Developer API

REST API built for financial infrastructure.

Full programmatic access to accounts, FX, payouts, and crypto. Webhooks, SDKs, FIX 4.4. Built for developers who need production reliability.

Request API Access API Explorer
ccyfx-sdk — node index.js
99.97%
Uptime SLA
<200ms
API p95 Latency
<180ms
FX Execution
7
Payment Rails
180+
Countries
24/7
Infrastructure Support
Interactive

Live API Explorer

Select any endpoint, inspect the request schema, and simulate a live response. No API key required in the explorer.

Accounts
POST/accounts
GET/accounts/:id/balance
FX
POST/fx/quote
POST/fx/execute
Payouts
POST/payouts
POST/payouts/batch
GET/payouts/:id
Cards
POST/cards
Webhooks
GET/webhooks
POST
https://api.ccyfx.com/v1/accounts
Request Body
Response
// Click Send to see response
Security

Authentication & Access Control

Enterprise authentication primitives built to financial-institution standards. Every request is authenticated, signed, and rate-limited.

HMAC-SHA256 Request Signing
All production API requests require a cryptographically signed HMAC-SHA256 header. Signing key is derived from your API secret and a per-request timestamp — preventing replay attacks.
X-CCYFX-Signature: sha256=<digest>
OAuth 2.0 Client Credentials
Machine-to-machine authentication via OAuth 2.0 client credentials flow. Short-lived access tokens (15-minute TTL) rotated automatically. Supported alongside API key auth for institutional integrations.
POST /v1/oauth/token
IP Allowlisting
Restrict API access to a whitelist of IP ranges at the network layer. Mandatory for Institutional tier accounts. All traffic outside the allowlist is rejected at the edge before reaching application servers.
CIDR notation — up to 32 ranges
Rate Limits & Throttling
Per-key rate limits enforced at the API gateway. Burst allowance for batch operations. Limits are returned in every response header so clients can adapt in real time.
Standard1,000 req/min
Enterprise10,000 req/min
Batch endpoints50,000 rows/call
FX streamingUnlimited (WebSocket)
Sandbox Environment sandbox.ccyfx.com

Full-fidelity sandbox with simulated settlement rails, live-mirrored FX rates, webhook delivery, and synthetic KYC flows. No real funds. Sandbox keys provisioned immediately on account creation — no approval required. Production keys issued after KYB, typically within one business day.

Client Libraries

Official SDKs

Type-safe, idiomatic client libraries for every major platform. Maintained by the CCYFX engineering team. Semantic versioning with a 12-month deprecation notice policy.

JS
Node.js / TypeScript
v4.2.1
$ npm install @ccyfx/sdk
PY
Python
v3.1.0
$ pip install ccyfx
JV
Java
v2.0.0
$ mvn dependency:get -Dartifact=com.ccyfx:sdk:2.0.0
GO
Go
v2.4.0
$ go get github.com/ccyfx/ccyfx-go
PHP
PHP
v2.0.3
$ composer require ccyfx/ccyfx-php
Idempotency
Pass an Idempotency-Key header. We guarantee exactly-once execution — safe to retry on network failure without duplicate payments.
Idempotency-Key
FX Rate Streaming
WebSocket stream for institutional FX rates. 145 currency pairs updated in real time. Sub-second latency. Ideal for rate dashboards and automated hedging triggers.
WSS / WebSocket
OpenAPI Specification
Full OpenAPI 3.0 spec published at api.ccyfx.com/openapi.json. Import into Postman or Insomnia or generate your own client in any language.
OpenAPI 3.0
Infrastructure

Bank-Grade Security Architecture

Security controls implemented to PCI DSS Level 1, SOC 2 Type II, and ISO 27001 standards. Independently audited annually with findings published to enterprise clients under NDA.

TLS 1.3 in Transit
All API traffic encrypted with TLS 1.3. TLS 1.0 and 1.1 disabled across all endpoints. Forward secrecy enforced on every connection.
TLS 1.3 only
AES-256 at Rest
All financial data encrypted at rest using AES-256-GCM. Database-level encryption plus field-level encryption for PAN data and account credentials.
AES-256-GCM
HSM Key Management
Cryptographic keys stored in FIPS 140-2 Level 3 Hardware Security Modules. Key rotation automated quarterly. No key material ever stored in software or configuration.
FIPS 140-2 L3
PCI DSS Level 1
Highest tier of Payment Card Industry certification. Annual QSA assessment. Cardholder data environment is fully isolated with dedicated network segmentation.
PCI DSS L1
SOC 2 Type II
Annual SOC 2 Type II audit covering Security, Availability, and Confidentiality trust service criteria. Report available to institutional clients on request.
SOC 2 Type II
Penetration Testing
Quarterly penetration tests by independent CREST-accredited security firms. Continuous automated vulnerability scanning. Bug bounty programme for responsible disclosure.
CREST Accredited
Event-Driven

Webhooks

Register a single HTTPS endpoint to receive verified, signed events for every state change across payments, FX executions, cards, accounts, and KYC workflows. Delivery is guaranteed with automatic retry over 72 hours — exponential backoff, up to 10 attempts.

payment.completed
Funds confirmed received at destination
LIVE
payment.failed
Payment rejected — reason code and SWIFT return code included
LIVE
fx.executed
FX conversion settled at executed rate
LIVE
account.credited
Inbound funds received on a named IBAN
LIVE
account.debited
Funds debited from an account balance
LIVE
card.transaction
Card spend event with merchant data, MCC, and FX detail
LIVE
kyc.approved
Entity or beneficial owner KYC check passed
LIVE
kyc.rejected
KYC check failed — reason and required remediation included
LIVE
webhook payload — payment.completed
{ "event": "payment.completed", "id": "evt_01HZ9KPX...", "created_at": "2026-03-17T14:23:01Z", "api_version": "2026-01", "data": { "payout_id": "pyt_9X2mQv...", "amount": 250000, "currency": "EUR", "rail": "sepa_instant", "reference": "INV-2026-0847", "settled_at": "2026-03-17T14:22:58Z" } }
HMAC-SHA256 Signature Verification
X-CCYFX-Signature: sha256=<digest>
Verify every webhook payload using your webhook secret. Reject any request without a valid signature to prevent spoofing.
Reliability

Service Level Agreement

Contractual SLAs backed by financial credits for all Institutional and Enterprise tier accounts. Real-time status available at status.ccyfx.com.

99.97%
API Uptime — 30-day rolling
<200ms
API Response p95 Latency
<180ms
FX Quote Execution
24/7
Infrastructure Monitoring
Incident Response
P1 incidents acknowledged within 15 minutes. Resolution target 2 hours. Post-incident report within 48 hours for Institutional clients.
Planned Maintenance
Minimum 7-day advance notice. Scheduled outside peak trading hours (02:00–04:00 UTC Sunday). Zero-downtime deploys for all routine releases.
SLA Credits
Downtime below SLA threshold triggers automatic service credits. 10% monthly fee credit per 0.1% below target. Applied to next invoice without request.
Integration Guide

From zero to live in three steps

The CCYFX API is designed for institutional integrations that go live fast. Typical time from sandbox access to first live payment: under 4 hours.

1
Authenticate & initialise the client
Install the SDK for your language. Provide your API key from the dashboard. Point to sandbox for development, switch the base URL to production for go-live.
2
Create an account & get an FX quote
Issue a named multi-currency IBAN or sub-account. Fetch a firm FX quote with a 30-second execution window. Quotes are locked — the rate you see is the rate you get.
3
Execute a payout & receive a webhook
Submit a payout against any of the 7 supported rails. Register a webhook endpoint to receive real-time payment.completed confirmation with full settlement metadata.
Node.js — getting started
// Step 1 — Initialise const ccyfx = require('@ccyfx/sdk'); const client = new ccyfx.Client({ apiKey: process.env.CCYFX_API_KEY, environment: 'sandbox' }); // Step 2 — Get a firm FX quote const quote = await client.fx.quote({ from: 'GBP', to: 'EUR', amount: 100000, direction: 'sell' }); // quote.rate → 1.1742, locked 30s // Step 3 — Execute payout const payout = await client.payouts.create({ amount: 250000, currency: 'EUR', idempotency_key: 'inv-2026-0847', destination: { iban: 'DE89370400440532013000', bic: 'COBADEFFXXX', name: 'Meridian Holdings GmbH' }, rail: 'sepa_instant', reference: 'INV-2026-0847' }); // payout.id → pyt_9X2mQv... // payout.eta → 2026-03-17T14:23:09Z
Start Building

API access in minutes

Sandbox keys provisioned immediately. Production access after KYB — typically one business day for verified institutions. Dedicated integration engineer assigned to all Scale and Institutional accounts.

Get API Access Try the Live Explorer

PCI DSS Level 1 · SOC 2 Type II · ISO 27001