โŒ• Search docs... โŒ˜K
โ— Live

VaultPay API Reference

Accept payments, manage customers, and automate payouts with a single, unified API. Built for developers who need reliability at scale.

https://api.vaultpay.com/v2

Authentication

VaultPay uses API keys to authenticate requests. Include your secret key in the Authorization header as a Bearer token. Keep your secret keys secure. Never expose them in client-side code or public repositories.

โ„น

Use keys prefixed with sk_test_ for sandbox and sk_live_ for production. Test mode transactions never hit real payment networks.

๐Ÿ–ฅ
Your Server
โ†’
๐Ÿ”‘
API Key in Header
โ†’
๐Ÿ›ก
VaultPay Verifies
โ†’
โœ“
Response
cURL Python Node.js 
curl https://api.vaultpay.com/v2/payments \
  -H "Authorization: Bearer sk_live_YOUR_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -H "VP-Version: 2024-11-15"

SDKs & Libraries

Official client libraries for the most popular languages. Each SDK handles authentication, retries, and serialization automatically.

Python
pip install vaultpay
v3.8.1 ยท Updated 3 days ago
Node.js
npm i @vaultpay/node
v4.2.0 ยท Updated 1 week ago
Go
go get vaultpay.com/go
v2.1.3 ยท Updated 2 weeks ago
Ruby
gem install vaultpay
v5.0.0 ยท Updated 5 days ago
Java
com.vaultpay:sdk:6.3.2
v6.3.2 ยท Updated 2 weeks ago
.NET
dotnet add VaultPay.Net
v3.0.1 ยท Updated 4 days ago

Error Handling

VaultPay returns conventional HTTP status codes and a structured JSON error body. Errors include a machine-readable code, a human-readable message, and an optional param field pointing to the invalid input.

type The error category: api_error, card_error, validation_error, authentication_error
code Machine-readable error code, e.g. card_declined, insufficient_funds
message A human-friendly explanation suitable for displaying to end users
param The request parameter that caused the error (if applicable)
request_id A unique identifier for the request. Include this in support tickets.
Error Response
{
  "error": {
    "type": "card_error",
    "code": "card_declined",
    "message": "The card was declined. Please try a different payment method.",
    "param": "payment_method",
    "request_id": "req_7xK9mRtL3vN2"
  }
}

HTTP Status Codes

200OK: Request succeeded
201Created: Resource successfully created
400Bad Request: Invalid parameters or malformed JSON
401Unauthorized: Missing or invalid API key
403Forbidden: Key lacks required permissions
404Not Found: Requested resource does not exist
409Conflict: Idempotency key reused with different parameters
422Unprocessable: Parameters valid but request cannot be completed
429Too Many Requests: Rate limit exceeded
500Server Error: Something went wrong on our end
503Service Unavailable: Temporary outage, retry with backoff

Rate Limits

Rate limits are enforced per API key. When you exceed your limit, subsequent requests return 429 Too Many Requests. Use the Retry-After header to determine when to retry.

Starter
100
requests / second
Burst up to 150 req/s
10,000 req/day cap
Growth
500
requests / second
Burst up to 750 req/s
Unlimited daily
Enterprise
2,500
requests / second
Custom burst limits
Dedicated infrastructure
โš 

Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. Monitor these proactively to avoid interruptions.

Payments

POST /v2/payments Create a new payment intent โ–พ

Creates a PaymentIntent object representing your intent to collect payment from a customer. After creation, the payment can be confirmed and captured in one step, or authorized first and captured later.

Request Body

ParameterTypeRequiredDescription
amount integer Required Amount in the smallest currency unit (e.g., cents for USD). Must be โ‰ฅ 50.
currency string Required Three-letter ISO 4217 currency code. Supported: usd, eur, gbp, jpy, inr, + 30 more.
payment_method string Required ID of the payment method to charge, e.g. pm_1Nq...
customer string Optional ID of an existing Customer object to associate this payment with.
capture_method string Optional automatic (default) or manual. Manual requires a separate capture call.
description string Optional Arbitrary description for internal tracking. Max 500 characters.
metadata object Optional Up to 20 key-value pairs for storing structured data. Keys max 40 chars, values max 500 chars.
idempotency_key string Optional Unique key to prevent duplicate charges. See Idempotency.

Request Example

cURL Python Node.js 
curl -X POST https://api.vaultpay.com/v2/payments \
  -H "Authorization: Bearer sk_live_YOUR_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: order_8x7zK3mN" \
  -d '{
    "amount": 2500,
    "currency": "usd",
    "payment_method": "pm_1NqG2LC4a7DkEgks89tF6xYb",
    "customer": "cus_Rk4x7LmN2vPq",
    "capture_method": "automatic",
    "description": "Order #1042 โ€” Pro Plan Subscription",
    "metadata": {
      "order_id": "1042",
      "product": "pro_plan"
    }
  }'

Response

200 OK
{
  "id": "pay_3Mq8R7vLkN2xT9",
  "object": "payment",
  "amount": 2500,
  "amount_captured": 2500,
  "amount_refunded": 0,
  "currency": "usd",
  "status": "succeeded",
  "payment_method": "pm_1NqG2LC4a7DkEgks89tF6xYb",
  "customer": "cus_Rk4x7LmN2vPq",
  "description": "Order #1042 โ€” Pro Plan Subscription",
  "metadata": {
    "order_id": "1042",
    "product": "pro_plan"
  },
  "capture_method": "automatic",
  "created_at": "2025-02-26T14:32:07Z",
  "livemode": true
}

Response Codes

201Payment created and processed successfully
400Invalid parameters (amount too low, unsupported currency)
402Card declined or payment method failed
409Idempotency key conflict
GET /v2/payments/{payment_id} Retrieve a payment by ID โ–พ

Retrieves the details of an existing payment. Supply the unique payment ID returned from a previous create or list request.

Path Parameters

ParameterTypeRequiredDescription
payment_id string Required The unique identifier of the payment, e.g. pay_3Mq8R7vLkN2xT9
cURL
curl https://api.vaultpay.com/v2/payments/pay_3Mq8R7vLkN2xT9 \
  -H "Authorization: Bearer sk_live_YOUR_SECRET_KEY"
GET /v2/payments List all payments โ–พ

Returns a paginated list of payments you've previously created. Results are sorted by creation date, with the most recent first.

Query Parameters

ParameterTypeRequiredDescription
limit integer Optional Number of results per page (1โ€“100). Default: 20.
cursor string Optional Pagination cursor from a previous response's next_cursor field.
status string Optional Filter by status: succeeded, pending, failed, canceled.
created[gte] string Optional Return payments created on or after this ISO 8601 timestamp.
created[lte] string Optional Return payments created on or before this ISO 8601 timestamp.
customer string Optional Filter payments by customer ID.

Response

200 OK
{
  "object": "list",
  "data": [
    {
      "id": "pay_3Mq8R7vLkN2xT9",
      "amount": 2500,
      "currency": "usd",
      "status": "succeeded",
      "created_at": "2025-02-26T14:32:07Z"
    },
    // ... more payments
  ],
  "has_more": true,
  "next_cursor": "cur_xK9mRt3vN2qL"
}
POST /v2/payments/{payment_id}/capture Capture an authorized payment โ–พ

Captures a payment that was previously created with capture_method: "manual". You can capture the full amount or a partial amount. Uncaptured payments expire after 7 days.

Request Body

ParameterTypeRequiredDescription
amount integer Optional Amount to capture (must be โ‰ค authorized amount). Defaults to the full authorized amount.
โ„น

Partial captures release the remaining authorized amount back to the customer's card within 5โ€“10 business days, depending on the issuing bank.

POST /v2/payments/{payment_id}/cancel Cancel an uncaptured payment โ–พ

Cancels a payment that has not yet been captured. Once canceled, no further actions can be taken on the payment. For already-captured payments, use the Refunds API instead.

โœ•

This action is irreversible. Canceled payments cannot be re-authorized. You will need to create a new payment intent.

Refunds

POST /v2/refunds Create a refund โ–พ

Creates a refund for a previously captured payment. You can refund the full amount or a partial amount. Multiple partial refunds can be issued until the full captured amount has been returned.

Request Body

ParameterTypeRequiredDescription
payment_id string Required The ID of the payment to refund.
amount integer Optional Amount to refund in smallest currency unit. Defaults to full captured amount.
reason string Optional Reason for refund: requested_by_customer, duplicate, fraudulent
Response
{
  "id": "ref_9xT2kLm4vR7n",
  "object": "refund",
  "amount": 2500,
  "currency": "usd",
  "payment_id": "pay_3Mq8R7vLkN2xT9",
  "status": "succeeded",
  "reason": "requested_by_customer",
  "created_at": "2025-02-26T16:45:22Z"
}
GET /v2/refunds/{refund_id} Retrieve a refund โ–พ

Retrieves the details of an existing refund. Supply the unique refund ID from a previous create or webhook event.

Customers

POST /v2/customers Create a customer โ–พ

Creates a new Customer object. Customers let you store payment methods for recurring charges and track payment history across sessions.

Request Body

ParameterTypeRequiredDescription
email string Required Customer's email address. Must be unique across your account.
name string Optional Customer's full name.
phone string Optional Customer's phone number in E.164 format.
address object Optional Structured address with fields: line1, line2, city, state, postal_code, country.
metadata object Optional Up to 20 key-value pairs of custom data.
201 Created
{
  "id": "cus_Rk4x7LmN2vPq",
  "object": "customer",
  "email": "ada.lovelace@example.com",
  "name": "Ada Lovelace",
  "phone": "+14155550198",
  "created_at": "2025-02-26T09:15:33Z",
  "livemode": true
}
PATCH /v2/customers/{customer_id} Update a customer โ–พ

Updates an existing customer's properties. Only the fields you pass will be updated. Omitted fields are left unchanged.

DELETE /v2/customers/{customer_id} Delete a customer โ–พ

Permanently deletes a customer and detaches all associated payment methods. Active subscriptions must be canceled first. This operation is irreversible.

โœ•

Deleting a customer removes all stored payment methods and cannot be undone. Historical payment records are preserved for compliance purposes.

Payouts BETA

POST /v2/payouts Create a payout โ–พ

Initiates a payout to a connected bank account. Payouts are processed in batches daily at 00:00 UTC. Standard payouts arrive in 2โ€“3 business days; instant payouts (where available) arrive within 30 minutes.

โš 

The Payouts API is currently in beta. Endpoints and request formats may change. Enable beta access in your Dashboard โ†’ Developer โ†’ Beta Features.

Request Body

ParameterTypeRequiredDescription
amount integer Required Amount to pay out in smallest currency unit.
currency string Required Three-letter ISO 4217 currency code. Must match the connected bank account currency.
destination string Required ID of a verified bank account, e.g. ba_4xLm9kRt2vNq
method string Optional standard (default) or instant. Instant payouts incur an additional 1.5% fee.

Webhooks

Webhooks push real-time event notifications to your server via HTTP POST. Configure endpoints in your Dashboard or via the API. All webhook payloads include a VP-Signature header for verification.

Signature Verification

Node.js
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const [timestamp, hash] = signature.split(',');
  const expected = crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}.${payload}`)
    .digest('hex');

  if (!crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(expected))) {
    throw new Error('Invalid webhook signature');
  }

  // Reject timestamps older than 5 minutes to prevent replay attacks
  const age = Date.now() / 1000 - parseInt(timestamp);
  if (age > 300) throw new Error('Webhook too old');

  return JSON.parse(payload);
}
โœ“

Always verify webhook signatures before processing events. Respond with 200 OK within 15 seconds or we'll retry with exponential backoff (up to 8 attempts over 48 hours).

Event Types

Subscribe to the events you need. Each event includes the full resource object in its data field.

payment.created A new payment has been initiated
payment.succeeded Payment was successfully captured
payment.failed Payment attempt was declined or errored
payment.canceled An uncaptured payment was canceled
refund.created A refund has been initiated
refund.succeeded Refund was processed successfully
refund.failed Refund could not be processed
customer.created A new customer record was created
customer.updated Customer details were modified
customer.deleted A customer was permanently removed
payout.created A payout was initiated (beta)
payout.completed Payout funds were deposited (beta)
dispute.created A dispute (chargeback) was opened on a payment
dispute.updated Dispute status changed (e.g. evidence submitted, under review)
dispute.closed Dispute resolved: status is now won, lost, or charge_refunded
risk.flagged Payment risk score exceeded threshold; manual review recommended
risk.cleared Previously flagged payment reviewed and cleared
customer.kyc_verified KYC identity verification completed successfully
customer.kyc_failed KYC verification failed or referred to manual compliance review
aml.alert_created NICE Actimize SAM generated a new AML alert for suspicious activity

Idempotency

Idempotency prevents duplicate operations when requests are retried. Include an Idempotency-Key header with a unique value (UUIDs work well) on any POST request. If VaultPay receives a request with an already-used key, it returns the original response without re-processing.

Example
curl -X POST https://api.vaultpay.com/v2/payments \
  -H "Authorization: Bearer sk_live_..." \
  -H "Idempotency-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
  -d '{"amount": 5000, "currency": "usd", ...}'
โ„น

Keys expire after 24 hours. Using the same key with different request parameters returns a 409 Conflict error. GET and DELETE requests are inherently idempotent and don't require keys.

Pagination

All list endpoints use cursor-based pagination for consistent results, even when new records are added between requests. The response includes a has_more boolean and a next_cursor string to pass as the cursor query parameter on the next request.

Pattern
// First page
GET /v2/payments?limit=20

// Next page (use next_cursor from previous response)
GET /v2/payments?limit=20&cursor=cur_xK9mRt3vN2qL

// Continue until has_more is false

Changelog

2025-02-27
Added
AML and Compliance: NICE Actimize Integration
New AML transaction monitoring overview, KYC verification (POST /v2/customers/{id}/kyc), sanctions screening (POST /v2/compliance/sanctions), and AML alerts (GET /v2/aml/alerts) powered by NICE Actimize SAM and CDD. Added aml.alert_created, customer.kyc_verified, and customer.kyc_failed webhook events.
2025-02-27
Added
Risk Scoring & 3D Secure / SCA
Payment responses now include a risk object (score, level, signals, outcome) powered by NICE Actimize IFM-AI. Added GET /v2/risk/assess/{payment_id} endpoint, 3DS2/SCA flow documentation with exemption table, and risk.flagged / risk.cleared webhook events.
2025-02-27
Added
Disputes API
New endpoints for listing disputes, retrieving dispute details, and submitting chargeback evidence. Added dispute lifecycle documentation and dispute.created, dispute.updated, dispute.closed webhook events.
2025-02-27
Added
Compliance & Security + Test Data sections
Documented PCI DSS Level 1, SOC 2 Type II, ISO 27001, GDPR, CCPA, BSA/AML, and PSD2 compliance status with data residency options. Added comprehensive sandbox test cards (success, decline, 3DS) and test ACH bank accounts.
2025-02-20
Added
Payouts API (Beta)
New endpoints for initiating payouts to connected bank accounts. Supports standard and instant payout methods.
2025-02-14
Added
Customer API: Create, Update, Delete
Full CRUD operations for managing customer records. Store payment methods and track cross-session history.
2025-01-28
Changed
Cursor-based pagination for all list endpoints
Replaced offset-based pagination with cursor-based for better performance and consistency. The page parameter is now deprecated.
2025-01-15
Fixed
Webhook retry timing improvements
Adjusted exponential backoff intervals to reduce unnecessary retries. Max retry window extended from 24 to 48 hours.
2025-01-02
Deprecated
Legacy /v1 endpoints
All /v1 endpoints are officially deprecated. They will continue to function until June 30, 2025. Please migrate to /v2.

Compliance & Security

VaultPay is built on a security-first foundation. Our infrastructure, processes, and APIs comply with the most stringent global standards for financial data protection, payment security, and regulatory compliance.

Certifications & Standards

StandardScopeStatus
PCI DSS Level 1 All card data transmission, storage, and processing Certified
SOC 2 Type II Security, availability, and confidentiality controls; audited annually Audited
ISO 27001 Information security management system Certified
GDPR Personal data processing for EU/EEA residents Compliant
CCPA Personal data of California residents Compliant
BSA / AML Bank Secrecy Act and Anti-Money Laundering obligations (FinCEN) Compliant
PSD2 / SCA EU Strong Customer Authentication for online card payments Compliant

Data Residency

VaultPay processes and stores data in the following regions. Specify your preferred region using the VP-Data-Region request header.

RegionCodeData Center
United States us-east-1 AWS US East (N. Virginia), default
European Union eu-west-1 AWS EU (Ireland); required for EU data residency compliance
Asia Pacific ap-southeast-1 AWS AP (Singapore)

Encryption

All data in transit is encrypted using TLS 1.2 or higher. Cardholder data at rest is encrypted with AES-256. VaultPay never stores raw card numbers. All payment methods are tokenized on receipt using HSM-backed key management, reducing your PCI DSS scope to the minimum.

โ„น

VaultPay is a PCI DSS Level 1 Service Provider. By routing card data through VaultPay, sensitive cardholder data never touches your servers, significantly reducing your compliance scope and audit burden.

Responsible Disclosure

To report security vulnerabilities, contact security@vaultpay.com. VaultPay operates a coordinated disclosure programme and commits to acknowledging reports within 24 hours.

Test Data

Use the following test cards and bank accounts in sandbox mode (sk_test_... keys). Test transactions are never processed on real networks and incur no charges.

Test Cards: Successful

Card NumberBrandScenario
4242 4242 4242 4242 Visa Always succeeds
5555 5555 5555 4444 Mastercard Always succeeds
3782 822463 10005 Amex Always succeeds
6011 1111 1111 1117 Discover Always succeeds

Test Cards: Declines and Errors

Card NumberError CodeScenario
4000 0000 0000 0002 card_declined Generic decline
4000 0000 0000 9995 insufficient_funds Insufficient funds
4000 0000 0000 0069 expired_card Card expired
4000 0000 0000 0127 incorrect_cvc CVC check fails
4100 0000 0000 0019 fraudulent Flagged as fraudulent; triggers risk.flagged webhook

Test Cards: 3D Secure

Card Number3DS OutcomeScenario
4000 0027 6000 3184 3DS Required Requires authentication; use to test the full SCA redirect flow
4000 0025 0000 3155 3DS Optional Supports but does not require authentication
4000 0000 0000 3220 3DS Failed Authentication fails; payment is declined
โ„น

Use any future expiry date, any 3-digit CVC, and any billing postal code with test cards. Test mode keys (sk_test_...) are required. Sandbox requests are rejected when using live keys.

Test Bank Accounts (ACH)

Account NumberRouting NumberScenario
000123456789 110000000 Always succeeds
000111111116 110000000 Account closed: returns account_closed
000222222227 110000000 Insufficient funds: returns insufficient_funds

Disputes

A dispute (chargeback) occurs when a cardholder questions a charge with their card issuer. VaultPay notifies you immediately via the dispute.created webhook and provides an API to retrieve disputes and submit evidence. Winning a dispute requires submitting compelling evidence before the respond_by deadline.

Dispute Lifecycle

warning_needs_responsePre-dispute inquiry: respond before it escalates to a formal chargeback
needs_responseEvidence submission window open. You must respond before respond_by.
under_reviewCard issuer is reviewing submitted evidence
charge_refundedDispute withdrawn by cardholder. No further action needed.
wonDispute resolved in your favor. Funds returned to your account.
lostDispute resolved in the cardholder's favor. Funds permanently debited.
GET /v2/disputes List all disputes โ–พ

Returns a paginated list of disputes on your account, sorted by creation date (newest first).

Query Parameters

ParameterTypeRequiredDescription
status string Optional Filter by status: needs_response, under_review, won, lost
payment_id string Optional Filter disputes linked to a specific payment ID.
limit integer Optional Results per page. 1โ€“100, default 20.
cursor string Optional Pagination cursor from a previous response's next_cursor.
cURL
curl https://api.vaultpay.com/v2/disputes?status=needs_response \
  -H "Authorization: Bearer sk_live_YOUR_SECRET_KEY"
GET /v2/disputes/{dispute_id} Retrieve a dispute โ–พ

Retrieves the full details of a dispute, including the respond_by deadline, dispute reason, and associated payment.

Path Parameters

ParameterTypeRequiredDescription
dispute_id string Required Unique identifier of the dispute, e.g. dsp_4Nq7RkLmX2vT
200 OK
{
  "id": "dsp_4Nq7RkLmX2vT",
  "object": "dispute",
  "payment_id": "pay_3Mq8R7vLkN2xT9",
  "amount": 2500,
  "currency": "usd",
  "reason": "fraudulent",
  "status": "needs_response",
  "respond_by": "2025-03-15T23:59:59Z",
  "created_at": "2025-03-01T10:22:45Z"
}
POST /v2/disputes/{dispute_id}/evidence Submit dispute evidence โ–พ

Submit evidence to contest a dispute before the respond_by deadline. Set "submit": true to send evidence to the card issuer immediately, or omit to save as a draft first.

Request Body

ParameterTypeRequiredDescription
customer_communication string Optional Email, chat, or other communication confirming the customer agreed to the charge.
receipt string Optional Transaction receipt or order confirmation.
shipping_documentation string Optional Proof of delivery, tracking number, or carrier confirmation.
service_documentation string Optional Evidence the service was rendered (screenshots, access logs, usage records).
refund_policy string Optional Your published refund or cancellation policy presented to the customer at checkout.
submit boolean Optional Set true to immediately submit to the card issuer. Default false saves as draft.
โš 

Evidence can only be submitted once per dispute. Use "submit": false to save a draft and review before final submission.

Risk Scoring

Every payment processed through VaultPay is automatically evaluated by our real-time fraud engine, powered by machine learning and integrated with NICE Actimize IFM-AI (Intelligent Fraud Management). A risk object is included in all payment responses.

Risk Object Fields

FieldTypeDescription
risk.score integer Score from 0 (lowest risk) to 100 (highest risk). Scores above 75 automatically trigger a risk.flagged webhook event.
risk.level string low (0โ€“30) ยท medium (31โ€“60) ยท high (61โ€“85) ยท critical (86โ€“100)
risk.signals array List of risk indicator codes detected during evaluation. See table below.
risk.outcome string approved, review, or blocked: determined by your configured risk rules.

Risk Signal Codes

SignalDescription
velocity_checkMultiple transactions in a short window from the same card or customer
ip_mismatchIP geolocation country does not match the card-issuing country
device_anomalyUnrecognized device fingerprint for this customer's established profile
card_testingPattern consistent with automated card testing (repeated small-value charges)
high_risk_countryTransaction originates from a FATF grey-listed or black-listed jurisdiction
bin_mismatchCard BIN country differs from the provided billing address country
unusual_amountTransaction amount is a statistical outlier relative to this customer's payment history
Payment Response with Risk Object
{
  "id": "pay_3Mq8R7vLkN2xT9",
  "object": "payment",
  "amount": 2500,
  "status": "succeeded",
  "risk": {
    "score": 22,
    "level": "low",
    "signals": [],
    "outcome": "approved"
  }
}

3D Secure / SCA

Strong Customer Authentication (SCA) is mandated by the EU's Payment Services Directive 2 (PSD2) for online card payments. VaultPay supports 3D Secure 2 (3DS2) natively. When a card issuer requires authentication, VaultPay returns a requires_action status with a redirect URL the customer must complete.

SCA Authentication Flow

Flow
// Step 1: Create payment โ€” receives requires_action if SCA needed
POST /v2/payments โ†’ status: "requires_action"
                   next_action.type: "redirect_to_url"
                   next_action.redirect_url: "https://hooks.vaultpay.com/3ds/..."

// Step 2: Redirect the customer to the 3DS URL to authenticate with their bank

// Step 3: Customer completes authentication โ€” VaultPay confirms and captures
POST /v2/payments/{id}/confirm โ†’ status: "succeeded"

SCA Exemptions

VaultPay automatically applies PSD2 exemptions where eligible to reduce customer friction:

ExemptionCondition
Low Value Transactions under โ‚ฌ30. Revoked after 5 consecutive exempted transactions or โ‚ฌ100 cumulative spend.
Transaction Risk Analysis (TRA) NICE Actimize IFM-AI risk score below threshold; acquirer and issuer fraud rates must qualify under RTS Article 18.
Trusted Beneficiary Customer has explicitly whitelisted this merchant with their bank.
MIT (Merchant-Initiated) Recurring or subscription charges following an initial authenticated customer-initiated transaction.
โ„น

SCA applies to payments initiated by customers in the EEA. Merchant-initiated transactions, one-leg-out transactions (non-EEA card or acquirer), and corporate card payments are exempt.

GET /v2/risk/assess/{payment_id} Assess payment risk โ–พ

Retrieves the full risk assessment for a payment, including NICE Actimize IFM-AI scoring details, individual rule evaluations, and recommended action. Use this endpoint to build manual review workflows for high-risk transactions.

Path Parameters

ParameterTypeRequiredDescription
payment_id string Required Payment identifier, e.g. pay_3Mq8R7vLkN2xT9
200 OK
{
  "payment_id": "pay_3Mq8R7vLkN2xT9",
  "score": 72,
  "level": "high",
  "outcome": "review",
  "signals": ["velocity_check", "ip_mismatch"],
  "rules_triggered": [
    { "rule_id": "r_vel_001", "name": "High velocity โ€” same card 5 txns/hr", "score_contribution": 40 },
    { "rule_id": "r_geo_003", "name": "IP country โ‰  card country", "score_contribution": 32 }
  ],
  "recommended_action": "review",
  "model": "nice-actimize-ifm-v3",
  "evaluated_at": "2025-02-27T14:32:11Z"
}

AML & Transaction Monitoring

VaultPay's AML framework is built on NICE Actimize SAM (Suspicious Activity Monitoring), providing real-time and batch transaction surveillance to detect money laundering, structuring, layering, and other financial crimes. All transactions are automatically screened against configurable rule sets aligned with FATF recommendations, FinCEN requirements, and EU AMLD6.

Monitoring Coverage

ScenarioDetection MethodRegulation
Structuring / Smurfing Multiple transactions just below reporting thresholds (e.g., sub-$10,000 USD) BSA / FinCEN
Layering Rapid fund movement across multiple accounts to obscure origin FATF Rec. 10
Unusual Transaction Patterns Deviation from established customer behavior baseline (NICE Actimize CDD) EU AMLD6
High-Risk Jurisdictions Transactions involving FATF grey-listed or black-listed countries FATF / OFAC
PEP Transactions Payments linked to Politically Exposed Persons requiring enhanced due diligence FATF Rec. 12
CTR Threshold Monitoring Automatic Currency Transaction Report flagging for transactions โ‰ฅ $10,000 USD BSA 31 CFR 1010
โ„น

AML alerts generated by NICE Actimize SAM are available via the /v2/aml/alerts endpoint and the aml.alert_created webhook. Alerts requiring a Suspicious Activity Report (SAR) are surfaced with sar_required: true.

POST /v2/customers/{customer_id}/kyc Submit KYC verification โ–พ

Initiates a Know Your Customer (KYC) identity verification using NICE Actimize CDD (Customer Due Diligence). KYC is required before enabling payouts and for customers flagged as PEP or high-risk. Verification typically completes within 60 seconds; a customer.kyc_verified or customer.kyc_failed webhook is dispatched on completion.

Request Body

ParameterTypeRequiredDescription
document_type string Required passport, national_id, drivers_license, or residence_permit
document_front string Required Base64-encoded image of the document front (JPEG or PNG, max 5 MB).
document_back string Optional Base64-encoded image of document back. Required for national_id and drivers_license.
selfie string Optional Base64-encoded selfie image for biometric liveness check. Strongly recommended.
date_of_birth string Optional Date of birth (YYYY-MM-DD) for cross-validation against the document.
200 OK
{
  "customer_id": "cus_Rk4x7LmN2vPq",
  "kyc_status": "pending",
  "verification_id": "kyc_9xT2mRkL4vNq",
  "created_at": "2025-02-27T15:00:00Z"
}

KYC Status Values

pendingVerification submitted and in progress
verifiedIdentity confirmed: payouts and high-value transactions unlocked
failedVerification failed: document unclear, liveness check failed, or identity mismatch
requires_reviewReferred to manual compliance review via NICE Actimize Case Management
POST /v2/compliance/sanctions Screen against sanctions lists โ–พ

Screens an individual or entity against global sanctions, watchlists, and PEP databases via NICE Actimize Sanctions. Customer creation and payout requests are automatically screened. This endpoint is available for on-demand manual screening workflows.

Screened Lists

ListAuthorityUpdate Frequency
OFAC SDNU.S. Treasury: Specially Designated Nationals and Blocked PersonsReal-time
UN ConsolidatedUnited Nations Security Council consolidated sanctionsDaily
EU AMLD6European Union consolidated sanctions and asset-freeze listDaily
HM TreasuryUK Office of Financial Sanctions Implementation (OFSI)Daily
PEP DatabaseGlobal Politically Exposed Persons, 1.4M+ entriesWeekly
Adverse MediaNegative news screening across 80,000+ global sourcesReal-time

Request Body

ParameterTypeRequiredDescription
name string Required Full name of the individual or entity to screen.
date_of_birth string Optional Date of birth (YYYY-MM-DD) to reduce false positives on common names.
country string Optional ISO 3166-1 alpha-2 country code of nationality or country of incorporation.
entity_type string Optional individual (default) or business
200 OK: Clear
{
  "screening_id": "scr_7kNq3RxT2mLv",
  "name": "Jane Smith",
  "result": "clear",
  "matches": [],
  "lists_screened": ["ofac_sdn", "un_consolidated", "eu_amld6", "pep"],
  "screened_at": "2025-02-27T15:10:00Z"
}
โ›”

A "result": "match" response indicates the subject appears on one or more sanctions or watchlists. Do not process payments or payouts for matched subjects and contact compliance@vaultpay.com immediately.

GET /v2/aml/alerts List AML alerts โ–พ

Returns AML alerts generated by NICE Actimize SAM for transactions on your account. Alerts are raised when transaction patterns match configured monitoring rules. Each alert includes a sar_required flag indicating whether a Suspicious Activity Report must be filed with FinCEN (US) or the relevant Financial Intelligence Unit.

Query Parameters

ParameterTypeRequiredDescription
status string Optional Filter by: open, under_review, closed, or sar_filed
sar_required boolean Optional Set true to return only alerts requiring SAR filing.
customer_id string Optional Filter alerts for a specific customer.
limit integer Optional Results per page. 1โ€“100, default 20.
200 OK
{
  "object": "list",
  "data": [
    {
      "id": "aml_2xK9RtLm4vNq",
      "object": "aml_alert",
      "customer_id": "cus_Rk4x7LmN2vPq",
      "alert_type": "structuring",
      "status": "open",
      "sar_required": true,
      "transactions": ["pay_aB1c2D3e4F", "pay_gH5i6J7k8L"],
      "rule_id": "sam_struct_001",
      "rule_name": "Multiple sub-threshold transactions within 24h",
      "created_at": "2025-02-27T08:45:00Z"
    }
  ],
  "has_more": false
}