Overview
The Global Business Pay Merchant API enables businesses and developers to integrate world-class payment processing capabilities directly into their applications, websites, and platforms. Built on RESTful principles with JSON data interchange, our API provides secure, scalable, and compliant payment infrastructure backed by over a decade of financial services expertise.
Whether you are processing one-time payments, setting up recurring billing, tokenizing cards for future use, or managing cross-border transfers — the GBP API provides the comprehensive toolkit you need with bank-grade security at every layer.
Bank-Grade Security
256-bit SSL encryption, 3D Secure v2, tokenized card storage, and real-time fraud monitoring powered by machine learning.
Sub-Second Processing
Average API response time of 180ms globally. Process thousands of transactions per second with 99.99% uptime SLA.
180+ Countries
Accept payments from customers in 180+ countries, supporting 135+ currencies with real-time FX conversion.
API Architecture
Your Application
Merchant website or mobile app initiates payment request
GBP API Gateway
Authenticated request validated, tokenized, and encrypted
Processing Network
Visa, Mastercard, SEPA, SWIFT, or blockchain settlement
Confirmation
Real-time webhook + API response with transaction details
Authentication
All API requests must be authenticated using your unique Merchant API Key and Secret Key. These credentials are generated when your merchant account is approved and can be rotated at any time through the Merchant Dashboard.
Authentication is performed via HTTP Basic Auth. Include your API Key as the username and Secret Key as the password in the Authorization header of every request. Requests without valid authentication will return a 401 Unauthorized error.
Authorization: Basic <base64(api_key:secret_key)> X-GBP-API-Version: 2024-01-15 X-GBP-Request-ID: req_8f3a2b7c1d4e5f6a Content-Type: application/json
curl -X GET "https://api.globalbusinesspay.io/v2/account" \\ -u "gbp_live_sk_abc123def456ghi789":"" \\ -H "X-GBP-API-Version: 2024-01-15" \\ -H "X-GBP-Request-ID: req_$(uuidgen)"
API Key Security Best Practices
- Never expose Secret Keys in client-side code, public repositories, or browser-based applications. Secret Keys should only be used in server-to-server communication.
- Use environment variables to store API credentials. Never hardcode keys into your application source code.
- Rotate keys regularly — we recommend rotating Secret Keys every 90 days. Old keys remain valid for a 24-hour grace period.
- IP Whitelisting: Configure allowed IP addresses in your Merchant Dashboard to restrict API access to your servers only.
Base URLs & Environments
GBP provides separate environments for development/testing and production. All environments are globally distributed with automatic failover and maintain the same API contract.
| Environment | Base URL | Purpose |
|---|---|---|
| Sandbox | https://api.globalbusinesspay.io/v2 | Development, testing, integration validation. No real money. |
| Production | https://api.globalbusinesspay.io/v2 | Live transactions with real funds. Requires verified merchant status. |
| Webhook Test | https://webhook-test.globalbusinesspay.io | Simulate webhook events for local development. |
Sandbox vs Production
The Sandbox environment mirrors Production exactly but processes simulated transactions. Sandbox API Keys are prefixed with gbp_test_ while Production Keys use gbp_live_. Attempting to use a Sandbox key on the Production endpoint (or vice versa) will result in a 403 Forbidden response.
Create Payment
Initiate a new payment transaction. This endpoint supports one-time card payments, tokenized card charges, bank transfers (SEPA/SWIFT), and cryptocurrency payments. The response includes a unique transaction ID for tracking.
pending and transition to completed, failed, or requires_action (for 3D Secure).Request Parameters
| Parameter | Type | Description |
|---|---|---|
| amount Required | integer | Payment amount in smallest currency unit (cents). e.g. 5000 for $50.00 |
| currency Required | string (3) | ISO 4217 currency code. e.g. "USD", "EUR", "GBP" |
| source Required | object | Payment source: card object, token ID, or bank_transfer object |
| description Optional | string (255) | Human-readable description displayed on customer statements |
| customer_id Optional | string | Existing customer ID for repeat payments. Creates new customer if omitted. |
| metadata Optional | object | Key-value pairs (max 20 keys, 500 chars each) attached to the transaction |
| webhook_url Optional | string | Override default webhook URL for this transaction only |
| idempotency_key Optional | string (100) | Prevents duplicate charges. Same key + params = same response for 24h |
| 3d_secure Optional | boolean | Force 3D Secure authentication. Default: true for EU cards |
| capture Optional | boolean | If false, creates authorized hold only. Capture later via separate call. Default: true |
{
"amount": 25500000,
"currency": "USD",
"source": {
"type": "card",
"number": "4228567890123456",
"exp_month": 8,
"exp_year": 2029,
"cvc": "987",
"holder_name": "JOHN DOE"
},
"description": "World Card Activation - GBP Merchant",
"idempotency_key": "world_card_001_johndoe_20250424",
"3d_secure": true,
"metadata": {
"card_type": "world",
"customer_tier": "premium_merchant"
}
}
{
"id": "pay_9xK2mNpQr5sT7uVw",
"object": "payment",
"amount": 25500000,
"currency": "USD",
"status": "completed",
"source_type": "card",
"card_brand": "visa",
"card_last4": "3456",
"description": "World Card Activation - GBP Merchant",
"fee_amount": 38250,
"net_amount": 25461750,
"exchange_rate": 1.0000,
"3d_secure_status": "authenticated",
"risk_score": 12,
"metadata": { "card_type": "world" },
"created_at": "2026-04-24T14:32:18Z",
"receipt_url": "https://portal.globalbusinesspay.io/receipts/pay_9xK2mNpQr5sT7uVw"
}
Retrieve Payment
Fetch the details of an existing payment transaction using its unique ID. Use this endpoint to check payment status, view fee breakdowns, access receipt URLs, and verify metadata.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
| payment_id Required | string | The unique payment ID returned from the Create Payment call. Format: pay_xxxxxxxxxxxxxxxx |
curl -X GET "https://api.globalbusinesspay.io/v2/payments/pay_9xK2mNpQr5sT7uVw" \\ -u "gbp_live_sk_abc123def456ghi789":"" \\ -H "X-GBP-API-Version: 2024-01-15"
Process Refund
Refund a previously completed payment either partially or in full. Refunds are processed to the original payment source and typically settle within 5-10 business days for card payments, 1-2 days for bank transfers.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| amount Optional | integer | Refund amount in cents. If omitted, full payment amount is refunded. |
| reason Optional | string | Refund reason: "requested_by_customer", "duplicate", "fraudulent", "other" |
| metadata Optional | object | Additional key-value data attached to the refund record |
{
"amount": 500000,
"reason": "requested_by_customer",
"metadata": { "ticket_id": "SUPPORT-1024" }
}
List Transactions
Retrieve a paginated list of all transactions associated with your merchant account. Supports filtering by date range, status, amount, currency, and payment method.
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| limit Optional | integer | Number of results per page. Default: 25, Max: 100 |
| starting_after Optional | string | Cursor for pagination. Pass the last object ID for the next page |
| status Optional | string | Filter: pending, requires_action, completed, failed, refunded, disputed |
| from Optional | string (date) | Start date filter (YYYY-MM-DD) |
| to Optional | string (date) | End date filter (YYYY-MM-DD) |
| currency Optional | string | Filter by ISO currency code |
| min_amount Optional | integer | Filter transactions with amount >= value (in cents) |
| max_amount Optional | integer | Filter transactions with amount <= value (in cents) |
Tokenize Card
Securely store card details by converting them into a reusable token. Tokenized cards can be charged later without re-entering card details. GBP is PCI-DSS Level 1 certified — card data never touches your servers.
{
"card": {
"number": "4228567890123456",
"exp_month": 8,
"exp_year": 2029,
"cvc": "987",
"holder_name": "JOHN DOE",
"address_line1": "123 Financial District",
"address_city": "London",
"address_postal_code": "EC2N 1AR",
"address_country": "GB"
},
"validate_card": true
}
{
"id": "tok_3bN5pQr7sT9uVxYz",
"object": "token",
"type": "card",
"card": {
"brand": "visa",
"last4": "3456",
"exp_month": 8,
"exp_year": 2029,
"holder_name": "JOHN DOE",
"funding": "debit",
"issuer_country": "GB",
"checks": {
"cvc_check": "pass",
"address_line1_check": "pass",
"postal_code_check": "pass"
}
},
"created_at": "2026-04-24T14:32:18Z"
}
Charge Token
Charge a previously created card token. This enables one-click payments, subscription billing, and saved card workflows without storing sensitive card data on your servers.
{
"amount": 50000,
"currency": "USD",
"source": "tok_3bN5pQr7sT9uVxYz",
"description": "Monthly subscription - Premium Plan",
"customer_id": "cus_7aB3cDe4fGh5iJk6"
}
Verify Card
Perform a zero-amount authorization to validate card details without charging the customer. This is useful for account verification, card validity checks before storing tokens, and KYC compliance workflows.
Merchant Account Info
Retrieve details about your merchant account including business profile, verification status, enabled features, API permissions, and compliance status.
{
"id": "mer_2cD4eFg6hIj8kLm0",
"object": "merchant",
"business_name": "Acme Technologies Ltd",
"status": "active",
"verification_status": "verified",
"merchant_tier": "enterprise",
"email": "finance@acmetech.com",
"default_currency": "USD",
"supported_currencies": ["USD", "EUR", "GBP", "JPY"],
"api_permissions": [
"payments:read", "payments:write",
"refunds:write", "tokens:write",
"webhooks:read", "webhooks:write"
],
"processing_fees": {
"domestic_card": "1.5% + $0.25",
"international_card": "2.9% + $0.25",
"bank_transfer_sepa": "0.5%",
"bank_transfer_swift": "1.0% + $15"
},
"compliance": {
"kyc_status": "approved",
"aml_screening": "passed",
"pci_compliance": "level_1",
"sanctions_check": "cleared"
},
"created_at": "2020-03-15T09:22:00Z"
}
Check Balance
Retrieve real-time balance information for your merchant account across all supported currencies. Returns available balance, pending balance (funds in clearing), and reserved balance (held for disputes/chargebacks).
{
"object": "balance",
"balances": [
{
"currency": "USD",
"available": 125489500,
"pending": 1842000,
"reserved": 250000
},
{
"currency": "EUR",
"available": 89245000,
"pending": 756000,
"reserved": 120000
}
],
"livemode": true,
"updated_at": "2026-04-24T14:32:18Z"
}
Note: All balance amounts are in the smallest currency unit (cents). Divide by 100 for display values. Available balance = Total - Pending - Reserved.
Withdraw Funds
Transfer available balance from your GBP merchant account to an external bank account. Supports SEPA transfers (EUR, 1-2 business days), SWIFT transfers (global, 2-5 business days), and same-day wire for USD to US-based accounts.
| Parameter | Type | Description |
|---|---|---|
| amount Required | integer | Withdrawal amount in smallest currency unit |
| currency Required | string (3) | Currency code. Must match available balance currency |
| destination Required | object | Bank account object: account_number, routing_number/swift_bic, bank_name, country |
| reference Optional | string | Internal reference visible on bank statement |
| schedule Optional | string | "immediate" or "next_business_day". Default: immediate |
Webhook Events
GBP sends webhook events to your configured endpoint URL to notify your application of real-time payment status changes, refunds, disputes, and account updates. All webhooks are delivered via HTTPS POST with a JSON payload and include a signature header for verification.
Event Types
| Event Type | Description | When Triggered |
|---|---|---|
payment.created | Payment initiated | Immediately after Create Payment API call |
payment.pending | Awaiting processing | Payment queued for processing (high volume periods) |
payment.requires_action | 3D Secure required | When customer must complete additional authentication |
payment.completed | Payment successful | Funds captured and confirmed by acquiring bank |
payment.failed | Payment declined | Card declined, insufficient funds, or fraud block |
payment.refunded | Refund processed | Full or partial refund completed successfully |
payment.disputed | Chargeback filed | Customer initiated chargeback with issuing bank |
token.created | Card tokenized | New card token successfully created |
transfer.completed | Payout sent | Withdrawal transfer confirmed by receiving bank |
account.updated | Account change | Merchant account settings or limits modified |
{
"id": "evt_7wX4yZv2bC6dE8fA",
"object": "event",
"type": "payment.completed",
"created_at": "2026-04-24T14:32:22Z",
"data": {
"object": {
"id": "pay_9xK2mNpQr5sT7uVw",
"status": "completed",
"amount": 25500000,
"currency": "USD",
"fee_amount": 38250,
"net_amount": 25461750,
"receipt_url": "https://portal.globalbusinesspay.io/receipts/pay_9xK2mNpQr5sT7uVw"
}
}
}
Webhook Signature Verification
To ensure webhook payloads are genuinely from Global Business Pay and have not been tampered with in transit, every webhook includes a cryptographic signature in the X-GBP-Signature header. You must verify this signature before processing the payload.
Verification Steps
- Extract the timestamp from
X-GBP-Timestampheader. Reject if older than 5 minutes (replay attack protection). - Concatenate:
timestamp + "." + raw_request_body - Compute HMAC-SHA256 using your webhook signing secret (found in Merchant Dashboard).
- Compare with the
X-GBP-Signatureheader using constant-time comparison.
const crypto = require('crypto'); function verifyWebhook(payload, signature, timestamp, secret) { // Replay protection: reject webhooks older than 5 minutes const now = Math.floor(Date.now() / 1000); if (now - parseInt(timestamp) > 300) { throw new Error('Webhook timestamp too old — possible replay attack'); } // Build signed payload const signedPayload = timestamp + '.' + payload; // Compute expected signature const expected = crypto .createHmac('sha256', secret) .update(signedPayload) .digest('hex'); // Constant-time comparison return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(expected) ); }
Error Codes
GBP uses conventional HTTP response codes and returns detailed error objects to help you diagnose issues programmatically. All error responses follow a consistent format with a human-readable message and machine-processable error code.
{
"error": {
"code": "card_declined",
"message": "The card was declined by the issuing bank.",
"decline_code": "insufficient_funds",
"param": "source[number]",
"request_id": "req_8f3a2b7c1d4e5f6a",
"documentation_url": "https://docs.globalbusinesspay.io/errors/card_declined"
}
}
Supported Currencies
GBP supports 135+ currencies for payment processing and settlement. Multi-currency transactions are automatically converted at real-time mid-market rates with transparent FX fee disclosure. You can hold balances in multiple currencies and withdraw to local bank accounts.
- USD — US Dollar
- EUR — Euro
- GBP — British Pound
- JPY — Japanese Yen
- AUD — Australian Dollar
- CAD — Canadian Dollar
- CHF — Swiss Franc
- CNY — Chinese Yuan
- KRW — South Korean Won
- INR — Indian Rupee
- TRY — Turkish Lira
- ILS — Israeli Shekel
And 120+ additional currencies supported. Full list available via GET /v2/currencies endpoint.
Country Codes
GBP uses ISO 3166-1 alpha-2 country codes throughout the API. Country codes are required for billing addresses, bank account destinations, compliance screening, and regional feature availability. All endpoints validate country codes against the official ISO standard.
US — United States GB — United Kingdom DE — Germany FR — France CA — Canada AU — Australia JP — Japan SG — Singapore AE — UAE IN — India BR — Brazil NG — Nigeria ZA — South Africa HK — Hong Kong CH — Switzerland SE — Sweden NL — Netherlands IE — Ireland
Rate Limits
To ensure platform stability and fair usage, API requests are rate-limited per merchant account. Limits vary by endpoint type and merchant tier. All rate limit responses include Retry-After header indicating seconds until the limit resets.
| Endpoint Category | Starter | Growth | Enterprise |
|---|---|---|---|
| Read Operations (GET) | 100/min | 500/min | 5,000/min |
| Write Operations (POST/PUT) | 50/min | 300/min | 3,000/min |
| Tokenize Card | 30/min | 200/min | 2,000/min |
| Webhook Delivery | 60/min | 600/min | 10,000/min |
| Concurrent Connections | 10 | 50 | 500 |
Rate Limit Headers
Every API response includes these headers to help you manage request pacing:
- X-RateLimit-Limit — Maximum requests allowed per window
- X-RateLimit-Remaining — Requests remaining in current window
- X-RateLimit-Reset — Unix timestamp when limit resets
- Retry-After — Seconds to wait before retry (on 429 only)
Terms & Conditions
Merchant API Agreement — Legally Binding
By integrating with, accessing, or using the Global Business Pay Merchant API, you agree to be bound by these terms. This agreement is between your business entity and Global Business Pay Financial Services Ltd., a company registered in England & Wales (Company No. 08472910), authorized by the Financial Conduct Authority (FCA Ref: FCA-PA-8847291).
- API License Grant: GBP grants you a limited, non-exclusive, non-transferable, revocable license to access and use the API solely for legitimate payment processing purposes related to your business operations. You may not sublicense, resell, or white-label API access without express written consent.
- Acceptable Use: You may not use the API for any unlawful purpose including money laundering, terrorist financing, sanctions evasion, gambling without proper licensing, or sale of prohibited goods/services. GBP actively monitors transactions for suspicious activity.
- Data Security: You are solely responsible for securing API credentials on your systems. Any breach originating from your infrastructure is your financial responsibility. You must notify GBP within 4 hours of any suspected credential compromise.
- PCI-DSS Obligations: If you collect card data directly (not recommended), you must maintain PCI-DSS Level 1 compliance and provide quarterly Attestation of Compliance (AOC). Using GBP tokenization removes PCI scope from your environment.
- Service Availability: GBP targets 99.99% monthly uptime. Scheduled maintenance occurs during low-traffic windows with 72-hour advance notice. Force majeure events (war, natural disaster, acts of government) exempt GBP from SLA obligations.
- Intellectual Property: All API documentation, SDKs, code examples, and integration guides remain the exclusive property of Global Business Pay. You may not redistribute, modify, or create derivative works from our API documentation.
- Termination: Either party may terminate with 30 days written notice. GBP may suspend access immediately for security threats, regulatory requirements, or material breach. Upon termination, all API keys are revoked and data is retained per regulatory requirements.
- Liability Limitation: GBP's aggregate liability shall not exceed the total fees paid by merchant in the 12 months preceding the claim. GBP is not liable for indirect, consequential, or punitive damages. This limitation survives termination.
- Governing Law: This agreement is governed by the laws of England & Wales. Disputes shall be resolved by binding arbitration under LCIA Rules, seated in London, conducted in English.
- Amendments: GBP may update these terms with 30 days notice via email and dashboard notification. Continued API usage after the effective date constitutes acceptance of amended terms.
Data Protection & GDPR Compliance
Global Business Pay is fully committed to data protection and privacy. As a Data Controller under GDPR and equivalent regulations worldwide, we implement technical and organizational measures to protect personal data processed through our API.
GDPR Commitments
- Lawful Basis: All data processing is conducted under lawful basis of contract performance (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR) for financial compliance.
- Data Minimization: We collect only the data necessary for payment processing and regulatory compliance. Unused data fields are automatically purged after 90 days.
- Encryption: All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed in FIPS 140-2 Level 3 HSMs.
- Retention: Transaction data is retained for 7 years per AML regulations. After retention period, data is cryptographically shredded (irreversible deletion).
- Subject Rights: You may exercise GDPR rights (access, rectification, erasure, portability, objection) by contacting support@globalbusinesspay.io with subject line "GDPR Request".
- Breach Notification: In the unlikely event of a data breach, affected merchants and relevant supervisory authorities will be notified within 72 hours as required by GDPR Article 33.
- International Transfers: Data transfers outside the EEA use Standard Contractual Clauses (SCCs) with additional technical safeguards. Our US operations are Privacy Shield certified.
Liability, Disputes & Chargebacks
Understanding liability allocation and dispute resolution is essential for merchants integrating payment processing. This section outlines responsibilities, chargeback procedures, and dispute management workflows.
Liability Framework
- Fraud Liability: For fully authenticated 3D Secure transactions, liability shifts to the issuing bank. Non-3DS transactions carry merchant liability for fraudulent chargebacks. GBP provides AI-powered fraud scoring but ultimate liability rests with the party specified by card network rules.
- Chargeback Process: When a cardholder disputes a transaction, GBP notifies the merchant via webhook within 24 hours. Merchants have 10 calendar days to submit compelling evidence. GBP handles representation to the acquiring bank.
- Chargeback Fee: Each chargeback incurs a $25 administrative fee regardless of outcome. Excessive chargebacks (above 1% of monthly volume) may result in account review, increased reserves, or suspension.
- Reserve Requirements: GBP may hold a rolling reserve (typically 5-10% of monthly volume for 90 days) to mitigate chargeback risk. Reserve percentages decrease as merchant history and low chargeback rates are established.
- Pre-arbitration: If a chargeback is reversed and the cardholder re-disputes, merchants may incur pre-arbitration fees of $250-500 depending on card network. GBP provides legal support for Enterprise tier merchants.
- Dispute Resolution: All disputes between GBP and merchant shall first undergo mandatory mediation (30 days). If unresolved, binding arbitration under LCIA Rules in London. Neither party may initiate class action proceedings.
- Indemnification: Merchant indemnifies GBP against all claims arising from merchant's products/services, fraudulent transactions originating from merchant's systems, or breach of these terms.
Ready to Integrate GBP Payments?
Apply for a merchant account to receive your API keys, sandbox access, and integration support from our dedicated technical team.
Apply for Merchant Account