curl https://mapi.pockyt.io/online/v3/secure-pay \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "customerNo": "302156",
    "merchantNo": "200043",
    "storeNo": "300014",
    "amount": "13",
    "currency": "PHP",
    "settleCurrency": "USD",
    "vendor": "alipay",
    "ipnUrl": "http://zk-tys.yunkeguan.com/ttest/test",
    "callbackUrl": "http://zk-tys.yunkeguan.com/ttest/test2?status={status}",
    "reference": "test202001011303",
    "terminal": "ONLINE",
    "description": "test+description",
    "note": "test note",
    "osType": "IOS",
    "timeout": "120",
    "goodsInfo": "[{\"goods_name\": \"name1\", \"quantity\": \"quantity1\"}]",
    "verifySign": "72a2c6ce8497adc8a03a78135618e666",
    "vaultId": "ca_af748cc62c334c75b83844e53b76e9b3"
  }'
REST API
Stable, versioned, OpenAPI-described. Idempotent on every mutation. Signed webhooks. The integration path for every traditional backend.
MCP server
Hosted MCP server at docs.pockyt.io/mcp. Connect Cursor, Claude Desktop, or Windsurf and have your AI editor write Pockyt integrations against the actual schema.
SDKs
Officially supported SDKs in TypeScript / Node, Python, Go, and PHP. Lower-level HTTP clients for everything else. Same surface, idiomatic ergonomics.
Endpoint groupings above are reference-level — the canonical schema lives in the API reference. Note to integrators: the API is OpenAPI-described; generate clients directly from docs.pockyt.io/reference if your language isn't in our SDK list.
Audits & certifications
Annual independent audit covering security, availability, processing integrity, confidentiality, and privacy. Highest-tier PCI DSS compliance for card-handling operations — scope minimized for merchants via vaulting and hosted patterns. Audit reports available under NDA.
Encryption
TLS 1.3 across all external traffic. AES-256 for data at rest. Field-level encryption for sensitive data (PAN, account numbers, KYC documents). HSM-backed key custody with strict rotation. PCI scope minimization via vaulting and hosted patterns.
Access & controls
Every mutation takes an Idempotency-Key — safe retries by design. Webhooks are signed with replay protection. API keys are scoped with least-privilege defaults. Human access to production systems requires MFA plus time-bound JIT elevation.
Get a sandbox key, connect the MCP server, or talk to our team about your integration.