API Reference

REST API v1 — authenticate with Bearer secret key.

Authentication

Authorization: Bearer elyto_sk_live_...

Endpoints

POST/api/v1/projects

Create a project (requires secret key)

POST/api/v1/orders

Create order and get checkout URL

GET/api/v1/orders/:orderId

Get order status

POST/api/v1/orders/:orderId/verify

Submit UTR for verification

GET/api/v1/transactions

List parsed transactions

GET/api/v1/analytics

Get analytics summary

Webhook events

order.createdorder.utr_submittedorder.verifiedorder.failed

Webhook verification examples

Node.js / Express

const crypto = require("crypto");
app.post("/webhooks/elyto", express.raw({ type: "application/json" }), (req, res) => {
  const payload = req.body.toString();
  const ts = req.headers["elyto-timestamp"];
  const sig = req.headers["elyto-signature"];
  const expected = "v1=" + crypto.createHmac("sha256", SECRET).update(ts + "." + payload).digest("hex");
  if (sig !== expected) return res.status(401).end();
  res.json({ received: true });
});

Python (Flask)

import hmac, hashlib
@app.route("/webhooks/elyto", methods=["POST"])
def elyto_webhook():
    payload = request.get_data(as_text=True)
    ts = request.headers.get("Elyto-Timestamp")
    sig = request.headers.get("Elyto-Signature")
    expected = "v1=" + hmac.new(SECRET.encode(), f"{ts}.{payload}".encode(), hashlib.sha256).hexdigest()
    if sig != expected: return ("", 401)
    return {"received": True}

PHP

$payload = file_get_contents("php://input");
$ts = $_SERVER["HTTP_ELYTO_TIMESTAMP"];
$sig = $_SERVER["HTTP_ELYTO_SIGNATURE"];
$expected = "v1=" . hash_hmac("sha256", "$ts.$payload", $secret);
if (!hash_equals($expected, $sig)) { http_response_code(401); exit; }
echo json_encode(["received" => true]);