settlebolt

API and webhooks

Reference for SettleBolt dashboard APIs, public checkout APIs, webhook endpoints, signatures, and common integration patterns.

Basics

Production API base:

https://api.settlebolt.com

Send JSON with Content-Type: application/json. Write requests with JSON bodies are capped at 5 MiB, with smaller caps on support ticket and feedback routes.

Authentication

Dashboard APIs use the logged-in dashboard session token:

Authorization: Bearer <dashboard-session-token>

Only verified-email accounts can access the dashboard API. Mutating requests made through admin impersonation are rejected unless they are read-only.

API keys

Only accounts with an active paid Pro or Business billing period can create, revoke, or use API keys. Keys authenticate SettleBolt's dedicated, scoped server-to-server Agent API (/api/agent/*) — each key carries per-operation scopes and is not accepted on dashboard routes (it cannot manage wallets, billing, team, or account settings). Keys are shown once and should be treated like passwords; revoke a leaked key in Developers.

Agent API

The Agent API is the supported surface for AI agents and backend automations. It requires an active paid Pro or Business subscription, uses scoped API keys from Developers, and is limited to merchant operations that are safe to automate. Agent keys are not accepted on dashboard endpoints and cannot manage wallets, billing, team members, or account deletion.

Required header:

Authorization: Bearer sb_live_...
MethodPathScopePurpose
GET/api/agent/meany valid scopeReturn merchant and API-key details.
GET/api/agent/invoices, /api/agent/invoices/:idinvoices:readList or inspect invoices.
POST/api/agent/invoicesinvoices:createCreate a draft invoice with the same validation as the dashboard.
POST/api/agent/invoices/:id/sendinvoices:sendSend an existing draft invoice. No additional dashboard confirmation is required.
POST/api/agent/invoices/sendinvoices:create + invoices:sendCreate and send an invoice in one request. No additional dashboard confirmation is required.
GET/api/agent/payment-linkspayment_links:readList payment links.
POST/api/agent/payment-linkspayment_links:createCreate a payment link.
GET/api/agent/paymentspayments:readList recorded payments.
GET/api/agent/customerscustomers:readList manual customer records.
POST/api/agent/customerscustomers:writeCreate a customer record.
POST/api/agent/support/ticketssupport:createOpen a support ticket. Body: {"subject","message","category?","priority?"}.

Machine-readable OpenAPI:

https://settlebolt.com/openapi.json

WhatsApp Agent Channel

The WhatsApp channel lets a merchant pair a WhatsApp sender to a scoped SettleBolt agent. It uses the same paid Pro/Business, verified-email, plan-current, scope, wallet, and audit-log checks as the Agent API, but no API key is shown in WhatsApp.

Setup in Meta

Configure the Meta WhatsApp webhook URL as https://api.settlebolt.com/api/whatsapp/webhook. The Worker verifies X-Hub-Signature-256 with the Meta app secret before parsing inbound messages.

MethodPathAuthPurpose
GET/api/whatsapp/webhookMeta verify tokenMeta webhook verification challenge.
POST/api/whatsapp/webhookMeta signatureReceive inbound WhatsApp messages, dedupe by provider message ID, and route commands to the paired merchant.
GET/api/whatsapp/linksdashboard sessionList paired WhatsApp senders and show the Meta webhook URL.
POST/api/whatsapp/links/pairing-codedashboard sessionCreate a 10-minute pairing code with selected scopes.
DELETE/api/whatsapp/links/:iddashboard sessionRevoke a WhatsApp sender.

Supported WhatsApp commands include:

send invoice to FPSHEAVEN [email protected] for EUR 1200 due July 16 using USDC on Base
create payment link Website deposit for EUR 500 using USDC on Base
add customer FPSHEAVEN [email protected]
payments
customers
status

WhatsApp cannot manage wallets, billing, team members, account deletion, dashboard sessions, or other high-risk settings.

Public Checkout API

MethodPathPurpose
GET/api/checkout/:kind/:slugLoad payer-safe checkout data for payment links (kind=l) or invoices (kind=pay).
POST/api/checkout/:kind/:slug/quoteCreate or reuse a 15-minute live-priced quote for native assets (BTC, SOL, TRX). Stablecoins are matched at their fixed 1:1 amount and do not need a quote. (Native ETH is not currently enabled.)
GET/api/public/logo/:merchantId, /api/public/icon/:merchantIdLoad public merchant logo/icon assets used by checkout and previews.

Custom checkout domains may call only public checkout and public asset APIs. The public checkout response intentionally returns public RPC fallbacks only, never configured provider secrets.

Dashboard Endpoints

AreaPathsNotes
Auth/api/auth/*Signup, login, email verification, 2FA, sessions, password and account management.
Merchant/api/merchants/me, /api/merchants/me/walletsBusiness profile, wallets, wallet labels, primary wallets, payout changes.
Payment links/api/payment-links, /api/payment-links/:idCreate, list, edit, delete, and view payments for links.
Invoices/api/invoices, /api/invoices/:id/send, /api/invoices/:id/pdfCreate drafts, edit drafts, send, resend, cancel, and print invoices.
Customers/api/customers, /api/customers/:emailHash, /api/customers/export.csv, /api/customers/manual/:idList/create customers, detail pages, edit/delete manual customers, and CSV export on paid plans.
Payments/api/payments, /api/payments/:id, /api/payments/exportPayment ledger, filters, payment detail, and CSV export.
Branding/api/branding, /api/branding/domainBrand colors, PNG logo/icon, support email, and Pro/Business custom domains.
Billing/api/billing/overview, /api/billing/change-plan, /api/billing/cancelStripe checkout, cancellation, receipts, portal sessions, and webhook sync.
Developers/api/keys, /api/webhooks/*, /api/whatsapp/*API key management, webhook endpoints, delivery event log, redelivery, and WhatsApp agent pairing.
Support/api/support/tickets, /api/support/tickets/:id/messages, /api/support/feedbackCreate tickets, list tickets, view a ticket thread, reply to a ticket, and submit feedback.
Team/api/team, /api/team/invites, /api/team/members/:idList members, invite by email, resend invites, change roles, remove members, transfer ownership (owner/admin; Pro/Business seats).
Analytics/api/analytics/summary, /api/analytics/breakdown, /api/analytics/exportRevenue and payment analytics with CSV export (advanced analytics is a Pro/Business feature).

Examples

Create and send an invoice with an agent key:

curl -X POST "$API/api/agent/invoices/send" \
  -H "Authorization: Bearer $SETTLEBOLT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "customerName": "FPSHEAVEN",
    "customerEmail": "[email protected]",
    "invoiceNumber": "INV-0008",
    "amount": 120000,
    "currency": "EUR",
    "token": "USDC",
    "chain": "base",
    "dueDate": "2026-07-16",
    "lineItems": [
      { "description": "Brand and website design", "qty": 1, "unitPrice": 90000 },
      { "description": "Hosting setup", "qty": 1, "unitPrice": 30000 }
    ]
  }'

Create a payment link:

curl -X POST "$API/api/payment-links" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Website design",
    "description": "Deposit",
    "amount": 120000,
    "currency": "EUR",
    "token": "USDC",
    "chain": "base"
  }'

Create a draft invoice:

curl -X POST "$API/api/invoices" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "customerName": "FPSHEAVEN",
    "customerEmail": "[email protected]",
    "invoiceNumber": "INV-0008",
    "amount": 120000,
    "currency": "EUR",
    "token": "USDC",
    "chain": "base",
    "dueDate": "2026-07-16",
    "lineItems": [
      { "description": "Brand and website design", "qty": 1, "unitPrice": 90000 },
      { "description": "Hosting setup", "qty": 1, "unitPrice": 30000 }
    ]
  }'

List payments with filters:

curl "$API/api/payments?status=confirmed,overpaid&chain=base&source=invoices" \
  -H "Authorization: Bearer $TOKEN"

Webhooks

Webhook management is available only during an active paid Pro or Business billing period.

Payment webhooks are live

A signed payment.confirmed POST is sent to each active endpoint when a payment is recorded on-chain, retried with backoff (up to 6 attempts), and logged. The headers, signature base string, verifier, and body below are exact.

MethodPathPurpose
GET/api/webhooks/endpointsList webhook endpoints.
POST/api/webhooks/endpointsAdd an HTTPS endpoint. Body: {"url":"https://..."}. The signing secret is returned once.
DELETE/api/webhooks/endpoints/:idDisable an endpoint.
GET/api/webhooks/eventsList recent delivery events.
GET/api/webhooks/events/:idFetch a single delivery event.
POST/api/webhooks/events/:id/redeliverRedeliver a pending or failed event.

Event headers:

X-SettleBolt-Event: payment.confirmed
X-SettleBolt-Event-Id: <event-id>
X-SettleBolt-Timestamp: 1783100000
X-SettleBolt-Signature: t=1783100000,v1=<hmac>

Signature base string:

<timestamp>.<event_id>.<raw_json_body>

Node verification shape:

import crypto from "node:crypto";

function verifySettleBoltWebhook(rawBody, headers, secret) {
  const eventId = headers["x-settlebolt-event-id"];
  const timestamp = headers["x-settlebolt-timestamp"];
  const sig = headers["x-settlebolt-signature"];
  const expected = crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${eventId}.${rawBody}`)
    .digest("hex");
  return sig && sig.includes(`v1=${expected}`);
}

Request body:

{
  "type": "payment.confirmed",
  "created_at": "2026-07-03T12:00:00.000Z",
  "data": {
    "payment_id": "…",
    "merchant_id": "…",
    "status": "confirmed",        // confirmed | underpaid | overpaid
    "chain": "base",
    "token": "USDC",
    "amount": "1200000000",       // raw on-chain units, as a string
    "amount_eur_cents": 120000,   // null for unmatched priced-native (BTC/SOL/TRX)
    "tx_hash": "0x…",
    "invoice_id": null,
    "payment_link_id": "…",
    "payer_address": "0x…",
    "merchant_address": "0x…"
  }
}

Security Notes

  • Webhook endpoints must be public HTTPS URLs on port 443.
  • Private, loopback, link-local, CGNAT, metadata, credentialed, IPv6 literal, and redirect-following webhook targets are rejected.
  • Webhook delivery fetches use manual redirects and an 8 second timeout.
  • Webhook secrets are encrypted at rest and the raw secret is only shown once.
  • Payment recording validates chain, token, recipient wallet, and idempotency before crediting.
  • Do not put dashboard session tokens, API keys, or webhook secrets in browser code.

Errors

Most errors return JSON with an error string and an appropriate HTTP status.

{ "error": "Unsupported chain or token" }
StatusMeaning
400Invalid JSON, invalid field, unsupported token/chain, invalid URL, or invalid signature payload.
401Missing or expired authentication.
403Plan gate, role gate, unverified email, payout freeze, or forbidden internal secret.
404Resource not found or checkout target unavailable.
409Duplicate invoice number, duplicate customer, duplicate wallet, or conflicting custom domain.
413Request body too large.
429Rate limit reached.
503Required provider secret or service is not configured.