Quickstart with Postman
Out-of-the-box Postman assets for QA and partner engineers. Import, fill in credentials, and you can hit every documented v1 endpoint with valid HMAC-signed requests.
Files
AllScale_OpenAPI.postman_collection.json
Collection β all v1 endpoints + collection-level request signer + response assertions.
AllScale_OpenAPI_Production.postman_environment.json
Production environment (https://openapi.allscale.io).
Import (Postman desktop or web)
File β Import β drop all three JSON files in at once.
Top-right environment dropdown β pick AllScale OpenAPI
Open the environment, paste your
api_keyandapi_secret, save.api_secretis stored with Postman'ssecrettype and is masked.Both values are shown once in the merchant dashboard β keep them safe.
base_url and checkout_intent_id are already wired up; you should not need to edit them.
Suggested run order
Test / GET
/v1/test/pingβ confirms keys + clock + signing.Test / POST
/v1/test/postβ confirms body hashing.Checkout Intent / Create β fiat or Create β native stable-coin β creates an intent and auto-saves
checkout_intent_idinto the environment.Fiat: send
currency(IntEnum). Server FX-converts to the resolved settlement coin (USDT or USDC); useaccepted_stable_coinsto pick which (first entry wins; defaults to USDT when omitted).Native stable-coin: send
stable_coinβ1(USDT) or2(USDC) are both accepted.amount_centsis stable-coin cents, no FX, andcurrency_ratewill benull.Send exactly one β both or neither returns
10001.
Checkout Intent / GET
/v1/checkout_intents/{id}/statusβ polls the lifecycle state.Checkout Intent / GET
/v1/checkout_intents/{id}β full detail.For a native-stable-coin intent, the fiat fields (
currency,currency_symbol,amount_cents,currency_rate) will benull; the authoritative amount lives inamount_coins.
You can also run the whole collection with Postman's Collection Runner β every request has assertions attached, so the runner report is a usable QA smoke-test.
How signing works (for the curious)
A pre-request script lives at the collection root, so it runs before every request without per-request setup. For each call it:
Reads
api_key/api_secretfrom the active environment.Builds the canonical string
METHOD\nPATH\nQUERY\nTIMESTAMP\nNONCE\nBODY_SHA256(body hash =sha256_hex(raw_body_bytes); empty body hashes the empty string).Signs it with HMAC-SHA256, base64-encoded.
Upserts the required headers:
X-API-Key,X-Timestamp,X-Nonce,X-Signature: v1=<sig>.
No need to touch the script for normal QA β but if a signature ever looks wrong, uncomment the two console.log lines at the bottom of the pre-request script to dump the canonical string and produced signature to the Postman console.
Troubleshooting
20001 missing_headers
api_key / api_secret not set in the active environment.
20002 timestamp_out_of_window
Your machine's clock is off; sync NTP (Β±5 min window).
20002 signature_mismatch on POSTs only
Body was edited after the script ran, or Content-Type isn't application/json. Re-send; the script re-hashes on every send.
20002 replay_nonce
Sending two requests with the same nonce within the replay window. The script generates a new UUID every send, so this should not happen β double-check you don't have the script disabled.
30001 ip_not_allowed
Your egress IP isn't on the merchant IP allowlist.
40001
Rate limited. Back off per the retry_after in the error details.
50001
checkout_intent_id is unset or belongs to another merchant. Re-run Create to capture a fresh id.
50002
Create rejected the request (e.g. amount must be greater than 0.1 <coin> when the order is at or below the 0.1-coin floor). Read error.details.reason for the specifics.
Updating the package
When endpoints change, edit AllScale_OpenAPI.postman_collection.json in this repo, then re-export the matching .json from Postman β or just keep editing JSON directly. Try to keep the canonical-string script in sync with thirdparty_api/auth/__init__.py::_canonical_request; they must produce byte-identical canonical strings.
Last updated