Verify
Process
Webhooks
Verify — BillPay
Tokenize a biller account for BillPay push disbursements.
curl --request POST \
--url https://payapi-sandbox.ingo.money/gateway/verify--billpay \
--header 'Authorization: <api-key>' \
--header 'Content-Type: application/json' \
--data '
{
"participant_id": 12345,
"payee_id": "123457",
"timestamp": 1587052132,
"version": 11,
"participant_unique_id1": "f8f68709-8e5d-4c19-8ca0-2eaffef4ec57",
"account": "12345678",
"recipient_first_name": "Alex",
"recipient_last_name": "Rivera",
"recipient_address1": "100 Innovation Way",
"recipient_address2": "Apt 2",
"recipient_city": "Anytown",
"recipient_state": "GA",
"recipient_zip": "00000",
"recipient_phone": "1231231234",
"amount": 1010.5,
"participant_unique_id2": "257b5bae-d52f-42e2-8f2c-0700d8d7a7a5",
"account_type": "BP"
}
'{
"status": 100,
"client_message": "Success",
"data": {
"customer_account_token": "a74eacf4-32e8-4081-b69c-565a89dd6cf1",
"last_4": "5678",
"request_timestamp": 1587052142,
"issuers": [
{
"payee_id": "123457",
"payee_name": "First Service Middle Jersey",
"payee_address": "PO Box 5555",
"payee_city": "Secaucus",
"payee_state": "NJ",
"payee_zip": "07032-0310",
"credit_info": {
"min": "5.00",
"max": "2000.00",
"card_type": "NA",
"estimated_posting_time": "Payment will post 04/17/2026",
"estimated_posting_date": "04/17/2026"
},
"issuing_network": "NA",
"credit_enabled": 1,
"debit_enabled": 0
}
],
"participant_unique_id1": "f8f68709-8e5d-4c19-8ca0-2eaffef4ec57",
"participant_unique_id2": "257b5bae-d52f-42e2-8f2c-0700d8d7a7a5",
"count": 1
},
"time": "1.6832"
}Documentation Index
Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
All requests must be authenticated using an HMAC-signed Authorization header. Ingo Money requires HMAC-SHA512 for all new integrations. SHA-512 provides a significantly larger internal state and output length than SHA-256, making it substantially more resistant to length-extension attacks and brute-force preimage attempts — properties that matter for financial API traffic where each request authorizes a real money movement.
Legacy integrations using HMAC-SHA256 remain supported but are encouraged to upgrade. SHA-256 continues to meet the current minimum security bar; however, upgrading to SHA-512 eliminates an entire class of potential vulnerabilities before they become exploitable, and aligns with NIST guidance recommending SHA-2 family algorithms with 256-bit security strength or greater for long-term use. Contact your Ingo integration manager to coordinate an algorithm upgrade.
MD5 and SHA-1 are not accepted under any circumstances. Requests signed with either algorithm will be rejected.
Authorization header format:
Authorization: hmac username="YOUR_HMAC_USERNAME", algorithm="hmac-sha512", headers="request-line x-date content-type content-length content-sha512", signature="BASE64_SIGNATURE"
Credentials provisioned by your Ingo integration manager:
-
HMAC username — identifies your integration in the
Authorizationheaderusernamefield. Distinct from your participant identifier. -
HMAC secret — provisioned by your Ingo integration manager. The private key used to compute the signature. Never transmit this value — store it in a secrets manager or environment variable, never in source code.
-
Participant identifier — a separate value used to identify your account within the API request payload. The name and placement differs by product family. Both the HMAC username and participant identifier are provisioned at onboarding — do not substitute one for the other.
-
API key — required for select product families as an additional per-request credential. See product-specific documentation for applicability.
See the Ingo API Authentication Guide for the complete string-to-sign construction, body hashing requirements, and timestamp validation rules.
Body
Provide either customer_account_token or the raw account fields (account, recipient_first_name, recipient_last_name, recipient_address1, recipient_city, recipient_state, recipient_zip) — never both.
Unique participant identifier assigned by Ingo.
12345
Ingo assigned payee ID for the selected biller. Obtain from the Biller Payments Search API prior to calling Verify.
40"123457"
Unix timestamp of the request.
1587052132
API version of the request. Current version is 11.
11
Participant assigned ID to be associated with customer_account_token creation. Should correlate to participant assigned values affiliated with future process requests for tracking purposes (e.g. CustomerID or AccountID). Must not contain NPI data.
1 - 255"f8f68709-8e5d-4c19-8ca0-2eaffef4ec57"
Always BP for bill payment transactions.
BP 1"BP"
Alternative to raw account data when the account was previously tokenized. If provided, the following fields are not required and should be omitted: account, recipient_first_name, recipient_last_name, recipient_address1, recipient_city, recipient_state, recipient_zip.
1 - 255"a74eacf4-32e8-4081-b69c-565a89dd6cf1"
Customer bill payment account number. Required unless a valid customer_account_token is provided.
1 - 255"12345678"
Customer first name. Required unless a valid customer_account_token is provided.
1 - 255"Johnny"
Customer last name. Required unless a valid customer_account_token is provided.
1 - 255"Rockets"
Optional recipient business name.
150"Rockets LLC"
Customer billing address line 1. Required unless a valid customer_account_token is provided.
1 - 255"123 Main St"
Customer billing city. Required unless a valid customer_account_token is provided.
1 - 255"Atlanta"
Customer billing state (standard US postal abbreviation). Required unless a valid customer_account_token is provided.
2^(?:A[LKSZRAEP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])$"GA"
Customer billing zip code. 5-digit zip or zip+4 in xxxxx-xxxx format. Required unless a valid customer_account_token is provided.
10^[0-9]{5}(?:-[0-9]{4})?$"30313"
Customer billing address line 2.
255"Apt 2"
Optional recipient email address.
255"johnny.rockets@example.com"
10-digit recipient phone number.
10"1231231234"
Optional second participant assigned ID to be associated with customer_account_token creation. Should be carried forward to future process requests for tracking purposes. Must not contain NPI data.
255"257b5bae-d52f-42e2-8f2c-0700d8d7a7a5"
Dollar amount of disbursement. Max value determined by participant velocity limits.
x >= 0.011010.5
Response
Verification successful — token returned
Numeric code describing the status of the API request. 100 = Success.
100
Text description associated with the status code.
"Success"
Hide child attributes
Hide child attributes
GUID — unique value generated based upon account and recipient data. Use this token in all subsequent Process requests for this account.
"a74eacf4-32e8-4081-b69c-565a89dd6cf1"
The last 4 digits of the account number.
"5678"
Unix timestamp of the request.
1587052142
Information about the issuer (biller).
Hide child attributes
Hide child attributes
The Ingo assigned ID for the payee.
"123457"
Name of the payee (biller).
"First Service Middle Jersey"
Payee address.
"PO Box 5555"
Payee city.
"Secaucus"
Payee state.
"NJ"
Payee zip code.
"07032-0310"
Information regarding limits for push (credit) transactions. Returned if participant is enabled for push processing.
Hide child attributes
Hide child attributes
Minimum amount accepted for a push transaction.
"5.00"
Maximum amount accepted for a push transaction.
"2000.00"
Account type identifier.
"NA"
Estimated posting time narrative.
"Payment will post 04/17/2026"
Estimated posting date.
"04/17/2026"
Issuing network identifier.
"NA"
Whether the account is enabled for push (credit) transactions. 1 = Enabled, 0 = Not enabled.
0, 1 1
Whether the account is enabled for pull (debit) transactions. 1 = Enabled, 0 = Not enabled.
0, 1 0
Echo of participant assigned ID for the verify request.
"f8f68709-8e5d-4c19-8ca0-2eaffef4ec57"
Echo of optional second participant assigned ID for the verify request.
"257b5bae-d52f-42e2-8f2c-0700d8d7a7a5"
Number of issuers returned.
1
Time in seconds to complete the request.
"1.6832"
curl --request POST \
--url https://payapi-sandbox.ingo.money/gateway/verify--billpay \
--header 'Authorization: <api-key>' \
--header 'Content-Type: application/json' \
--data '
{
"participant_id": 12345,
"payee_id": "123457",
"timestamp": 1587052132,
"version": 11,
"participant_unique_id1": "f8f68709-8e5d-4c19-8ca0-2eaffef4ec57",
"account": "12345678",
"recipient_first_name": "Alex",
"recipient_last_name": "Rivera",
"recipient_address1": "100 Innovation Way",
"recipient_address2": "Apt 2",
"recipient_city": "Anytown",
"recipient_state": "GA",
"recipient_zip": "00000",
"recipient_phone": "1231231234",
"amount": 1010.5,
"participant_unique_id2": "257b5bae-d52f-42e2-8f2c-0700d8d7a7a5",
"account_type": "BP"
}
'{
"status": 100,
"client_message": "Success",
"data": {
"customer_account_token": "a74eacf4-32e8-4081-b69c-565a89dd6cf1",
"last_4": "5678",
"request_timestamp": 1587052142,
"issuers": [
{
"payee_id": "123457",
"payee_name": "First Service Middle Jersey",
"payee_address": "PO Box 5555",
"payee_city": "Secaucus",
"payee_state": "NJ",
"payee_zip": "07032-0310",
"credit_info": {
"min": "5.00",
"max": "2000.00",
"card_type": "NA",
"estimated_posting_time": "Payment will post 04/17/2026",
"estimated_posting_date": "04/17/2026"
},
"issuing_network": "NA",
"credit_enabled": 1,
"debit_enabled": 0
}
],
"participant_unique_id1": "f8f68709-8e5d-4c19-8ca0-2eaffef4ec57",
"participant_unique_id2": "257b5bae-d52f-42e2-8f2c-0700d8d7a7a5",
"count": 1
},
"time": "1.6832"
}