Documentation Index
Fetch the complete documentation index at: https://docs.algovoi.co.uk/llms.txt
Use this file to discover all available pages before exploring further.
The AlgoVoi Payment Gateway is the canonical public API entry point for all payment protocol traffic on the platform. Every payment verification request, checkout link creation, protocol handshake, and discovery query passes through this service. It is the outward-facing surface of a production multi-chain stablecoin payment infrastructure that settles directly wallet-to-wallet — AlgoVoi never holds, custodies, or pools merchant funds.
The gateway runs at api.algovoi.co.uk and exposes 123 or more routes across seven distinct protocol namespaces. Compliance enforcement — sanctions screening, audit chain insertion, Object Lock archival, signed webhook delivery — is applied synchronously on every payment, without exception.
Overview
| Property | Value |
|---|
| Base URL | https://api.algovoi.co.uk |
| Route count | 123+ |
| Settlement model | Direct wallet-to-wallet; no custody |
| Supported chains | Algorand, VOI, Hedera, Stellar, Base, Solana, Tempo |
| Protocol surface | x402, MPP, AP2, A2A, Solana Actions, hosted checkout, xChain |
| Compliance posture | SAMLA 2018 s.20, OFSI/OFAC/EU screening, B2 Object Lock 7-year retention |
| Authentication | Bearer API key, algv_ prefix, tenant ID header |
| Rate limit | 300 req/min, burst 60 |
Payment verification flow
The core payment primitive is a verification request that confirms whether a given on-chain transaction constitutes valid settlement of a checkout. The flow proceeds in six steps.
Step 1 — Customer pays on-chain.
The customer sends a stablecoin (or accepted native asset) transfer from their wallet to the merchant’s receiving wallet on the relevant chain. The transaction produces a chain-native transaction identifier.
Step 2 — Client submits to /v1/verify.
The merchant’s integration layer (browser SDK, server webhook, or MCP tool) submits a POST /v1/verify request carrying the transaction ID, checkout token, chain identifier, and optionally the declared sender address.
Step 3 — Gateway dispatches to facilitator cluster.
The gateway forwards a verification sub-request to the stateless facilitator cluster. The sub-request carries: tx_id, chain, asset_id, expected_amount_microunits, expected_receiver, and network_id. The gateway holds no chain RPC keys itself — all on-chain queries are delegated to the facilitator.
Step 4 — Facilitator returns a verdict.
The facilitator queries the appropriate RPC endpoint or indexer for the given chain, extracts the transaction’s actual settled amount, asset, sender, and receiver, compares them against expected values, and returns a structured verdict containing: settled (boolean), amount_microunits, asset_id, sender_address, block_height, and finality_status.
Step 5 — Gateway executes the compliance and audit pipeline.
On a positive verdict (settled: true), the gateway runs four synchronous operations before responding to the caller:
- Payer wallet screened against OFSI, OFAC SDN, and EU Consolidated lists (daily refresh cadence). If a hit is recorded, the payment is blocked, the hit is appended to the
screening_hits hash chain, and the tenant receives a compliance notification.
- Payment row inserted into the
payment_ledger hash chain. Each row carries chain_position, content_hash, and prev_hash to form a tamper-evident append-only ledger.
- Audit row shipped to Backblaze B2 Object Lock bucket in COMPLIANCE mode, 7-year retention horizon.
- Signed webhook dispatched to the tenant’s registered endpoint. Signature uses HMAC-SHA256 with the tenant’s webhook secret; the
X-AlgoVoi-Signature header carries the algvw_ prefixed value.
Step 6 — Verification response returned.
The gateway returns a verification response to the original caller. The response mirrors the facilitator verdict and includes additional gateway-level metadata: compliance_cleared, audit_chain_position, webhook_dispatched, and verified_at.
Verification request schema
POST /v1/verify
| Field | Type | Required | Description |
|---|
| tx_id | string | Yes | Chain-native transaction identifier |
| token | string | Yes | Checkout token from payment link creation |
| chain | enum | Yes | One of: algorand, voi, hedera, stellar, base, solana, tempo |
| sender_address | string | No | Declared payer wallet; used as a hint for faster indexer lookup |
| network_id | enum | No | mainnet (default) or testnet |
Verification response schema
| Field | Type | Description |
|---|
| verified | boolean | True if transaction settled and passed compliance |
| settled | boolean | Facilitator verdict: transaction confirmed on-chain |
| amount_microunits | bigint | Actual settled amount in millionths of the asset unit |
| asset_id | string | CAIP-19 asset identifier |
| sender_address | string | Confirmed payer wallet address |
| receiver_address | string | Confirmed receiver wallet address |
| block_height | integer | Block height at which transaction was finalised |
| finality_status | enum | confirmed or pending_finality |
| compliance_cleared | boolean | True if payer wallet passed sanctions screening |
| audit_chain_position | integer | Position of this payment in the payment_ledger hash chain |
| webhook_dispatched | boolean | True if tenant webhook was successfully enqueued |
| verified_at | string | ISO-8601 timestamp of gateway-side verification |
| checkout_token | string | Echo of the input token |
Hosted checkout
The hosted checkout system allows merchants to create multi-chain payment links without building any frontend. A link is created via a single API call; the resulting token resolves to a hosted page at dash.algovoi.co.uk/pay/{token} where the customer selects a chain, sees the correct wallet address, and submits their transaction ID for verification.
Creating a checkout link
POST /v1/payment-links
| Field | Type | Required | Description |
|---|
| amount_usd | integer | Yes | Payment amount in USD cents (e.g. 1000 = $10.00) |
| chain | enum | No | Lock to a specific chain; omit to allow all 7 chains |
| asset_id | string | No | Lock to a specific asset; omit to accept any supported stablecoin |
| redirect_url | string | No | URL to redirect customer to after successful payment |
| webhook_url | string | No | Per-link webhook override; uses tenant default if omitted |
| memo | string | No | On-chain memo / reference string to include in payment instructions |
| metadata | object | No | Arbitrary key-value pairs attached to the checkout object |
| expires_at | string | No | ISO-8601 expiry; defaults to 24 hours if omitted |
| idempotency_key | string | No | Client-supplied deduplication key; honoured for 24 hours |
Checkout response
| Field | Type | Description |
|---|
| id | uuid | Internal checkout identifier |
| token | string | URL-safe token; used in hosted page URL and verify calls |
| hosted_url | string | Full URL to the hosted checkout page |
| status | enum | open, paid, expired, cancelled |
| amount_usd | integer | Amount in USD cents as submitted |
| chains_accepted | array of enum | Chains available on this link |
| expires_at | string | ISO-8601 expiry timestamp |
| created_at | string | ISO-8601 creation timestamp |
Status lifecycle
| Status | Description |
|---|
| open | Checkout created; awaiting customer payment |
| paid | On-chain payment verified and compliance cleared |
| expired | Reached expires_at without a verified payment |
| cancelled | Explicitly cancelled by tenant via DELETE /v1/payment-links/{token} |
paid status it is immutable. Subsequent verify calls against a paid token return the original verification response with a duplicate: true flag.
Checkout retrieval
GET /v1/payment-links/{token} returns the full checkout object in its current state. GET /v1/payment-links returns a paginated list of all checkouts for the authenticated tenant, sortable by created_at or status.
Protocol handlers
The gateway handles seven distinct payment and discovery protocols from a single base URL. Each protocol occupies its own endpoint namespace.
| Protocol | Endpoint prefix | Standard | Description |
|---|
| x402 | /x402/* | x402 v1 (Coinbase) | HTTP 402 payment-required flow; proof-of-payment header verification; supports USDC on all seven chains |
| MPP | /mpp/* | paymentauth.org/mpp | WWW-Authenticate: Payment mandate challenge and response; receipt verification; subscription mandate management |
| AP2 | /ap2/* | Google AP2 v0.1 | PaymentMandate object generation, mandate verification, open_mandate_hash anchor |
| A2A | /.well-known/agent.json, /message:send | Google A2A v1.0 | Agent card publication; skill invocation; 402 pay-and-retry loop for autonomous agent payments |
| Solana Actions | /actions/* | Solana Actions / Blinks | GET action metadata (label, icon, links); POST serialised transaction for wallet signing |
| Hosted checkout | /v1/payment-links/* | AlgoVoi native | Multi-chain hosted checkout link creation, retrieval, and status polling |
| xChain | /xchain/* | Allbridge / CCTP V2 | Cross-chain source-to-destination routing; EVM-to-Solana via Allbridge; CCTP V2 for Circle-native USDC bridging |
x402 handler
The x402 handler implements the HTTP 402 facilitator role as specified in the x402 v1 standard. When an x402-protected resource is accessed without payment proof, the gateway issues a 402 Payment Required response with a structured X-Payment-Required header. Upon receiving payment proof in X-Payment headers, the gateway verifies the proof, runs the compliance pipeline, and returns a 200 OK with an X-Payment-Receipt header containing a signed compliance receipt under the urn:x402:canonicalisation:jcs-rfc8785-v1 canonicalisation pin.
MPP handler
The MPP handler implements the Merchant Payment Protocol as defined at paymentauth.org/mpp. It issues WWW-Authenticate: Payment challenges, verifies mandate signatures, and emits MPP subscription receipts. Subscription mandates are stored in the control plane and evaluated at each pull cycle by the Recurr service. The gateway exposes a subscription demo fixture at /mpp/sub/demo/mpp-sub-test-daily-base for integration testing without tenant credentials.
AP2 handler
The AP2 handler implements Google’s Agent Payment Protocol v0.1. It generates PaymentMandate objects with structured capability declarations, verifies mandate signatures against on-chain wallet proofs, and anchors open_mandate_hash values for cross-implementation validation. AP2 #265 is the upstream issue tracking the open_mandate_hash extension proposal authored by AlgoVoi.
A2A handler
The A2A handler implements the Google Agent-to-Agent v1.0 protocol. The /.well-known/agent.json endpoint publishes the AlgoVoi agent card declaring three skills: verify-payment, create-checkout, and check-status. The /message:send endpoint accepts A2A task envelopes and returns task results. Autonomous agents that trigger a 402 during A2A skill invocation receive a payment-required envelope and can retry with proof attached — the gateway handles the pay-and-retry loop transparently.
Solana Actions handler
The Solana Actions handler follows the Solana Actions and Blinks standard. GET /actions/checkout/{token} returns action metadata including label, description, icon URL, and a links.actions array with the POST endpoint. POST /actions/checkout/{token} accepts a { account } body carrying the payer public key and returns a serialised, unsigned transaction for the Blinks wallet UI to present for signing. The checkout token is embedded in the transaction memo field to enable automatic post-sign verification.
xChain handler
The xChain handler routes cross-chain payments from a source chain (any EVM or Solana) to any AlgoVoi-supported destination chain. It co-ordinates with Allbridge for non-CCTP routes and with Circle CCTP V2 for Circle-native USDC bridging (approximately 50-second finality on Solana). A private key never leaves the browser extension; the handler receives a signed intent and returns bridge calldata for the extension to submit. Bridge state is tracked on dedicated cross-chain bridge infrastructure.
Bazaar and discovery
The Bazaar integration makes AlgoVoi the first compliance-aware Bazaar facilitator. Every payable resource published through the gateway carries embedded compliance metadata — tenant risk tier, KYC status flag, and a compliance_posture summary — so that Bazaar consumers can make admission decisions before initiating payment.
Public endpoints
GET /discovery/resources returns the public Bazaar catalog. No authentication is required. The response is a paginated list of resource objects, each containing:
| Field | Type | Description |
|---|
| resource_id | string | Stable resource identifier |
| tenant_short_id | string | Publishing tenant’s URL-safe short ID |
| resource_type | enum | api_endpoint, data_feed, agent_skill, payment_link |
| title | string | Human-readable resource title |
| description | string | Resource description |
| endpoint_url | string | URL at which the resource is accessible |
| payment_required | boolean | True if payment is required to access |
| accepted_protocols | array of enum | Protocols this resource accepts (x402, mpp, ap2, a2a) |
| chains_accepted | array of enum | Chains the resource will accept payment on |
| amount_usd | integer | Access price in USD cents, if applicable |
| compliance_posture | object | Tenant risk_tier, kyc_status, last_screened_at |
| created_at | string | ISO-8601 creation timestamp |
Publishing a resource
POST /v1/resources registers a new payable resource. The tenant must be mainnet-active (KYC approved). The endpoint URL is screened against SSRF guards and threat-intel feeds at registration time.
| Field | Type | Required | Description |
|---|
| title | string | Yes | Resource title |
| description | string | No | Human-readable description |
| endpoint_url | string | Yes | Accessible URL for this resource |
| resource_type | enum | Yes | api_endpoint, data_feed, agent_skill, or payment_link |
| payment_required | boolean | Yes | |
| accepted_protocols | array of enum | Yes | At least one of: x402, mpp, ap2, a2a |
| chains_accepted | array of enum | No | Defaults to all supported chains |
| amount_usd | integer | No | Required if payment_required is true |
| metadata | object | No | Arbitrary key-value pairs |
Compliance enforcement
Compliance runs synchronously on every payment. The pipeline cannot be bypassed, deferred, or disabled at the tenant level. It consists of five sequential operations.
Sanctions screening. The payer wallet address is matched against three consolidated sanctions lists maintained on the gateway: OFSI (UK), OFAC SDN (US), and EU Consolidated List. List data is refreshed daily from authoritative sources. Matching uses both exact-address and fuzzy-address normalisation to catch checksummed variants. Verdicts are returned in SAMLA 2018 s.20 compliant form — generic outcome categories only, never naming the specific list that produced a hit.
Hit recording. If a sanctions hit is found, the payment is blocked unconditionally. The hit is appended to the screening_hits hash chain with payer_address, list_code (a generic category, not the list name), outcome (BLOCKED or CLEAR), and screened_at. The tenant receives a payment.blocked.compliance webhook event carrying only the generic outcome.
Audit chain insertion. Every payment that clears sanctions is inserted into the payment_ledger hash chain. Each row carries:
| Field | Type | Description |
|---|
| chain_position | integer | Monotonically increasing position in the ledger |
| payment_id | uuid | Payment record identifier |
| content_hash | string | SHA-256 of the canonical payment row JSON |
| prev_hash | string | content_hash of the preceding row |
| committed_at | string | ISO-8601 timestamp |
payment.verified webhook is dispatched to the tenant’s registered endpoint. The HMAC-SHA256 signature is computed over the raw request body using the tenant’s webhook secret. The X-AlgoVoi-Signature header carries the signature prefixed with algvw_.
Pre-payment screening endpoint
POST /compliance/screen is a public endpoint that accepts a wallet address and returns a SAMLA-compliant screening result without creating a payment. This allows merchants to pre-screen payers before generating a checkout link.
| Request field | Type | Description |
|---|
| address | string | Wallet address to screen |
| chain | enum | Chain the address belongs to |
| Response field | Type | Description |
|---|
| outcome | enum | CLEAR or BLOCKED |
| screened_at | string | ISO-8601 timestamp |
| list_code | string | Generic category code if blocked; null if clear |
Compliance attestation endpoint
GET /compliance/attestation is a public endpoint returning the operator’s current compliance posture. It carries:
| Field | Type | Description |
|---|
| operator | string | AlgoVoi operator identifier |
| audit_chain_head | object | Latest payment_ledger chain_position and content_hash |
| screening_hits_head | object | Latest screening_hits chain_position and content_hash |
| object_lock_bucket | string | B2 bucket name |
| object_lock_mode | string | COMPLIANCE |
| retention_years | integer | 7 |
| retention_until | string | ISO-8601 end-of-retention date |
| samla_compliance | string | SAMLA 2018 s.20 |
| last_attested_at | string | ISO-8601 timestamp |
draft-hopley-x402-composite-trust-query Internet-Draft, enabling downstream verifier consumers to parse the attestation in a protocol-standard form.
MCP integration
The gateway exposes a Model Context Protocol surface at /mcp/*, mirroring the 28-tool inventory of the algovoi-mcp server available on PyPI as algovoi-mcp and on npm as @algovoi/mcp-server. AI agents and LLM tool-use integrations can call these tools directly over MCP without managing API keys in prompt context.
| Category | Tools |
|---|
| Payment links | create_payment_link, get_payment_link, list_payment_links, cancel_payment_link |
| Verification | verify_payment, get_verification_status |
| Compliance | screen_recipient, get_compliance_attestation |
| x402 | generate_x402_challenge, verify_x402_proof |
| MPP | generate_mpp_challenge, verify_mpp_receipt, get_mpp_subscription |
| AP2 | generate_ap2_mandate, verify_ap2_mandate |
| A2A | fetch_agent_card, send_a2a_message, get_a2a_task_status |
| Solana Actions | get_action_metadata, build_action_transaction |
| xChain | get_xchain_quote, submit_xchain_transfer, get_xchain_status |
| Discovery | list_resources, get_resource |
| Account | get_tenant_status, get_trial_balance |
Authentication
All authenticated endpoints require two headers:
| Header | Format | Description |
|---|
| Authorization | Bearer | Tenant API key |
| X-Tenant-Id | Tenant UUID | |
algv_ (standard), algv_admin_ (admin, 14 scopes), or algv_ro_ (read-only). Keys are never stored in plaintext; only a SHA-256 hash is retained after creation. Multi-key rotation is supported: an old key remains valid during the transition window while a new key is active.
The Idempotency-Key header is supported on all POST endpoints that create resources. Idempotency windows are 24 hours. Duplicate requests within the window return the original response with an X-Idempotency-Replay: true header.
Public endpoints (no authentication required)
| Endpoint | Method | Description |
|---|
| /health | GET | Service liveness check |
| /compliance/attestation | GET | Operator compliance posture and audit chain heads |
| /compliance/screen | POST | Pre-payment SAMLA-compliant sanctions screen |
| /discovery/resources | GET | Public Bazaar catalog |
| /.well-known/agent.json | GET | A2A agent card |
| /.well-known/pay-skills.json | GET | pay.sh skills catalog |
| /actions/checkout/ | GET | Solana Actions metadata |
| /mpp/sub/demo/mpp-sub-test-daily-base | GET | MPP subscription demo fixture |
Chain and asset support
| Chain | Native token | USDC asset | Notes |
|---|
| Algorand | ALGO | USDC (ASA 31566704) | ARC-4 asset transfers, memo field |
| VOI | VOI | USDC (ARC-200) | AVM-compatible, ARC-200 token standard |
| Hedera | HBAR | USDC (HTS) | Mirror node verification, topic memo |
| Stellar | XLM | USDC (GA5ZSEJ…) | Horizon REST, classic USDC (not Soroban) |
| Base | ETH | USDC (ERC-20) | Alchemy EVM RPC, receipt confirmations |
| Solana | SOL | USDC (SPL) | Token program, memo program, Blinks |
| Tempo | TEMPO | USDCe (ERC-20) | EVM-compatible, similar verification path to Base |
Rate limits and error codes
The gateway enforces a rate limit of 300 requests per minute per API key, with a burst allowance of 60 requests. Exceeding the limit returns 429 Too Many Requests with a Retry-After header indicating the earliest retry time.
| HTTP status | Meaning |
|---|
| 200 | Success |
| 201 | Resource created |
| 400 | Validation error — response body contains field-level error array |
| 401 | Missing or invalid API key |
| 403 | Insufficient scope for the requested operation |
| 404 | Resource not found |
| 409 | Conflict — idempotency key collision or duplicate resource |
| 422 | Unprocessable entity — logically invalid request |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
| 503 | Facilitator or chain RPC temporarily unavailable |
error_code (snake_case string), message (human-readable), and an optional field_errors array for validation failures.
Webhook events
The gateway delivers signed webhook events to tenant-registered endpoints for all significant payment and compliance lifecycle events.
| Event type | Trigger |
|---|
| payment.verified | On-chain payment verified and compliance cleared |
| payment.pending_finality | Payment seen on-chain; awaiting confirmation depth |
| payment.blocked.compliance | Payment blocked by sanctions screening |
| payment.expired | Checkout reached expiry without verified payment |
| checkout.created | New checkout link created |
| checkout.cancelled | Checkout explicitly cancelled |
| mandate.created | New payment mandate created |
| mandate.activated | Mandate confirmed via on-chain wallet signature |
| mandate.paused | Mandate pulls suspended |
| mandate.resumed | Mandate pulls reinstated |
| mandate.revoked | Mandate revoked on-chain |
| mandate.expired | Mandate reached cancel_at |
| mandate.cancelled | Mandate cancelled by operator |
| recurring.pull_executed | Recurring pull completed successfully |
| recurring.pull_failed | Recurring pull failed (insufficient balance, RPC error) |
| kyc.approved | Tenant KYC approved |
| kyc.rejected | Tenant KYC rejected |
| compliance.sanctions_hit | Payer address matched sanctions list |
X-AlgoVoi-Signature, X-AlgoVoi-Event, X-AlgoVoi-Delivery (unique delivery ID), and X-AlgoVoi-Timestamp headers. The delivery ID is stable across retries; the timestamp is the original dispatch time.
