Pockyt For Developers
One API across
every money movement primitive.
Pockyt exposes its entire surface — Checkouts, Payouts, Virtual Accounts, Multi-currency Treasury, Programmable Logic — through a stable REST API, a hosted MCP server, and SDKs in the languages your team already writes. Everything below is built on the same primitives.
Secure pay request for Alipay checkout in PHP
PHP · Alipay · sandbox key required
curl https://mapi.pockyt.io/online/v3/secure-pay \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "customerNo":      "302156",
    "merchantNo":      "200043",
    "storeNo":         "300014",
    "amount":          "13",
    "currency":        "PHP",
    "settleCurrency":  "USD",
    "vendor":          "alipay",
    "ipnUrl":          "http://zk-tys.yunkeguan.com/ttest/test",
    "callbackUrl":     "http://zk-tys.yunkeguan.com/ttest/test2?status={status}",
    "reference":       "test202001011303",
    "terminal":        "ONLINE",
    "description":     "test+description",
    "note":            "test note",
    "osType":          "IOS",
    "timeout":         "120",
    "goodsInfo":       "[{\"goods_name\": \"name1\", \"quantity\": \"quantity1\"}]",
    "verifySign":      "72a2c6ce8497adc8a03a78135618e666",
    "vaultId":         "ca_af748cc62c334c75b83844e53b76e9b3"
  }'
Three Ways To Integrate
One platform. Three surfaces to build with.

REST API

The canonical surface.

Stable, versioned, OpenAPI-described. Idempotent on every mutation. Signed webhooks. The integration path for every traditional backend.

View the API reference

MCP server

For AI-assisted development.

Hosted MCP server at docs.pockyt.io/mcp. Connect Cursor, Claude Desktop, or Windsurf and have your AI editor write Pockyt integrations against the actual schema.

Connect the MCP server

SDKs

For your language of choice.

Officially supported SDKs in TypeScript / Node, Python, Go, and PHP. Lower-level HTTP clients for everything else. Same surface, idiomatic ergonomics.

SDK quickstarts
Endpoint Surface
What the API actually exposes.
A summary view of the endpoint groups organized by primitive. Click through to the API reference for the full request and response schemas.

Checkouts

  • POST /online/v3/secure-pay
  • POST /order/v4/capture
  • POST /order/v4/process
  • POST /micropay/v3/prepay
  • POST /app-data-search/v3/refund
  • POST /app-data-search/v3/tran-query

Payouts

  • POST /v3/payouts/pay
  • POST /v3/payouts/inquiry
  • POST /v3/document/upload
  • POST /v3/payee/payout-accounts

Virtual Accounts & Treasury

  • POST /v3/transfer/internal
  • POST /v3/transfer/inquiry

Onboarding & Merchants

  • POST /v1/oauth2/token
  • POST /merchant-onboarding/submit
  • POST /merchant-onboarding/query
  • POST /merchant-onboarding/upload/{merchantNo}

Endpoint groupings above are reference-level — the canonical schema lives in the API reference. Note to integrators: the API is OpenAPI-described; generate clients directly from docs.pockyt.io/reference if your language isn't in our SDK list.

Platform & Data
What integrators need to know about the platform.
Pockyt is built to enterprise infrastructure standards. The audit posture, encryption model, and operational controls below answer the questions buyer-side security teams ask before integration kickoff.

Audits & certifications

SOC 2 Type II &
PCI DSS Level 1.

Annual independent audit covering security, availability, processing integrity, confidentiality, and privacy. Highest-tier PCI DSS compliance for card-handling operations — scope minimized for merchants via vaulting and hosted patterns. Audit reports available under NDA.

Request reports under NDA

Encryption

TLS 1.3 & AES-256.
HSM-backed keys.

TLS 1.3 across all external traffic. AES-256 for data at rest. Field-level encryption for sensitive data (PAN, account numbers, KYC documents). HSM-backed key custody with strict rotation. PCI scope minimization via vaulting and hosted patterns.

Security model in docs

Access & controls

Idempotent. Signed.
Scoped.

Every mutation takes an Idempotency-Key — safe retries by design. Webhooks are signed with replay protection. API keys are scoped with least-privilege defaults. Human access to production systems requires MFA plus time-bound JIT elevation.

Auth & idempotency in reference
Build with the operating layer.

Get a sandbox key, connect the MCP server, or talk to our team about your integration.