Start building in 4 steps
Step 1 — Get your credentials
Step 1 — Get your credentials
Contact your Ingo integration manager to receive your HMAC username,
HMAC secret, and participant identifier. All Ingo products use
HMAC-SHA512 request signing — the same authentication standard
across every API. See Authentication
for signature construction details.
Step 2 — Tokenize the account
Step 2 — Tokenize the account
Call
POST /gateway/verify (IngoPay API) or launch the iFrame SDK
(Embedded Account Capture) to validate and tokenize the recipient’s
payment account. Store the returned customer_account_token — you’ll
use it on every future process request for that account.Step 3 — Process the payment
Step 3 — Process the payment
Call
POST /gateway/process with the customer_account_token and
your disbursement amount. Ingo routes the payment across the
appropriate rail — card, ACH, check, PayPal, or Venmo — based on
the account_type you tokenized.Step 4 — Handle webhooks
Step 4 — Handle webhooks
Subscribe your endpoint to receive real-time event callbacks for
payment status, OFAC screening updates, tokenization results, and
more. Configure retry logic and authentication in your Ingo
integration settings. See Webhooks
for the full event reference.
Choose your starting point
Not sure which product to start with? Use this guide:I want direct API control
Start with IngoPay API — call verify, then process. Full
control over every disbursement request.
I want a drop-in UI
Start with Embedded Account Capture — drop in the iFrame SDK
and let Ingo handle PCI-compliant account tokenization.
I want Ingo to manage recipient engagement
Start with Notify — Classic — stage a disbursement and let
Ingo handle authentication, verification, and OFAC screening.
I need multi-party approval flows
Start with Notify — Managed Parties — full party orchestration
with role delegation and engagement lifecycle management.
What you’ll need
Before you begin, contact your Ingo integration manager to receive:
- HMAC username — identifies your integration in the
Authorizationheader - HMAC secret — used locally to sign requests, never transmitted
- Participant identifier — identifies your account within API requests
- Sandbox credentials — for testing before go-live