrawal-requests/{id}/complete
GET /mobile/customer/transactions
GET /mobile/merchant/transactions
GET /mobile/transactions/{id}/receipt
GET /mobile/notifications
GET /mobile/customer/linked-wallets
GET /mobile/limits/me
Merchant Dashboard APIs
GET /dashboard/merchant/summary
GET /dashboard/merchant/analytics/transactions
GET /dashboard/merchant/analytics/payments
GET /dashboard/merchant/analytics/withdrawals
GET /dashboard/merchant/analytics/commissions
GET /dashboard/merchant/transactions
GET /dashboard/merchant/payments
GET /dashboard/merchant/payments/{id}
GET /dashboard/merchant/payments/{id}/receipt
GET /dashboard/merchant/withdrawals
GET /dashboard/merchant/withdrawals/{id}
GET /dashboard/merchant/withdrawal-requests
POST /dashboard/merchant/withdrawal-requests/{id}/approve
POST /dashboard/merchant/withdrawal-requests/{id}/reject
POST /dashboard/merchant/withdrawal-requests/{id}/complete
GET /dashboard/merchant/commissions
GET /dashboard/merchant/commissions/summary
GET /dashboard/merchant/settlements
GET /dashboard/merchant/settlements/summary
GET /dashboard/merchant/qr
POST /dashboard/merchant/qr/regenerate
GET /dashboard/merchant/qr/download
GET /dashboard/merchant/profile
GET /dashboard/merchant/settings
GET /dashboard/merchant/staff
POST /dashboard/merchant/staff
POST /dashboard/merchant/exports/{type}
GET /dashboard/merchant/exports
GET /dashboard/merchant/activity
POST /dashboard/merchant/feedback
Disputes, Feedback, and Pilot Operations
POST /disputes
GET /disputes
GET /disputes/{id}
POST /disputes/{id}/messages
POST /disputes/{id}/close
GET /dashboard/merchant/disputes
GET /admin/disputes
POST /admin/disputes/{id}/resolve
GET /admin/pilot/merchants
POST /admin/pilot/merchants
GET /admin/feedback
Admin
GET /admin/dashboard
GET /admin/merchants
GET /admin/customers
GET /admin/transactions
GET /admin/payments
GET /admin/withdrawals
POST /admin/merchants/{id}/approve
POST /admin/merchants/{id}/suspend
POST /admin/merchants/{id}/activate
GET /admin/audit-logs
GET /admin/risk-alerts
Stage 5 control center additions:
GET /admin/dashboard/summary
GET /admin/dashboard/transactions-chart
GET /admin/dashboard/risk-summary
GET /admin/dashboard/provider-health
GET /admin/dashboard/settlement-summary
GET /admin/users
GET /admin/users/{id}
POST /admin/users/{id}/suspend
POST /admin/users/{id}/activate
POST /admin/users/{id}/lock
POST /admin/users/{id}/unlock
POST /admin/wallets/{id}/freeze
POST /admin/wallets/{id}/unfreeze
GET /admin/transactions/{id}
POST /admin/transactions/{id}/flag
POST /admin/transactions/{id}/review
POST /admin/transactions/{id}/reversal-request
GET /admin/reversal-requests
POST /admin/reversal-requests/{id}/approve
POST /admin/reversal-requests/{id}/process
GET /admin/fraud-rules
POST /admin/fraud-rules
GET /admin/observability/requests
GET /admin/observability/errors
GET /admin/observability/latency
GET /admin/observability/slow-queries
GET /admin/system/logs
GET /admin/system/jobs
Stage 8 admin operations portal additions:
GET /admin/operations/summary
GET /admin/operations/today
GET /admin/operations/alerts
GET /admin/operations/queue-summary
GET /admin/customers
GET /admin/customers/{id}
POST /admin/customers/{id}/suspend
POST /admin/customers/{id}/force-logout
GET /admin/merchants
GET /admin/merchants/{id}
POST /admin/merchants/{id}/approve
POST /admin/merchants/{id}/reset-qr
GET /admin/kyc/workbench
GET /admin/kyc/submissions/{id}/documents
GET /admin/kyc/documents/{id}/secure-download
GET /admin/monitoring/transactions
GET /admin/monitoring/failed-transactions
GET /admin/monitoring/transaction-timeline/{id}
GET /admin/finance/summary
GET /admin/finance/ledger
POST /admin/finance/settlements/{id}/approve
GET /admin/support/summary
GET /admin/support/tickets
POST /admin/support/tickets
GET /admin/risk/summary
GET /admin/risk/blacklist
POST /admin/risk/blacklist
GET /admin/providers/{providerCode}/transactions
POST /admin/providers/{providerCode}/maintenance-on
GET /admin/settings
PUT /admin/settings/{key}
GET /admin/maintenance
POST /admin/maintenance/enable
POST /admin/maintenance/disable
GET /admin/notes/{entityType}/{entityId}
POST /admin/exports/{type}
GET /admin/compliance/summary
GET /admin/admin-activity
GET /admin/announcements
Stage 9 Operations
GET /health/deep
GET /admin/observability/slow-requests
- CLI: php cli/worker.php --queue=default
- CLI: php cli/queue-listen.php --queue=webhooks
- CLI: php cli/retry-failed-jobs.php
- CLI: php cli/clear-stale-jobs.php
- CLI: php cli/recalculate-summaries.php --date=YYYY-MM-DD
Stage 10 Sandbox and QA
POST /admin/sandbox/wallets/{id}/credit
POST /admin/sandbox/wallets/{id}/debit
POST /admin/sandbox/wallets/{id}/reset
GET /admin/sandbox/provider-scenarios
POST /admin/sandbox/provider-scenarios
PUT /admin/sandbox/provider-scenarios/{id}
POST /admin/sandbox/provider-scenarios/{id}/activate
POST /admin/sandbox/provider-scenarios/{id}/deactivate
POST /sandbox/provider/payments/success
POST /sandbox/provider/payments/fail
POST /sandbox/provider/withdrawals/success
POST /sandbox/provider/withdrawals/fail
POST /sandbox/provider/webhooks/send
POST /sandbox/provider/webhooks/duplicate
POST /sandbox/provider/webhooks/invalid-signature
GET /admin/pilot/metrics
GET /admin/pilot/merchant-metrics/{merchantId}
- CLI: php cli/seed-sandbox.php
- CLI: php cli/reset-sandbox.php --force
- CLI: php cli/run-qa-suite.php
Stage 11 Developer Platform
POST /developers/register
GET /developers/me
PUT /developers/me
GET /developers/apps
POST /developers/apps
GET /developers/apps/{id}
POST /developers/apps/{id}/api-keys
GET /developers/apps/{id}/api-keys
GET /developers/apps/{id}/webhooks
POST /developers/apps/{id}/webhooks
POST /developers/apps/{id}/webhooks/{webhookId}/test
GET /developers/apps/{id}/usage
GET /developers/apps/{id}/usage/summary
GET /partners/merchants/verify/{merchantCode}
POST /partners/payments/preview
POST /partners/payments/initiate
GET /partners/payments/{id}
GET /partners/transactions
GET /admin/developers
POST /admin/developers/{id}/approve
GET /admin/developer-apps
POST /admin/developer-apps/{id}/approve-production
GET /admin/developer-rate-plans
Stage 12 Audit and Readiness CLI
- CLI: php cli/audit-log-validator.php
- CLI: php cli/ledger-integrity-check.php
- CLI: php cli/reconciliation-dry-run.php --date=YYYY-MM-DD
- Test: php tests/security/security-smoke-test.php