Gateway API
Hosted checkout sessions, REST, and signed webhooks.
Reference
Gateway API
POST /api/v1/merchant/checkout-session creates a session; redirect the buyer to checkout_url. We POST a signed webhook to your notify_url when paid.
API base URL
https://gatenoc.com
Prefix all paths below with this origin (Self and App merchants use the same Gateway API when your deployment uses one public API host).
Legacy: merchants created on App may also call https://app.gatenoc.com with the same paths—prefer https://gatenoc.com unless your operator documents otherwise.
1 · Session
POST …/checkout-session
2 · Pay
Open checkout_url
3 · Verify
Webhook HMAC or GET …/payments/{id}
Credentials
Dashboard → Merchants → Integration: payment API key (outbound auth) and webhook secret (verify inbound POSTs). Numeric merchant id is optional if you only send the key.
Payment API key
Authorization: Bearer … or X-Merchant-Key. Server-side only.
Webhook secret
Not sent on your API requests. Used to verify notify_url signatures.
Authentication
Authorization: Bearer YOUR_PAYMENT_API_KEY Content-Type: application/json Accept: application/json
Optional merchant / X-Merchant-Id / JSON merchant_id must match the merchant that owns the key when provided.
Create checkout session
amount (USD; settled as USDT 1:1). note — your reference. notify_url — webhook URL.
POST https://gatenoc.com/api/v1/merchant/checkout-session
Authorization: Bearer YOUR_PAYMENT_API_KEY
Content-Type: application/json
{
"amount": 10.50,
"note": "order_123",
"notify_url": "https://yoursite.com/webhooks/paid",
"success_url": "https://yoursite.com/thanks",
"return_url": "https://yoursite.com/deposit"
}
- Optional
Idempotency-Key— same value within 24h replays the stored response. usernamealias fornote.- Optional JSON
merchant/merchant_idmust match your merchant when sent. - Response:
checkout_url,invoice_url(same URL),merchant_id,amount,currency(USD),expires_at, optionalnote.
Webhooks
We POST JSON to notify_url. Verify with your webhook secret (not the API key).
- Content-Type
application/json- User-Agent
BybitPayGateway/1.1- X-Gateway-Merchant-Key
- Your payment API key (informational; verify with signature)
- X-Gateway-Timestamp
- Unix seconds (string)
- X-Gateway-Signature
t=<ts>,v1=<hex>— present only when a webhook secret is configured
When present: HMAC-SHA256 hex of <timestamp> + "." + raw_body using your webhook secret; <timestamp> must match X-Gateway-Timestamp. Compare v1 with constant-time equality.
{
"event": "payment.completed",
"status": "completed",
"merchant_id": 1,
"amount": "10.50",
"total_amount": "10.50",
"currency": "USD",
"reference": "…",
"merchant_trade_no": "550e8400-e29b-41d4-a716-446655440000",
"note": "order_123",
"payment_record_id": 42,
"paid_at": "2026-03-24T12:00:00+00:00"
}
Use reference as the gateway transaction id; merchant_trade_no is your invoice/session correlation id.
Other endpoints
Same authentication as above. About 300 requests per minute per merchant (sliding window).
- GEThttps://gatenoc.com/api/v1/merchant/payments/{id}
- GEThttps://gatenoc.com/api/v1/merchant/payments — query:
status,from,to(dates),per_page(1–100, default 50) - GEThttps://gatenoc.com/api/v1/merchant/balance — JSON:
received_total,refunded_total,available_ledger,currency,note - POSThttps://gatenoc.com/api/v1/merchant/payments/{id}/refund — JSON: required
amount, optionalreason;201withrefund_id,status(pending) when accepted
Payment object
{
"id": 42,
"status": "completed",
"amount": "10.50",
"currency": "USD",
"note": "order_123",
"merchant_trade_no": "550e8400-e29b-41d4-a716-446655440000",
"reference": "1293e171-2094-4e2f-aacb-9c0dc900beab",
"memo": "…",
"paid_at": "2026-03-24T12:00:00+00:00",
"created_at": "2026-03-24T11:55:00+00:00"
}
HTTP errors
| Code | Meaning |
|---|---|
| 201 | Refund request accepted (POST …/refund) |
| 401 | Invalid key, mismatched optional merchant id, or inactive / pending merchant |
| 404 | Payment not found |
| 422 | Validation error (body fields, notify URLs, amount minimums, refund rules, etc.) |
| 429 | Rate limited — see Retry-After header |