The Fyber API.

REST, JSON, predictable. The same primitives every payment integration needs — without the surprises.

Read the full reference →Try the sandbox

Authentication

Every request authenticates with a Bearer token. Use a secret key for server-side calls and a publishable key for client-side tokenization.

Authorization: Bearer sk_live_...

Test mode keys start with sk_test_.... Test mode is isolated from live data — feel free to break things.

Base URLs

Live: https://api.fyber.one/v1
Sandbox: https://api.sandbox.fyber.one/v1

Idempotency keys

Every POST accepts an Idempotency-Key header (max 255 chars, unique per intended operation). If you retry a request with the same key, we return the same response — even if the original request actually succeeded. Safe to retry indefinitely.

POST /v1/charges
Idempotency-Key: a1b2c3d4-...
Authorization: Bearer sk_live_...

Pagination

All list endpoints use cursor-based pagination. Pass limit (default 20, max 100) and starting_after / ending_before. Responses include has_more and next_cursor.

Error format

Errors are JSON with a stable type and a human-readable message. HTTP status codes are meaningful: 4xx for caller errors, 5xx for our problems.

{
  "error": {
    "type": "card_declined",
    "message": "Your card was declined.",
    "code": "do_not_honor",
    "decline_code": "generic_decline",
    "param": "source"
  }
}

Rate limits

Limits are per-key, per-endpoint, with separate buckets for read vs write. When throttled you get a 429 Too Many Requests with a Retry-After header. We email you well before you hit the limit.

Webhook signing

Every webhook delivery includes an X-Fyber-Signature header containing an HMAC-SHA256 over the request body, signed with your endpoint's signing secret. Verify the signature before trusting the payload.

X-Fyber-Signature: t=1700000000,v1=abc123...
X-Fyber-Event: payment.succeeded

Versioning

The API version is in the URL: /v1. Breaking changes ship as new versions (/v2, etc.). Old versions are supported for at least 12 months after a successor is published. We notify all merchants 90 days before any deprecation.

Where next

Full API reference — every endpoint, every parameter, copy-paste examples.
Sandbox — try-it-now with test cards.
SDKs — install commands for JS, PHP, .NET, Flutter.
Changelog — keep tabs on breaking changes.

Read the full docs.

Every endpoint, with curl + SDK examples and runnable code.

Open docs.fyber.one Get a test API key