API Endpoints & Authentication
All requests to the 株式会社ITO-Japan API are sent via HTTP to our endpoints.
- HTTP Methods : GET / POST / PATCH / PUT
- Base URL : https://dev.ito-japan.jp
- Content-Type : application/json
Sandbox payment can be also initiated while merchant set the service mode as test in merchant dashboard. It will be live while the mode will be set as active mode.
API Access Key
Register as a merchant in our system. In your merchant dashboard you will find the option for API access key.
Example access key : 51a4bd18-5bc1-4eaa-97b0-c09323398883
Payment Transaction Initiate
The following example code enables you to initiate a payment,depending on how you structure it. The perameter details are also below.
| Param Name | Param Type | Description |
|---|---|---|
| custom | string | Identification of your end Required |
| amount | decimal | The amount you want to transaction Required |
| details | string | Purchase details String Max 255 |
| web_hook | string | Instant payment notification url Required |
| cancel_url | string | Payment cancel return url Required |
| success_url | string | Payment success return url Required |
| customer_email | string | Customer email address Required |
| access_key | string | Send access_key as bearer token with header Required |
<?php
$parameters = [
'custom' => 'DFU80XZIKS',
'currency_code' => 'USD',
'amount' => 280.00,
'details' => 'Digital Product',
'web_hook' => 'https://yoursite.com/web_hook.php',
'cancel_url' => 'https://yoursite.com/cancel_url.php',
'success_url' => 'https://yoursite.com/success_url.php',
'customer_email' => '[email protected]',
];
$url = 'https://dev.ito-japan.jp/payment/process';
$timestamp = time();
$body = json_encode($parameters);
$signature = hash_hmac('sha256', $timestamp . '.' . $body, $secret_key);
$headers = [
"Accept: application/json",
"Authorization: Bearer access_key",
"X-Timestamp: $timestamp",
"X-Signature: $signature",
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($parameters));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
?>
Example Response after initiating payment
//Success Response.
{
"code": 200,
"status": "ok",
"payment_id": "AIYmQIOAz0GlmsjfhgiOeu304",
"message": "Your payment has been processed. Please follow the URL to complete the payment.",
"url":"https://dev.ito-japan.jp/process-checkout?payment_id=AIYmQIOAz0GlmsjfhgiOeu304"
}
//Error Response.
{
"code": 401,
"status": "error",
"message": "Invalid API credentials."
}
Response after successful payment
//WEBHOOK HEADER
"X-Timestamp: $timestamp",
"X-Signature: $signature",
//Client Can verify our webhook.
$timestamp = $_SERVER['HTTP_X_TIMESTAMP'];
$signature = $_SERVER['HTTP_X_SIGNATURE'];
$body = file_get_contents('php://input');
$secret_key = 'merchant側で事前共有したシークレット';
$expected_signature = 'sha256=' . hash_hmac('sha256', $timestamp . '.' . $body, $secret_key);
if (!hash_equals($expected_signature, $signature)) {
http_response_code(403);
exit('Invalid signature');
}
//Success Response.
{
"code": 200,
"status": "ok",
"payment_id": "AIYmQIOAz0GlmsjfhgiOeu304",
"transaction": "AIYmQIOAz0G",
"amount": 100.00,
"charge": 5.00,
"currency": "USD",
"custom": "BVSUZ545XCS",
"date" : "22-05-2022"
}
Verify Payment
You can verify the payment whether it is valid or not. After successful payment transaction you will have the response where you find the Payment ID. With this payment id and your access key you need make a request to our server for verify the payment. Example code is below.
Payment verify end point : https://dev.ito-japan.jp/payment/check-validity
<?php
$parameters = [
'payment_id' => 'AIYmQIOAz0GlmsjfhgiOeu304',
]
$url = 'https://dev.ito-japan.jp/payment/check-validity';
$headers = [
"Accept: application/json",
"Authorization: Bearer access_key",
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $parameters);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
?>
Validity Response
//Success Response.
{
"code": 200,
"status": "ok",
"message": "Transaction is valid",
}
//Error Response.
{
"code": 401,
"status": "error",
"message": "Invalid API credentials."
}
//or
{
"code": 404,
"status": "error",
"message": "Transaction not found"
}
Merchant OAuth (Client Credentials)
Use this flow for server-to-server communication from the merchant backend.
The merchant obtains an access token and uses it as Bearer token for /oauth/merchant/* endpoints.
| Item | Value |
|---|---|
| Token Endpoint | https://dev.ito-japan.jp/oauth/token |
| Grant Type | client_credentials |
| Auth Header | Authorization: Bearer {access_token} |
curl -X POST "https://dev.ito-japan.jp/oauth/token" \
-H "Accept: application/json" \
-d "grant_type=client_credentials" \
-d "client_id=YOUR_MERCHANT_CLIENT_ID" \
-d "client_secret=YOUR_MERCHANT_CLIENT_SECRET" \
-d "scope="
Example: Call merchant endpoints with the token:
curl -X GET "https://dev.ito-japan.jp/api/oauth/merchant/users/123/balance" \
-H "Accept: application/json" \
-H "Authorization: Bearer {access_token}"
Merchant OAuth API Endpoints
All endpoints below require a Merchant OAuth access token (client_credentials).
| Method | Path | Description |
|---|---|---|
| POST | /api/oauth/merchant/users | Create User (belongs to this merchant) |
| PATCH | /api/oauth/merchant/users/{user}/profile | Update user profile (partial) |
| GET | /api/oauth/merchant/users/{user}/balance | Get user balance |
| GET | /api/oauth/merchant/users/{user}/transactions | Get user transactions |
| GET | /api/oauth/merchant/users/{user}/cards | List user cards |
| GET | /api/oauth/merchant/users/{user}/kyc | Get KYC form schema + existing values |
| PATCH | /api/oauth/merchant/users/{user}/kyc | Save KYC draft (partial) |
| PUT | /api/oauth/merchant/users/{user}/kyc | Save KYC full state (completeness check) |
| POST | /api/oauth/merchant/users/{user}/kyc/submit | Submit KYC (lock status) |
Security All /oauth/merchant/users/{user} routes must verify ownership by created_by_client_id == client_id.
User OAuth (Authorization Code + PKCE)
Use this flow when the end-user authorizes access from an app.
Recommended
Use PKCE (no client_secret in mobile apps).
| Item | Value |
|---|---|
| Authorize Endpoint | https://dev.ito-japan.jp/oauth/authorize |
| Token Endpoint | https://dev.ito-japan.jp/oauth/token |
| Grant Type | authorization_code |
Step 1: Redirect user to authorize
https://dev.ito-japan.jp/oauth/authorize?
response_type=code&
client_id=YOUR_PUBLIC_CLIENT_ID&
redirect_uri=YOUR_REDIRECT_URI&
scope=&
state=RANDOM_STATE&
code_challenge=CODE_CHALLENGE&
code_challenge_method=S256
Step 2: Exchange code for token
curl -X POST "https://dev.ito-japan.jp/oauth/token" \
-H "Accept: application/json" \
-d "grant_type=authorization_code" \
-d "client_id=YOUR_PUBLIC_CLIENT_ID" \
-d "redirect_uri=YOUR_REDIRECT_URI" \
-d "code=AUTH_CODE_FROM_STEP1" \
-d "code_verifier=CODE_VERIFIER"
After obtaining access_token, call /oauth/user/* endpoints using Bearer token.
User OAuth API Endpoints
All endpoints below require a User OAuth access token (auth:passport_api).
| Method | Path | Description |
|---|---|---|
| GET | /api/oauth/user/me | Get current user |
| GET | /api/oauth/user/balance | Get my balance |
| GET | /api/oauth/user/transactions | Get my transactions |
| GET | /api/oauth/user/cards | List my cards |
| GET | /api/oauth/user/kyc | Get my KYC schema + values |
| PATCH | /api/oauth/user/kyc | Save my KYC draft (partial) |
| PUT | /api/oauth/user/kyc | Save my KYC full state |
| POST | /api/oauth/user/kyc/submit | Submit my KYC |
| POST | /api/oauth/user/cards/issue | Issue card |
| POST | /api/oauth/user/cards/sensitive | Get sensitive card info (recommended: last4 only) |
Additional API Catalog
This section lists additional APIs that are safe to disclose publicly. Internal administration APIs, secret keys, card sensitive data, and private operational endpoints are intentionally not listed.
| Category | Purpose | Authentication |
|---|---|---|
| TMA Tenant | Merchant branding and public Mini App configuration | No login required |
| TMA Auth | Telegram Mini App login, account link, registration, logout | Telegram initData / user token |
| TMA User | Profile, KYC, wallet, card, subscription and marketplace features | TMA user token |
| Merchant API | Payment, marketplace, settlement and wallet integration | Merchant Bearer token |
| Webhook | Payment result notification and signature verification | Signed server-to-server request |
TMA Public API
These endpoints are used before the user is fully logged in. They do not expose private wallet, card, or transaction information.
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/tma/tenant?merchant_id={merchant_id} | Get public tenant branding such as service name, logo, colors, terms URL and privacy URL. |
| POST | /api/tma/auth/login | Login with Telegram Mini App initData. |
| POST | /api/tma/auth/register | Create a new user from Telegram Mini App registration. |
| POST | /api/tma/auth/link | Link an existing account to Telegram. |
| POST | /api/tma/auth/logout | Logout from the Mini App session. |
| POST | /api/tma/auth/agree-terms | Record terms and privacy agreement. |
curl -X GET "https://dev.ito-japan.jp/api/tma/tenant?merchant_id=8" \
-H "Accept: application/json"TMA User API
These endpoints require a valid TMA user session token. Sensitive card number / CVV disclosure endpoints are not included in this public documentation.
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/tma/profile | Get current TMA user profile. |
| POST | /api/tma/profile | Update profile information. |
| GET | /api/tma/kyc/form | Get KYC form definition and current values. |
| POST | /api/tma/kyc/submit | Submit KYC information and documents. |
| GET | /api/tma/wallet/balances | Get wallet balances. |
| GET | /api/tma/wallet/deposits | Get deposit history. |
| GET | /api/tma/wallet/transfers | Get transfer history. |
| GET | /api/tma/cards | List user cards. |
| POST | /api/tma/cards/issue | Issue a virtual card after KYC and subscription payment checks. |
| GET | /api/tma/cards/{cardId}/transactions | Get card transaction history. |
| GET | /api/tma/export/card/{cardId}/csv | Export card transactions as CSV. |
| GET | /api/tma/export/card/{cardId}/pdf | Export card transactions as PDF. |
| GET | /api/tma/export/wallet/csv | Export wallet transactions as CSV. |
| GET | /api/tma/export/wallet/pdf | Export wallet transactions as PDF. |
TMA Subscription Billing API
Subscription APIs are used by the Mini App billing screen. Payment completion is processed server-side with duplicate protection.
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/tma/subscription/status | Get current subscription status, amount due, billing month and next billing date. |
| GET | /api/tma/subscription/history | Get completed, refunded, failed or cancelled billing history. Pending attempts are not shown as payment history. |
{
"ok": true,
"subscription": {
"status": "active",
"billing_month": "2026-05",
"amount_due": 1277,
"currency": "JPY",
"formatted_amount": "¥1,277",
"next_billing_date": "2026-06-01"
}
}TMA Marketplace API
Mini App users can browse listings and send inquiries. Merchant management endpoints are documented separately in the Marketplace API section.
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/tma/marketplace/listings | List marketplace items available in the Mini App. |
| POST | /api/tma/marketplace/listings/{id}/inquiry | Send a product inquiry to the merchant. |
TMA Custom Token API
These endpoints expose public token information and user-visible token history. Private keys and signing material are never returned.
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/tma/custom-token/info | Get token display information and balance summary. |
| GET | /api/tma/custom-token/history | Get token transaction history. |
| POST | /api/tma/custom-token/transfer | Transfer custom token where enabled. |
Security Notes for Published APIs
- Never publish access keys, client secrets, production webhook IDs, private keys, mnemonic phrases, or card CVV data in documentation examples.
- Public documentation should show endpoint purpose, authentication type, and safe sample payloads only.
- Card sensitive information endpoints, administrator endpoints, and internal reconciliation endpoints should remain unpublished.
- For merchant APIs, always verify that the requested user, order, listing, or settlement belongs to the authenticated merchant.
- For webhooks, verify signatures and make payment completion idempotent to prevent duplicate processing.
Supported Currencies
Following currencies are currently supported in our system. It may update furthur.
| Currency Name | Currency Symbol | Currency Code |
|---|---|---|
| United State Dollar | $ | USD |
| Japanese Yen | ¥ | JPY |
| SAKURAGUAMPOINT-USD | $ | SGP-USD |
Marketplace API
マーケットプレイスAPIを使用して、出品管理・注文管理・問い合わせ・精算履歴にアクセスできます。 全てのリクエストに Bearer Token 認証が必要です。
| Method | Endpoint | 説明 |
|---|---|---|
| GET | /api/merchant/listings | 出品一覧 |
| GET | /api/merchant/listings/{id} | 出品詳細 |
| POST | /api/merchant/listings | 出品作成 |
| PATCH | /api/merchant/listings/{id} | 出品更新 |
| GET | /api/merchant/orders | 注文一覧 |
| GET | /api/merchant/orders/{number} | 注文詳細 |
| POST | /api/merchant/orders/{number}/ship | 発送登録 |
| GET | /api/merchant/inquiries | 問い合わせ一覧 |
| GET | /api/merchant/inquiries/{id} | 問い合わせ詳細 |
| POST | /api/merchant/inquiries/{id}/reply | 返信送信 |
| GET | /api/merchant/settlements | 精算履歴 |
Listings(出品管理)
GET /api/merchant/listings
自分の出品一覧を取得します。per_page パラメータでページサイズを指定できます(デフォルト: 20)。
curl -X GET "https://dev.ito-japan.jp/api/merchant/listings?per_page=10" \
-H "Authorization: Bearer {access_key}" \
-H "Accept: application/json"POST /api/merchant/listings — 出品作成リクエストパラメータ
| Param | Type | 説明 |
|---|---|---|
| title | string | 出品タイトル Required |
| description | string | 商品説明 Required |
| category_code | string | カテゴリコード Required |
| price | numeric | 価格 Required |
| currency_id | integer | 通貨ID Required |
| sku | string | SKU(任意) |
| stock | integer | 在庫数(任意) |
| is_shippable | boolean | 物理配送が必要か |
| weight_g | integer | 重量(g) is_shippable=true の場合必須 |
curl -X POST "https://dev.ito-japan.jp/api/merchant/listings" \
-H "Authorization: Bearer {access_key}" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{
"title": "商品名",
"description": "商品の説明文",
"category_code": "digital_content_creator",
"price": 1000,
"currency_id": 1,
"stock": 100
}'Orders(注文管理)
GET /api/merchant/orders
注文一覧を取得します。status・escrow_status でフィルタ可能です。
| status の値 | escrow_status の値 |
|---|---|
| pending / paid / cancelled / refunded | holding / shipped / delivered / released / disputed |
## 発送登録
curl -X POST "https://dev.ito-japan.jp/api/merchant/orders/ORD-XXXXXXXX/ship" \
-H "Authorization: Bearer {access_key}" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{
"tracking_number": "1234567890",
"carrier": "DHL"
}'Inquiries(問い合わせ)
購入前の顧客からの問い合わせを管理します。 返信内容はAIによる規約違反チェックが行われます。 外部決済・銀行情報などの規約違反コンテンツはブロックされます。
## 問い合わせ返信
curl -X POST "https://dev.ito-japan.jp/api/merchant/inquiries/1/reply" \
-H "Authorization: Bearer {access_key}" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{"message": "お問い合わせありがとうございます。こちらの商品は..."}'Crypto Wallet API(USDT / SGP-USD)
USDTウォレットの残高・入金履歴を取得します。 秘密鍵・ニーモニック・暗号化キーはAPIで返却されません。 ガスレス送金はセキュリティ上の理由からAPIでは提供しておらず、Webインターフェースのみで行えます。
| Method | Endpoint | 説明 |
|---|---|---|
| GET | /api/merchant/wallet/usdt-balance | USDT残高(オンチェーン) |
| GET | /api/merchant/wallet/deposits | USDT入金履歴 |
## USDT残高取得
curl -X GET "https://dev.ito-japan.jp/api/merchant/wallet/usdt-balance" \
-H "Authorization: Bearer {access_key}" \
-H "Accept: application/json"
## レスポンス例
{
"code": 200,
"status": "success",
"data": {
"address": "0x07fd8aba...",
"wallet_version": 5,
"usdt_balance": 10.50,
"daily_transfers_remaining": 4
}
}GET /api/merchant/wallet/deposits — 入金履歴レスポンス項目
| フィールド | 型 | 説明 |
|---|---|---|
| tx_hash | string | Ethereumトランザクションハッシュ |
| from_address | string | 送金元アドレス |
| to_address | string | 受取アドレス |
| usdt_amount | float | 入金USDT額 |
| sgpusd_amount | float|null | 付与SGP-USD額(購入時のみ) |
| fee_amount | float|null | 手数料(1%) |
| status | string | pending / confirmed / granted / skipped |
| etherscan_url | string | Etherscanリンク |
| confirmed_at | ISO8601|null | ブロック確認日時 |
HMAC 署名(オプション)
セキュリティを強化するために X-Timestamp と X-Signature ヘッダーを追加できます。 署名を付与する場合、タイムスタンプは5分以内のリクエストのみ受け付けます(Replay攻撃防止)。
<?php
$accessKey = 'your_access_key';
$secretKey = 'your_secret_key';
$timestamp = time();
$body = json_encode(['tracking_number' => '1234567890', 'carrier' => 'DHL']);
$signature = hash_hmac('sha256', $timestamp . '.' . $body, $secretKey);
$response = file_get_contents('https://dev.ito-japan.jp/api/merchant/orders/ORD-XXXXXXXX/ship', false,
stream_context_create(['http' => [
'method' => 'POST',
'header' => implode("\r\n", [
'Content-Type: application/json',
'Authorization: Bearer ' . $accessKey,
'X-Timestamp: ' . $timestamp,
'X-Signature: ' . $signature,
]),
'content' => $body,
]])
);
echo $response;