Skip to main content

Get started with Hubpay Connect

Use Hubpay Connect to add payments, account onboarding, balances and money movement to your product. Start in sandbox, make one authenticated request, then follow the guide for what you are building.

What are you building?

GoalStart here
Accept card, bank transfer or supported crypto paymentsAccept payments
Onboard business accounts and respond to compliance requestsAccounts & onboarding
Read balances and transactions or initiate paymentsBanking & money movement
Let Hubpay customers approve access for your softwareConnected apps

1. Use the sandbox

EnvironmentBase URL
Sandboxhttps://sandbox-api.hubpay.io
Productionhttps://api.hubpay.io

Sandbox and production use separate credentials, account identifiers and data. Do not reuse an access token between environments.

2. Obtain credentials

Hubpay provides a clientId, clientSecret and account context during integration onboarding. Store the secret in a server-side secret manager; never put it in browser, mobile or distributed package code.

If API access is enabled for your account, an authorised administrator can create and manage API credentials in Hubpay.

3. Authenticate your backend

Exchange the client credentials for a short-lived bearer token. The authentication guide includes a working request and explains how to use the token with Send API request in the interactive API reference.

API authentication is separate from customer login or account linking. A connected app adds customer-approved access after your own backend is authenticated.

4. Make your first request

This sandbox request lists wallets and balances for an account:

curl 'https://sandbox-api.hubpay.io/v1/wallets' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
-H 'AccountId: YOUR_ACCOUNT_ID'

Some endpoints operate on the authenticated partner and do not use AccountId. The API reference states which headers each endpoint requires.

5. Test the complete journey

Before production

  • Provide Hubpay with the fixed outbound IP addresses used by your production backend so they can be allowlisted before go-live
  • Keep sandbox and production credentials, data and webhook endpoints separate
  • Use the documented externalId or idempotency field to prevent duplicate operations
  • Handle 429 Too Many Requests responses with backoff
  • Follow pagination fields such as page, size, totalPages and last
  • Verify every webhook signature and make event processing idempotent

Continue with the product area in the first table, or go directly to the API reference when you know the endpoint you need.