Stage Disbursement
Stage a disbursement notification for a single recipient via Notify v3.
curl --request POST \
--url https://payapi-sandbox.ingo.money/gateway/v3/notify \
--header 'Authorization: <api-key>' \
--header 'Content-Type: application/json' \
--data '
{
"participant_id": 12345,
"amount": "250.00",
"workflow_id": 1,
"participant_unique_id1": "a4f1b2c3-d456-789e-f012-34567890abcd",
"participant_unique_id2": "b5e2c3d4-e567-890f-a123-456789012345",
"tracer_id": "trc-20260422-001",
"recipient": {
"customer_id": "cust-001",
"first_name": "Alex",
"last_name": "Rivera",
"email": "johnny.rockets@example.com",
"mobile": "5555550100",
"address1": "100 Innovation Way",
"address2": "",
"city": "Anytown",
"state": "GA",
"zip": "00000",
"phone": "5555550100"
},
"authentication_records": [
{
"field_label": "Last 4 SSN",
"field_order": 1,
"validation_type": 1,
"match_failure_type": 1,
"value_format": "XXXX",
"client_provided_value": "1234"
}
],
"notification_records": [
{
"field_label": "Account",
"client_provided_value": "Checking Account ending 5678"
}
]
}
'{
"status": 100,
"client_message": "Success",
"data": {
"notification_id": 9876543,
"tracer_id": "trc-20260422-001"
}
}Documentation Index
Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
All requests must be authenticated using an HMAC-signed Authorization header. Ingo Money requires HMAC-SHA512 for all new integrations. SHA-512 provides a significantly larger internal state and output length than SHA-256, making it substantially more resistant to length-extension attacks and brute-force preimage attempts — properties that matter for financial API traffic where each request authorizes a real money movement.
Legacy integrations using HMAC-SHA256 remain supported but are encouraged to upgrade. SHA-256 continues to meet the current minimum security bar; however, upgrading to SHA-512 eliminates an entire class of potential vulnerabilities before they become exploitable, and aligns with NIST guidance recommending SHA-2 family algorithms with 256-bit security strength or greater for long-term use. Contact your Ingo integration manager to coordinate an algorithm upgrade.
MD5 and SHA-1 are not accepted under any circumstances. Requests signed with either algorithm will be rejected.
Authorization header format:
Authorization: hmac username="YOUR_HMAC_USERNAME", algorithm="hmac-sha512", headers="request-line x-date content-type content-length content-sha512", signature="BASE64_SIGNATURE"
Credentials provisioned by your Ingo integration manager:
-
HMAC username — identifies your integration in the
Authorizationheaderusernamefield. Distinct from your participant identifier. -
HMAC secret — provisioned by your Ingo integration manager. The private key used to compute the signature. Never transmit this value — store it in a secrets manager or environment variable, never in source code.
-
Participant identifier — a separate value used to identify your account within the API request payload. The name and placement differs by product family. Both the HMAC username and participant identifier are provisioned at onboarding — do not substitute one for the other.
-
API key — required for select product families as an additional per-request credential. See product-specific documentation for applicability.
See the Ingo API Authentication Guide for the complete string-to-sign construction, body hashing requirements, and timestamp validation rules.
Body
authentication_records[] is required by default but may be optional based on client OTAC configuration. recipient.mobile conditionality depends on OTAC configuration.
Unique participant identifier assigned by Ingo.
12345
Dollar amount of the disbursement. Must be greater than 0 with a maximum of 2 decimal places.
10"250.00"
Ingo assigned workflow ID that determines the notification and authentication flow for the recipient. Assigned during client onboarding.
1
Participant assigned transaction ID. Must be unique. Used for idempotency — a duplicate value returns an idempotent response. Appears on daily reconciliation reports.
1 - 100"a4f1b2c3-d456-789e-f012-34567890abcd"
Information about the disbursement recipient. Provide either first_name + last_name or business_name — not both. business_name requires client-level configuration. mobile conditionality depends on OTAC configuration.
Hide child attributes
Hide child attributes
Client assigned unique identifier for the customer.
100"cust-001"
Recipient email address. The disbursement notification is sent to this address.
1 - 150"johnny.rockets@example.com"
Recipient address line 1.
1 - 150"123 Main St."
Recipient city.
1 - 150"Atlanta"
Recipient state (standard US postal abbreviation).
2^(?:A[LKSZRAEP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])$"GA"
Recipient zip code. 5-digit or zip+4 in xxxxx-xxxx format.
10^[0-9]{5}(?:-[0-9]{4})?$"30313"
Recipient first name. Required unless business_name is provided.
1 - 150"Johnny"
Recipient last name. Required unless business_name is provided.
1 - 150"Rockets"
Recipient business name. Provide instead of first_name and last_name for business recipients. Requires enable_business_name client configuration.
1 - 150null
10-digit recipient mobile number. Conditionality depends on OTAC client configuration. Required when otac_enabled is true and otac_allow_same_delivery is false.
1 - 10"4045551234"
Optional recipient address line 2.
150"Apt 3"
Optional 10-digit recipient home/office phone number.
10"4045554321"
Optional second participant assigned transaction ID.
100"b5e2c3d4-e567-890f-a123-456789012345"
Optional client assigned tracer ID for tracking the request. If not provided, Ingo generates one and returns it in the response.
254"trc-20260422-001"
Optional language code for the recipient notification. Required when the client is configured for alternate language support (alternate_language_enabled).
8"es"
Optional URL to a document to be embedded in the recipient notification. Required when the client is configured for document embedding (document_embedding_enabled).
2048"https://example.com/documents/agreement.pdf"
Optional joint recipient information for joint account disbursements.
Hide child attributes
Hide child attributes
Joint recipient first name.
1 - 150"Jane"
Joint recipient last name.
1 - 150"Rockets"
Joint recipient email address.
1 - 150"jane.rockets@example.com"
10-digit joint recipient mobile number.
1 - 10"4045559876"
Joint recipient address line 1.
1 - 150"123 Main St."
Optional joint recipient address line 2.
150"Apt 3"
Joint recipient city.
1 - 150"Atlanta"
Joint recipient state (standard US postal abbreviation).
2^(?:A[LKSZRAEP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])$"GA"
Joint recipient zip code.
10^[0-9]{5}(?:-[0-9]{4})?$"30313"
10-digit joint recipient home/office phone number.
1 - 10"4045558765"
Optional approver information. When provided, the approver is notified and must approve the disbursement before it is released to the recipient.
Hide child attributes
Hide child attributes
Approver first name.
1 - 150"Bob"
Approver last name.
1 - 150"Smith"
Approver email address.
1 - 150"bob.smith@example.com"
10-digit approver mobile number.
1 - 10"4045557890"
Array of authentication challenge records used to verify the recipient's identity before releasing the disbursement. Required by default — may be optional based on client OTAC configuration. Maximum 20 records.
1 - 20 elementsHide child attributes
Hide child attributes
Display label for the authentication field shown to the recipient. Accepts letters, numbers, hyphens, forward slashes, and spaces.
1 - 50^[A-Za-z0-9\-\/ ]+$"Last 4 SSN"
Display order for the authentication field. Must be unique within the array.
1 <= x <= 991
Validation behavior type. 1 = exact match required, 2 = partial match allowed.
1, 2 1
Behavior on match failure. 1 = block disbursement, 2 = allow with flag.
1, 2 1
Mask format string defining how the value is displayed to the recipient (e.g. XXXX for last-4 masking).
250"XXXX"
The actual value the recipient must match to authenticate the disbursement.
1 - 100"1234"
Optional array of supplemental notification records displayed in the recipient notification. Certain records may be required based on client configuration.
Hide child attributes
Hide child attributes
Response
Notification submitted successfully
Numeric code describing the status of the API request. 100 = Success.
100
Text description associated with the status code.
"Success"
Hide child attributes
Hide child attributes
Ingo assigned unique identifier for the staged disbursement notification. Retain this value — it is required for cancel operations.
9876543
Tracer ID associated with the notification. Echo of the value provided on the request, or Ingo-generated if not provided.
"trc-20260422-001"
curl --request POST \
--url https://payapi-sandbox.ingo.money/gateway/v3/notify \
--header 'Authorization: <api-key>' \
--header 'Content-Type: application/json' \
--data '
{
"participant_id": 12345,
"amount": "250.00",
"workflow_id": 1,
"participant_unique_id1": "a4f1b2c3-d456-789e-f012-34567890abcd",
"participant_unique_id2": "b5e2c3d4-e567-890f-a123-456789012345",
"tracer_id": "trc-20260422-001",
"recipient": {
"customer_id": "cust-001",
"first_name": "Alex",
"last_name": "Rivera",
"email": "johnny.rockets@example.com",
"mobile": "5555550100",
"address1": "100 Innovation Way",
"address2": "",
"city": "Anytown",
"state": "GA",
"zip": "00000",
"phone": "5555550100"
},
"authentication_records": [
{
"field_label": "Last 4 SSN",
"field_order": 1,
"validation_type": 1,
"match_failure_type": 1,
"value_format": "XXXX",
"client_provided_value": "1234"
}
],
"notification_records": [
{
"field_label": "Account",
"client_provided_value": "Checking Account ending 5678"
}
]
}
'{
"status": 100,
"client_message": "Success",
"data": {
"notification_id": 9876543,
"tracer_id": "trc-20260422-001"
}
}