Environments
PayerScan API currently operates in a Production environment for live transactions.
Base URL
All API requests must be sent to:
https://api.payerscan.com
Available Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /payment/crypto | Create a new payment invoice. |
| GET | /invoice/:trans_id | Check invoice status and details. |
HTTPS Requirement
All API requests must be sent over HTTPS.
Callback URLs (callback_url, completed_url, expired_url) must use HTTPS in production. When PayerScan sends webhooks for completed or expired invoices, it validates all callback URLs before sending — URLs using HTTP or pointing to private/internal addresses will be rejected, and the webhook will not be delivered.
SSRF Protection
When delivering webhooks, PayerScan validates callback URLs to prevent Server-Side Request Forgery (SSRF) attacks. Webhooks will not be sent to:
- Localhost — 127.0.0.0/8, localhost, ::1
- Private networks — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Link-local — 169.254.0.0/16
- Domains resolving to private IPs — DNS resolution is checked
Always use a publicly accessible HTTPS URL for callback_url to ensure webhook delivery.
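A pre-flight check an integrator can run on a callback URL before submitting it, mirroring the rules listed above. This is an added example, not PayerScan's code; PayerScan's own validation logic is not shown on this page. The names check_callback_url and system_resolver and the injectable resolver parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges listed in the SSRF Protection section above.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                          # localhost
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private networks
    "169.254.0.0/16",                                  # link-local
)]

def system_resolver(host):
    """Return every address the host resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_callback_url(url, resolver=system_resolver):
    """Return (ok, reason). Hypothetical helper, not a PayerScan API."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower().rstrip(".") == "localhost":
        return False, "host is localhost"
    try:
        # An IP literal is checked directly; a name is resolved first.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"DNS resolution failed: {exc}"
    if not addrs:
        return False, "host resolves to no addresses"
    for addr in addrs:  # every record must be public, not only the first
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide a blocked IPv4.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        for net in BLOCKED_NETS:
            if ip.version == net.version and ip in net:
                return False, f"{host} resolves to {ip} in {net}"
    return True, "ok"
```

The result reflects DNS at the moment of the check only; a record that later changes to a blocked address would still cause delivery to be rejected.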
CORS
The API supports Cross-Origin Resource Sharing (CORS). However, you should never call the API directly from client-side code — always route through your backend server. See Authentication for details.
Response Format
Success Response
{
  "status": "success",
  "data": { ... }
}
Error Response
{
  "status": "error",
  "message": "Error description",
  "error_code": "ERROR_CODE"
}
For rate limiting details, see Rate Limits. For authentication error codes, see Authentication.