API List (merchant-api)
All interface paths use the/open-api prefix.
Except for Get Token, all other interfaces require the headers: Api-Key, Timestamp, Access-Token.
1. Common Interfaces (Both Credit & Authorization Modes)
Interfaces supported by both credit extension and authorization modes.| Module | Method | Path | Description |
|---|---|---|---|
| Authentication | GET | /open-api/v1/merchant/token | Get Access-Token (only requires Api-Key; no Access-Token needed) |
| Cardholder | POST | /open-api/v1/cardholder/apply | Cardholder authentication application |
| Cardholder | POST | /open-api/v1/cardholder/list | Cardholder list |
| Cardholder | GET | /open-api/v1/cardholder//info | Cardholder details |
| Card | POST | /open-api/v1/card/apply | Apply for card (pass package_no for credit, card_bin_no for auth) |
| Card | POST | /open-api/v1/card/list | Card list |
| Card | GET | /open-api/v1/card//detail | Card details |
| Card | GET | /open-api/v1/card//private/info | Card privacy JSON (data is an AES-encrypted string) |
| Card | POST | /open-api/v1/card/active | Physical card activation (cvv must be AES-encrypted) |
| Card | POST | /open-api/v1/card/status/update | Update card status (Frozen / Activated / Delete) |
| Card | POST | /open-api/v1/card/pin/set | Set physical card PIN (pin must be AES-encrypted) |
| Consumption | GET | /open-api/v1/card/consume//info | Consumption details |
| Consumption | POST | /open-api/v1/card/consume/list | Consumption list |
| PCI | GET | /open-api/v1/merchant/client//token | Issue PCI Client Access Token (called when integrating iframe) |
2. Credit Extension Mode Interfaces (CREDIT_EXTENSION)
Only merchants with credit extension integration mode can call these.| Module | Method | Path | Description |
|---|---|---|---|
| Account | POST | /open-api/v1/account/transfer | Cardholder fund transfer (fixed to TUSDT) |
| Account | GET | /open-api/v1/account//info | Cardholder account list |
| Account | POST | /open-api/v1/account/transfer/list | Account transfer flow list |
| Card | POST | /open-api/v1/card/package/list | Card package list |
3. Authorization Mode Interfaces (AUTHORIZATION)
Only merchants with authorization integration mode can call these.| Module | Method | Path | Description |
|---|---|---|---|
| Card | POST | /open-api/v1/card/support/bins | Supported card BIN list |
4. Transaction Simulation Interfaces (Webhook Testing)
Integration/testing interfaces. After querying and assembling data, simulate Webhook callbacks to the business system. Do not use the standardApi-Key / Access-Token authentication headers for these interfaces.
Path prefix:
- Sandbox:
https://sandbox-openplatform.keysecure.io/open-api/v1/simulate
| Module | Method | Path | Description |
|---|---|---|---|
| Simulation | POST | /auth | Simulate authorization |
| Simulation | POST | /consumption_clear | Simulate consumption clearance success |
| Simulation | POST | /consumption_fail | Simulate consumption failure |
| Simulation | POST | /reversal | Simulate reversal/cancellation |
| Simulation | POST | /refund | Simulate refund |
Quick Navigation
By Business Flow
Cardholder Flow:- Get Token →
GET /merchant/token - Cardholder authentication application →
POST /cardholder/apply - Query cardholder →
POST /cardholder/listorGET /cardholder/{cardholder_no}/info
- Get card packages/BINs →
POST /card/package/listorPOST /card/support/bins - Apply for card →
POST /card/apply - Query card list →
POST /card/listor get card details →GET /card/{card_no}/detail - Activate physical card →
POST /card/active(physical cards only) - Set PIN →
POST /card/pin/set(physical cards, optional)
- Query consumption details →
GET /consume/{consume_no}/info - Query consumption list →
POST /consume/list
- Query account info →
GET /account/{cardholder_no}/info - Execute transfer →
POST /account/transfer - Query transfer flow →
POST /account/transfer/list
By HTTP Method
GET Methods:/merchant/token— Get Token/cardholder/{cardholder_no}/info— Cardholder details/card/{card_no}/detail— Card details/card/{card_no}/private/info— Card privacy info (PCI)/consume/{consume_no}/info— Consumption details/account/{cardholder_no}/info— Account info/merchant/client/{card_no}/token— PCI Client Token
/cardholder/apply— Cardholder application/cardholder/list— Cardholder list/card/apply— Card application/card/list— Card list/card/active— Card activation/card/status/update— Update card status/card/pin/set— Set PIN/card/package/list— Card packages (credit)/card/support/bins— Supported BINs (auth)/consume/list— Consumption list/account/transfer— Transfer (credit)/account/transfer/list— Transfer flow (credit)/merchant/pci/card/detail— PCI card sensitive info
Permissions & Prerequisites
Authentication Requirements
| Interface | Requires Api-Key | Requires Access-Token | Notes |
|---|---|---|---|
| Get Token | ✓ | ✗ | Only requires Api-Key + Timestamp |
| Other interfaces | ✓ | ✓ | Requires full authentication |
Prerequisites
Before Card Application:- The cardholder must exist and have passed KYC authentication (status: Approved)
- Otherwise returns 2002 (cardholder not found) or 2005 (authentication failed)
- Requires merchant to have PCI enabled
- Not enabled returns 1013
- Card status must be Activated
- Card status must be ToActivate
- CVV must be AES-encrypted before being passed
- Physical cards only
- Card status must be Activated
- PIN must be AES-encrypted before being passed
Error Handling
All error responses follow a unified format:| Code | Meaning | Common Cause |
|---|---|---|
| 1003 | IP address incorrect | Request IP not in whitelist |
| 1005 | Timestamp expired | Timestamp deviation from server exceeds 60 seconds |
| 1007 | Access-Token expired | Token has expired or is invalid |
| 2002 | Cardholder does not exist | Cardholder not found |
| 4005 | Current card status does not allow this operation | Card status unsupported for this operation |
