Bankexpress4 API Documentation
Welcome to the Bankexpress4 API documentation. This guide explains how to integrate Bankexpress4’s payment services into your application using simple, REST-style endpoints.
Quickstart
Before you begin: contact the Bankexpress4 team to obtain your API Key and API Secret, configure your callback URLs, and whitelist your server IP addresses.
- Callback URLs for transactions and withdrawals
/bank endpoints to list supported banks and their limits before creating transactions.
POST /transaction, redirect your customer to the provided
checkout_url, and wait for callbacks.
Authentication
All requests to the Bankexpress4 API must be made over HTTPS and include a bearer token in the
Authorization header. Each site has its own unique API token, generated and managed
by the Bankexpress4 admin panel.
Bearer token
Example headers:
GET /api/v1/bank HTTP/1.1 Host: bankexpress4.com Authorization: Bearer YOUR_API_TOKEN Accept: application/json
The token value is provided by the Bankexpress4 team and must match the configured API token on the server.
If the header is missing, empty, or invalid, the API returns a 401 Unauthorized response.
Optional HMAC Signature
For additional security, requests and callbacks can be signed using an HMAC built from your API Secret and the payload.
Authorization: Bearer YOUR_API_TOKEN X-Signature: HMAC_SIGNATURE_HERE
The exact signing algorithm and string-to-sign format will be provided during integration.
Available Banks
Use these endpoints to retrieve the list of banks that are currently available for processing deposit and withdrawal transactions.
List banks for deposit
Both endpoints return the same response and are suitable for deposit flows.
{
"success": true,
"message": "Banks retrieved successfully",
"code": 200,
"total": 1,
"data": [
{
"id": 1,
"name": "Bank A",
"image": "https://example.com/bank-a.png",
"transaction_status": 1,
"withdrawal_status": 1,
"status": 1
}
]
}
List banks for withdrawal
{
"success": true,
"message": "Banks retrieved successfully",
"code": 200,
"total": 1,
"data": [
{
"id": 5,
"name": "Bank W",
"image": "https://example.com/bank-w.png",
"transaction_status": 1,
"withdrawal_status": 1,
"status": 1
}
]
}
Transactions (Deposit)
Deposit transactions allow you to accept payments from your customers.
Create transaction
| Field | Type | Required | Description |
|---|---|---|---|
first_name |
string | yes | Customer first name. |
last_name |
string | yes | Customer last name. |
phone |
string | yes | Customer phone number. |
amount |
number | yes | Payment amount. |
bank_id |
integer | yes | Bank identifier obtained from the banks endpoint. |
client_ip |
string | yes | Client IP address of the user initiating the payment. |
order_id |
integer | yes | Your internal order reference. |
user_id |
integer | yes | Your internal user identifier. |
site_id, site_name, transaction_fee |
mixed | set by Bankexpress4 | These values are injected by Bankexpress4 based on your API token; you do not need to send them. |
{
"first_name": "John",
"last_name": "Doe",
"phone": "+905551112233",
"amount": 250.0,
"bank_id": 1,
"client_ip": "203.0.113.10",
"order_id": 12345,
"user_id": 42
}
{
"success": true,
"code": 200,
"message": "Transaction created",
"data": {
"transaction_uuid": "d3a6b9f0-1234-5678-9abc-def012345678",
"receiver_iban": "TR000000000000000000000000",
"receiver_name": "Bankexpress4 Payment Account"
}
}
Redirect the customer to checkout_url to complete the payment.
Update transaction
Use this endpoint to update an existing transaction, for example to cancel it.
{
"status": "canceled",
"reason": "Customer canceled the payment"
}
Get transaction status
{
"success": true,
"code": 201,
"message": "Transaction details",
"data": {
"id": 1,
"uuid": "d3a6b9f0-1234-5678-9abc-def012345678",
"user_id": 42,
"first_name": "John",
"last_name": "Doe",
"sender": "John Doe",
"phone": "+905551112233",
"amount": 250.0,
"currency": "TRY",
"order_id": 12345,
"receiver_iban": "TR000000000000000000000000",
"receiver_name": "Bankexpress4 Payment Account",
"receiver": "Bankexpress4 Payment Account",
"bank_id": 1,
"bank_name": "Bank A",
"status": "success",
"paid_status": true,
"client_ip": "203.0.113.10",
"created_at": "2026-02-24T12:34:56Z",
"updated_at": "2026-02-24T12:35:56Z"
}
}
Withdrawals
Withdrawal endpoints are used to send funds to a customer or payout account.
Create withdrawal
{
"user_id": 42,
"first_name": "John",
"last_name": "Doe",
"iban": "TR000000000000000000000000",
"bank_id": 5,
"amount": 1000.0,
"order_id": "WITHDRAW-98765"
}
{
"success": true,
"code": 201,
"message": "Withdrawal created successfully",
"data": {
"id": 10,
"uuid": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
"first_name": "John",
"last_name": "Doe",
"receiver": "John Doe",
"iban": "TR000000000000000000000000",
"bank_id": 5,
"bank_name": "Bank W",
"amount": 1000.0,
"order_id": "WITHDRAW-98765",
"site_id": 1,
"site_name": "Bankexpress4",
"sender_name": null,
"sender_iban": null,
"status": 0,
"paid_status": false,
"created_at": "2026-02-24T13:40:00Z",
"updated_at": "2026-02-24T13:40:00Z"
}
}
Get withdrawal status
{
"success": true,
"code": 201,
"message": "Withdrawal created successfully",
"data": {
"id": 10,
"uuid": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
"first_name": "John",
"last_name": "Doe",
"receiver": "John Doe",
"iban": "TR000000000000000000000000",
"bank_id": 5,
"bank_name": "Bank W",
"amount": 1000.0,
"order_id": "WITHDRAW-98765",
"site_id": 1,
"site_name": "Bankexpress4",
"sender_name": "Bankexpress4",
"sender_iban": "TR000000000000000000000000",
"status": 1,
"paid_status": true,
"created_at": "2026-02-24T13:40:00Z",
"updated_at": "2026-02-24T13:45:00Z"
}
}
Wallets
Wallet endpoints allow you to view your Bankexpress4 balances.
Get wallet
{
"success": true,
"message": "Account retrieved successfully",
"code": 200,
"data": {
"id": 1,
"name": "Main Wallet",
"iban": "TR000000000000000000000000"
}
}
Callbacks
Bankexpress4 sends webhook callbacks when a transaction’s paid_status becomes true.
Callbacks are sent to one or more URLs configured on your side.
Configuring webhook URLs & secret
In your Bankexpress4 environment, the following variables control webhook delivery:
TRANSACTION_WEBHOOK_URL– single callback URL (backwards compatible)TRANSACTION_WEBHOOK_URLS– comma‑separated list of URLs (e.g.https://a.com/hook,https://b.com/hook)TRANSACTION_WEBHOOK_SECRET_KEY– shared HMAC secret used to sign payloadsTRANSACTION_WEBHOOK_ENABLED– enable / disable callbacks (default:true)
HTTP request
For each successful transaction update, Bankexpress4 will perform an HTTP POST request to every configured URL.
POST /your/webhook/endpoint HTTP/1.1 Host: merchant.example.com Content-Type: application/json X-Signature: <HMAC_SHA256_SIGNATURE> X-Timestamp: 1737654321
Transaction webhook payload
{
"transaction_id": 1,
"uuid": "d3a6b9f0-1234-5678-9abc-def012345678",
"user_id": 42,
"amount": 250.0,
"currency": "TRY",
"status": "success",
"paid_status": true,
"first_name": "John",
"last_name": "Doe",
"phone": "+905551112233",
"receiver_iban": "TR000000000000000000000000",
"receiver_name": "Bankexpress4 Payment Account",
"bank_id": 1,
"bank_name": "Bank A",
"wallet_id": 10,
"site_id": 1,
"site_name": "Bankexpress4",
"order_id": 12345,
"payment_method": "manual",
"created_at": "2026-02-24T12:34:56Z",
"updated_at": "2026-02-24T12:35:10Z",
"accepted_at": "2026-02-24T12:35:00Z",
"timestamp": 1737654321
}
How the HMAC signature is generated
Bankexpress4 signs each callback using HMAC‑SHA256 with your secret key.
- Sort the JSON payload by keys (ascending).
- Build the signature string:
signature_string = timestamp + json_encode(sorted_payload) + secret_key - Compute the signature:
signature = HMAC_SHA256(signature_string, secret_key). - Send this value in the
X-Signatureheader and the Unix timestamp inX-Timestamp.
// payload is the JSON body as an object/array sortedPayload = sortKeysAscending(payload) jsonPayload = jsonEncode(sortedPayload, withoutEscapingSlashes) signatureStr = payload["timestamp"] + jsonPayload + SECRET_KEY signature = HMAC_SHA256(signatureStr, SECRET_KEY)
Verifying the webhook on your server
On your side you should recompute the signature and compare it to the X-Signature header.
$secret = 'YOUR_TRANSACTION_WEBHOOK_SECRET_KEY';
$body = file_get_contents('php://input'); // raw JSON
$payload = json_decode($body, true); // associative array
$timestamp = $_SERVER['HTTP_X_TIMESTAMP'] ?? null;
$received = $_SERVER['HTTP_X_SIGNATURE'] ?? null;
ksort($payload);
$jsonPayload = json_encode($payload, JSON_UNESCAPED_SLASHES);
$signatureStr = $timestamp . $jsonPayload . $secret;
$expected = hash_hmac('sha256', $signatureStr, $secret);
if (!hash_equals($expected, $received)) {
http_response_code(401);
exit('Invalid signature');
}
// Signature is valid – process the webhook safely.
Errors
Bankexpress4 uses standard HTTP status codes and a consistent JSON structure for error responses.
| Status | Meaning |
|---|---|
200, 201 |
Successful request / resource created. |
400 |
Bad request (invalid parameters). |
401 |
Unauthorized (missing or invalid bearer token). |
403 |
Forbidden (e.g. blacklisted). |
404 |
Resource not found. |
422 |
Validation error. |
500 |
Internal server error. |
Error response format
{
"success": false,
"code": 400,
"message": "Minimum amount is 2000",
"data": []
}