# BankiPay API — Code Snippets

Base URL: `https://bankipay.io/api/v1`
Authentication: send your API key as a Bearer token in the `Authorization` header.

## cURL

### Create a quote
```bash
curl -X POST https://bankipay.io/api/v1/quotes \
  -H "Authorization: Bearer bankipay_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{"from_currency":"EUR","to_currency":"NGN","amount":1000}'
```

### Create a supplier payment
```bash
curl -X POST https://bankipay.io/api/v1/payments \
  -H "Authorization: Bearer bankipay_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{"from_currency":"EUR","to_currency":"NGN","amount":1000,"beneficiary_name":"Supplier Ltd","beneficiary_country":"Nigeria","purpose":"Invoice 2026-001"}'
```

### Retrieve a payment
```bash
curl https://bankipay.io/api/v1/payments/pay_test_xxx \
  -H "Authorization: Bearer bankipay_test_xxx"
```

### Wallet balance
```bash
curl https://bankipay.io/api/v1/balance \
  -H "Authorization: Bearer bankipay_test_xxx"
```

### Transactions
```bash
curl "https://bankipay.io/api/v1/transactions?per_page=20" \
  -H "Authorization: Bearer bankipay_test_xxx"
```

## PHP (Guzzle)

```php
<?php
use GuzzleHttp\Client;

$client = new Client([
    'base_uri' => 'https://bankipay.io/api/v1/',
    'headers'  => [
        'Authorization' => 'Bearer bankipay_test_xxx',
        'Content-Type'  => 'application/json',
    ],
]);

$response = $client->post('payments', [
    'json' => [
        'from_currency'    => 'EUR',
        'to_currency'      => 'NGN',
        'amount'           => 1000,
        'beneficiary_name' => 'Supplier Ltd',
        'purpose'          => 'Invoice 2026-001',
    ],
]);
$payment = json_decode($response->getBody(), true);
echo $payment['data']['id'];
```

## Python (requests)

```python
import requests

BASE = "https://bankipay.io/api/v1"
HEADERS = {
    "Authorization": "Bearer bankipay_test_xxx",
    "Content-Type": "application/json",
}

r = requests.post(f"{BASE}/payments", json={
    "from_currency": "EUR",
    "to_currency": "NGN",
    "amount": 1000,
    "beneficiary_name": "Supplier Ltd",
    "purpose": "Invoice 2026-001",
}, headers=HEADERS)
print(r.json()["data"]["id"])
```

## Verifying webhook signatures

Each webhook body is signed with HMAC-SHA256 using your webhook signing secret.
The signature is in the `X-BankiPay-Signature` header.

### PHP
```php
<?php
$payload   = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_BANKIPAY_SIGNATURE'] ?? '';
$expected  = hash_hmac('sha256', $payload, 'whsec_your_secret');

if (hash_equals($expected, $signature)) {
    http_response_code(200);
} else {
    http_response_code(401);
}
```

### Python (Flask)
```python
import hmac, hashlib
from flask import request, abort

SECRET = "whsec_your_secret"
payload = request.get_data()
signature = request.headers.get("X-BankiPay-Signature", "")
expected = hmac.new(SECRET.encode(), payload, hashlib.sha256).hexdigest()
if not hmac.compare_digest(expected, signature):
    abort(401)
```

### Node.js (Express)
```javascript
const crypto = require("crypto");
const SECRET = "whsec_your_secret";

const expected = crypto.createHmac("sha256", SECRET).update(req.body).digest("hex");
const signature = req.header("X-BankiPay-Signature") || "";
if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature))) {
  return res.sendStatus(401);
}
```