BridgPay Docs

BridgPay Merchant API

HMAC-SHA256 authenticated payout APIs. Public routes use /v1; HMAC v2 is a signing mode, not a /v2 URL.

BridgPay's merchant APIs use HMAC-SHA256 authentication to ensure request authenticity, payload integrity, replay-attack prevention, and response integrity.

API path vs signing version

All public merchant API endpoints currently use /v1/... paths.

v1 in the URL is the API path version. HMAC v1 and HMAC v2 are request signing versions used on those /v1/... paths.

There are no /v2/... merchant endpoints. For example, a list request should call:

GET /v1/payouts?limit=50&offset=0

and, because it has query parameters, it should be signed with HMAC v2 headers including x-bridg-sig-version: 2.

Endpoints and portals

EnvironmentMerchant portalAPI base URL
Productionhttps://merchant.bridg.moneyhttps://api.bridg.money
Testing/UAThttps://merchant-beta.bridg.moneyhttps://api-beta.bridg.money

Public API surface

MethodPathPurpose
POST/v1/beneficiariesCreate a beneficiary
GET/v1/beneficiariesList/search beneficiaries
PATCH/v1/beneficiaries/:beneficiaryIdUpdate a beneficiary
POST/v1/beneficiaries/:beneficiaryId/reactivateReactivate an archived beneficiary
DELETE/v1/beneficiaries/:beneficiaryIdArchive a beneficiary
GET/v1/walletCheck payout-usable wallet balance
GET/v1/wallet/transactionsList wallet movements
POST/v1/payoutsInitiate a payout
GET/v1/payoutsList payouts
GET/v1/payouts/:payoutTransactionIdFetch a payout's current state
GET/v1/payouts/:payoutTransactionId/status-eventsFetch the payout status timeline

List/search endpoints use query parameters and should be signed with HMAC v2. The URL still remains /v1/...; only the signing headers change. See API Keys and IP Whitelist.

Quick start

  1. Complete merchant onboarding and ensure API access is enabled.
  2. Generate an API key + signing key under Settings -> API Keys in the merchant portal. The signing key is shown once — store it in your secret manager immediately.
  3. Configure production source IPs under Settings -> IP Whitelist.
  4. Compute the HMAC signature over the canonical request string for every call. Use HMAC v2 for new integrations and for every request with query parameters. See Generate Signature.
  5. Send the required auth headers on every signed request: x-api-key, x-timestamp, x-signature. See Authentication Headers. For v2, also send x-bridg-sig-version: 2 and x-nonce.
  6. Check payout-usable wallet balance with GET /v1/wallet when your system needs a real-time balance check before creating payouts.
  7. Receive payout status updates via webhook. See Webhooks.

Everything else - KYC, wallet operations, API keys, webhooks, IP whitelist, and merchant settings - happens inside the merchant portal.

On this page