For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
RegisterLoginSandbox Login
GuidesRecipesAPI Reference
GuidesRecipesAPI Reference
  • Product Overview
    • Products & Features
    • Key Concepts
  • Getting Started
    • Account Setup
    • Quickstart
  • Checkout
    • Settlement Locations
  • Payouts
    • Payout Overview
    • What is a Payout
  • Subscriptions
    • Subscriptions Overview
  • Marketplaces
    • Marketplace Overview
    • How Marketplaces Work
    • Marketplaces Webhooks
    • Marketplaces Implementation
  • Developer Resources
    • Custom Branding
    • Checkout Implementation
    • Webhooks
  • Merchant Dashboard
    • Login & Account Access
    • Users and Roles
    • Rate Limits
    • Developer Contact
LogoLogo
RegisterLoginSandbox Login
On this page
  • Part 1 — Card Checkout
  • Step 1 — Get a session key
  • Step 2 — Get a checkout JWT
  • Step 3 — Render the checkout component
  • Part 2 — Payout to a Bank Account
  • Step 1 — Get a session key
  • Step 2 — Embed the Bank Authentication UI
  • Step 3 — Get the withdrawer
  • Step 4 — Initiate the payout
  • What’s next
Getting Started

Quickstart

Take your first card payment with Coinflow’s pre-built UI SDK and send your first payout — both against the sandbox environment.

Was this page helpful?
Previous

How Checkout Works

An end-to-end look at how Coinflow Checkout collects payment from your customer, runs fraud and compliance checks, and settles funds to your destination of choice.

Next
Built with

This guide walks through two end-to-end flows against the sandbox environment — a card checkout and a payout to a bank account.

Before you start: Make sure you’ve completed Account Setup and have your sandbox API key and merchant ID ready.

Prefer Postman? Import the Card Checkout + Merchant Payouts collection to run every request in this guide with pre-wired variables. Set apiKey, merchantId, and userId in the collection variables and you’re ready to go.

Part 1 — Card Checkout

Three steps to take your first card payment:

  1. Get a session key — authorize the payer to your server (server-side)
  2. Get a checkout JWT — sign the cart details (server-side)
  3. Render the CoinflowPurchase component — display the card form (client-side)

Coinflow’s pre-built UI handles card capture, PCI-compliant tokenization, 3DS challenges, and fraud signals automatically. You don’t tokenize cards yourself unless you have your own PCI DSS AOC.

Step 1 — Get a session key

A session key is a short-lived JWT that ties the checkout to a specific payer. Generate it on your server using your internal user ID, then pass it to the front-end.

GET
/api/auth/session-key
1curl https://api-sandbox.coinflow.cash/api/auth/session-key \
2     -H "x-coinflow-auth-user-id: <apiKey>" \
3     -H "Content-Type: application/json"
Try it
Response
1{
2  "key": "a1b2c3d4e5f67890abcdef1234567890"
3}

Session keys are valid for 24 hours. Refresh when expired.

Step 2 — Get a checkout JWT

The checkout JWT signs the cart payload (amount, customer email, chargeback-protection data) so the front-end can’t tamper with it. Generate it on your server right before rendering the checkout component.

POST
/api/checkout/jwt-token
1curl -X POST https://api-sandbox.coinflow.cash/api/checkout/jwt-token \
2     -H "Authorization: <apiKey>" \
3     -H "Content-Type: application/json" \
4     -d '{}'
Try it
Response
1{
2  "checkoutJwtToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
3}

Send key (from Step 1) and checkoutJwtToken (from Step 2) to your front-end.

Step 3 — Render the checkout component

Install the React SDK and render CoinflowPurchase with the two tokens. Coinflow handles the rest — card entry UI, validation, PCI-compliant tokenization, 3DS, fraud scoring, and settlement to your Coinflow Wallet.

$npm install @coinflowlabs/react
Checkout.tsx
1import { CoinflowPurchase, Currency } from '@coinflowlabs/react';
2
3export function Checkout({ sessionKey, jwtToken }: { sessionKey: string; jwtToken: string }) {
4  return (
5    <CoinflowPurchase
6      merchantId="YOUR_MERCHANT_ID"
7      env="sandbox" // switch to "prod" when going live
8      sessionKey={sessionKey}
9      jwtToken={jwtToken}
10      subtotal={{ cents: 100, currency: Currency.USD }}
11      email="payer@example.com"
12      onSuccess={(paymentId) => {
13        console.log('Payment successful:', paymentId);
14        // Redirect to your success page
15      }}
16    />
17  );
18}

That’s a payment. When onSuccess fires, funds have settled to your Coinflow Wallet. Coinflow’s chargeback protection and 3DS are layered in by default — see Adding Chargeback Protection and About 3D Secure to tune them.

Sandbox test cards: 5204247750001471 (Mastercard) or any card from the testing guide.

Alternative: Direct API integration (PCI-compliant merchants only)

If you hold your own PCI DSS AOC and want a fully custom UI, you can tokenize and charge cards via the API directly without rendering the CoinflowPurchase component. Contact support@coinflowlabs.app to provision the tokenization credentials your requests need.

Tokenize the card:

POST
/api/tokenize
1curl -X POST https://api-sandbox.coinflow.cash/api/tokenize \
2     -H "tx-token-scheme: sixANTOKENfour" \
3     -H "tx-tokenex-id: tx-tokenex-id" \
4     -H "tx-apikey: tx-apikey" \
5     -H "Authorization: <apiKey>" \
6     -H "Content-Type: application/json" \
7     -d '{}'
Try it
Response
1{
2  "token": "tok_1a2b3c4d5e6f7g8h9i0j",
3  "firstSix": "411111",
4  "lastFour": "1111",
5  "referenceNumber": "REF123456789",
6  "success": true,
7  "error": "",
8  "message": "Tokenization successful"
9}

Submit the payment with the returned token as card.cardToken:

POST
/api/checkout/card/:merchantId
1curl -X POST https://api-sandbox.coinflow.cash/api/checkout/card/merchantId \
2     -H "x-coinflow-auth-session-key: <apiKey>" \
3     -H "Content-Type: application/json" \
4     -d '{
5  "subtotal": {
6    "cents": 1,
7    "currency": "USD"
8  },
9  "card": {
10    "cardToken": "string",
11    "expYear": "string",
12    "expMonth": "string",
13    "email": "string",
14    "firstName": "string",
15    "lastName": "string",
16    "address1": "string",
17    "city": "string",
18    "country": "string"
19  }
20}'
Try it
Response
1{
2  "paymentId": "string",
3  "authorizationExpiration": "string"
4}

Fetch full payment details any time:

GET
/api/merchant/payments/enhanced/:paymentId
1curl https://api-sandbox.coinflow.cash/api/merchant/payments/enhanced/paymentId \
2     -H "Authorization: <apiKey>"
Try it

Part 2 — Payout to a Bank Account

Four steps to pay a user out from your Coinflow Wallet:

  1. Get a session key for the withdrawer (server-side)
  2. Embed the Bank Authentication UI — Coinflow’s hosted UI handles KYC and bank linking in one flow (client-side)
  3. Get the withdrawer to retrieve the linked bank account token (server-side)
  4. Initiate the payout (server-side)

Step 1 — Get a session key

Generate a session key tied to your internal user ID. You’ll pass it into the bank-link URL in the next step.

GET
/api/auth/session-key
1curl https://api-sandbox.coinflow.cash/api/auth/session-key \
2     -H "x-coinflow-auth-user-id: <apiKey>" \
3     -H "Content-Type: application/json"
Try it
Response
1{
2  "key": "a1b2c3d4e5f67890abcdef1234567890"
3}

Step 2 — Embed the Bank Authentication UI

Coinflow’s hosted UI handles KYC verification and bank/card linking end-to-end — you don’t have to build any of it. Drop the URL below into an iframe, replacing YOUR_MERCHANT_ID and SESSION_KEY_FROM_STEP_1 with your own values.

iframe
1<iframe
2  src="https://sandbox.coinflow.cash/user/withdraw/YOUR_MERCHANT_ID?sessionKey=SESSION_KEY_FROM_STEP_1&bankAccountLinkRedirect=https%3A%2F%2Fyourapp.com%2Fpayout-complete"
3  allow="payment"
4  style="width:100%;height:600px;border:none;"
5/>
ParameterDescription
sessionKeyThe JWT from Step 1.
bankAccountLinkRedirectURL-encoded URL Coinflow redirects to once the user finishes linking.

When the user completes linking, the iframe emits a postMessage with method: "accountLinked". Listen for it on your page so you know when to advance the flow. See Listen for Successful Account Link Messages for a complete example.

Production URL: swap sandbox.coinflow.cash for coinflow.cash when going live. See the full Bank Authentication UI guide for show-only-cards/show-only-banks options and iframe origin configuration.

Step 3 — Get the withdrawer

After the user finishes linking, fetch the withdrawer record to retrieve the linked bank account’s token. You’ll pass this token into the payout request in Step 4.

GET
/api/withdraw
1curl https://api-sandbox.coinflow.cash/api/withdraw \
2     -H "x-coinflow-auth-wallet: <apiKey>"
Try it
Response
1{
2  "withdrawer": {
3    "_id": "string",
4    "wallet": "string",
5    "blockchain": "solana",
6    "wallets": [
7      {
8        "wallet": "string",
9        "blockchain": "solana"
10      }
11    ],
12    "email": "string",
13    "availability": {
14      "status": "Functional",
15      "reason": "string",
16      "editor": "string",
17      "updatedAt": "2024-01-15T09:30:00Z"
18    },
19    "currency": "USD",
20    "merchant": "string",
21    "verification": {
22      "reference": "string",
23      "status": "pending",
24      "vendor": "middesk",
25      "name": "string",
26      "attested": true,
27      "shareToken": "string",
28      "shareTokenStatus": "string",
29      "sessionToken": "string"
30    },
31    "riskScoreOverride": true,
32    "country": "string",
33    "bankAccounts": [
34      {
35        "last4": "string",
36        "accountHash": "string",
37        "alias": "string",
38        "token": "string",
39        "reference": "string",
40        "accountNumberOnlyHash": "string",
41        "isDeleted": true,
42        "isTokenized": true,
43        "accountNumber": "string"
44      }
45    ],
46    "cards": [
47      {
48        "last4": "string",
49        "token": "string",
50        "type": "VISA",
51        "disbursementStatus": "Immediate",
52        "createdAt": "2024-01-15T09:30:00Z",
53        "isDeleted": true,
54        "currency": "USD",
55        "nameOnCard": "string",
56        "expMonth": "string",
57        "expYear": "string"
58      }
59    ],
60    "ibans": [
61      {
62        "last4": "string",
63        "accountHash": "string",
64        "alias": "string",
65        "token": "string",
66        "reference": "string",
67        "sortCode": "string",
68        "bic": "string"
69      }
70    ],
71    "pixes": [
72      {
73        "key": "string",
74        "accountHash": "string",
75        "token": "string"
76      }
77    ],
78    "efts": [
79      {
80        "accountHash": "string",
81        "alias": "string",
82        "token": "string",
83        "reference": "string",
84        "mask": "string",
85        "isDeleted": true,
86        "accountNumber": "string",
87        "institutionId": "string",
88        "institution": "string",
89        "transit_number": "string"
90      }
91    ],
92    "p2cAvailable": true,
93    "applePayAvailable": true,
94    "bankCurrencyOptions": [
95      "USD"
96    ],
97    "originalCurrency": "USD",
98    "geoBlockOverride": {
99      "reason": "string",
100      "setBy": "string",
101      "setAt": "2024-01-15T09:30:00Z",
102      "expiresAt": "2024-01-15T09:30:00Z"
103    },
104    "createdAt": "2024-01-15T09:30:00Z",
105    "venmo": {
106      "alias": "string",
107      "token": "string",
108      "type": "venmo",
109      "isDeleted": true
110    },
111    "paypal": {
112      "alias": "string",
113      "token": "string",
114      "type": "paypal",
115      "isDeleted": true
116    },
117    "interac": {
118      "alias": "string",
119      "token": "string",
120      "type": "interac",
121      "isDeleted": true
122    }
123  }
124}

The response includes bankAccounts[] (and/or cards[], ibans[], pixes[] depending on what the user linked). Grab bankAccounts[0].token — that’s the account identifier you’ll use next.

Step 4 — Initiate the payout

Send the payout from your Coinflow Wallet to the withdrawer’s linked bank account. This example sends $3.00 via the fastest available rail.

POST
/api/merchant/withdraws/payout/delegated
1curl -X POST https://api-sandbox.coinflow.cash/api/merchant/withdraws/payout/delegated \
2     -H "Authorization: <apiKey>" \
3     -H "Content-Type: application/json" \
4     -d '{
5  "speed": "same_day",
6  "account": "card_4f3a2b1c9d8e7f6a",
7  "userId": "user_1234567890",
8  "idempotencyKey": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
9  "amount": {
10    "cents": 25000
11  }
12}'
Try it
Response
1{
2  "signature": "3045022100dff9a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789ab02207c9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e",
3  "effectiveSpeed": "same_day"
4}

Use the withdrawalId to check status at any time:

GET
/api/merchant/withdraws/:withdrawalId
1curl https://api-sandbox.coinflow.cash/api/merchant/withdraws/withdrawalId \
2     -H "Authorization: <apiKey>"
Try it

That’s a payout. Funds are on their way to the withdrawer’s bank account. The asap speed uses RTP for instant delivery where available, falling back to Same-Day ACH. Learn about payout speeds →

What’s next

Testing Guide

Test card numbers, bank accounts, and edge cases for sandbox testing.

Webhooks

Receive real-time notifications when payments and payouts change status.

Chargeback Protection

Add fraud scoring and chargeback coverage to card payments.

Payout Speeds

Understand RTP, Same-Day ACH, and standard ACH options and fees.