Unfortunately, this feature is not supported on mobile devices. For the best experience, please use a computer.

Core APIs (latest)

Introduction

The Rebilly API is built on HTTP and is RESTful. It has predictable resource URLs and returns HTTP response codes to indicate errors. It also accepts and returns JSON in the HTTP body. Use your favorite HTTP/REST library in your programming language when using this API, or use one of the Rebilly SDKs, which are available in PHP and JavaScript.

Every action in the Rebilly UI is supported by an API which is documented and available for use, so that you may automate any necessary workflows or processes. This API reference documentation contains the most commonly integrated resources.

Authentication

This topic describes the different forms of authentication that are available in the Rebilly API, and how to use them.

Rebilly offers four forms of authentication: secret key, publishable key, JSON Web Tokens, and public signature key.

  • Secret API key: Use to make requests from the server side. Never share these keys. Keep them guarded and secure.
  • Publishable API key: Use in your client-side code to tokenize payment information.
  • JWT: Use to make short-life tokens that expire after a set period of time.

Manage API keys

To create or manage API keys, select one of the following:

For more information on API keys, see API keys.

Errors

Rebilly follows the error response format proposed in RFC 9457, which is also known as Problem Details for HTTP APIs. As with any API responses, your client must be prepared to gracefully handle additional members of the response.

SDKs

Rebilly provides a JavaScript SDK and a PHP SDK to help interact with the Rebilly API. However, no SDK is required to use the API.

Rebilly also provides FramePay, a client-side iFrame-based solution, to help create payment tokens while minimizing PCI DSS compliance burdens and maximizing your customization ability. FramePay interacts with the payment tokens creation operation.

JavaScript SDK

For installation and usage instructions, see SDKs. All JavaScript SDK code examples are included in the API reference documentation.

PHP SDK

For installation and usage instructions, see SDKs. All SDK code examples are included in the API reference documentation. To use them, you must configure the $client as follows:

$client = new Rebilly\Client([
    'apiKey' => 'YourApiKeyHere',
    'baseUrl' => 'https://api.rebilly.com',
]);

Get started

The full Rebilly API has over 500 operations. This is likely more than you may need to implement your use cases. If you would like to implement a particular use case, contact Rebilly for guidance and feedback on the best API operations to use for the task.

To integrate Rebilly, and learn about related resources and concepts, see Get started.

Rate limits

Rebilly enforces rate limits on the API to ensure that no single organization consumes too many resources. Rate limits are applied to the organization, and not to the API key. In sandbox environment, rate limits are enforced for non-GET endpoints and are set at 3000 requests per 10 minutes. You can find the exact number of consumed requests in the X-RateLimit-Limit and X-RateLimit-Remaining headers in the response. If the rate limit is exceeded, the API returns a 429 Too Many Requests response and a X-RateLimit-Retry-After header that includes a UTC timestamp of when the rate limit resets.

Download OpenAPI description
Languages
Servers
Mock server
https://www.rebilly.com/_mock/docs/dev-docs/api/
Sandbox server
https://api-sandbox.rebilly.com/organizations/{organizationId}/
Live server
https://api.rebilly.com/organizations/{organizationId}/

Customers

Use these operations to manage customers. A customer is an entity that purchases goods or services from you (a merchant), and is the payee in any transaction that is credited to you. Customers are associated with payment instruments, subscriptions, invoices, and other related resources.

In other systems, customers may be referred to as accounts, clients, members, patrons, or players. For information on the customer resource, see Resources.

Operations

Customer authentication

Use these operations to validate the identity of users and manage authentication credentials.

Operations

Tags

Use tags to organize and categorize customers or KYC documents based on keywords.

Operations

Customers timeline

Use customer timelines to maintain an audit trail of changes and activity for each customer.

Operations

Payment instruments

Use these operations to manage payment instruments. Payment instrument is a term which describes any means of making a digital payment, such as: credit cards, debit cards, direct debits, payment service providers, and digital wallets.

For more information on payment instruments, see Payment instruments.

OperationsWebhooks

Payment tokens

Use payment tokens to reduce the scope of PCI DSS compliance.

A payment token can be made using a different authentication scheme (public key authentication), which enables you to create a payment token directly from the browser. This bypasses the need to send sensitive cardholder info to your servers. We recommend using this with the FramePay library, which helps you integrate a form into this API resource and create payment tokens.

Operations

Create a payment token

Request

Creates a payment token which can be exchanged into a payment instrument. FramePay is the recommended way to create a payment token because it minimizes PCI DSS compliance. Once a payment token is created, it can only be used once.

A payment token expires upon first use or within 30 minutes of the token creation, whichever comes first.

Bodyapplication/jsonrequired

Payment token resource.

methodstringrequired

Payment method of the token.

Value"payment-card"
Discriminator
paymentInstrumentobjectrequired

Payment card instrument details.

paymentInstrument.panstringwrite-only

Primary Account Number (PAN) of the payment card. This value is required to perform a payment.

paymentInstrument.cvvstringwrite-only

Card Verification Value (CVV/CVC) of the payment card.

paymentInstrument.expMonthintegerrequired

Expiration month of the payment card.

paymentInstrument.expYearintegerrequired

Expiration year of the payment card.

billingAddressobject(ContactObject)

Contact's information.

riskMetadataRisk metadata (object) or null
One of:

Risk metadata used for 3D Secure and risk scoring.

leadSourceobject(LeadSource)write-only

Lead source information.

curl -i -X POST \
  https://www.rebilly.com/_mock/docs/dev-docs/api/tokens \
  -H 'Authorization: YOUR_API_KEY_HERE' \
  -H 'Content-Type: application/json' \
  -d '{
    "method": "payment-card",
    "paymentInstrument": {
      "pan": "string",
      "cvv": "string",
      "expMonth": 0,
      "expYear": 0
    },
    "billingAddress": {
      "firstName": "Benjamin",
      "lastName": "Franklin",
      "organization": "Rebilly",
      "address": "36 Craven St",
      "address2": "string",
      "city": "Austin",
      "region": "Texas",
      "country": "GB",
      "postalCode": "WC2N 5NF",
      "phoneNumbers": [
        {
          "label": "main",
          "value": "512-710-1640",
          "primary": true
        }
      ],
      "emails": [
        {
          "label": "main",
          "value": "rebilly@example.com",
          "primary": true
        }
      ],
      "dob": "1980-04-01",
      "jobTitle": "CEO"
    },
    "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
    "riskMetadata": {
      "ipAddress": "93.92.91.90",
      "fingerprint": "pIUt3xbgX3l9g3YDiLbx",
      "httpHeaders": {
        "Content-Type": "application/json",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
      },
      "browserData": {
        "colorDepth": 24,
        "isJavaEnabled": true,
        "language": "en-US",
        "screenWidth": 1920,
        "screenHeight": 1080,
        "timeZoneOffset": 300,
        "isAdBlockEnabled": true
      },
      "extraData": {
        "kountFraudSessionId": "abcdefg12345abababab123456789012",
        "payPalMerchantSessionId": "dd65ratxc5qv15iph3vyoq7l6davuowa",
        "threatMetrixSessionId": "dd65ratxc5qv15iph3vyoq7l6davuowadd65ratxc5qv15iph3vyoq7l6davuowa"
      }
    },
    "leadSource": {
      "medium": "string",
      "source": "string",
      "campaign": "string",
      "term": "string",
      "content": "string",
      "affiliate": "string",
      "subAffiliate": "string",
      "salesAgent": "string",
      "clickId": "string",
      "path": "string",
      "referrer": "string"
    }
  }'
Experience it firsthand in the API Explorer!

Responses

Token created.

Headers
Locationstring(uri)

Location of the related resource.

Example:

"https://api.rebilly.com/example"

X-RateLimit-Limitinteger

Total number of rate limit tokens for this request within a rate limit period. For more information, see Rate limits.

Example:

3600

X-RateLimit-Remaininginteger

Remaining number of rate limit tokens for this request within the rate limit period. For example, in the sandbox environment, rate limits for non-GET endpoints are set at 3000 requests per 10 minutes.

Example:

3600

Bodyapplication/json
methodstringrequired

Payment method of the token.

Value"payment-card"
Discriminator
paymentInstrumentobjectrequired

Payment card instrument details.

paymentInstrument.expMonthintegerrequired

Expiration month of the payment card.

paymentInstrument.expYearintegerrequired

Expiration year of the payment card.

paymentInstrument.binstring or null(bin)read-only

Bank Identification Number (BIN) of the payment card. This value is the first 6 digits of the payment card number.

paymentInstrument.last4string or nullread-only

Last 4 digits of the Primary Account Number (PAN) of the payment card.

paymentInstrument.brandstringread-only

Brand of payment card.

Enum"Visa""MasterCard""American Express""Discover""Maestro""Solo""Electron""JCB""Voyager""Diners Club"
billingAddressobject(ContactObject)

Contact's information.

idstring(ResourceId)<= 50 charactersread-only

Unique resource ID.

isUsedbooleanread-only

Specifies if the token has been used.

Default false
riskMetadataRisk metadata (object) or null
One of:

Risk metadata used for 3D Secure and risk scoring.

createdTimestring(date-time)(CreatedTime)read-only

Date and time which is set automatically when the resource is created.

updatedTimestring(date-time)(UpdatedTime)read-only

Date and time which updates automatically when the resource is updated.

usageTimestring or null(date-time)read-only

Date and time when the token is used.

expirationTimestring or null(date-time)read-only

Date and time when the token expired.

_linksArray of objects(SelfLink)read-only

Related links.

Response
application/json
{ "method": "payment-card", "paymentInstrument": { "expMonth": 0, "expYear": 0, "bin": "string", "last4": "string", "brand": "Visa" }, "billingAddress": { "firstName": "Benjamin", "lastName": "Franklin", "organization": "Rebilly", "address": "36 Craven St", "address2": "string", "city": "Austin", "region": "Texas", "country": "GB", "postalCode": "WC2N 5NF", "phoneNumbers": [], "emails": [], "dob": "1980-04-01", "jobTitle": "CEO", "hash": "056ae6d97c788b9e98b049ebafd7b229bf852221" }, "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21", "isUsed": false, "riskMetadata": { "ipAddress": "93.92.91.90", "fingerprint": "pIUt3xbgX3l9g3YDiLbx", "httpHeaders": {}, "browserData": {}, "extraData": {}, "isProxy": true, "isVpn": true, "isTor": true, "isHosting": true, "hostingName": "string", "isp": "string", "country": "US", "region": "NY", "city": "New York", "latitude": 0.1, "longitude": 0, "postalCode": "string", "timeZone": "America/New_York", "accuracyRadius": 0, "distance": 0, "hasMismatchedBillingAddressCountry": true, "hasMismatchedBankCountry": true, "hasMismatchedTimeZone": true, "hasMismatchedHolderName": true, "hasFakeName": true, "isHighRiskCountry": true, "paymentInstrumentVelocity": 0, "declinedPaymentInstrumentVelocity": 0, "deviceVelocity": 0, "ipVelocity": 0, "emailVelocity": 0, "billingAddressVelocity": 0, "paymentInstrumentApprovedTransactionCount": 0, "score": 0 }, "createdTime": "2019-08-24T14:15:22Z", "updatedTime": "2019-08-24T14:15:22Z", "usageTime": "2019-08-24T14:15:22Z", "expirationTime": "2019-08-24T14:15:22Z", "_links": [ {} ] }

Retrieve tokens

Request

Retrieve a list of tokens.

Query
limitinteger[ 0 .. 1000 ]

Limits the number of collection items to be returned.

offsetinteger[ 0 .. 1000 ]

Specifies the starting point within the collection of items to be returned.

curl -i -X GET \
  'https://www.rebilly.com/_mock/docs/dev-docs/api/tokens?limit=1000&offset=1000' \
  -H 'REB-APIKEY: YOUR_API_KEY_HERE'
Experience it firsthand in the API Explorer!

Responses

List of tokens retrieved.

Headers
Pagination-Totalinteger

Total number of items.

Example:

332

Pagination-Limitinteger

Maximum number of items per page.

Example:

100

Pagination-Offsetinteger

Specifies the starting point within the collection of resource results. For example, a request with limit=20 retrieves and displays the first 20 results on a page. A following request with limit=20 and offset=20, retrieves the next page of 20 results.

Example:

2

Bodyapplication/jsonArray [
methodstringrequired

Payment method of the token.

Value"payment-card"
Discriminator
paymentInstrumentobjectrequired

Payment card instrument details.

paymentInstrument.expMonthintegerrequired

Expiration month of the payment card.

paymentInstrument.expYearintegerrequired

Expiration year of the payment card.

paymentInstrument.binstring or null(bin)read-only

Bank Identification Number (BIN) of the payment card. This value is the first 6 digits of the payment card number.

paymentInstrument.last4string or nullread-only

Last 4 digits of the Primary Account Number (PAN) of the payment card.

paymentInstrument.brandstringread-only

Brand of payment card.

Enum"Visa""MasterCard""American Express""Discover""Maestro""Solo""Electron""JCB""Voyager""Diners Club"
billingAddressobject(ContactObject)

Contact's information.

idstring(ResourceId)<= 50 charactersread-only

Unique resource ID.

isUsedbooleanread-only

Specifies if the token has been used.

Default false
riskMetadataRisk metadata (object) or null
One of:

Risk metadata used for 3D Secure and risk scoring.

createdTimestring(date-time)(CreatedTime)read-only

Date and time which is set automatically when the resource is created.

updatedTimestring(date-time)(UpdatedTime)read-only

Date and time which updates automatically when the resource is updated.

usageTimestring or null(date-time)read-only

Date and time when the token is used.

expirationTimestring or null(date-time)read-only

Date and time when the token expired.

_linksArray of objects(SelfLink)read-only

Related links.

]
Response
application/json
[ { "method": "payment-card", "paymentInstrument": {}, "billingAddress": {}, "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21", "isUsed": false, "riskMetadata": {}, "createdTime": "2019-08-24T14:15:22Z", "updatedTime": "2019-08-24T14:15:22Z", "usageTime": "2019-08-24T14:15:22Z", "expirationTime": "2019-08-24T14:15:22Z", "_links": [] } ]

Retrieve a token

Request

Retrieves a token with a specified ID.

Path
tokenstringrequired

ID of the token.

curl -i -X GET \
  'https://www.rebilly.com/_mock/docs/dev-docs/api/tokens/{token}' \
  -H 'Authorization: YOUR_API_KEY_HERE'
Experience it firsthand in the API Explorer!

Responses

Token retrieved.

Bodyapplication/json
methodstringrequired

Payment method of the token.

Value"payment-card"
Discriminator
paymentInstrumentobjectrequired

Payment card instrument details.

paymentInstrument.expMonthintegerrequired

Expiration month of the payment card.

paymentInstrument.expYearintegerrequired

Expiration year of the payment card.

paymentInstrument.binstring or null(bin)read-only

Bank Identification Number (BIN) of the payment card. This value is the first 6 digits of the payment card number.

paymentInstrument.last4string or nullread-only

Last 4 digits of the Primary Account Number (PAN) of the payment card.

paymentInstrument.brandstringread-only

Brand of payment card.

Enum"Visa""MasterCard""American Express""Discover""Maestro""Solo""Electron""JCB""Voyager""Diners Club"
billingAddressobject(ContactObject)

Contact's information.

idstring(ResourceId)<= 50 charactersread-only

Unique resource ID.

isUsedbooleanread-only

Specifies if the token has been used.

Default false
riskMetadataRisk metadata (object) or null
One of:

Risk metadata used for 3D Secure and risk scoring.

createdTimestring(date-time)(CreatedTime)read-only

Date and time which is set automatically when the resource is created.

updatedTimestring(date-time)(UpdatedTime)read-only

Date and time which updates automatically when the resource is updated.

usageTimestring or null(date-time)read-only

Date and time when the token is used.

expirationTimestring or null(date-time)read-only

Date and time when the token expired.

_linksArray of objects(SelfLink)read-only

Related links.

Response
application/json
{ "method": "payment-card", "paymentInstrument": { "expMonth": 0, "expYear": 0, "bin": "string", "last4": "string", "brand": "Visa" }, "billingAddress": { "firstName": "Benjamin", "lastName": "Franklin", "organization": "Rebilly", "address": "36 Craven St", "address2": "string", "city": "Austin", "region": "Texas", "country": "GB", "postalCode": "WC2N 5NF", "phoneNumbers": [], "emails": [], "dob": "1980-04-01", "jobTitle": "CEO", "hash": "056ae6d97c788b9e98b049ebafd7b229bf852221" }, "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21", "isUsed": false, "riskMetadata": { "ipAddress": "93.92.91.90", "fingerprint": "pIUt3xbgX3l9g3YDiLbx", "httpHeaders": {}, "browserData": {}, "extraData": {}, "isProxy": true, "isVpn": true, "isTor": true, "isHosting": true, "hostingName": "string", "isp": "string", "country": "US", "region": "NY", "city": "New York", "latitude": 0.1, "longitude": 0, "postalCode": "string", "timeZone": "America/New_York", "accuracyRadius": 0, "distance": 0, "hasMismatchedBillingAddressCountry": true, "hasMismatchedBankCountry": true, "hasMismatchedTimeZone": true, "hasMismatchedHolderName": true, "hasFakeName": true, "isHighRiskCountry": true, "paymentInstrumentVelocity": 0, "declinedPaymentInstrumentVelocity": 0, "deviceVelocity": 0, "ipVelocity": 0, "emailVelocity": 0, "billingAddressVelocity": 0, "paymentInstrumentApprovedTransactionCount": 0, "score": 0 }, "createdTime": "2019-08-24T14:15:22Z", "updatedTime": "2019-08-24T14:15:22Z", "usageTime": "2019-08-24T14:15:22Z", "expirationTime": "2019-08-24T14:15:22Z", "_links": [ {} ] }

Validate a digital wallet session

Request

Validates a digital wallet session.

We recommend using FramePay to validate a digital wallet session.

Bodyapplication/jsonrequired

Digital wallet validation request.

typestringrequired

Type of digital wallet to validate.

Value"Apple Pay"
Discriminator
validationRequestobjectwrite-onlyrequired

Validation request.

validationRequest.validationUrlstring

Apple Pay SDK URL that is used to perform validation.

validationRequest.domainNamestring
Example:

"www.example.com"

validationRequest.displayNamestring

Display name of your store.

Example:

"My Store"

curl -i -X POST \
  https://www.rebilly.com/_mock/docs/dev-docs/api/digital-wallets/validation \
  -H 'Authorization: YOUR_API_KEY_HERE' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "Apple Pay",
    "validationRequest": {
      "validationUrl": "string",
      "domainName": "www.example.com",
      "displayName": "My Store"
    }
  }'
Experience it firsthand in the API Explorer!

Responses

Digital wallet validation complete.

Headers
Locationstring(uri)

Location of the related resource.

Example:

"https://api.rebilly.com/example"

X-RateLimit-Limitinteger

Total number of rate limit tokens for this request within a rate limit period. For more information, see Rate limits.

Example:

3600

X-RateLimit-Remaininginteger

Remaining number of rate limit tokens for this request within the rate limit period. For example, in the sandbox environment, rate limits for non-GET endpoints are set at 3000 requests per 10 minutes.

Example:

3600

Bodyapplication/json
typestringrequired

Type of digital wallet to validate.

Value"Apple Pay"
Discriminator
validationResponseobjectread-only

Apple Pay SDK validation response.

Response
application/json
{ "type": "Apple Pay", "validationResponse": {} }

Transactions

Use these operations to:

  • set up payment instruments for payments
  • authorize and hold funds
  • capture funds
  • make payments
  • make payouts
  • refund transactions.
Operations

Disputes

Use these operations to manage disputes. A dispute occurs when a customer contests a charge to their account. The dispute and related information is made available to the merchant by the bank or credit card company. The merchant then has the option to represent the charge and win the case. This process is called dispute resolution. If the merchant is unable to represent the charge, the card issuer typically reverses the sale and adds fees on top of the charge. This process is called a chargeback.

OperationsWebhooks

Fees

Use fees to reconcile transactions with applicable fees and discount rates. Fees are not applied directly to transaction amounts, they do not modify the transaction amount. Fees help to describe each part of the transaction amount.

Important: These operations are experimental and may change.

Operations