API Reference

Overview

The API base URL is https://api.smspaybd.com. The API is versioned under /v1, so production requests use https://api.smspaybd.com/v1/....

API Base URL: https://api.smspaybd.com
Docs URL:     https://smspaybd.com/docs

Merchant API requests use:

X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx

Step-by-step guide

Use sandbox base URL and sandbox API key while developing.
Create a payment intent with /payments/intents.
Redirect the customer to checkoutUrl.
Send sandbox SMS events from the simulator or live SMS events from Android.
Verify webhook delivery and idempotent fulfillment.
Switch both base URL and API key to live when approved.

Authentication

Surface	Authentication
Payment intents	`X-Api-Key`
Webhooks management	`X-Api-Key`
Android SMS ingestion	`X-Api-Key` and `X-Signature`
Raw sandbox simulator	Sandbox `X-Api-Key`
Public checkout	None
Dashboard sandbox tools	Dashboard JWT session

Code example

Use a small wrapper so every server-side API call includes the correct base URL and key:

async function smsGateway(path: string, init: RequestInit = {}) {
  const response = await fetch(`https://api.smspaybd.com/v1${path}`, {
    ...init,
    headers: {
      "Content-Type": "application/json",
      "X-Api-Key": process.env.SMS_PAY_SANDBOX_KEY!,
      ...init.headers,
    },
  });

  if (!response.ok) {
    throw new Error(await response.text());
  }

  return response.json();
}

Request and response samples

The following sections show the production API shapes. Use camelCase JSON fields exactly as shown.

Payment Intents

Create

POST /v1/payments/intents
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx
Content-Type: application/json

{
  "amount": 500,
  "currency": "BDT",
  "paymentMethod": "BKASH_SEND_MONEY",
  "customerReference": "ORDER-10045",
  "idempotencyKey": "payment_intent_ORDER-10045",
  "ttlSeconds": 300,
  "successUrl": "https://smspaybd.com/payment/success",
  "failedUrl": "https://smspaybd.com/payment/failed",
  "cancelUrl": "https://smspaybd.com/checkout",
  "expiredUrl": "https://smspaybd.com/payment/expired"
}

{
  "id": "b5012f33-207e-4999-bf8d-5a1ebb10988e",
  "merchantId": "merchant_123",
  "environment": "SANDBOX",
  "amount": "500",
  "currency": "BDT",
  "status": "PENDING",
  "customerReference": "ORDER-10045",
  "receiverMsisdn": "01700000001",
  "checkoutUrl": "https://smspaybd.com/checkout/b5012f33-207e-4999-bf8d-5a1ebb10988e",
  "expiresAt": "2026-05-05T10:05:00.000Z"
}

List

GET /v1/payments/intents?status=PENDING&page=1&limit=20
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx

{
  "data": [],
  "total": 0,
  "page": 1,
  "limit": 20
}

Retrieve

GET /v1/payments/intents/:id
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx

Checkout

Public details

GET /v1/checkout/:id

{
  "id": "b5012f33-207e-4999-bf8d-5a1ebb10988e",
  "amount": "500",
  "currency": "BDT",
  "status": "PENDING",
  "environment": "SANDBOX",
  "customerReference": "ORDER-10045",
  "receiverMsisdn": "01700000001",
  "expiresAt": "2026-05-05T10:05:00.000Z"
}

Fallback transaction ID confirmation

POST /v1/checkout/:id/confirm
Content-Type: application/json

{
  "trxId": "ABCD1234"
}

SMS Events

Android incoming SMS

POST /v1/sms-events/incoming
X-Api-Key: sk_live_xxxxxxxxxxxxxxxxx
X-Signature: sha256=<hmac>
Content-Type: application/json

{
  "sender": "bKash",
  "message": "You have received payment Tk 500.00 from 01711111111. Ref ORDER-10045. Fee Tk 0.00. Balance Tk 10000.00. TrxID ABCD1234",
  "receiverMsisdn": "01700000001",
  "receivedAt": "2026-05-05T10:00:00.000Z",
  "deviceId": "merchant-phone-01"
}

{
  "id": "sms_123",
  "status": "RECEIVED",
  "queued": true,
  "duplicate": false
}

Raw sandbox SMS simulator

POST /v1/sandbox/sms-events/simulate
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx
Content-Type: application/json

{
  "message": "You have received payment Tk 500.00 from 01711111111. Ref ORDER-10045. Fee Tk 0.00. Balance Tk 10000.00. TrxID ABCD1234",
  "receiverMsisdn": "01700000001",
  "receivedAt": "2026-05-05T10:00:00.000Z"
}

Webhooks

Create endpoint

POST /v1/webhooks/endpoints
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx
Content-Type: application/json

{
  "url": "https://merchant-site.com/webhooks/sms-pay",
  "secret": "whsec_minimum_16_characters"
}

{
  "id": "wh_123",
  "url": "https://merchant-site.com/webhooks/sms-pay",
  "environment": "SANDBOX",
  "isVerified": false,
  "isActive": true,
  "createdAt": "2026-05-05T10:00:00.000Z"
}

Verify endpoint

POST /v1/webhooks/endpoints/:id/verify
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx

List deliveries

GET /v1/webhooks/deliveries
X-Api-Key: sk_test_xxxxxxxxxxxxxxxxx

{
  "data": [
    {
      "id": "delivery_123",
      "endpointId": "wh_123",
      "paymentIntentId": "b5012f33-207e-4999-bf8d-5a1ebb10988e",
      "eventType": "payment.paid",
      "status": "DELIVERED",
      "attempt": 1,
      "statusCode": 200,
      "idempotencyKey": "payment.paid:b5012f33-207e-4999-bf8d-5a1ebb10988e",
      "deliveredAt": "2026-05-05T10:01:00.000Z",
      "createdAt": "2026-05-05T10:01:00.000Z"
    }
  ],
  "total": 1
}

Dashboard-only sandbox endpoints

These endpoints are used by the dashboard UI and require a logged-in merchant admin session:

GET /v1/sandbox/test-cases
POST /v1/sandbox/test-cases/:caseId/run
POST /v1/sandbox/simulator/run
GET /v1/sandbox/test-runs/recent

Edge cases and constraints

Use camelCase JSON fields exactly as shown.
Do not use live keys on sandbox simulator endpoints.
Do not use public checkout responses as fulfillment proof.
Webhook delivery is at-least-once; process idempotently.
customerReference and idempotencyKey should be stable per order.