Skip to main content
POST
/
gateway
/
verify--retail
curl --request POST \
  --url https://payapi-sandbox.ingo.money/gateway/verify--retail \
  --header 'Authorization: <api-key>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "participant_id": 12345,
  "account_type": "CA",
  "amount": 101,
  "recipient_first_name": "Alex",
  "recipient_last_name": "Rivera",
  "account": "411111XXXXXXXXXX",
  "expiration_date": "2612",
  "cvv": "123",
  "recipient_address1": "100 Innovation Way",
  "recipient_address2": "Apt 3",
  "recipient_city": "Anytown",
  "recipient_state": "GA",
  "recipient_zip": "00000",
  "recipient_phone": "1231231234",
  "store_id": "STORE-001",
  "terminal_id": "TERM-042",
  "clerk_id": "CLK-007",
  "participant_unique_id1": "fb746578-c4c3-498f-b398-1ff07b4fe2ff",
  "participant_unique_id2": "77d6b010-eab4-44dc-9a27-6ffa4838c9f2",
  "timestamp": 1579832224,
  "version": 11
}
'
{
  "status": 100,
  "client_message": "Success",
  "data": {
    "customer_account_token": "715b9903-7bcd-45ae-bc92-4092c8186d9f",
    "last_4": "1111",
    "request_timestamp": 1579832224,
    "issuers": [
      {
        "payee_id": "526263",
        "payee_name": "Bank of America - Platinum MasterCard and Visa",
        "payee_address": "PO Box 15019",
        "payee_city": "Wilmington",
        "payee_state": "DE",
        "payee_zip": "19850-5019",
        "credit_info": {
          "min": "0.05",
          "max": "1500.00",
          "card_type": "Debit",
          "estimated_posting_time": "Payment will post Next Business Day",
          "estimated_posting_date": "04/22/2026"
        },
        "issuing_network": "Visa",
        "credit_enabled": 1,
        "debit_enabled": 0
      }
    ],
    "participant_unique_id1": "fb746578-c4c3-498f-b398-1ff07b4fe2ff",
    "participant_unique_id2": "77d6b010-eab4-44dc-9a27-6ffa4838c9f2",
    "expiration_date": "2612",
    "count": 1
  },
  "time": "4.0146"
}

Documentation Index

Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

All requests must be authenticated using an HMAC-signed Authorization header. Ingo Money requires HMAC-SHA512 for all new integrations. SHA-512 provides a significantly larger internal state and output length than SHA-256, making it substantially more resistant to length-extension attacks and brute-force preimage attempts — properties that matter for financial API traffic where each request authorizes a real money movement.

Legacy integrations using HMAC-SHA256 remain supported but are encouraged to upgrade. SHA-256 continues to meet the current minimum security bar; however, upgrading to SHA-512 eliminates an entire class of potential vulnerabilities before they become exploitable, and aligns with NIST guidance recommending SHA-2 family algorithms with 256-bit security strength or greater for long-term use. Contact your Ingo integration manager to coordinate an algorithm upgrade.

MD5 and SHA-1 are not accepted under any circumstances. Requests signed with either algorithm will be rejected.

Authorization header format:

Authorization: hmac username="YOUR_HMAC_USERNAME", algorithm="hmac-sha512", headers="request-line x-date content-type content-length content-sha512", signature="BASE64_SIGNATURE"

Credentials provisioned by your Ingo integration manager:

  • HMAC username — identifies your integration in the Authorization header username field. Distinct from your participant identifier.

  • HMAC secret — provisioned by your Ingo integration manager. The private key used to compute the signature. Never transmit this value — store it in a secrets manager or environment variable, never in source code.

  • Participant identifier — a separate value used to identify your account within the API request payload. The name and placement differs by product family. Both the HMAC username and participant identifier are provisioned at onboarding — do not substitute one for the other.

  • API key — required for select product families as an additional per-request credential. See product-specific documentation for applicability.

See the Ingo API Authentication Guide for the complete string-to-sign construction, body hashing requirements, and timestamp validation rules.

Body

application/json

Provide either customer_account_token or raw account fields. For BP account type, also provide payee_id. store_id, clerk_id, and terminal_id are required when the client is configured as a retail participant — confirmed via client-level backend configuration.

participant_id
integer
required

Unique participant identifier assigned by Ingo.

Example:

12345

account_type
enum<string>
required

CA = card-present (debit or credit), BP = bill payment card-present.

Available options:
CA,
BP
Minimum string length: 1
Example:

"CA"

participant_unique_id1
string
required

Participant assigned ID to be associated with customer_account_token creation. Should correlate to participant assigned values affiliated with future process requests for tracking purposes. Must not contain NPI data.

Required string length: 1 - 255
Example:

"fb746578-c4c3-498f-b398-1ff07b4fe2ff"

timestamp
integer<int64>
required

Unix timestamp of the request.

Example:

1579832224

version
integer
required

API version of the request. Current version is 11.

Example:

11

payee_id
string

Ingo assigned payee ID for the selected biller. Required for BP account type. Obtain from the Biller Payments Search API prior to calling Verify.

Maximum string length: 40
Example:

"123457"

customer_account_token
string | null

Alternative to raw account data when the account was previously tokenized. If provided, raw account fields (account, expiration_date, recipient_first_name, recipient_last_name, recipient_address1, recipient_city, recipient_state, recipient_zip) are not required and should be omitted.

Required string length: 1 - 255
Example:

"ca875cce-58c0-46a0-8f14-676190cc7df6"

amount
number<float> | null

Dollar amount of disbursement. Max value determined by participant velocity limits.

Required range: x >= 0.01
Example:

101

recipient_first_name
string

Customer first name. Required unless customer_account_token is provided.

Required string length: 1 - 255
Example:

"Johnny"

recipient_last_name
string

Customer last name. Required unless customer_account_token is provided.

Required string length: 1 - 255
Example:

"Rockets"

recipient_business_name
string | null

Optional recipient business name.

Maximum string length: 150
Example:

null

account
string

Card or bill payment account number. Required unless customer_account_token is provided.

Required string length: 1 - 255
Example:

"411111XXXXXXXXXX"

expiration_date
string | null

Card expiration date in YYMM format. Conditionally required for CA based on client configuration (expiration_date_enabled flag). Not required for BP account type or if customer_account_token is provided.

Maximum string length: 4
Pattern: ^[0-9]{2}(0[1-9]|1[0-2])$
Example:

"2612"

cvv
string | null

CVV value (3–4 digits depending on card type). Conditionally required for CA based on client configuration (cvv_enabled flag). Never required for BP account type or if customer_account_token is provided.

Pattern: ^[0-9]{3,4}$
Example:

"123"

recipient_address1
string

Customer billing address line 1. Required unless customer_account_token is provided.

Required string length: 1 - 255
Example:

"123 Main St."

recipient_address2
string | null

Customer billing address line 2.

Maximum string length: 255
Example:

"Apt 3"

recipient_city
string

Customer billing city. Required unless customer_account_token is provided.

Required string length: 1 - 255
Example:

"Atlanta"

recipient_state
string

Customer billing state (standard US postal abbreviation). Required unless customer_account_token is provided.

Required string length: 2
Pattern: ^(?:A[LKSZRAEP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])$
Example:

"GA"

recipient_zip
string | null

Customer billing zip code. 5-digit zip or zip+4 in xxxxx-xxxx format. Required unless customer_account_token is provided.

Maximum string length: 10
Pattern: ^[0-9]{5}(?:-[0-9]{4})?$
Example:

"30313"

recipient_phone
string | null

10-digit recipient phone number.

Maximum string length: 10
Example:

"1231231234"

store_id
string

Client assigned store ID. Required when the client is configured as a retail participant (retail flag enabled in client configuration).

Required string length: 1 - 255
Example:

"STORE-001"

terminal_id
string

Client assigned terminal ID. Required when the client is configured as a retail participant (retail flag enabled in client configuration).

Required string length: 1 - 255
Example:

"TERM-042"

clerk_id
string

Client assigned clerk ID. Required when the client is configured as a retail participant (retail flag enabled in client configuration).

Required string length: 1 - 255
Example:

"CLK-007"

participant_unique_id2
string | null

Optional second participant assigned ID. Should be carried forward to future process requests for tracking purposes. Must not contain NPI data.

Maximum string length: 255
Example:

"77d6b010-eab4-44dc-9a27-6ffa4838c9f2"

Response

Verification successful — token returned

status
integer

Numeric code describing the status of the API request. 100 = Success.

Example:

100

client_message
string

Text description associated with the status code.

Example:

"Success"

data
object
time
string

Time in seconds to complete the request.

Example:

"4.0146"