Skip to main content
POST
/
api
/
v1
/
sessions
/
point-in-time
/
plugin
Create Session
curl --request POST \
  --url https://iip-session-management-uat.ingo.money/api/v1/sessions/point-in-time/plugin \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Length: <content-length>' \
  --header 'Content-Type: <content-type>' \
  --header 'Content-sha512: <content-sha512>' \
  --header 'X-Date: <x-date>' \
  --data '
{
  "participant_unique_id1": "70646041-01ea-4cd6-b657-18ff88e465c7",
  "host_uri": "https://digitalpay-test.ingo.money",
  "language_locale_code": "en-US",
  "recipient_information": {
    "first_name": "Alex",
    "last_name": "Rivera",
    "business_name": "Acme Limited",
    "address_line1": "100 Innovation Way",
    "city": "Anytown",
    "state": "GA",
    "zip_code": "37233",
    "email_address": "jack.frost@example.com",
    "phone_number": "1231231234",
    "mobile_number": "1231231234",
    "open_banking": {
      "mobus_customer_id": "9999"
    }
  }
}
'
{
  "status": 100,
  "client_message": "Success",
  "data": {
    "session_identifier": "7830227a-ba47-4d28-9416-cad41a446db7",
    "authorized_url": "https://iip-webplugin-ingo.money/session/7830227a-ba47-4d28-9416-cad41a446db7?t=637126733246949906&h=rpSb%2f%2fAeOAKjX7%2fhhOQvj9zpvwf4xeg97TuPCMtpUg0%3d",
    "authorized_url_expiration_utc": "2019-12-10T20:14:19.763941Z",
    "participant_unique_id1": "1f271ff6-5b79-45b6-a71e-aa9d1b86c0d8",
    "participant_unique_id2": ""
  },
  "time": 0.8
}

Documentation Index

Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt

Use this file to discover all available pages before exploring further.

Headers

Authorization
string
required

HMAC-SHA512 signed authorization header built from the request line, X-Date, Content-Type, Content-Length, and SHA-512 body digest. HMAC-SHA256 is accepted for legacy integrations only.

Example:

"hmac username=\"YOUR_HMAC_USERNAME\", algorithm=\"hmac-sha512\", headers=\"request-line x-date content-type content-length content-sha512\", signature=\"BASE64_SIGNATURE\""

X-Date
string
required

RFC 7231 formatted UTC date and time of the request, used in HMAC signature computation.

Example:

"Tue, 01 Apr 2026 20:18:47 GMT"

Content-sha512
string
required

Base64-encoded SHA-512 hash of the raw request body. Required for all new integrations using HMAC-SHA512.

Example:

"z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+TW2kyaTeRs9mBqbH9v0w="

Content-sha256
string

Base64-encoded SHA-256 hash of the raw request body. Accepted for legacy integrations using HMAC-SHA256 only. New integrations should use Content-sha512.

Content-Length
integer
required

Byte length of the request body.

Example:

412

Content-Type
string
required
Example:

"application/json"

Idempotency-Key
string

Unique client-generated key (V4 UUID recommended) for safely retrying a session request without creating a duplicate session. Keys remain active for 2 hours. A status 101 response is returned when the same key is reused within that window.

Maximum string length: 250
Example:

"3f2a1b4c-9d8e-7f6a-5b4c-3d2e1f0a9b8c"

Body

application/json
participant_unique_id1
string
required

Participant-assigned ID for the session request. Carry this value forward to subsequent process requests for tracking.

Maximum string length: 100
Example:

"70646041-01ea-4cd6-b657-18ff88e465c7"

recipient_information
object
required

Client-provided recipient verification information.

participant_unique_id2
string

Optional second participant-assigned ID. Can also be carried forward to process requests for tracking.

Maximum string length: 100
Example:

"DEF-5678"

host_uri
string

URI of the hosting application (include protocol and hostname, e.g. https://digitalpay.ingo.money). Must be explicitly whitelisted in client configuration. Defaults to the first configured parent application host domain if omitted.

Maximum string length: 200
Example:

"https://digitalpay.ingo.money"

language_locale_code
enum<string>

IETF locale code specifying the language to use when launching the iFrame.

Available options:
ar-SA,
cs-CZ,
da-DK,
de-DE,
en-GB,
en-US,
es-ES,
es-US,
fa-IR,
fi-FI,
fr-FR,
hmn-Latn,
it-IT,
ja-JP,
km-KH,
ko-KR,
nb-NO,
nl-NL,
pl-PL,
pt-BR,
ru-RU,
sv-SE,
tl-PH,
tr-TR,
vi-VN,
zh-CN,
zh-Hans,
zh-TW
Maximum string length: 5
Example:

"en-US"

Response

Session created successfully, or idempotent response returned.

status
integer

Numeric status code. 100 = Success; 101 = Success (Idempotent — existing session returned, no new session created).

Example:

100

client_message
string

Human-readable description of the status code.

Example:

"Success"

data
object

Session identifiers and authorized launch URL.

time
number

Server-side request processing time in seconds.

Example:

0.8