1. What Is the API Developer Workspace

The Vistarkriya API Developer Workspace is a browser-based, interactive tool where developers can explore, test, and integrate with every API endpoint the platform offers. It lives at vistarkriya.com/website/developers.php and requires no login to access the page itself.

Think of it as Postman, API documentation, and a code generator combined into one interface — except it runs entirely in your browser with zero setup. You paste your API credentials, pick an endpoint from the sidebar, fill in parameters, and hit Send. The workspace handles HMAC signature generation client-side using the Web Crypto API, sends the request, and displays the response with syntax-highlighted JSON.

There is no separate documentation site. There is no PDF to download. There is no Swagger UI to configure. The workspace is the documentation — every endpoint includes its description, parameter details, cost indicator (free or paid), response schema, and sample bodies. The tagline says it clearly: No Docs. Just Build.

2. Why This Is Different from Traditional API Documentation

Most fintech API providers in India follow the same pattern: a static documentation page (or worse, a PDF), a separate Postman collection link, and a long list of endpoints with example request/response JSONs you have to manually copy into your code. The developer has to switch between three or four tools before they can send their first authenticated request.

Vistarkriya's approach collapses all of that into a single screen.

3. Smart Login — Credentials in 30 Seconds

The most common friction point when working with any API is getting your credentials into the testing tool. You open the dashboard, find the API settings page, copy the key, switch tabs, paste it, go back, copy the secret, switch tabs again, paste it. Smart Login eliminates this entirely.

How Smart Login Works

4. Workspace Layout — Sidebar, Request Pane, Response Pane

The workspace uses a three-panel layout designed for efficient API testing. On desktop, all three panels are visible simultaneously. On mobile (below 900px), the request and response panes are switchable via tabs, and the sidebar is accessible through a hamburger toggle.

Sidebar (Left Panel)

The sidebar contains everything you need before sending your first request. At the top is the platform logo linking back to the main site, followed by the "Developer Workspace" label and the HMAC Playground button. Below that is the Smart Login button and three credential input fields: API Key (expects a vk_live_ prefixed key), API Secret, and Tenant Code. Once all three are filled, a "Remember credentials" panel appears with 1-hour, 4-hour, and 24-hour save options. The sidebar also includes a "What's My IP?" button that calls the ipify API and displays your public IP for whitelisting purposes, and an SDK download section with buttons for PHP, Python, and Node.js. The bottom of the sidebar is the endpoint navigation — a collapsible list of all API modules and their endpoints, dynamically loaded from a catalog endpoint.

Request Pane (Center)

When you select an endpoint, the center pane transforms from a welcome screen into a request builder. It shows the HTTP method badge (GET/POST/PUT/DELETE), the full endpoint path, and a Send button with a loading spinner. Below the request bar, you see the endpoint description, cost indicator, optional notes, query parameter inputs (for GET), or a JSON body editor (for POST/PUT) with real-time validation that shows whether your JSON is valid or invalid as you type. If a sample body is available and you are in sandbox mode, a "Fill Sample" button appears. At the bottom, a collapsible Response Schema section documents every field the endpoint returns, including nested fields with indentation. A Ctrl+Enter keyboard shortcut lets you send requests without reaching for the mouse.

Response Pane (Right Panel)

The response pane starts with an empty state message. After sending a request, it displays the HTTP status code (color-coded: green for 2xx, yellow for 4xx, red for 5xx), response time in milliseconds, and the full JSON response body with syntax highlighting — keys, strings, numbers, booleans, and null values are each colored differently. A "Copy as" dropdown lets you export the request as cURL, PHP (cURL), Python (requests), or Node.js (fetch) code with all your actual headers and payload pre-filled. Below the response, a request history panel tracks your last 10 requests with timestamp, method, endpoint name, status code, and response time. You can click any history entry to replay and review its response.

5. Authentication — 4 Required Headers

Every API request to Vistarkriya must include exactly 4 custom headers. Missing any one of them results in a 401 authentication error.

6. HMAC Signing — How It Works and the Built-In Playground

HMAC (Hash-based Message Authentication Code) signing ensures that every request is authentic — it proves the request came from someone who holds the API secret, and that the request was not tampered with in transit.

The Signing Formula

Step-by-Step Breakdown

The HMAC Playground

The workspace includes a built-in HMAC Playground — a modal tool accessible from the sidebar button or the welcome screen. It lets you enter each component of the signature (timestamp, method, endpoint, body, and secret) individually, and shows you three things in real time: the exact "string to sign" with each component color-coded, the resulting HMAC-SHA256 hex digest, and a one-click Copy button. There is also a "Set Current Timestamp" button that auto-fills the current Unix time. This is the fastest way to debug a signature mismatch — enter the same values your code is using and compare the outputs.

The HMAC generation in both the workspace and the playground uses the Web Crypto API (crypto.subtle.importKey and crypto.subtle.sign) — no external libraries, no server round-trip. The signing happens entirely in your browser.

7. Sandbox vs Live Mode

The workspace automatically detects your API key's mode from the X-API-Mode response header and adjusts the interface accordingly.

You toggle between modes from your Admin Panel → API Access → Sandbox/Live switch. The workspace detects the change automatically on the next request — no need to refresh the page.

8. Access Types — Free, SA Activated, Subscription

Not all API modules are available by default. Access depends on your account type and plan.

If you try to access a module you are not authorized for, the API returns a 403 status with error code MODULE_ACCESS_DENIED, and the workspace appends a guidance message telling you how to get access.

9. Copy as Code — cURL, PHP, Python, Node.js

After sending any request in the workspace, a "Copy as" button appears in the response pane. This generates production-ready code from the request you just made — not a generic template, but your actual URL, your actual headers (including the HMAC signature), and your actual request body.

The supported languages are:

The code is copied to your clipboard instantly with a toast notification confirming the language. This means you can test an endpoint in the workspace, verify the response, and immediately paste a working code snippet into your project — with the correct headers already in place.

10. SDK Downloads

The sidebar includes a dedicated "API Client SDK" section with three download buttons: PHP, Python, and Node.js. Each button opens a new tab and downloads the SDK file directly from the platform's API endpoint server. These are complete client libraries that handle HMAC signature generation, header construction, error handling, and request execution — so you can start making API calls with a few lines of code instead of building the authentication layer from scratch.

The SDK files are served from /api/v1/endpoints/sdk-{language}.php?raw=1 — meaning they are always the latest version. No GitHub repository to clone, no package manager to configure. Download, drop into your project, configure your credentials, and call endpoints.

11. Error Handling and Smart Error Guidance

All API errors return a consistent JSON structure with three fields: success: false, an error_code string for programmatic handling, and a human-readable message.

The workspace takes this a step further with Smart Error Guidance — when the response contains an error_code, the workspace automatically appends a contextual help message below the JSON response, telling you exactly what went wrong and how to fix it.

Complete Error Code Reference

When building your own integration, always check the HTTP status first, then parse the error_code field for programmatic handling. The message field is intended for human display and may change — error_code will not.

12. Rate Limits and IP Whitelisting

The workspace includes a "What's My IP?" button in the sidebar that calls the ipify API and displays your current public IP address. It also shows a hint: "whitelist this" — reminding you to add it to your IP whitelist in the admin panel before making API calls from that network.

13. Developer-First Features — History, Dark Mode, Keyboard Shortcuts

Beyond the core testing functionality, the workspace includes several quality-of-life features designed for developers who spend extended time working with APIs.

Request History

The response pane tracks your last 10 requests in a collapsible history panel. Each entry shows the timestamp, HTTP method, endpoint name, status code (color-coded), and response duration. Clicking any entry replays its response with full syntax highlighting — useful for comparing responses across different parameter combinations without re-sending requests.

Dark Mode

A theme toggle button in the header switches between light and dark mode. The preference is saved to localStorage and persists across sessions. The entire workspace — sidebar, request pane, response pane, modals, and all components — respects the theme.

Keyboard Shortcut

Ctrl+Enter (or Cmd+Enter on Mac) sends the current request instantly. No need to reach for the Send button.

JSON Body Validation

For POST and PUT endpoints, the body editor validates your JSON in real time as you type. A green checkmark confirms valid JSON; a red cross shows the exact parse error with position. This prevents wasted requests on malformed payloads.

Credential Memory

Once all three credential fields are filled, a "Remember credentials for" panel appears with options for 1 hour, 4 hours, or 24 hours. Credentials are base64-encoded and stored in localStorage with a timestamp-based expiry. On return visits, they auto-fill and the remaining time is displayed. A Clear button lets you wipe stored credentials instantly.

Offline Detection

If your network connection drops, a banner appears at the top of the workspace warning that requests will fail. When the connection is restored, a "Back online" toast confirms recovery. This is detected via the browser's native online/offline events.

Mobile-Responsive Layout

The workspace is fully functional on mobile devices. Below 900px, the request and response panes are switchable via tabs. Below 640px, the sidebar collapses into a hamburger toggle. After sending a request on mobile, the workspace automatically switches to the response tab with a notification dot.

CORS Error Handling

If a request fails due to a CORS issue, the workspace detects it and displays the exact headers your API server needs to include (Access-Control-Allow-Origin, Access-Control-Allow-Headers) — instead of a cryptic browser error.

14. Getting Started — Step by Step

Here is the fastest path from zero to a working API call.

15. Frequently Asked Questions

Start Integrating Today

The Vistarkriya API Developer Workspace is designed for one purpose: to eliminate everything between you and a working API integration. No PDF documentation to read. No Postman collections to import. No Swagger UI to set up. You open the workspace, authenticate, pick an endpoint, and send a live request — all within a single browser tab.

With Smart Login for instant credential access, an HMAC Playground for debugging signatures, one-click code generation in 4 languages, downloadable SDKs, sandbox mode for safe testing, contextual error guidance, request history, dark mode, keyboard shortcuts, and full mobile support — this is the integration experience that fintech platforms with 50-person engineering teams offer. Except it is available to every Vistarkriya tenant, free of charge.

If you are building fintech applications — whether you are a DSA agent integrating CRM and verification services, a developer connecting credit bureau and loan origination APIs, a CA/CS firm automating compliance workflows, or an NBFC building custom applications — the workspace is your starting point.