CHIP Send API

The CHIP Send API allows you to send funds programmatically via a REST API. Additionally, it provides functionality for registering and validating recipient bank accounts.

Prerequisites

For integration, you will need credentials provided upon the creation of your CHIP Send Account by the CHIP Admin. If you haven’t received your credentials, please reach out to your CHIP Account Manager and provide the following details:

  1. Primary email address.
  2. List of approvers’ email addresses. If two approvals are required, include both email addresses.

Basic Integration Flow

Follow these four steps to test the full integration flow:

  1. Call the Accounts API.
  2. Call the Increase Send Limit API.
  3. Call the Add Bank Account API.
  4. Call the Create Send Instruction API.

Endpoints

Ensure you select the appropriate endpoint based on the environment you are working in:

  1. Staging: https://staging-api.chip-in.asia/api/
  2. Production: https://api.chip-in.asia/api/

Credentials

For integration with CHIP Send, you’ll require two pieces of information:

  1. API Key: Used to construct a signing string and Authorization Header.

  2. API Secret: Used to sign the signing string.

Obtain your API Key and API Secret from the CHIP Control Applications or contact our sales team. Use this key as a bearer token in the Authorization header for every request: Authorization: Bearer <API Key>.

Given the sensitive nature of the API, which enables tasks such as sending payments, added security measures are crucial. Thus, you also need the API Secret to sign the requests you make. This key should never leave your server and must be stored securely. Each request should include both an epoch (containing Unix time) and a checksum (a hash for epoch signed with the API Secret) in the header.

Epoch value

The epoch is the current Unix timestamp, presented in seconds and consisting of 10 digits. For example, an epoch value might be 1689826456. In PHP, you can obtain the epoch value using the time() function.

Checksum calculation

Generating a checksum requires the current Unix timestamp (epoch), api_key, and api_secret.

Note: The epoch time should be no more than 30 seconds from the current request and always greater than the current time.

Given the values:

  • epoch: 1689826456
  • api_key: e0645c9e-fcf2-4f29-a327-202f7ed3d969
  • api_secret: a118729e-4243-4145-83b3-0b8cb213fe8e

Concatenate the epoch and api_key, then sign it using HMAC SHA512.

Checksum example:

45bee62dba8087ab1e7e767d92f8d6e26f8bd19ee5fd2fef6386bb9425976498a86ffdbddb7a49919998e993c20626196ea652320f438a9528d2b8c9d19ec266

Postman Pre-Request Script:

var epoch = (new Date).getTime();
var epochSecs = Math.floor( epoch / 1000 );
pm.collectionVariables.set("epoch", epochSecs);
var data = epochSecs.toString() + environment["api_key"];
var hmacDigest = CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA512(data, environment["api_secret"]));
pm.collectionVariables.set("checksum", hmacDigest);

Note: JavaScript getTime() is in miliseconds while the unix timestamp is in seconds. Hence, it is required to divide it by 1000.

Example Ruby code:

epoch = Time.current.to_i
application = Application.find_by(slug: "aaa")
OpenSSL::HMAC.hexdigest OpenSSL::Digest.new('sha512'), application.api_secret, "#{epoch}#{application.api_key}"

Example PHP code:

<?php

$str = '1689826456e0645c9e-fcf2-4f29-a327-202f7ed3d969';
$hmac = hash_hmac( 'sha512', $str, 'a118729e-4243-4145-83b3-0b8cb213fe8e' );

Approving CHIP Send Budget Allocation requests

Every approver will receive an email notification. To approve, click the “Approve” button within the email. Once all approvals are collected, the updated balance will be reflected in the Accounts API response.

Token used in the Authorization is the API Key mentioned in the Credentials section above.