
API Reference

The OwnPay REST API allows developers to integrate payment collection directly into their applications, websites, or backend services.

Base URL

https://your-ownpay-domain.com/api/v1

All API responses are JSON. All requests must include the Content-Type: application/json header.

Authentication

All API endpoints require Bearer token authentication using an op_ prefixed API key:

```http
Authorization: Bearer op_<your-api-key>
```

Generate API keys from the Developer Hub in the admin panel.

Rate Limiting

API requests are rate-limited per key. Rate limit headers are returned with every response:

| Header | Description |
| --- | --- |
| X-RateLimit-Limit | Maximum requests per window |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |

A 429 Too Many Requests response is returned when the limit is exceeded.
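A client can use these headers to pause until the window resets instead of retrying into repeated 429 responses. The following is an added example, not part of the OwnPay documentation or code base; only the header names and the 429 status come from this page, while the function names, the 60-second cap and the 1-second fallback are assumptions.

```python
# Added example. Header names and the 429 status are from this page;
# function names, MAX_WAIT and FALLBACK_WAIT are assumptions.
MAX_WAIT = 60.0       # cap, so a bogus or skewed reset value cannot stall the client
FALLBACK_WAIT = 1.0   # pause after a 429 that carries no usable reset time


def _int_header(headers, name):
    """Return the header as a non-negative int, or None if missing or malformed."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            try:
                number = int(str(value).strip())
            except ValueError:
                return None
            return number if number >= 0 else None
    return None


def seconds_to_wait(status, headers, now):
    """Seconds to pause before the next request made with the same API key.

    status: HTTP status of the response just received
    headers: response headers as a dict (matched case-insensitively)
    now: current Unix time, passed in so the logic can be tested offline
    """
    remaining = _int_header(headers, "X-RateLimit-Remaining")
    reset = _int_header(headers, "X-RateLimit-Reset")
    throttled = status == 429
    if not throttled and remaining != 0:
        return 0.0  # budget left in this window
    wait = None if reset is None else reset - now
    if wait is None or wait <= 0:
        # No usable reset time, or the window is already over by our clock.
        return FALLBACK_WAIT if throttled else 0.0
    return min(float(wait), MAX_WAIT)


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real server).
    now = 1_700_000_000
    samples = [
        (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "42", "X-RateLimit-Reset": "1700000030"}),
        (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000030"}),
        (429, {"x-ratelimit-reset": "1700003600"}),
        (429, {}),
    ]
    for status, headers in samples:
        print(status, seconds_to_wait(status, headers, now))
```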

Error Format

All errors follow a consistent JSON format:

```json
{
  "error": true,
  "message": "Human-readable error description",
  "code": "ERROR_CODE"
}
```

Standard HTTP Status Codes

| Code | Meaning |
| --- | --- |
| 200 | Success |
| 201 | Resource created |
| 400 | Bad request — invalid parameters |
| 401 | Unauthorized — invalid or missing API key |
| 403 | Forbidden — insufficient permissions |
| 404 | Resource not found |
| 422 | Unprocessable — validation failed |
| 429 | Rate limit exceeded |
| 500 | Server error |

Endpoints

Payments

Authentication

Webhooks

OwnPay sends outbound webhook notifications to your configured endpoint when payment events occur. All webhook payloads include an HMAC-SHA256 signature header:

X-OwnPay-Signature: sha256=<hmac_hex>

Always verify this signature on your server before processing the event.

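```php
<?php
// Fail closed if the secret is unset: an empty key gives an HMAC anyone can compute.
$secret = getenv('WEBHOOK_SECRET');
if ($secret === false || $secret === '') {
    http_response_code(500);
    exit;
}

// Sign the raw body exactly as received, before any JSON decoding.
$payload = file_get_contents('php://input');
$expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);
$received = $_SERVER['HTTP_X_OWNPAY_SIGNATURE'] ?? '';

// hash_equals() compares in constant time.
if (!hash_equals($expected, $received)) {
    http_response_code(401);
    exit;
}
```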