Unfortunately, this feature is not supported on mobile devices. For the best experience, please use a computer.

All APIs (latest)

Introduction

The Rebilly API is built on HTTP and is RESTful. It has predictable resource URLs and returns HTTP response codes to indicate errors. It also accepts and returns JSON in the HTTP body. Use your favorite HTTP/REST library in your programming language when using this API, or use one of the Rebilly SDKs, which are available in PHP and JavaScript.

Every action in the Rebilly UI is supported by an API which is documented and available for use, so that you may automate any necessary workflows or processes. This API reference documentation contains the most commonly integrated resources.

Authentication

This topic describes the different forms of authentication that are available in the Rebilly API, and how to use them.

Rebilly offers four forms of authentication: secret key, publishable key, JSON Web Tokens, and public signature key.

  • Secret API key: Use to make requests from the server side. Never share these keys. Keep them guarded and secure.
  • Publishable API key: Use in your client-side code to tokenize payment information.
  • JWT: Use to make short-life tokens that expire after a set period of time.

Manage API keys

To create or manage API keys, select one of the following:

For more information on API keys, see API keys.

Errors

Rebilly follows the error response format proposed in RFC 9457, which is also known as Problem Details for HTTP APIs. As with any API responses, your client must be prepared to gracefully handle additional members of the response.

SDKs

Rebilly provides a JavaScript SDK and a PHP SDK to help interact with the Rebilly API. However, no SDK is required to use the API.

Rebilly also provides FramePay, a client-side iFrame-based solution, to help create payment tokens while minimizing PCI DSS compliance burdens and maximizing your customization ability. FramePay interacts with the payment tokens creation operation.

JavaScript SDK

For installation and usage instructions, see SDKs. All JavaScript SDK code examples are included in the API reference documentation.

PHP SDK

For installation and usage instructions, see SDKs. All SDK code examples are included in the API reference documentation. To use them, you must configure the $client as follows:

$client = new Rebilly\Client([
    'apiKey' => 'YourApiKeyHere',
    'baseUrl' => 'https://api.rebilly.com',
]);

Get started

The full Rebilly API has over 500 operations. This is likely more than you may need to implement your use cases. If you would like to implement a particular use case, contact Rebilly for guidance and feedback on the best API operations to use for the task.

To integrate Rebilly, and learn about related resources and concepts, see Get started.

Rate limits

Rebilly enforces rate limits on the API to ensure that no single organization consumes too many resources. Rate limits are applied to the organization, and not to the API key. In sandbox environment, rate limits are enforced for non-GET endpoints and are set at 3000 requests per 10 minutes. You can find the exact number of consumed requests in the X-RateLimit-Limit and X-RateLimit-Remaining headers in the response. If the rate limit is exceeded, the API returns a 429 Too Many Requests response and a X-RateLimit-Retry-After header that includes a UTC timestamp of when the rate limit resets.

Download OpenAPI description
Languages
Servers
Mock server
https://www.rebilly.com/_mock/catalog/all/
Sandbox server
https://api-sandbox.rebilly.com/organizations/{organizationId}/
Live server
https://api.rebilly.com/organizations/{organizationId}/

Allowlists

Use allowlists to exclude specific customer attribute data from risk score checks.

Allowlists are lists of data that are excluded from risk score checks. Allowlists prevent specific data from being added to a blocklist record when a risk score threshold reached.

Operations

AML

Use Anti-Money Laundering (AML) operations to screen customers and help prevent your business from becoming directly or indirectly involved in criminal activity.

Use AML operations during customer creation, and some transaction processing, to help determine if a potential customer (lead), or customer, has political or economic sanctions against them.

AML operations search the following for screening purposes: Politically Exposed Persons (PEPs) lists, sanction lists, and adverse media lists.

OperationsWebhooks

API keys

Use API keys to identify and authenticate applications and users. Always keep your API keys private. When creating API keys, you can restrict them to a given set of permissions. For information on how to create and manage API keys, see API keys.

Operations

Application owners

Use these operations to register applications to the Rebilly Apps Store and manage application instances. An application owner is a person or organization that has submitted an app to the Rebilly App Store. For more information, see Submit an app.

OperationsWebhooks

Application users

Use these operations to install or uninstall apps from the Rebilly App Store to your Rebilly account, and to manage application instances. An application user is a person or organization that uses an app that is installed from the Rebilly App Store. For more information, see Install or uninstall an app.

Operations

Balance transactions

Use these operations to view and manage balance transactions.

Important: These operations are experimental and may change.

OperationsWebhooks

Billing portals

Use these operations to create and manage billing portals. Rebilly hosted billing portals provide secure, Rebilly hosted pages, where customers can: view invoices, cancel subscriptions, update payment instruments, and update their address.

Operations

Blocklists

Use blocklists to prevent fraud and criminal activity.

Blocklists are lists of customer attribute values that are blocked from buying from you. For example, if a customer attempts to make a purchase from you with a credit card that is in a blocklist, the transaction is blocked and is not processed.

Before a new transaction is processed in Rebilly, blocklists are examined to check for attributes related to the entity. If a match is detected, the operation is aborted. A blocklist that expires after a period of time is called a greylist.

Operations

Broadcast messages

Use broadcast messages to notify customers and leads about upcoming promotions, service updates, and events. Broadcast messages are emails that are sent to a specific group of customers, or all customers. For more information, see Create a broadcast message.

Operations

Checkout forms

Use these operations to create and manage checkout forms. Rebilly hosted checkout forms provide secure and compliant checkouts. Checkout forms are customizable, and use fully responsive design, built-in error messaging, validation, and expedited checkout for returning customers.

Operations

Coupons

Use coupons to reward customers, generate sales, or to test new pricing strategies. Coupons enable you to apply different types of discounts to invoices, subscriptions, and pricing plans.

Redeemed coupons are attached to a customer's account. Depending on the coupon restrictions, the redeemed coupons are then applied from the customer's account to subsequent invoices or subscriptions. Redeemed coupons can only be applied to invoices of the same currency.

Once a coupon is redeemed it cannot be modified. You may deactivate a coupon or create a new coupon, but you cannot reuse the same coupon code. If you have a use case where you must reuse the same code, contact Rebilly.

Operations

Credit memos

Use credit memos to provide a customer with store credit. A common use case for using a credit memo is to provide a customer with store credit, rather than a refund, if the customer pays more than they owe or returns a product. For information on the credit memo resource, see Resources.

OperationsWebhooks

Credit memos timeline

Use credit memo timelines to maintain an audit trail of changes and activity for each credit memo. Credit memos are a means of providing a customer with store credit.

Operations

Custom domains

Use custom domains to configure and use your own domain for forms and billing portals, instead of the default Rebilly domain: portal.secure-payments.app. For more information, see Configure a custom domain.

Operations

Custom fields

Use custom fields to extend a resource scheme to include custom data that is not provided as a common field. Depending on the resource on which the custom field is added, it may be available in the Rebilly UI.

Example: A custom field called preferredCommunicationChannel is added to the customer resource. It has two allowed values, which are 'email' and 'phone'.

{
  "customFields": {
      "preferredCommunicationChannel": "email"
  }
}

For detailed information on Rebilly resources, see Resources.

Operations

Customer authentication

Use these operations to validate the identity of users and manage authentication credentials.

Operations

Customers

Use these operations to manage customers. A customer is an entity that purchases goods or services from you (a merchant), and is the payee in any transaction that is credited to you. Customers are associated with payment instruments, subscriptions, invoices, and other related resources.

In other systems, customers may be referred to as accounts, clients, members, patrons, or players. For information on the customer resource, see Resources.

Operations

Customers timeline

Use customer timelines to maintain an audit trail of changes and activity for each customer.

Operations

Data exports

Use data export operations to manage the export of resource data, such as: transactions, customers, subscriptions, invoices, invoice item data, or revenue audit. Common data export use cases are: accounting, data analysis, reporting, or importing into other databases.

For detailed information on Rebilly resources, see Resources.

For information on how manage reconciliation, see Transaction reconciliation.

OperationsWebhooks

Deposits

Create and manage deposit requests and manage strategies that determine the deposit amounts to display on the page. Rebilly hosted deposit form provides a secure and compliant way to deposit funds. Deposit forms are customizable, and use fully responsive design, built-in error messaging and validation.

Important: These operations are experimental and may change.

Operations

Create a deposit requestExperimental

Request

Creates a deposit request. To complete the deposit, the customer is redirected to the deposit link. After the deposit, the customer is redirected to the redirectUrl. Corresponding transaction webhooks are sent to webhooks subscribers.

Bodyapplication/jsonrequired

Deposit request resource.

websiteIdstring<= 50 charactersrequired

Website ID of the deposit. This value specifies the website with which the deposit is associated.

Example:

"web_0YV7DE4Z26DQSA1AC92FBJ7SEG"

customerIdstring(CustomerId)<= 50 charactersrequired

ID of the customer resource.

strategyIdstring or null<= 50 characters

ID of a strategy to be applied for this request for amounts and customAmount. If this field is not specified, a randomly selected strategy with a matching filter value is applied for empty amounts and customAmount. If there is no matching strategy, the default strategy with the following parameters is applied for empty amounts and customAmount:

  amounts:
    calculator: absolute
    baseAmount: 10
    increments: [10, 20]
    adjustBaseToLastDeposit: true
  customAmount:
    minimum: 1
    multipleOf: 1
    maximum: 10000

For more information, see Create a deposit strategy.

Example:

"dep_str_0YVJ64MAHTDPA97H8S7R5MYR1M"

currencystring(CurrencyCode)= 3 charactersrequired

Currency code in ISO 4217 format.

amountsArray of numbers or null(double)

List of available deposit amounts.

If amounts is not specified when a deposit request is created, amounts are determined from the chosen strategy. For more information, see the strategyId property.

amountLimitsobject or nullnon-empty

Deposit amount limit information. Set optional minimum and maximum deposit amounts. Limits override amounts and customAmount values. If this value is null, deposit amount limits are not set.

customAmountobject or null

Custom amount restrictions. If this value is null, custom amounts are prohibited. If customAmount is not specified when a deposit request is created, amount restrictions are determined from the chosen strategy. For more information, see the strategyId property.

redirectUrlstring or null(uri)

URL to redirect the customer to when a deposit is completed. The default value is the website URL.

expirationTimestring or null(date-time)

Date and time at which the deposit request expires. The default expiration time is one hour after the time the request is created.

customPropertySetIdstring or null<= 50 characters

ID of a custom property set to apply to the request propertiesSchema.

Example:

"4f6cf35x-2c4y-483z-a0a9-158621f77a21"

notificationUrlstring or null(uri)

URL where a server-to-server POST notification is sent. This notification is sent when the transaction result is finalized after a timeout or an offsite interaction.

Do not interpret this notification as a confirmation, complete a GET request to confirm the result of the transaction. To ensure the request is not reattempted, when the result is confirmed, respond with a 2xx HTTP status code.

The following placeholders are available to use in this URI: {id} and {result}. These placeholders are replaced the with the transaction ID and result accordingly.

curl -i -X POST \
  https://www.rebilly.com/_mock/catalog/all/deposit-requests \
  -H 'Content-Type: application/json' \
  -H 'REB-APIKEY: YOUR_API_KEY_HERE' \
  -d '{
    "websiteId": "web_0YV7DE4Z26DQSA1AC92FBJ7SEG",
    "customerId": "cus_0YV7DDSDD1C8DA64KHH2W33CPF",
    "strategyId": "dep_str_0YVJ64MAHTDPA97H8S7R5MYR1M",
    "currency": "USD",
    "amounts": [
      0.01
    ],
    "amountLimits": {
      "minimum": 0,
      "maximum": 0
    },
    "customAmount": {
      "minimum": 0.01,
      "multipleOf": 0.01,
      "maximum": 0.01
    },
    "redirectUrl": "http://example.com",
    "expirationTime": "2019-08-24T14:15:22Z",
    "customPropertySetId": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
    "notificationUrl": "http://example.com"
  }'
Experience it firsthand in the API Explorer!

Responses

Deposit request created.

Headers
Locationstring(uri)

Location of the related resource.

Example:

"https://api.rebilly.com/example"

X-RateLimit-Limitinteger

Total number of rate limit tokens for this request within a rate limit period. For more information, see Rate limits.

Example:

3600

X-RateLimit-Remaininginteger

Remaining number of rate limit tokens for this request within the rate limit period. For example, in the sandbox environment, rate limits for non-GET endpoints are set at 3000 requests per 10 minutes.

Example:

3600

Bodyapplication/json
idstring<= 50 charactersread-only

ID of the deposit request.

Example:

"dep_req_0YVJ65BSGYC3EAT58SEX8KY6J7"

websiteIdstring<= 50 charactersrequired

Website ID of the deposit. This value specifies the website with which the deposit is associated.

Example:

"web_0YV7DE4Z26DQSA1AC92FBJ7SEG"

customerIdstring(CustomerId)<= 50 charactersrequired

ID of the customer resource.

transactionIdsArray of strings

List of transaction IDs that are associated with the deposit request. This list includes transactions that are created from the deposit request. There is a maximum of one approved transaction in the list.

statusstringread-only

Status of the request.

Enum ValueDescription
created

Request is created, but it has not been visited by a customer. This is a temporary state.

pending

Request has been visited by a customer, but no funds have been deposited yet. This is a temporary state.

initiated

A funds deposit transaction has been initiated. This is a temporary state.

attempted

A funds deposit transaction was attempted and declined. This is a temporary state.

completed

A funds deposit transaction has been approved and completed. This is a permanent state.

expired

Request expired without an approved deposit transaction. This is a permanent state.

currencystring(CurrencyCode)= 3 charactersrequired

Currency code in ISO 4217 format.

amountsArray of numbers(double)

List of available deposit amounts.

If amounts is not specified when a deposit is created, amounts are determined from the chosen strategy. For more information, see the strategyId property.

customAmountobject or null

Custom amount restrictions. If this value is null, custom amounts are prohibited. If customAmount is not specified when a deposit request is created, amount restrictions are determined from the chosen strategy. For more information, see the strategyId property.

redirectUrlstring(uri)

URL to redirect the customer to when a deposit is completed. The default value is the website URL.

expirationTimestring(date-time)

Date and time at which the deposit request expires. The default expiration time is one hour from the time the request is created.

propertiesSchemaobject or nullread-only

Defines properties the user can complete when they use the hosted deposit form. This field accepts JSON-schema drafts 4, 6, and 7.

Example:

{"type":"object","properties":{"email":{"type":"string"},"max":{"type":"integer","minimum":0,"exclusiveMaximum":100}},"required":["email"]}

propertiesobject or nullread-only

Properties that are available for the user to complete when they use the hosted deposit form. Use this object to describe fields that are rendered and completed on the hosted deposit form.

Example:

{"email":"email@example.com","max":"33"}

notificationUrlstring or null(uri)

URL where a server-to-server POST notification is sent. This notification is sent when the transaction result is finalized after a timeout or an offsite interaction.

Do not interpret this notification as a confirmation, complete a GET request to confirm the result of the transaction. To ensure the request is not reattempted, when the result is confirmed, respond with a 2xx HTTP status code.

The following placeholders are available to use in this URI: {id} and {result}. These placeholders are replaced the with the transaction ID and result accordingly.

customFieldsobject(ResourceCustomFields)

Use custom fields to extend a resource scheme to include custom data that is not provided as a common field. For more information, see Custom fields.

createdTimestring(date-time)(CreatedTime)read-only

Date and time which is set automatically when the resource is created.

updatedTimestring(date-time)(UpdatedTime)read-only

Date and time which updates automatically when the resource is updated.

_linksArray of objectsread-only

Related links.

_embeddedobjectread-only

Embedded objects that are requested by the expand query parameter.

transactionIdstring or null<= 50 charactersDeprecatedread-only

ID of the transaction that is used in the deposit request.

Example:

"txn_0YVDTQJ8YWDGQACV2N2N5SPWQ0"

Response
application/json
{ "id": "dep_req_0YVJ65BSGYC3EAT58SEX8KY6J7", "websiteId": "web_0YV7DE4Z26DQSA1AC92FBJ7SEG", "customerId": "cus_0YV7DDSDD1C8DA64KHH2W33CPF", "transactionId": "txn_0YVDTQJ8YWDGQACV2N2N5SPWQ0", "transactionIds": [ "string" ], "status": "created", "currency": "USD", "amounts": [ 0.01 ], "customAmount": { "minimum": 0.01, "multipleOf": 0.01, "maximum": 0.01 }, "redirectUrl": "http://example.com", "expirationTime": "2019-08-24T14:15:22Z", "propertiesSchema": { "type": "object", "properties": {}, "required": [] }, "properties": { "email": "email@example.com", "max": "33" }, "notificationUrl": "http://example.com", "customFields": { "foo": "bar" }, "createdTime": "2019-08-24T14:15:22Z", "updatedTime": "2019-08-24T14:15:22Z", "_links": [ {} ], "_embedded": { "customer": {}, "website": {}, "transactions": [] } }

Retrieve deposit requestsExperimental

Request

Retrieves a list of deposit requests.

Query
limitinteger[ 0 .. 1000 ]

Limits the number of collection items to be returned.

offsetinteger[ 0 .. 1000 ]

Specifies the starting point within the collection of items to be returned.

filterstring

Filters the collection items. This field requires a special format. Use , for multiple allowed values. Use ; for multiple fields.

For more information, see Using filter with collections.

sortArray of strings

Sorts and orders the collection of items. To sort in descending order, prefix with -. Multiple fields can be sorted by separating each with ,.

curl -i -X GET \
  'https://www.rebilly.com/_mock/catalog/all/deposit-requests?filter=string&limit=1000&offset=1000&sort=string' \
  -H 'REB-APIKEY: YOUR_API_KEY_HERE'
Experience it firsthand in the API Explorer!

Responses

List of deposit requests retrieved.

Headers
Pagination-Totalinteger

Total number of items.

Example:

332

Pagination-Limitinteger

Maximum number of items per page.

Example:

100

Pagination-Offsetinteger

Specifies the starting point within the collection of resource results. For example, a request with limit=20 retrieves and displays the first 20 results on a page. A following request with limit=20 and offset=20, retrieves the next page of 20 results.

Example:

2

Bodyapplication/jsonArray [
idstring<= 50 charactersread-only

ID of the deposit request.

Example:

"dep_req_0YVJ65BSGYC3EAT58SEX8KY6J7"

websiteIdstring<= 50 charactersrequired

Website ID of the deposit. This value specifies the website with which the deposit is associated.

Example:

"web_0YV7DE4Z26DQSA1AC92FBJ7SEG"

customerIdstring(CustomerId)<= 50 charactersrequired

ID of the customer resource.

transactionIdsArray of strings

List of transaction IDs that are associated with the deposit request. This list includes transactions that are created from the deposit request. There is a maximum of one approved transaction in the list.

statusstringread-only

Status of the request.

Enum ValueDescription
created

Request is created, but it has not been visited by a customer. This is a temporary state.

pending

Request has been visited by a customer, but no funds have been deposited yet. This is a temporary state.

initiated

A funds deposit transaction has been initiated. This is a temporary state.

attempted

A funds deposit transaction was attempted and declined. This is a temporary state.

completed

A funds deposit transaction has been approved and completed. This is a permanent state.

expired

Request expired without an approved deposit transaction. This is a permanent state.

currencystring(CurrencyCode)= 3 charactersrequired

Currency code in ISO 4217 format.

amountsArray of numbers(double)

List of available deposit amounts.

If amounts is not specified when a deposit is created, amounts are determined from the chosen strategy. For more information, see the strategyId property.

customAmountobject or null

Custom amount restrictions. If this value is null, custom amounts are prohibited. If customAmount is not specified when a deposit request is created, amount restrictions are determined from the chosen strategy. For more information, see the strategyId property.

redirectUrlstring(uri)

URL to redirect the customer to when a deposit is completed. The default value is the website URL.

expirationTimestring(date-time)

Date and time at which the deposit request expires. The default expiration time is one hour from the time the request is created.

propertiesSchemaobject or nullread-only

Defines properties the user can complete when they use the hosted deposit form. This field accepts JSON-schema drafts 4, 6, and 7.

Example:

{"type":"object","properties":{"email":{"type":"string"},"max":{"type":"integer","minimum":0,"exclusiveMaximum":100}},"required":["email"]}

propertiesobject or nullread-only

Properties that are available for the user to complete when they use the hosted deposit form. Use this object to describe fields that are rendered and completed on the hosted deposit form.

Example:

{"email":"email@example.com","max":"33"}

notificationUrlstring or null(uri)

URL where a server-to-server POST notification is sent. This notification is sent when the transaction result is finalized after a timeout or an offsite interaction.

Do not interpret this notification as a confirmation, complete a GET request to confirm the result of the transaction. To ensure the request is not reattempted, when the result is confirmed, respond with a 2xx HTTP status code.

The following placeholders are available to use in this URI: {id} and {result}. These placeholders are replaced the with the transaction ID and result accordingly.

customFieldsobject(ResourceCustomFields)

Use custom fields to extend a resource scheme to include custom data that is not provided as a common field. For more information, see Custom fields.

createdTimestring(date-time)(CreatedTime)read-only

Date and time which is set automatically when the resource is created.

updatedTimestring(date-time)(UpdatedTime)read-only

Date and time which updates automatically when the resource is updated.

_linksArray of objectsread-only

Related links.

_embeddedobjectread-only

Embedded objects that are requested by the expand query parameter.

transactionIdstring or null<= 50 charactersDeprecatedread-only

ID of the transaction that is used in the deposit request.

Example:

"txn_0YVDTQJ8YWDGQACV2N2N5SPWQ0"

]
Response
application/json
[ { "id": "dep_req_0YVJ65BSGYC3EAT58SEX8KY6J7", "websiteId": "web_0YV7DE4Z26DQSA1AC92FBJ7SEG", "customerId": "cus_0YV7DDSDD1C8DA64KHH2W33CPF", "transactionId": "txn_0YVDTQJ8YWDGQACV2N2N5SPWQ0", "transactionIds": [], "status": "created", "currency": "USD", "amounts": [], "customAmount": {}, "redirectUrl": "http://example.com", "expirationTime": "2019-08-24T14:15:22Z", "propertiesSchema": {}, "properties": {}, "notificationUrl": "http://example.com", "customFields": {}, "createdTime": "2019-08-24T14:15:22Z", "updatedTime": "2019-08-24T14:15:22Z", "_links": [], "_embedded": {} } ]

Retrieve a deposit requestExperimental

Request

Retrieves a deposit request with a specified ID.

Path
idstring<= 50 characters^[@~\-\.\w]+$required

ID of the resource.

Query
expandstring

Expands a request to include embedded objects within the _embedded property of the response. This field accepts a comma-separated list of objects.

For more information, see Expand to include embedded objects.

curl -i -X GET \
  'https://www.rebilly.com/_mock/catalog/all/deposit-requests/{id}?expand=string' \
  -H 'REB-APIKEY: YOUR_API_KEY_HERE'
Experience it firsthand in the API Explorer!

Responses

Deposit request retrieved.

Bodyapplication/json
idstring<= 50 charactersread-only

ID of the deposit request.

Example:

"dep_req_0YVJ65BSGYC3EAT58SEX8KY6J7"

websiteIdstring<= 50 charactersrequired

Website ID of the deposit. This value specifies the website with which the deposit is associated.

Example:

"web_0YV7DE4Z26DQSA1AC92FBJ7SEG"

customerIdstring(CustomerId)<= 50 charactersrequired

ID of the customer resource.

transactionIdsArray of strings

List of transaction IDs that are associated with the deposit request. This list includes transactions that are created from the deposit request. There is a maximum of one approved transaction in the list.

statusstringread-only

Status of the request.

Enum ValueDescription
created

Request is created, but it has not been visited by a customer. This is a temporary state.

pending

Request has been visited by a customer, but no funds have been deposited yet. This is a temporary state.

initiated

A funds deposit transaction has been initiated. This is a temporary state.

attempted

A funds deposit transaction was attempted and declined. This is a temporary state.

completed

A funds deposit transaction has been approved and completed. This is a permanent state.

expired

Request expired without an approved deposit transaction. This is a permanent state.

currencystring(CurrencyCode)= 3 charactersrequired

Currency code in ISO 4217 format.

amountsArray of numbers(double)

List of available deposit amounts.

If amounts is not specified when a deposit is created, amounts are determined from the chosen strategy. For more information, see the strategyId property.

customAmountobject or null

Custom amount restrictions. If this value is null, custom amounts are prohibited. If customAmount is not specified when a deposit request is created, amount restrictions are determined from the chosen strategy. For more information, see the strategyId property.

redirectUrlstring(uri)

URL to redirect the customer to when a deposit is completed. The default value is the website URL.

expirationTimestring(date-time)

Date and time at which the deposit request expires. The default expiration time is one hour from the time the request is created.