Verify
Process
Webhooks
Debit Process — ACH
Pull funds from a bank account via Standard ACH or Same-Day ACH (v12 debit gateway).
curl --request POST \
--url https://payapi-sandbox.ingo.money/gateway/v12/debit/process--ach \
--header 'Authorization: <api-key>' \
--header 'Content-Type: application/json' \
--data '
{
"request": {
"participant_id": "12345",
"timestamp": "1547143063"
},
"transaction": {
"account_type": "AC",
"transaction_amount": {
"currency_code": "USD",
"amount": "101.96"
},
"participant_unique_ids": {
"participant_unique_id1": "eba1fff2-b74b-401f-957e-cc8a16c49408",
"participant_unique_id2": "cd5f2b0c-69be-458d-a3a5-5f96cf5171df"
},
"customer_account_token": "4153e416-d81d-4420-a494-9feceed4eef3",
"source_of_funds": 4,
"recipient_phone": "5555550100",
"risk_assessment_token": "36f6b449-fa29-4f9e-919f-ad1e6433f1d5",
"additional_detail": {
"source_name": "CorpDisb",
"descriptive_purpose": "Reimbursement"
}
},
"ledger": {
"api_key": "lk_live_abc123xyz",
"user_id": "usr_00456",
"entity_type": "program",
"entity_id": "ent_00789"
}
}
'{
"request": {
"participant_id": "12345",
"timestamp": "1547143063"
},
"response": {
"status": "100",
"message": "Success",
"duration": "1.1809"
},
"transaction": {
"estimated_posting_date": "04/23/2026",
"estimated_posting_time": "Payment will post 04/23/2026",
"transaction_id": "1237775",
"customer_account_token": "4153e416-d81d-4420-a494-9feceed4eef3",
"participant_unique_ids": {
"participant_unique_id1": "eba1fff2-b74b-401f-957e-cc8a16c49408",
"participant_unique_id2": "cd5f2b0c-69be-458d-a3a5-5f96cf5171df"
}
}
}Documentation Index
Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
All requests must be authenticated using an HMAC-signed Authorization header. Ingo Money requires HMAC-SHA512 for all new integrations. SHA-512 provides a significantly larger internal state and output length than SHA-256, making it substantially more resistant to length-extension attacks and brute-force preimage attempts — properties that matter for financial API traffic where each request authorizes a real money movement.
Legacy integrations using HMAC-SHA256 remain supported but are encouraged to upgrade. SHA-256 continues to meet the current minimum security bar; however, upgrading to SHA-512 eliminates an entire class of potential vulnerabilities before they become exploitable, and aligns with NIST guidance recommending SHA-2 family algorithms with 256-bit security strength or greater for long-term use. Contact your Ingo integration manager to coordinate an algorithm upgrade.
MD5 and SHA-1 are not accepted under any circumstances. Requests signed with either algorithm will be rejected.
Authorization header format:
Authorization: hmac username="YOUR_HMAC_USERNAME", algorithm="hmac-sha512", headers="request-line x-date content-type content-length content-sha512", signature="BASE64_SIGNATURE"
Credentials provisioned by your Ingo integration manager:
-
HMAC username — identifies your integration in the
Authorizationheaderusernamefield. Distinct from your participant identifier. -
HMAC secret — provisioned by your Ingo integration manager. The private key used to compute the signature. Never transmit this value — store it in a secrets manager or environment variable, never in source code.
-
Participant identifier — a separate value used to identify your account within the API request payload. The name and placement differs by product family. Both the HMAC username and participant identifier are provisioned at onboarding — do not substitute one for the other.
-
API key — required for select product families as an additional per-request credential. See product-specific documentation for applicability.
See the Ingo API Authentication Guide for the complete string-to-sign construction, body hashing requirements, and timestamp validation rules.
Body
General information associated with the API request.
General transaction information for the pull request.
Hide child attributes
Hide child attributes
Determines the payment rail. AC = Standard ACH, SD = Same-Day ACH.
AC, SD 1"AC"
Hide child attributes
Hide child attributes
3-character ISO-4217 (alpha) currency code.
3^[A-Z]{3}$"USD"
Amount in the currency indicated by currency_code. Must be greater than 0 with a maximum of 2 decimal places.
12"101.96"
Hide child attributes
Hide child attributes
Participant assigned transaction ID for the process request. Value must be unique and may not contain NPI data. Used for idempotency — a duplicate value returns an idempotent response without initiating a new pull request. Appears on daily reconciliation reports.
1 - 100"eba1fff2-b74b-401f-957e-cc8a16c49408"
Optional second participant assigned transaction ID. Does not appear on daily reconciliation reports.
100"cd5f2b0c-69be-458d-a3a5-5f96cf5171df"
Token representing the account number and customer data as provided in the response from a previous Verify API call.
1 - 254"4153e416-d81d-4420-a494-9feceed4eef3"
Funding source indicator: 1 = Cash, 2 = Check, 3 = Combo of Cash & Check, 4 = Corp Disbursement.
1, 2, 3, 4 4
10-digit recipient phone number.
^[0-9]{10}$"4045550100"
Additional transaction details specific to ACH. For ACH transactions, source_name and descriptive_purpose have a combined maximum of 21 characters.
Hide child attributes
Hide child attributes
Name of the transaction source as easily recognizable to the receiver. The first 10 characters are always accepted — additional characters may be truncated depending on the length of descriptive_purpose.
50"CorpDisb"
Description of the purpose of the transaction. The first 11 characters are always accepted — additional characters may be truncated depending on the length of source_name.
50"Reimbursement"
Associated risk assessment token returned by a prior RiskScore (/risk/riskscore/v2) response. Required when the client is configured to use the Ingo Risk API.
36"36f6b449-fa29-4f9e-919f-ad1e6433f1d5"
Retail store information. Required when the client is configured as a retail participant (retail flag enabled on client debit configuration).
Hide child attributes
Hide child attributes
Client assigned store ID.
1 - 254"STORE-001"
Client assigned clerk ID.
1 - 254"CLK-007"
Client assigned terminal ID.
1 - 254"TERM-042"
Card track data captured at point of sale. Required when the client is configured as a retail participant (retail flag enabled on client debit configuration).
Hide child attributes
Hide child attributes
URL-encoded Track 1 data from and including the beginning sentinel to and including the ending sentinel.
255^(%B)([0-9]{12,22})([/^])([\s\S]*)([/^])([0-9]{2})([0-9]{2})([0-9]*)([?])$"%B4111111111111111^ROCKETS/JOHNNY^2612101000000000000000000000000?"
Track 2 data from and including the beginning sentinel to and including the ending sentinel.
255^(;)([0-9]{12,22})(=)([0-9]{2})([0-9]{2})([0-9])*([?])$";4111111111111111=26121010000000000000?"
Client assigned retail location information. Required when the client is configured with the retail location flag (retail_object flag enabled on client debit configuration). This flag is independent of the retail flag — confirm with your Ingo integration manager.
Hide child attributes
Hide child attributes
Client assigned retail location name.
1 - 150"ABC Retail"
Client assigned retail location ID.
1 - 150"LOC-1234"
Client assigned retail location address.
1 - 150"456 Retail St."
Client assigned retail location city.
1 - 150"Atlanta"
Client assigned retail location state (standard US postal abbreviation).
2^(?:A[LKSZRAEP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])$"GA"
Client assigned retail location zip code.
1 - 10^[0-9]{5}(?:-[0-9]{4})?$"30333"
Required for clients configured for ledger service. Exclude entirely if not applicable to your integration.
Hide child attributes
Hide child attributes
API key associated with the ledger program.
1 - 100"lk_live_abc123xyz"
User ID associated with the ledger program.
1 - 100"usr_00456"
Entity type for the ledger. Accepted values: program, business, user.
program, business, user 1 - 50"program"
Entity ID associated with the ledger.
100"ent_00789"
Data about the transaction sender. Required for clients using certain sender-funded transaction configurations.
Hide child attributes
Hide child attributes
Address of the sender.
Hide child attributes
Hide child attributes
Street address line 1.
150"100 Innovation Way"
City.
150"Anytown"
State (standard two-letter postal abbreviation).
2"GA"
ZIP code (5-digit or zip+4 format).
10"00000"
Street address line 2 (optional).
150Telecommunications contact points for the sender.
Hide child attributes
Hide child attributes
Email address.
150"sender@example.com"
Home phone number. Digits only.
10"5555550100"
Mobile phone number. Digits only.
10"5555550101"
Retail store information. Required for clients using retail card-present configuration.
Hide child attributes
Hide child attributes
Retail location street address.
150"100 Innovation Way"
Retail location city.
150"Anytown"
Retail location state.
2"GA"
Retail location ZIP code.
10"00000"
Sender account identifier. Required for sender-funded debit transactions.
100"SENDER-ACCT-001"
Response
Pull payment accepted successfully
Outcome of the API call.
Transaction outcome data.
Hide child attributes
Hide child attributes
Provided on success. Estimated posting date.
"04/23/2026"
Provided on success. Estimated posting time narrative.
"Payment will post 04/23/2026"
Always provided on success and in certain failure conditions. Unique transaction identifier. Log this value — Ingo Payment Services will request it for support interactions.
"1237775"
Echo of value from request. Provided on success.
"4153e416-d81d-4420-a494-9feceed4eef3"
Echo of participant IDs from request.
Hide child attributes
Hide child attributes
Echo of participant_unique_id1 from request.
"eba1fff2-b74b-401f-957e-cc8a16c49408"
Echo of participant_unique_id2 from request if provided.
"cd5f2b0c-69be-458d-a3a5-5f96cf5171df"
curl --request POST \
--url https://payapi-sandbox.ingo.money/gateway/v12/debit/process--ach \
--header 'Authorization: <api-key>' \
--header 'Content-Type: application/json' \
--data '
{
"request": {
"participant_id": "12345",
"timestamp": "1547143063"
},
"transaction": {
"account_type": "AC",
"transaction_amount": {
"currency_code": "USD",
"amount": "101.96"
},
"participant_unique_ids": {
"participant_unique_id1": "eba1fff2-b74b-401f-957e-cc8a16c49408",
"participant_unique_id2": "cd5f2b0c-69be-458d-a3a5-5f96cf5171df"
},
"customer_account_token": "4153e416-d81d-4420-a494-9feceed4eef3",
"source_of_funds": 4,
"recipient_phone": "5555550100",
"risk_assessment_token": "36f6b449-fa29-4f9e-919f-ad1e6433f1d5",
"additional_detail": {
"source_name": "CorpDisb",
"descriptive_purpose": "Reimbursement"
}
},
"ledger": {
"api_key": "lk_live_abc123xyz",
"user_id": "usr_00456",
"entity_type": "program",
"entity_id": "ent_00789"
}
}
'{
"request": {
"participant_id": "12345",
"timestamp": "1547143063"
},
"response": {
"status": "100",
"message": "Success",
"duration": "1.1809"
},
"transaction": {
"estimated_posting_date": "04/23/2026",
"estimated_posting_time": "Payment will post 04/23/2026",
"transaction_id": "1237775",
"customer_account_token": "4153e416-d81d-4420-a494-9feceed4eef3",
"participant_unique_ids": {
"participant_unique_id1": "eba1fff2-b74b-401f-957e-cc8a16c49408",
"participant_unique_id2": "cd5f2b0c-69be-458d-a3a5-5f96cf5171df"
}
}
}