API overview
The merchant API is a set of REST endpoints (GodaPay-compatible). Every request carries a signature field in the body, using MD5 sorted signature authentication.
Basics
Base URL
https://api.168tonpay.xyz/api/v1/compat/godapay # collect
https://apply.168tonpay.xyz/api/v1/compat/godapay # payout
Authentication
All endpoints use the request-body MD5 sorted signature. See Authentication.
Request example
POST /api/v1/compat/godapay/pay/order/create HTTP/1.1
Host: api.168tonpay.xyz
Content-Type: application/json
{
"merchantId": "0b8a4f32-1c1e-4a1c-9b25-3a9c2e0f7d5b",
"orderNo": "ORD-001",
"returnUrl": "https://your-server.example/webhook",
"playerPhone": "01711000000",
"playerRef": "player_1",
"signature": "<md5-sorted>"
}
Response format
Success (code: 0):
{ "code": 0, "data": { /* endpoint fields */ } }
Error (non-zero code):
{ "code": 1103, "message": "Amount must be between 10 and 1000000" }
See Error codes.
Endpoints
| Endpoint (relative to Base URL) | Method | Purpose |
|---|---|---|
/pay/order/create | POST | Create a deposit |
/pay/order/query | POST | Query an order |
/pay/order/status/:platformOrderNo | GET | hosted-page status polling |
/apply/create | POST | Create a payout |
/apply/query | POST | query a payout |
/pay/balance | POST | Check balance |
Supported channels
| Code | Name |
|---|---|
bkash | bKash |
nagad | Nagad |
rocket | Rocket |
Rate limits
60 requests / minute per merchant. See Rate limits.
HTTP status codes
| Code | Meaning |
|---|---|
| 200 | Success (business result in the code field) |
| 400 | Bad request |
| 401 | Unauthorized / invalid signature |
| 404 | Not found |
| 429 | Rate limited |
| 500 | Server error |
Webhook
When an order reaches a terminal state, the platform POSTs a form-urlencoded callback to your returnUrl (status "1"=paid / "0"=unpaid); respond with the literal SUCCESS. See Webhooks.