API Reference

The Rebel Pay API is a RESTful API that uses JSON for request and response bodies. Endpoints are authenticated via API key unless noted otherwise: some require JWT authentication, and a few are public.

Base URL: https://your-server.com

Authentication

Include your API key in the x-api-key header:

curl https://your-server.com/api/charges \
  -H "x-api-key: rp_live_your_api_key"

Charges

Create Charge

POST /api/charges

Creates a new payment charge.

Request Body:

{
  "amount": 10.00,          // Required: Amount in currency
  "currency": "USD",        // Optional: USD, EUR, GBP (default: USD)
  "metadata": {             // Optional: Custom data for your reference
    "order_id": "12345"
  }
}

Response:

{
  "id": "ch_abc123def456789",
  "amount": 10.00,
  "currency": "USD",
  "amount_xmr": 0.028571,
  "subaddress": "84Hv16y6x7BTie3ib5Sx...",
  "subaddress_index": 7,
  "status": "pending",
  "metadata": {"order_id": "12345"},
  "created_at": "2026-02-15T02:00:00.000Z",
  "expires_at": "2026-02-15T03:00:00.000Z"
}

Note: Never expose your API key in client-facing code or URLs. Payment pages are accessed via /pay/{charge_id} without any authentication — they are public by design.

Example:

curl -X POST https://your-server.com/api/charges \
  -H "Content-Type: application/json" \
  -H "x-api-key: rp_live_abc123" \
  -d '{"amount": 10.00, "currency": "USD"}'

List Charges

GET /api/charges

Returns up to the 100 most recent charges.

Response:

{
  "charges": [
    {
      "id": "ch_abc123",
      "amount": 10.00,
      "status": "confirmed",
      ...
    },
    ...
  ]
}

Get Charge

GET /api/charges/:id

Returns a single charge by ID.

Example:

curl https://your-server.com/api/charges/ch_abc123 \
  -H "x-api-key: rp_live_abc123"

Link Expiration

Control how long a pay link remains valid by adding expiration params to charge creation:

  • expires_at — ISO 8601 timestamp (e.g. 2026-03-01T00:00:00Z)
  • expires_in — hours from creation (e.g. 24)

This is separate from the payment timeout. The payment timeout controls how long a customer has to pay once they open the link. Link expiration controls how long the link itself is valid before anyone visits it.

curl -X POST https://your-server.com/api/charges \
  -H "Content-Type: application/json" \
  -H "x-api-key: rp_live_abc123" \
  -d '{"amount": 50, "currency": "USD", "expires_in": 48}'

Link Deactivation

POST /api/charges/:id/toggle-active

Toggles a charge link between active and inactive. Deactivated links return HTTP 410 (Gone).

curl -X POST https://your-server.com/api/charges/ch_abc123/toggle-active \
  -H "x-api-key: rp_live_abc123"

Get Charge QR Code

GET /api/charges/:id/qr

Returns a QR code for the payment.

Query Parameters:

  • format=png - Return PNG image
  • format=dataurl - Return base64 data URL (default)

Payment Buttons

Create Payment Button Charge

POST /api/charges/button

Public endpoint — no API key needed. Creates a charge using your merchant_id (found on your Settings → API Keys page). Designed for embedded payment buttons on external sites. See Payment Buttons for full documentation.

Request Body:

{
  "merchant_id": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",  // Required
  "amount": 25.00,                  // Required
  "currency": "USD",                // Optional (default: USD)
  "description": "T-shirt",        // Optional
  "fields": ["email", "name"],     // Optional: collect buyer info (any field names)
  // Custom examples: ["discord_username", "license_key", "shipping_address"]
  "expires_at": "2026-03-01T00:00:00Z",  // Optional
  "expires_in": 24,                 // Optional: hours
  "payment_request_id": "a1b2c3d4e5f6a7b8"   // Optional: link to payment request
}

The response is the same as a standard charge creation. Redirect the customer to /pay/{charge_id} to show the payment page.
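
Because this endpoint is public, the amount and currency of a button charge are supplied by the caller, so the merchant backend should re-read the charge with GET /api/charges/:id and compare it with its own order record before fulfilling. The following is an added example, not Rebel Pay's code; the REBELPAY_API_KEY variable, the order record layout, the charge-id pattern and the function names are assumptions.

```python
import json
import os
import urllib.request
from decimal import Decimal, InvalidOperation

BASE_URL = "https://your-server.com"  # placeholder base URL used on this page


def fetch_charge(charge_id):
    """GET /api/charges/:id from the merchant backend, never from the browser."""
    # Assumed id shape ("ch_" + alphanumerics, as in this page's samples);
    # rejecting anything else keeps caller-supplied input out of the URL path.
    if not (charge_id.startswith("ch_") and charge_id[3:].isalnum()):
        raise ValueError("unexpected charge id")
    req = urllib.request.Request(
        f"{BASE_URL}/api/charges/{charge_id}",
        headers={"x-api-key": os.environ["REBELPAY_API_KEY"]},  # assumed env var
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _money(value):
    """Parse an amount exactly; None for anything that is not a number."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def charge_problems(charge, order):
    """Return reasons not to fulfil `order`; an empty list means it is safe."""
    problems = []
    if charge.get("status") != "confirmed":
        problems.append("status is not confirmed")
    # The order total is trusted server data; the charge amount is not.
    if _money(charge.get("amount")) != Decimal(str(order["amount"])):
        problems.append("amount mismatch")
    if charge.get("currency") != order["currency"]:
        problems.append("currency mismatch")
    want = order.get("order_id")  # only set when the charge carried metadata
    if want is not None and (charge.get("metadata") or {}).get("order_id") != want:
        problems.append("order_id mismatch")
    return problems


if __name__ == "__main__":
    # Constructed sample shaped like the Create Charge response on this page.
    sample = {"id": "ch_abc123", "amount": 10.00, "currency": "USD",
              "status": "pending", "metadata": {"order_id": "12345"}}
    print(charge_problems(sample, {"amount": "10.00", "currency": "USD",
                                   "order_id": "12345"}))
```

Run the check when the customer returns from /pay/{charge_id} or when a charge.confirmed webhook arrives, and fulfil only when the returned list is empty.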

Webhooks

Create Webhook

POST /api/webhooks

Requires JWT authentication (Bearer token).

{
  "url": "https://yoursite.com/webhooks",
  "events": ["charge.confirmed", "charge.expired"]
}

List Webhooks

GET /api/webhooks

Delete Webhook

DELETE /api/webhooks/:id

Price

Get XMR Price

GET /api/price/xmr

Returns current XMR/USD price from Kraken. No authentication required.

{
  "price": 170.25,
  "changePercent24h": 2.5,
  "high24h": 175.00,
  "low24h": 165.00
}

Swap

Get Swap Rate

GET /api/swap/rate

Query Parameters:

  • from - Source currency (default: xmr)
  • to - Destination currency (e.g., usdttrc20)
  • amount - Amount to swap (default: 1)

Example:

curl "https://your-server.com/api/swap/rate?from=xmr&to=usdttrc20&amount=2"

Get Swap Quotes

GET /api/swap/quotes

Returns quotes from all enabled swap providers for comparison.

Query Parameters:

  • from — Source currency (default: xmr)
  • to — Destination currency (e.g., usdttrc20)
  • amount — Amount to swap

Example:

curl "https://your-server.com/api/swap/quotes?from=xmr&to=usdttrc20&amount=1"

Response:

{
  "quotes": [
    {
      "provider": "changenow",
      "rate": 170.25,
      "output_amount": 168.50,
      "estimated_time": "5-30 min"
    },
    {
      "provider": "exch",
      "rate": 169.80,
      "output_amount": 168.10,
      "estimated_time": "10-60 min"
    }
  ]
}

Create Swap

POST /api/swap/create

Creates a swap. Now accepts an optional provider parameter to select a specific provider from the quotes.

{
  "from": "xmr",
  "to": "usdttrc20",
  "amount": 1.5,
  "address": "TXyz123...",
  "provider": "changenow"  // Optional: pick a specific provider
}

Account

Update Payout Address

PUT /api/account/payout

Requires JWT authentication.

{
  "address": "4AbC123..."
}

Regenerate API Key

POST /api/account/keys/regenerate

Requires JWT authentication.

{
  "type": "production"  // or "sandbox"
}

Configure Auto-Convert

PUT /api/merchants/auto-swap

Requires JWT authentication. Enable or disable automatic XMR → stablecoin/BTC conversion.

{
  "enabled": true,
  "currency": "usdttrc20",
  "address": "TXyz123..."
}

See Auto-Convert for details on supported currencies and fees.

Status Codes

  • 200 - Success
  • 400 - Bad request (invalid parameters)
  • 401 - Unauthorized (invalid or missing API key)
  • 404 - Not found
  • 429 - Rate limited
  • 500 - Server error

Rate Limits

  • Authentication endpoints: 10 requests per 15 minutes
  • Charge creation: 30 requests per minute
  • General API: 500 requests per minute