REST API · v1

API Reference

The VebboPay API gives you programmatic access to accounts, payments, agents, subscriptions, and webhooks. Every endpoint is RESTful, returns JSON, and is secured with Bearer token authentication.

RESTful JSONHMAC WebhooksIdempotency KeysUK Faster PaymentsMulti-currency

Quick Start

1. Get your API key

Navigate to the Developer Portal and create a new API key. Choose only the permission scopes your integration needs.

API Key vp_live_sk_••••••••••••••••

2. Authenticate

Include your key in the Authorization header of every request.

Authorization: Bearer vp_live_sk_...

Make your first call

curl

curl -X GET \
  "https://api.vebbopay.com/api/v1/wallet/balances" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Authentication

Bearer Token Auth

All API requests must include Authorization: Bearer YOUR_API_KEY in the request headers. Requests without a valid token return 401 Unauthorized.

Accounts & Balances

Payments & Transfers

Products & Prices

Payment Links

Subscriptions

Agent Transfers

Webhooks & Events

Verifying Webhook Signatures

Every webhook delivery includes a X-VebboPay-Signature header. Verify it using your webhook secret to confirm the payload is genuine and has not been tampered with.

python

import hmac, hashlib

def verify_signature(payload: bytes, sig_header: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, sig_header)

# In your handler:
if not verify_signature(request.body, request.headers["X-VebboPay-Signature"], WEBHOOK_SECRET):
    return Response(status=401)

Error Codes

All errors return a JSON body with detail (string) and code (machine-readable slug) fields.

StatusNameDescription

400Bad RequestThe request body is malformed or missing required fields.

401UnauthorizedNo valid Bearer token provided, or the token has expired.

403ForbiddenThe token is valid but lacks the required permission scope.

404Not FoundThe resource (account, product, agent) does not exist.

409ConflictA duplicate resource was detected (e.g. duplicate webhook URL).

422Unprocessable EntitySemantic validation failed — e.g. insufficient balance.

429Too Many RequestsRate limit exceeded. Check the Retry-After header.

500Internal Server ErrorUnexpected server error. Our team is automatically alerted.

json

{
  "detail": "Insufficient balance to complete this transfer.",
  "code": "insufficient_balance",
  "request_id": "req_01HZ..."
}

Rate Limits

Rate limits are applied per API key. Exceeding a limit returns 429 Too Many Requests. Check the Retry-After header for reset timing.

TierReadWriteBatchWebhooks

Free60 / min20 / min5 / hour2 endpoints

Starter300 / min100 / min50 / hour10 endpoints

Pro1,000 / min300 / min200 / hour25 endpoints

EnterpriseUnlimitedUnlimitedUnlimitedUnlimited

Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.

Idempotency Keys

For all POST requests, supply an Idempotency-Key header to safely retry requests without creating duplicate payments. Keys expire after 24 hours.

curl

curl -X POST "https://api.vebbopay.com/api/v1/wallet/transfer" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{"amount": 100.00, "destination_account_number": "87654321", "destination_sort_code": "20-00-00"}'

Ready to build?

Create your API key, explore the sandbox, and ship your first integration in minutes.

Open Dev Portal Create Account