Documentation Index
Fetch the complete documentation index at: https://docs.lux-core.io/llms.txt
Use this file to discover all available pages before exploring further.
API Changelog
Stay informed about new features, improvements, and breaking changes to the LuxCore API.Subscribe to our developer newsletter to receive changelog updates via email.
2026
April 2026
2026-04-29
API v2 HMAC payment creation
- Added a merchant-scoped
POST /api/v2/paymentsendpoint for merchants onboarded to API v2 - API v2 payment creation uses HMAC-SHA256 request signing instead of
X-API-Key - API v2 HMAC request headers use
X-Merchant-Id,X-Timestamp,X-Nonce,X-Signature-Version, andX-Signature - Signatures cover the raw request body hash, method, path with query string, Unix timestamp, and nonce
- Requests outside a 300-second timestamp window or with a reused nonce are rejected
- Existing API v1 endpoints and API-key authentication remain unchanged for v1 merchants
- API v2 payment HMAC secrets are separate from webhook signing secrets and are shown only when issued or rotated
- Switching a merchant from API v1 to API v2 revokes active API keys and issues one-time HMAC credentials
March 2026
2026-03-17
Performance & Reliability OverhaulBreaking Change
- Payment
amountfield now enforces integer validation — values must be whole numbers representing minor currency units (e.g., cents). Requests with decimal/float amounts will be rejected with a400error. If you were previously sending integer values, no changes are needed.
- Payment creation latency reduced significantly through internal architecture optimizations (eliminated inter-service network round-trips for requisite selection)
customer_idfield on payments is now optional — payments can be created without a customer identifiermerchant_referenceuniqueness constraint relaxed: duplicate references are now allowed for failed, expired, and cancelled payments, preventing spurious conflicts on retried payment flows- Payment page: improved loading experience with skeleton placeholders instead of spinner
- Payment page: added countdown timer for payment expiration
- Payment page: sensitive URL parameters are now stripped from the browser address bar after loading
- Payment page: security headers hardened (X-Frame-Options, Content-Security-Policy, Permissions-Policy)
- Improved error responses with structured error codes and consistent formatting across all API endpoints
- Overall platform reliability and resilience improvements under high concurrency
2026-03-10
Webhook ordering support
- Webhook payloads now include a
status_versionfield — a monotonically increasing integer that increments with every payment status change - Use
status_versionto detect out-of-order or duplicate webhooks: ignore events wherestatus_versionis less than or equal to the last processed version - See the Webhooks Guide for implementation details
2026-03-01
Per-payment traffic type
- Payments now support an optional
traffic_typefield (primary,secondary,vip) passed at creation time - Admin panel: new traffic type filter on the payments list and stats pages
- Admin panel: traffic type badge displayed in payment details drawer
- CSV export includes the
traffic_typecolumn
February 2026
2026-02-26
Support Tickets API
- New public API endpoints for merchant ticket management (
/tickets) - Create, list, and view support tickets via API
- Add and list comments on tickets with attachment support
- Close and reopen tickets programmatically
- File attachments via pre-signed upload/download URLs
- Admin replies on merchant tickets now trigger
ticket.comment_addedwebhook - New webhook events:
ticket.created,ticket.updated,ticket.comment_added,ticket.resolved,ticket.closed - New API key scopes:
tickets.create,tickets.read,tickets.update
2026-02-26
iPay integration hardening
- Pending payment monitor: iPay payments with “Pending” (end-of-day settlement) status are now automatically monitored. Alerts are sent after 6 hours, and payments are auto-cancelled after 24 hours if unresolved
- Amount mismatch alerting: Real-time alerts are now triggered when an iPay callback reports an amount that doesn’t match the expected payment amount
- Rate limiting: Provider callback endpoints now enforce rate limits (300 req/min) to prevent abuse, replacing the previous unlimited access
- Documentation: Added iPay integration details including redirect flow, response fields, limits, and callback status mapping to the Payments Guide
2026-02-17
payment.refunded added to default webhook eventspayment.refundedis now included in the default set of webhook events for both in-request and admin-created webhooks- New default:
payment.created,payment.completed,payment.failed,payment.refunded - Existing webhooks are not affected — only newly created webhooks will include
payment.refundedby default - To receive refund events on existing webhooks, update the
eventsarray via the API or passwebhook_eventsexplicitly when creating payments
January 2026
v1.5.0 - In-Request Webhooks
2026-01-30
Per-Payment Webhook URLYou can now pass a webhook URL directly in the payment creation request, enabling per-payment notification routing without pre-configuring webhooks.New Features
webhook_url: Optional field inPOST /payments— specify a URL to receive webhook events for this specific paymentwebhook_events: Optional array to choose which events to subscribe to (defaults topayment.created,payment.completed,payment.failed,payment.refunded)- Automatic deduplication: If the same merchant sends the same
webhook_urlacross multiple payments, the system reuses the existing webhook configuration - Default webhook secret: In-request webhooks are signed using a per-merchant default secret, visible in the merchant settings panel
- Pass
webhook_url(and optionallywebhook_events) when creating a payment - The system automatically creates (or reuses) a webhook endpoint for your merchant
- Events are delivered to both admin-configured webhooks and in-request webhooks in parallel
- In-request webhooks use the same HMAC-SHA256 signature verification as admin webhooks
POST /paymentsnow accepts optionalwebhook_url(string, max 2048 chars) andwebhook_events(string array)- In-request webhooks are excluded from
GET /webhookslisting by default (use?source=in_requestto view them) - Merchant detail response now includes
default_webhook_secretfield
- None (backwards compatible)
v1.4.1 - PayID payments
2026-01-22
AUD currency and PayID payment methodAdded support for Australian Dollar (AUD) and PayID as a new payment method.New Features
- AUD currency: Full support for Australian Dollar deposits and withdrawals
- PayID method (
payid): Near-instant payments via Australia’s New Payments Platform (NPP). Customers can pay using an email address, phone number, or ABN as the PayID identifier - PayID deposits: Customers send funds to a dynamically generated PayID. Response includes
payid_detailswith the PayID identifier and reference - PayID withdrawals: Send payouts to a recipient’s PayID (email, phone, or ABN) instead of BSB/account number
- AUD bank transfers: Traditional BSB + account number method also supported for both deposits and withdrawals
POST /paymentsnow accepts"currency": "AUD"with methodsbank_transferorpayid- For AUD bank transfers,
bank_detailsresponse includesbsbfield (6-digit BSB code) - For PayID deposits, response includes
payid_detailsobject withpayid,payid_type,payid_name, andreference - For PayID withdrawals,
payoutobject acceptspayidandpayid_typefields instead ofbank_account/bank_code payid_typeaccepts:email,phone,abn
- None (backwards compatible)
v1.4.0 - Webhook Security & Contract Stabilization
2026-01-20
Webhook Payload WhitelistImproved security and API contract stability for webhook payloads.Changes
customer_datain webhook payloads now uses a whitelist approach — only specific, documented fields are included- Internal processing data (IP addresses, user agents, internal IDs, processing metadata) is no longer sent to merchant webhooks
payoutobject is now only included forwithdrawaltype payments (not for deposits)
- Top-level:
note,customer_email,customer_phone,customer_name,external_id,reference,description,expires_at,requested_payment_type commission:currency,total_minorpayout(withdrawals only):bank_code,bank_account,recipient_name,bank_name
- Webhook payloads no longer include internal fields that were previously exposed unintentionally
- If your integration relied on undocumented fields in
customer_data, you may need to update your webhook handler
2025
December 2025
v1.3.0 - Customer Management System
2025-12-22
Customer Base & Payment LinkingNew customer management system that enables tracking and analytics across payments.New Features
- Customer ID: Merchants can optionally pass
customer_idwhen creating payments to link to an existing customer - Auto-linking: When
customer_idis not provided, customers are automatically created/matched by email or phone - Customer Data in Response: Payment responses now include
customerobject withid,email,phone,name
POST /paymentsnow accepts optionalcustomer_idfield (integer)- Payment responses include
customer_idandcustomerobject customerobject in request body remains required (name, email, phone)
- None (backwards compatible)
v1.2.2 - Payment Page Enhancements
2025-12-03
Standalone Payment Page & Return URL SupportMajor improvements to the hosted payment page experience.New Features
- Return URLs: Merchants can now provide
success_urlandcancel_urlfor merchant settings for automatic redirect after payment completion - Mercado Pago Integration: Quick-pay button with deep link support (mobile devices only)
- Improved bundle size and performance
- Fixed SSE event handling for real-time payment status updates
- Payment page now correctly updates UI when payment status changes via SSE
GET /payment-pages/:token/detailsnow returnsreturn_urlsobject withsuccess_urlandcancel_url
- None (backwards compatible)
v1.2.1 - API Consistency & Validation
2025-12-02
API key format alignment and validation improvementsThis release fixes inconsistencies between API validation, documentation, and Swagger schemas.API Key Format Changes
- Standardized API key format validation:
- Test keys:
qp_test_sk_*(e.g.,qp_test_sk_abc123...) - Production keys:
qp_prod_sk_*(e.g.,qp_prod_sk_xyz789...)
- Test keys:
- Removed support for deprecated formats:
qp_sandbox_sk_*,qp_live_* - Updated all documentation and Swagger examples to reflect correct key formats
- Added
refundedandpartial_refundstatuses to payment API schemas - Payment pages now correctly display refund statuses
- DTOs and filters now support filtering by refund statuses
recipient_nameandbank_accountare now required fields for withdrawal requests for ARS flow.- Improved error messages for missing payout details
- Consistent validation across all withdrawal types
- Payment page URLs are now documented as dynamic (vary by currency/method/region)
- Updated all code examples with correct API key formats
- Clarified payout field requirements for different countries
- API keys using
qp_sandbox_sk_*orqp_live_*formats will no longer be accepted - Withdrawal requests without
recipient_nameorbank_accountwill return400 Bad Request
November 2025
v1.2.0 - Production Stability Release
2025-11-29
Major improvementsFollowing the successful scaling deployment, we shipped a set of optimizations based on real world usage patterns.Improvements
- Optimized payment processing pipeline for higher throughput
- Increased rate limits for payment creation to 5000 requests per minute (burst: 500 requests per 10 seconds)
- Improved webhook delivery reliability and retry mechanism
- More descriptive error messages for validation failures
- Reduced average API response time by about 40%
- Faster payment status transitions
- None
2025-11-25
Enhanced testing and quality of life
- Improved consistency of API responses across endpoints
- None
2025-11-22
LKR currency and iPay payment methodAdded support for Sri Lankan Rupee (LKR) and iPay as a new payment method.New Features
- LKR currency: Full support for Sri Lankan Rupee deposits
- iPay method (
ipay): Redirect-based online payments for Sri Lanka. Customers are redirected to a hosted checkout page to complete payment via Visa, Mastercard, LankaQR, or iPay App - Payment scheme filtering: Optionally restrict to a single scheme (
VISA,MC,IPAY,LQR) viaipay.payment_methodfield in the request
POST /paymentsnow accepts"currency": "LKR"with methodipay- Response includes
redirect_urlfor customer redirect to complete payment - Optional
ipayobject in request body acceptspayment_methodfield to filter available payment schemes
- None (backwards compatible)
2025-11-18
Optimization and refactors
- Internal architecture improvements for better scalability
- Enhanced payment method validation rules
- Improved balance calculation accuracy
- None
October 2025
v1.1.0 - Webhooks Improvements
2025-10-30
Webhook manager improvementsNew features
- Enhanced webhook signature binding for improved security and verification
- Make sure your webhook handlers are idempotent to safely handle retries.
- None
2025-10-24
Webhook delivery fixes
- Fixed webhook signature generation for consistent verification on client side
- Improved webhook retry logic with exponential backoff
- Enhanced request binding for webhook payloads
- None
2025-10-22
Payment limits update
- Corrected maximum amount validation rules
- Improved amount formatting in API responses
- None
2025-10-17
Production deployment optimizations
- Enhanced API key handling and validation
- Improved error responses for invalid credentials
- Added support for additional payment method configurations
- None
- API key formats
qp_sandbox_sk_*andqp_live_*are deprecated and will stop working in December 2025 - Please use the standard formats:
qp_test_sk_*for test mode,qp_prod_sk_*for production
September 2025
v1.0.2 - Integration Fixes
2025-09-14
Webhook flow corrections
- Fixed
payment.completedwebhook not being sent in some scenarios - Improved webhook scheduling reliability
- Enhanced stale webhook detection and cleanup
- None
2025-09-10
Balance and withdrawal improvements
- Resolved issues with balance calculations
- Fixed withdrawal validation edge cases
- Improved payment and requisite lock expiry handling
- None
2025-09-08
API key and proxy compatibility
- Fixed API key validation in specific edge cases
- Improved proxy compatibility by handling
X-Forwarded-Hostheaders - Strengthened request validation
- None
2025-09-05
Documentation updates
- Updated API documentation with corrected parameters
- Removed redundant request parameters
- Improved example payloads
- None
August 2025
v1.0.1 - Private Beta Improvements
2025-08-28
Payment processing enhancements
- Improved SPEI transfer handling
- Enhanced bank account validation (CLABE format)
- More informative error messages for invalid bank accounts
- None
2025-08-15
Webhook reliability improvements
- Added automatic retry for failed webhook deliveries
- Implemented webhook event deduplication
- Enhanced HMAC-SHA256 signature verification
- Webhook receivers should remain idempotent due to retries and deduplication.
- None
2025-08-05
Balance API enhancements
- Added
/balance/allendpoint for multi-currency support - Improved balance precision handling
- Added
availableandpendingbalance breakdown
- None
July 2025
v1.0.0 - Initial Release
2025-07-25
Public API v1.0.0 releasePublic release of the LuxCore Payment Gateway API.Core features
- Payment creation (deposits and withdrawals)
- Multiple payment methods support
- Hosted payment pages (
deposit_pp,withdrawal_pp) - Real time webhook notifications
- Balance inquiry API
- Test and production modes via API key prefixes (
qp_test_sk_*,qp_prod_sk_*)
bank_transfer- bank transfers (Argentina, Uruguay)spei- Mexican interbank transfers (SPEI)oxxo- cash payments at OXXO storescard- credit and debit cards (tokenized)cash- cash paymentscrypto- cryptocurrency payments
ARS- Argentine pesoUYU- Uruguayan pesoMXN- Mexican peso
payment.created- payment initializedpayment.processing- payment is being processedpayment.completed- payment successfulpayment.failed- payment failedpayment.cancelled- payment cancelledpayout.created- payout initiatedpayout.completed- payout successfulpayout.failed- payout failed
2025-07-10
Private beta launch
- Initial API endpoints for selected partners
- Core payment functionality
- Basic webhook support
- Authentication via API keys
Versioning Policy
The LuxCore API uses semantic versioning:- Major versions (v1, v2) indicate breaking changes
- Minor versions add new features that are backwards compatible
- Patches include bug fixes and minor improvements
Breaking changes
We strive to minimize breaking changes. When they occur:- We announce them at least 1 month in advance
- We provide migration guides
- We support the previous version during a transition period
Deprecation policy
Deprecated features will:- Be announced in the changelog
- Continue working for at least 3 months
- Return deprecation warnings in API responses when possible
Upcoming Changes
These features are in development. Timelines are estimates and may change.
Q2 2026 (planned)
- Programmatic Refunds - Initiate refunds via API instead of support tickets
- Transaction Reports - Export transaction history and analytics
- Batch Payouts - Bulk payout operations (up to 1000 payouts per request)
- Webhook Filtering - Subscribe to specific event types and filter by criteria
- Additional currencies - CLP (Chilean peso)