API Basics
Overview
API Basics
Authorization
All endpoints must include an Authorization header. We use the standard HTTP Authorization header to pass authentication information.
These can be found under on the Settings page. Choose the Developer tab from the menu panel and take note of the API Key and API Secret provided.
Recipients instantly receive their check via email and can choose to either deposit the check online or print for in person or mobile deposit. You can find more details about the deposit options here.
Go to the Send a Check page on Checkbook.io
API Keys by Environments
The API keys are different in each environment.You need to use your Sandbox keys in the Sandbox environment and your Production keys in the Production environment. Click on the GO TO SANDBOX button to switch to the Sandbox environment and get the API keys.
Environments
Demo
This environment lets you get started with our API before even creating an account. Head to our Demo Environment. Go to settings and grab the API Key/Secret to try a cURL post or use the following.
curl --request GET \
--url 'https://demo.checkbook.io/v3/check' \
--header "Accept: application/json" \
--header 'Authorization: d6aa2703655f4ba2af2a56202961ca86:dXbCgzYBMibj8ZwuQMd2NXr6rtvjZ8
Demo Keys
Use the following Authorization value for the "Header Auth" in the interactive docs to test the requests:
d6aa2703655f4ba2af2a56202961ca86:dXbCgzYBMibj8ZwuQMd2NXr6rtvjZ8You can also click on this link to refresh the API reference and have the Demo Keys pre-populated.
Sandbox
https://api.sandbox.checkbook.io/v3/This environment lets you get started with developing your application without having to send out any real checks or do direct deposits. To begin, login here, go to settings, and in the developer tab, switch to the sandbox environment. Now go to settings and grab the key/secret required to make calls to this environment. The URL and authorization header will be different than the demo cURL POST seen previously.
curl --request GET \
--url 'https://api.sandbox.checkbook.io/v3/check' \
--header "Accept: application/json" \
--header 'Authorization: YOUR_SANDBOX_API_KEY:YOUR_SANDBOX_SECRET_KEY
Production
https://api.checkbook.io/v3/Once you're ready to take your application live, simply remove sandbox from the request url and change your authorization keys found here.
curl --request GET \
--url 'https://api.checkbook.io/v3/check' \
--header "Accept: application/json" \
--header 'Authorization: YOUR_API_KEY:YOUR_SECRET_KEY
Error Codes
| Code | Message | Details |
|---|---|---|
400 | Bad Request | Your request is invalid |
401 | Unauthorized | Your API key is wrong |
403 | Forbidden | You do not have permission to access the requested endpoint |
404 | Not Found | The specified endpoint could not be found |
405 | Method Not Allowed | You tried to access an endpoint with an invalid method |
429 | Too Many Requests | You’re sending too many requests! Slow down! |
500 | Internal Server Error | We had a problem with our server. Try again later. |
503 | Service Unavailable | We’re temporarily offline for maintenance. Please try again later. |
Idempotent Requests
When sending data across the Internet, there are many times when the unexpected happen. For example, a check could get created in our system, but due to a network issue the API response never gets back to the originator.
Our API supports idempotency so you can safely retry your requests without having to worry about a duplicate operation. User, bank account, check and invoice creation all support the Idempotency-Key header as part of the POST request.
This should be a unique key (it can be a counter, timestamp, UUID, etc) no longer than 255 characters that will not be re-used with that particular POST endpoint. If you make the same request with the same idempotent key, no new resource will be created on our end, but you will receive the same response as the first time. However, if you re-use an idempotent key with different parameters, the idempotent key will be ignored.
For example, if you create a new user with the email address [email protected], you will receive a response containing the keys for the new user. If this request has a header of Idempotency-Key: 1 and you repeat the same request (creating a user with email address [email protected]), you will receive the same API keys as in the initial request.
However, if you create a new user, [email protected], with a header of Idempotency-Key: 1 , a new user with a new set of API keys is created, even though the idempotent key was reused.
Another important detail is that the idempotent key only lasts for 3 minutes. So if you repeat the same request and reuse the idempotent key after more than 3 minutes, then the request will be considered as a new one and the idempotent key will be ignored.
Webhooks
Status Update Notification
If you would like to receive notifications when the status of a check has been updated, you can specify a webhooks url in your developer settings. When the status of a check is updated, you will receive a POST request to the specified url containing the id of the check that has been updated and its new status.
All of the webhooks notifications are signed with your unique webhooks key (from your developer settings) allowing you to verify that the request was sent from Checkbook.io and was not tampered with.
{
'status': <check status>,
'id': <check id>,
'type': "CHECK" | "INVOICE"
}
Webhooks key by environment
The webhooks key is different in each environment. You need to use your Sandbox key in the Sandbox environment and your Production key in the Production environment.
Signature
Each webhooks POST request comes with an additional Signature field, which can be found in the HTTP headers. The signature will look something like:
Signature: nonce=1243549809,signature=4ee9758fc0bceb3ca1a2fe397fbd125364cfffdb04296fa118dab9778a4b3ce3
In order to verify the signature, you will concatenate the request body (the string value of the JSON payload) with the nonce value (i.e. 1243549809 in the above example). You will then compute a HMAC with the SHA256 hash function, where your webhooks key is the signing key, and the request body + nonce string is your message. The output of this HMAC should match the value of the signature field.
Example
For example, the signature in the example above (i.e. 4ee9758fc0bceb3ca1a2fe397 fbd125364cfffdb04296fa118dab9778a4b3ce3 ) is computed from the following values:
body: '{"status": "PAID", "id": "ed0af5fb335c47dd8eb53199ba50f5c4", "type": "CHECK"}'
nonce: 1243549809
webhooks key: '335b5728e25b47e88995fce207bff380'
Virtual Card Notification
We offer you the possibilty to allow / deny specific transactions for a virtual card in real time. You need to set a webhook for "Virtual Cards URL" in the Developer Settings, which will allow you to receive a callback when a new transaction is initiated on a virtual card. See Authorize Virtual Card Transactions for more info. The webhook you defined will receive a POST call from our servers with a payload containing the following values:
{
"amount": "the transaction amount",
"user_id": "id of the user associated with the virtual card",
"account_id": "virtual card id",
"recipient": "merchant description"
}
If the status code of the webhook response is 2XX, then it is considered that you approved the transaction. If not, the transaction is denied. For example, if your server responds with a 200 status code to the webhook request, then it means the transaction was approved. If on the other hand it responds with a 400 status code, then the transaction was denied.
IP White List
Your application must be able to reach Checkbook's domain names for it to function properly and depending on how your integration operates, you may need to whitelist them. To help your integration operate securely, it must also verify that it’s communicating with our servers through one of our IP addresses listed below.
Production (api.checkbook.io)
99.83.192.53
75.2.12.84
Sandbox (api.sandbox.checkbook.io)
76.223.87.18
13.248.217.122
If your integration also receives webhooks from Checkbook, you should ensure these events originate from one of our IP addresses (the same for Production and Sandbox).
Webhooks IP addresses
52.10.180.255
54.70.79.20
Payment Statuses
Status Update Notification
If you would like to receive notifications when the status of a check has been updated, you can specify a webhooks url in your developer settings. When the status of a check is updated, you will receive a POST request to the specified url containing the id of the check that has been updated and its new status.
Digital Payment Statuses
Direct Deposit ACH/EFT
Use Case 1 - Elected Direct Deposit ACH/EFT
ACH Direct Deposit option was selected by recipient.
| UNPAID | IN PROCESS | PAID |
|---|---|---|
| Check email was sent but no action has been taken by the recipient | Recipient elected to have funds deposited and entered their bank account information | Final status. The payment has been successfully sent to the recipient's bank account |
Use Case 2 - Direct Deposit ACH/EFT
Recipient bank information was included at the time of payment creation.
| IN PROCESS | PAID |
|---|---|
| All necessary information has been included at the time of payment creation. Payment is pending deposit | Final status. The payment has been successfully sent to the recipient's bank account |
Failed Status
Failed ACH payments will result in a notification to both the sender and recipient. In most cases ACH returns are caused by misentering or entering the wrong account information. Recipients will be able to submit a new credit destination. Once submitted the payment will reset to
IN PROCESS and attempt to credit again.
Void Process
Direct Deposit ACH payments can only be voided while IN PROCESS before settlement is run at 2pm and 5pm PST daily. For manual exceptions Checkbook can void payments.
Instant Pay (OCT)
Use Case 1 - Elected Instant Pay
Instant Pay option was selected by recipient.
| UNPAID | IN PROCESS* | PAID |
|---|---|---|
| Check email was sent but no action has been taken by the recipient | Recipient elected to have funds deposited instantly and entered their debit card information | Final status. The payment has been successfully sent to the recipient's debit account |
Use Case 2 - Direct Deposit Instant Pay
Recipient bank information was included at the time of payment creation.
| IN PROCESS* | PAID |
|---|---|
| All necessary information has been included at the time of payment creation. Payment is pending deposit | Final status. The payment has been successfully sent to the recipient's debit account |
*Instant payments are sent instantly and therefore may only be IN PROCESS for a few seconds
Failed Status
Failed Instant Payments will result in a notification to both the sender and recipient. In most cases OCT returns are caused by misentering or entering the wrong card information. Recipients will be able to submit a new credit destination. Once submitted the payment will reset to IN PROCESS and attempt to credit again.
Void Process
Due to the nature of Instant Payments, they can not be voided unless the status is UNPAID. For manual exceptions Checkbook can void Instant Payments.
Expired Status
The status of EXPIRED is an end state, expired payments can not be acted upon and must be re-issued.
Physical Payment Statuses
Mailed Checks
Use Case 1 - Elected Mail
Mailed check option was selected by recipient
| UNPAID | IN PROCESS | MAILED |
|---|---|---|
| Check email was sent but no action has been taken by the recipient | Mailed check option was selected by the recipient. The check has been added to the print queue and will be printed in the next batch to be mailed* | Final status. The check has been successfully printed and mailed |
Use Case 2 - Direct Mail
Check was entered as a mailed check i.e. physical address was supplied at the time of check creation as opposed to an email address.
| IN PROCESS | MAILED |
|---|---|
| Mailed check option was selected by the recipient. The check will now be printed in the next batch to be mailed* | Final status. The check has been successfully printed and mailed |
*Checks are printed in a window from 12-2pm PST and mailed same day via USPS First Class Mail
Void Process
Mailed checks can not be voided from the checkbook dashboard. Payors wishing to void a mailed check must place a stop payment with their bank. For records and reconciliation purposes Checkbook can change the status to void.
Printed Checks
| UNPAID | PRINTED |
|---|---|
| Check email was sent but no action has been taken by the recipient | Final status. The recipient selected to print the check and downloaded the print PDF. Print PDF's can only be viewed 5 times before getting locked. Contact Checkbook to reset counter if necessary. |
Void Process
Printed checks can not be voided from the checkbook dashboard. Payors wishing to void a printed check must place a stop payment with their bank. For records and reconciliation purposes Checkbook can change the status to VOID.
Updated 11 days ago