API Documentation

Check account balance.

Create a QRIS deposit invoice (rupiah). Redirect the customer to payment_url to complete payment. Balance is credited automatically on successful payment. Invoice valid for 30 minutes. Send a unique Idempotency-Key header to avoid duplicate invoices on retry.

Check deposit status. States: pending | success | expired | failed. Polling also drives reconciliation automatically.

List of available countries (Server 1).

List of platforms/services. Optional parameter: country_id.

List of products + pricing + stock. Parameters: platform_id, country_id, page, limit, sort.

List of available countries (Server 2).

List of services + pricing per country.

List of operators per country.

List of special services (no country/operator parameter required). These services use pre-allocated virtual numbers dedicated to specific platforms.

Suggested target sites. Suggestions only; any valid site domain can be sent to the create endpoint.

Available email domains, stock, price, activation rate, and cancellation fee preview.

Buy Email OTP. Optional fields: qty, subject, regex, or domains[] for aggregator mode.

Poll email status and messages. Returns inbox preview, extracted OTP/headline, full message timeline, and updated expires_at.

Request a new message on the same email inbox. The waiting window resets to 20 minutes and OTPZap balance is not debited again.

Cancel before any message arrives. Refund can be reduced by the system cancellation fee.

Finish an email order after a message arrives and close the activation window.

Buy an OTP number. Optional header Idempotency-Key prevents duplicate orders on retry. Use IDs from the latest catalog response. Optional service_name must match the service name for the selected ID when sent.

Check status & fetch OTP. Poll this endpoint every 5 seconds. Status flow: pending → otp_received (S1, number still active) → success. Failed orders are auto-refunded.

Key fields: otp_code is the latest/final OTP for automated integrations. otps[] is the timeline of all OTPs received (oldest first), so do not use the first array item as the main OTP. Useful when resend adds a new OTP - you can detect a new entry by array length change. resend_count = how many resends used. resend_locked_until = WIB timestamp until resend is unlocked (null if available).

Cancel a pending order. A 2-minute cooldown applies to all orders (single & multiservice). Balance is refunded automatically when system confirms cancellation. Error codes: 409 if status is not pending, 429 if cooldown not yet elapsed (check Retry-After header), 502 if system rejects.

Mark order as finished. Use after the OTP is received and the number is no longer needed.

Resend SMS. Per-OTP gating: after one resend, the next call returns HTTP 429 until a new OTP arrives through polling. Status and existing OTP are not reset - new OTP appears as an additional entry in otps[]. Not all platforms support resend.

Server 1 only. Atomically cancel the current order and buy a fresh number at the same product/price. Old balance refunded, new balance deducted in one transaction.

Fetch current webhook configuration. secret is never returned here (security - only shown once at set/update time).

Create or update webhook configuration. Method is PATCH (not POST). URL must be HTTPS and resolve to a public IP (private IPs are rejected for anti-SSRF protection).

Optional fields: secret minimum 16 characters (if not provided or shorter, OTPZap auto-generates a 48-char hex). Save this secret somewhere safe - it will not be shown again at /webhook/get. is_active defaults to true; set to false to pause delivery without deleting config.

Error 422: URL is not HTTPS, URL resolves to private/loopback IP (anti-SSRF), or an event is not valid (see list above).