API Reference
REST API v1 — authenticate with Bearer secret key.
Authentication
Authorization: Bearer elyto_sk_live_...
Endpoints
POST
/api/v1/projectsCreate a project (requires secret key)
POST
/api/v1/ordersCreate order and get checkout URL
GET
/api/v1/orders/:orderIdGet order status
POST
/api/v1/orders/:orderId/verifySubmit UTR for verification
GET
/api/v1/transactionsList parsed transactions
GET
/api/v1/analyticsGet analytics summary
Webhook events
order.createdorder.utr_submittedorder.verifiedorder.failed
Webhook verification examples
Node.js / Express
const crypto = require("crypto");
app.post("/webhooks/elyto", express.raw({ type: "application/json" }), (req, res) => {
const payload = req.body.toString();
const ts = req.headers["elyto-timestamp"];
const sig = req.headers["elyto-signature"];
const expected = "v1=" + crypto.createHmac("sha256", SECRET).update(ts + "." + payload).digest("hex");
if (sig !== expected) return res.status(401).end();
res.json({ received: true });
});Python (Flask)
import hmac, hashlib
@app.route("/webhooks/elyto", methods=["POST"])
def elyto_webhook():
payload = request.get_data(as_text=True)
ts = request.headers.get("Elyto-Timestamp")
sig = request.headers.get("Elyto-Signature")
expected = "v1=" + hmac.new(SECRET.encode(), f"{ts}.{payload}".encode(), hashlib.sha256).hexdigest()
if sig != expected: return ("", 401)
return {"received": True}PHP
$payload = file_get_contents("php://input");
$ts = $_SERVER["HTTP_ELYTO_TIMESTAMP"];
$sig = $_SERVER["HTTP_ELYTO_SIGNATURE"];
$expected = "v1=" . hash_hmac("sha256", "$ts.$payload", $secret);
if (!hash_equals($expected, $sig)) { http_response_code(401); exit; }
echo json_encode(["received" => true]);