Bank Hub API overview & auth

SePay Bank Hub API overview: sandbox/production environments, Bearer Token authentication, HTTP status codes, error formats, and the endpoint list.

||

Introduction

In addition to Hosted Link, Bank Hub provides a full set of RESTful APIs to:

  • Create and manage link tokens
  • Create and manage companies
  • Manage linked bank accounts
  • Query transaction history
  • Configure merchant settings
  • Configure webhooks for event notifications

API Environments & Versioning

Bank Hub supports two environments:

Production

  • Base URL: https://bankhub-api.sepay.vn
  • API Version: /v1
  • Used for production (real environment)

Sandbox

  • Base URL: https://bankhub-api-sandbox.sepay.vn
  • API Version: /v1
  • Used for development and testing
Note

All endpoints are prefixed with /v1/ and are routed based on the hostname.

API Authentication

Create Access Token

The token endpoint uses Basic Authentication with client_id and client_secret provided by SePay.

POST
/v1/token
Authorization: Basic {base64(client_id:client_secret)}
Security

DO NOT use this API from the client side (browser, mobile app). The token API requires client_secret, which must be strictly protected on the server. Only call this API from your backend server.

See details here: Create Token API

Calling Business APIs

All other business APIs require authentication using a Bearer Token:

Authorization Header
Authorization: Bearer YOUR_ACCESS_TOKEN
Token Management
  • Tokens have a limited lifetime (TTL)
  • When a token expires, the API returns 401 Unauthorized
  • Call /v1/token again to obtain a new token
  • Recommendation: Implement an automatic token refresh mechanism before expiration

HTTP Status Codes

Bank Hub uses standard HTTP status codes:

  • 200 OK – Request succeeded
  • 201 Created – Resource created successfully
  • 400 Bad Request – Validation error or invalid request
  • 401 Unauthorized – Missing or invalid authentication
  • 404 Not Found – Resource not found
  • 405 Method Not Allowed – Incorrect HTTP method
  • 500 Internal Server Error – Server-side error
  • 503 Service Unavailable – Service temporarily unavailable

Error Response Format

All API errors follow a consistent structure:

RESPONSE 400 - Validation Error
{
  "code": 400,
  "message": "Bad request",
  "errors": {
    "field_name": "Detailed error message"
  }
}
RESPONSE 401 - Authentication Error
{
  "code": 401,
  "message": "Unauthenticated"
}
RESPONSE 404 - Not Found
{
  "code": 404,
  "message": "Resource not found"
}

API Endpoints List

  • Link Token APIs:
POST
/v1/link-token/create

Create a link token for linking or unlinking a bank account (can be embedded in an iframe or used with the SDK). API details →

POST
/v1/link-token/get

Retrieve detailed information about a created link token. API details →

POST
/v1/link-token/revoke

Revoke a created link token and deactivate the link. API details →

  • Company APIs:
GET
/v1/company

Get the list of companies belonging to the merchant. API details →

GET
/v1/company/{xid}

Get details of a company by xid. API details →

POST
/v1/company/create

Create a new company for the merchant. API details →

POST
/v1/company/edit/{xid}

Update a company's information by xid. API details →

GET
/v1/company/counter/{xid}

Count transactions for a company. API details →

  • Bank Account APIs:
GET
/v1/bank-account

Get the list of linked bank accounts. API details →

GET
/v1/bank-account/{xid}

Get details of a bank account by xid. API details →

  • Transaction APIs:
GET
/v1/transaction

Query transaction history with flexible filters. API details →

GET
/v1/transaction/{transaction_id}

Get details of a transaction by transaction_id. API details →

  • Merchant Config APIs:
GET
/v1/merchant-config

Get merchant display configuration (logo, name, colors). API details →

POST
/v1/merchant-config

Update merchant display configuration. API details →

POST
/v1/merchant-config/logo

Upload a merchant logo. API details →

  • Webhook APIs:
GET
/v1/webhook

Get the current webhook configuration. API details →

POST
/v1/webhook

Configure webhook URL and secret key for receiving events. API details →

Best Practices

1. Token Management

  • Store tokens securely and never expose them on the client side
  • Implement automatic token refresh before expiration
  • Handle 401 errors by fetching a new token automatically and retrying the request

2. Error Handling

  • Always check HTTP status codes
  • Parse and display error messages from the response
  • Implement retry logic for temporary (5xx) errors

3. Rate Limiting

  • Follow the API rate limits
  • Implement exponential backoff when encountering 429 errors
  • Cache data when possible to reduce the number of API calls

4. Idempotency

  • Use an idempotency key for important requests
  • Store and validate responses based on the idempotency key
  • Safely handle duplicate requests

Next Steps

To get started with Bank Hub API, follow these steps:

  1. Create Access Token - Get a Bearer token to authenticate subsequent APIs
  2. Create Company - Create a company to manage bank accounts
  3. Create Link Token - Create a link for users to connect their bank
Tip

See the Quick Start Guide for a step-by-step integration tutorial with complete code examples.

Previous page
Next page