Documentation Index
Fetch the complete documentation index at: https://docs.algovoi.co.uk/llms.txt
Use this file to discover all available pages before exploring further.
The AlgoVoi Control Plane is the management backend for all tenant configuration and lifecycle operations. It owns the authoritative state for every tenant, their compliance status, their API credentials, their webhook destinations, and their payment authority configuration. The control plane is not involved in the per-payment verification path — that responsibility belongs to the gateway and facilitator — but every tenant capability that the gateway exercises (API key validation, KYC gating, trial balance enforcement, mandate lookup) is sourced from state owned by the control plane.
The control plane runs co-located with the gateway and exposes 212 or more routes. It serves both the Dashboard React SPA at dash.algovoi.co.uk and a programmatic REST API available to tenants and admin operators.
Overview
| Property | Value |
|---|
| Base URL | https://api.algovoi.co.uk (shared with gateway) |
| Route count | 212+ |
| Location | Primary compute node (co-located with gateway) |
| Dashboard | dash.algovoi.co.uk (React SPA, same VM, nginx) |
| Owned state | Tenant config, KYC/KYB, API keys, webhooks, mandates, recurring authorities |
| Encryption | Three-family at-rest encryption for KYC documents, KYB documents, and operational data (separate key families, independently rotated) |
| Admin surface | /admin/* endpoints; 14 admin scopes; MLRO review queue |
Tenant onboarding flow
Tenant onboarding is a six-stage process that gates mainnet payment processing behind identity verification. The stages are sequential; each stage must complete successfully before the next becomes available.
Stage 1 — Account creation.
POST /cloud-signup/create accepts email, password, and display_name. The IP address of the signup request is synchronously screened against three threat signals: Tor exit node lists, SpamHaus blocklists, and MaxMind GeoIP country classification. If the IP fails screening, registration is rejected before any account record is created.
Stage 2 — Email verification.
A time-limited verification token is sent to the submitted email address. The account is created but remains in inactive status until POST /cloud-signup/verify-email is called with the token. Unverified accounts cannot authenticate.
Stage 3 — KYC document submission.
After email verification, the tenant submits identity documents via POST /v1/kyc/submit. Accepted document types are passport, driving_licence, and national_id. A selfie image must accompany any identity document. All uploaded files are encrypted at rest immediately on receipt using the platform’s document encryption key before being written to persistent storage. The plaintext file is never written to disk.
Stage 4 — KYC decision.
For individual and sole_trader account types, KYC is evaluated by automated document verification (OCR Tier 1) and auto-approved if document quality and consistency checks pass. For company account types, the submission lands in the MLRO review queue and requires manual review by an admin operator. The tenant receives a kyc.approved or kyc.rejected webhook event when the decision is made.
Stage 5 — Mainnet activation.
On KYC approval, mainnet_active is set to true and trial_balance_usd is credited with 100000000 microunits ($1,000.00 USD equivalent). The tenant can now process live payments on mainnet. The trial balance decrements on each verified mainnet payment; when trial_exhausted becomes true, continued live payments require a paid plan.
Stage 6 — KYB (conditional).
Company tenants or tenants whose risk scoring produces an elevated risk tier receive a KYB (Know Your Business) requirement. POST /v1/kyb/submit accepts company registration documents, beneficial owner declarations, and proof of address. KYB documents are encrypted with a separate key family, isolated from the platform key and the KYC key. KYB is evaluated by the MLRO queue regardless of company size.
Tenant data model
| Field | Type | Description |
|---|
| id | uuid | Primary key |
| tenant_short_id | string | URL-safe short identifier used in MPP subscription paths and discovery catalog entries |
| email | string | Unique; verified before activation |
| display_name | string | Merchant or platform display name |
| account_type | enum | individual, sole_trader, company |
| kyc_status | enum | pending, submitted, approved, rejected |
| kyb_status | enum | pending, submitted, approved, rejected, not_required |
| risk_tier | enum | standard, elevated, high, blocked |
| mainnet_active | boolean | True only after KYC decision is approved |
| trial_balance_usd | integer | Remaining trial credit in microunits (1 = $0.000001) |
| trial_exhausted | boolean | True when trial_balance_usd reaches zero |
| plan | enum | trial, standard, enterprise |
| signup_ip | string | IP address recorded at registration (for audit trail) |
| email_verified | boolean | |
| email_verified_at | string | ISO-8601 timestamp of email verification |
| kyc_submitted_at | string | ISO-8601 timestamp of KYC document submission |
| kyc_decided_at | string | ISO-8601 timestamp of KYC approval or rejection |
| kyb_submitted_at | string | ISO-8601 timestamp of KYB submission if applicable |
| kyb_decided_at | string | ISO-8601 timestamp of KYB decision if applicable |
| mainnet_activated_at | string | ISO-8601 timestamp of mainnet activation |
| created_at | string | ISO-8601 creation timestamp |
| updated_at | string | ISO-8601 last-update timestamp |
Risk tier effects
| risk_tier | Effect |
|---|
| standard | Default; full platform access |
| elevated | Requires completed KYB before high-value payments |
| high | Transaction velocity limits applied; manual review on large payouts |
| blocked | Account suspended; no payment processing; MLRO intervention required |
API key management
API keys authenticate tenant API calls to both the gateway and the control plane. Keys are created, scoped, and revoked through the control plane.
Key types
| Prefix | Type | Capability |
|---|
| algv_ | Standard | Full tenant-scoped access; all payment operations |
| algv_admin_ | Admin | 14 admin scopes; tenant management, MLRO queue, risk tier override |
| algv_ro_ | Read-only | GET operations only; no resource creation or modification |
Key lifecycle endpoints
| Endpoint | Method | Description |
|---|
| /v1/api-keys | POST | Create a new key |
| /v1/api-keys | GET | List all keys for the authenticated tenant |
| /v1/api-keys/ | GET | Retrieve key metadata (not the key value) |
| /v1/api-keys/ | DELETE | Revoke a key immediately |
Key creation fields
| Field | Type | Required | Description |
|---|
| name | string | Yes | Human-readable label for the key |
| scopes | array of string | No | Explicit scope list; defaults to all tenant-level scopes |
| expires_at | string | No | ISO-8601 expiry; key is auto-revoked at this time |
DELETE /v1/api-keys/{id} once migration is complete.
Admin scopes
Admin keys (algv_admin_) have access to 14 scopes not available to standard keys:
| Scope | Capability |
|---|
| read:tenants | Read all tenant records |
| write:tenants | Modify tenant fields including risk_tier and mainnet_active |
| read:kyc_queue | Read pending KYC submissions in the MLRO queue |
| write:kyc_decisions | Approve or reject KYC submissions |
| read:kyb_queue | Read pending KYB submissions |
| write:kyb_decisions | Approve or reject KYB submissions |
| read:audit_chain | Read payment_ledger and screening_hits chains |
| read:screening_hits | Read all sanctions screening hit records |
| write:risk_tier | Override tenant risk tier |
| read:mandates_all | Read all mandates across all tenants |
| write:mandate_cancel | Cancel mandates on compliance grounds |
| read:recurring_all | Read all recurring authorities across all tenants |
| write:trial_balance | Adjust trial balance credits |
| read:admin_events | Read admin action audit log |
Webhook configuration
Tenants register webhook endpoints to receive platform events. The control plane manages endpoint registration, screening, and delivery.
Endpoint registration
POST /v1/webhooks
| Field | Type | Required | Description |
|---|
| url | string | Yes | HTTPS destination URL |
| events | array of string | Yes | Event types to subscribe to; use [”*”] for all events |
| secret | string | No | Shared secret for HMAC signature; auto-generated if omitted |
| description | string | No | Human-readable label |
| active | boolean | No | Defaults to true |
- SSRF guard: private IP ranges, localhost, and link-local addresses are rejected
- 7 threat-intel feeds: same feeds used for IP screening at signup
- DNS resolution: the hostname must resolve at registration time
DNS-rebinding guard at delivery. At every webhook delivery attempt, the destination hostname is re-resolved. If the resolved IP has changed to a private range since registration, the delivery is aborted and a webhook.delivery_blocked.dns_rebinding event is recorded on the endpoint.
Delivery retry schedule
| Attempt | Delay after previous |
|---|
| 1 (immediate) | 0s |
| 2 | 30s |
| 3 | 1m |
| 4 | 5m |
| 5 | 15m |
| 6 | 30m |
| 7 | 1h |
| 8 | 4h |
| 9 | 32h |
degraded. The tenant receives a webhook.endpoint.degraded notification to the next reachable endpoint (or email if all endpoints are degraded). Endpoints can be re-activated via PATCH /v1/webhooks/{id} with { "active": true }.
Webhook event catalog
The full set of 18 subscribable event types:
| Event type | Category |
|---|
| payment.verified | Payment |
| payment.pending_finality | Payment |
| payment.blocked.compliance | Payment |
| payment.expired | Payment |
| checkout.created | Checkout |
| checkout.cancelled | Checkout |
| mandate.created | Mandate |
| mandate.activated | Mandate |
| mandate.paused | Mandate |
| mandate.resumed | Mandate |
| mandate.revoked | Mandate |
| mandate.expired | Mandate |
| mandate.cancelled | Mandate |
| recurring.pull_executed | Recurring |
| recurring.pull_failed | Recurring |
| kyc.approved | Account |
| kyc.rejected | Account |
| compliance.sanctions_hit | Compliance |
Mandate lifecycle
A mandate represents an on-chain payment authority granted by a payer to a merchant. The control plane owns the mandate record; the gateway and Recurr service read from it.
Mandate states
| State | Description |
|---|
| pending | Mandate record created; payer has not yet provided on-chain wallet signature |
| active | On-chain wallet signature confirmed; pull executions are permitted |
| paused | Pulls suspended by the tenant or the payer; mandate remains valid; can be resumed |
| revoked | Payer revoked the mandate on-chain; no further pulls possible |
| expired | Reached the cancel_at timestamp without earlier revocation |
| cancelled | Cancelled via platform API; cancel_reason set |
State transitions
| From | To | Trigger |
|---|
| pending | active | Gateway confirms on-chain wallet signature |
| active | paused | Tenant calls PATCH /v1/mandates/ with status: paused |
| paused | active | Tenant calls PATCH /v1/mandates/ with status: active |
| active | revoked | On-chain revocation detected by gateway |
| active | expired | Scheduled job detects cancel_at reached |
| active or paused | cancelled | Tenant calls DELETE /v1/mandates/ or admin invokes write:mandate_cancel |
Cancellation reasons
| cancel_reason | Source |
|---|
| user_requested | Payer initiated cancellation |
| merchant_requested | Tenant initiated cancellation |
| compliance_terminated | Admin cancelled on sanctions or risk-tier grounds |
| expired | System-generated on cancel_at breach |
Mandate data model
| Field | Type | Description |
|---|
| id | uuid | Primary key |
| tenant_id | uuid | Owning tenant |
| payer_wallet | string | On-chain wallet address of the mandate grantor |
| chain | enum | Chain the mandate operates on |
| cap_microunits | bigint | Maximum single-pull amount |
| cancel_at | string | ISO-8601 timestamp after which the mandate expires |
| status | enum | pending, active, paused, revoked, expired, cancelled |
| cancel_reason | enum | Populated on cancellation |
| on_chain_tx_id | string | Transaction ID of the wallet signature confirmation |
| created_at | string | ISO-8601 creation timestamp |
| activated_at | string | ISO-8601 activation timestamp |
| cancelled_at | string | ISO-8601 cancellation timestamp |
EMR safeguards
The following safeguards are enforced at the control plane level on all mandates, regardless of the stated cap. They cannot be overridden by tenant configuration:
| Safeguard | Value |
|---|
| Maximum per-mandate cap | £100 equivalent |
| Maximum total active mandate value per account | £300 equivalent |
| Maximum active mandates per account | 3 |
Recurring payment authorities (Tier 2)
Recurring authorities are standing payment permissions that allow AI agents or automated systems to initiate time-based pulls against a payer wallet without per-pull interaction. They are managed by the control plane and executed by the recurring payment engine.
Authority data model
| Field | Type | Description |
|---|
| id | uuid | Primary key |
| mandate_id | uuid | Parent mandate this authority operates under |
| tenant_id | uuid | Owning tenant |
| per_cycle_microunits | bigint | Amount pulled per execution cycle |
| cap_microunits | bigint | Ceiling on any single pull (may not exceed parent mandate cap) |
| period_unit | enum | day, week, month |
| period_count | integer | Number of period_unit intervals per cycle |
| status | enum | pending_signature, active, paused, cancelled, exhausted |
| total_pulled_microunits | bigint | Cumulative amount pulled since activation |
| lifetime_cap_microunits | bigint | Optional total lifetime cap; authority exhausted when reached |
| next_execution_at | string | ISO-8601 scheduled next pull time |
| on_chain_tx_id | string | Transaction ID of the on-chain authority signature |
| created_at | string | ISO-8601 creation timestamp |
| activated_at | string | ISO-8601 activation timestamp |
Authority lifecycle
POST /v1/recurring-authorities creates a new authority in pending_signature state. The on-chain wallet signature must be obtained and confirmed before the authority moves to active. Signature confirmation follows the same flow as mandate activation — the gateway detects the on-chain signature and updates the authority status.
Once active, the Recurr service executes pulls on the schedule defined by period_unit and period_count. Each pull produces a recurring.pull_executed or recurring.pull_failed webhook event.
Manual pull. POST /v1/recurring-authorities/{id}/execute triggers an immediate out-of-schedule pull. This supports catch-up after a missed cycle or proration scenarios. The manual pull respects all the same caps as a scheduled pull.
Pause and resume. PATCH /v1/recurring-authorities/{id} with { "status": "paused" } suspends scheduled pulls without requiring a new on-chain signature. { "status": "active" } resumes from the next scheduled cycle. The authority’s next_execution_at is recalculated on resume.
Exhaustion. When total_pulled_microunits reaches lifetime_cap_microunits, the authority status is set to exhausted and no further pulls are attempted. The tenant receives a recurring.pull_failed event with reason lifetime_cap_reached.
MLRO admin queue
The MLRO (Money Laundering Reporting Officer) queue is the manual review surface for KYC and KYB submissions that require human examination. It is accessible only to users authenticated with an admin-scoped key carrying the relevant admin scopes.
KYC queue
GET /admin/kyc/queue returns all pending KYC submissions sorted by submitted_at. Each queue item includes:
| Field | Type | Description |
|---|
| tenant_id | uuid | Submitting tenant |
| display_name | string | Tenant display name |
| account_type | enum | individual, sole_trader, company |
| document_type | enum | passport, driving_licence, national_id |
| submitted_at | string | ISO-8601 submission timestamp |
| ocr_result | object | OCR extraction summary (name, document_number, expiry) |
| ocr_confidence | float | 0.0–1.0 confidence score from OCR Tier 1 |
| auto_approve_eligible | boolean | True if criteria are met for auto-approval |
| risk_signals | array of string | Any pre-screening signals that flagged the submission |
POST /admin/kyc/{tenant_id}/approve approves the submission and triggers mainnet activation. POST /admin/kyc/{tenant_id}/reject rejects with a required reason field. Both actions generate the corresponding webhook event to the tenant.
KYB queue
GET /admin/kyb/queue returns pending KYB submissions. KYB submissions always require manual review regardless of company size. The queue item includes beneficial owner declarations, company registration document references, and a risk score from the KYB screening pipeline.
POST /admin/kyb/{tenant_id}/approve and POST /admin/kyb/{tenant_id}/reject follow the same pattern as KYC decisions. A KYB rejection does not affect the tenant’s mainnet_active status if it was already true; it applies a risk_tier upgrade to elevated or high depending on the rejection grounds.
Admin event log
All admin actions (KYC decisions, KYB decisions, risk tier overrides, mandate cancellations, trial balance adjustments) are appended to an immutable admin event log. GET /admin/events returns a paginated log sortable by timestamp. Each event records actor (admin key ID), action, target_tenant_id, before_state, after_state, and timestamp.
KYC and KYB encryption
All identity documents are encrypted before being written to any persistent storage layer. The encryption architecture uses three separate key families to ensure that a compromise of one key does not expose documents of a different class.
Key families
| Key family | Documents encrypted |
|---|
| Document key family 1 | KYC documents (passports, selfies, driving licences, national IDs) |
| Document key family 2 | KYB documents (company registration, beneficial owner declarations, proof of address) |
| Operational key family | At-rest operational data |
Zero-downtime key rotation
The platform supports zero-downtime key rotation. At any point a key family may have two active tokens: the current token (used for all new encryptions) and the previous token (honoured for decryption of files encrypted under the old key). Background re-encryption of existing files completes silently without any application-layer downtime. Once re-encryption is complete, the old token is retired from the decryption stack.
Key loss consequences
Loss of any document encryption key renders the associated encrypted files irrecoverable. Key material is stored outside the codebase in a secrets store isolated from the application layer.
Dashboard API surface
The control plane’s API is the backend for the Dashboard React SPA. The dashboard surfaces the following management areas:
| Dashboard area | API namespace | Description |
|---|
| Account overview | /v1/account/* | Tenant profile, KYC/KYB status, mainnet activation state |
| Payment history | /v1/payments/* | All verified payments, filterable by chain, date, status |
| Payment links | /v1/payment-links/* | Checkout creation, retrieval, status, cancellation |
| API keys | /v1/api-keys/* | Key creation, listing, revocation |
| Webhooks | /v1/webhooks/* | Endpoint registration, event log, retry status |
| Mandates | /v1/mandates/* | Mandate listing, detail, pause, cancel |
| Recurring authorities | /v1/recurring-authorities/* | Authority management, pull history, manual execute |
| Compliance | /v1/compliance/* | Screening log, audit chain position, trial balance |
| xChain | /v1/xchain/* | Cross-chain transfer history |
| Admin | /admin/* | MLRO queue, tenant management, admin event log (admin keys only) |
Trial offer
Newly mainnet-activated tenants receive a trial credit of 100000000 microunits ($1,000.00 USD equivalent). The trial balance is decremented by the USD-equivalent of each verified mainnet payment. When the balance reaches zero, trial_exhausted is set to true. Tenants on the trial plan with an exhausted balance must upgrade to standard or enterprise to continue live payment processing.
Trial balance state is read by the gateway on every payment verification request. If trial_exhausted is true and plan is trial, the gateway returns 402 Payment Required with error code trial_exhausted before dispatching to the facilitator.
The trial offer does not apply to testnet payments. Testnet payments do not consume trial balance and do not create audit chain entries.
Recurr service integration
The recurring payment engine reads recurring authority schedules from the control plane database. It is responsible for:
- Evaluating which authorities have a
next_execution_at in the past and are in active status
- Submitting pull transactions to the relevant chain
- Updating
next_execution_at and total_pulled_microunits after each successful pull
- Emitting
recurring.pull_executed or recurring.pull_failed events
The Recurr service does not expose an external HTTP API. It is triggered on a schedule and interacts with the control plane via database reads and writes. Manual pull requests from the POST /v1/recurring-authorities/{id}/execute endpoint are queued in the database and picked up by the Recurr service at its next polling interval.
The recurring payment engine operates across all 7 supported chains. Pull execution on EVM chains (Base, Tempo) requires funded hot wallets.
