API Workspace

LIVE

⚠️ LIVE MODE — Real API calls. Wallet will be charged for POST requests.

⚡ RESTful API v1

No Docs. Just Build.

Every endpoint. Live sandbox. Real responses. No PDF, no Postman, no separate docs site — everything you need to integrate is right here.

Get your credentials from Admin Panel → top header → API Access — or use Smart Login in the sidebar

Getting Started Guide

Everything you need to integrate — auth, signing, error codes, and more. No external docs needed.

🔒 Authentication — 4 required headers ▶

Every API request must include these 4 headers. Missing any one will result in a 401 error.

Header Description

X-API-Key Your API key starting with vk_live_

X-Timestamp Current Unix timestamp in seconds. Must be within 5 minutes of server time.

X-Signature HMAC-SHA256 hex digest signed with your API secret.

X-Tenant-Code Your 6-digit tenant path code. Not part of the signature.

⚡ How HMAC signing works ▶

The signature proves your request is authentic and hasn't been tampered with.

HMAC-SHA256( timestamp + method + endpoint + body, api_secret )

1Get the current Unix timestamp (seconds) — e.g. 1714728000

2Concatenate: timestamp + HTTP method (uppercase) + full endpoint path with query string + JSON body (empty string for GET)

3Sign the concatenated string with your API secret using HMAC-SHA256

4Send the hex digest as the X-Signature header

Use the above to test your signing logic.

📌 Access types — free, activated, subscription ▶

Not all modules are available by default. Access depends on your plan.

Type Modules Requirement

Free Wallet, UCB, UVS, Marketplace, B2C, Users Active API key only

SA Activated Kamao (Referral Program) Super Admin must enable

Subscription Micro Loan Services Active chapter subscription

🛡 Rate limits & IP whitelist ▶

Rate Limiting

Requests are limited per API key per minute. If you exceed the limit, you'll receive a 429 response with error code RATE_LIMITED. Wait and retry.

IP Whitelist

Every API key requires at least 1 whitelisted IP (max 5). Requests from non-whitelisted IPs are rejected with 403 and error code AUTH_IP_BLOCKED. Manage IPs from Admin Panel → API Access.

⚠️ Error handling — codes & HTTP status ▶

All errors return JSON with success: false, an error_code string, and a human-readable message. Always check the HTTP status first, then parse error_code for programmatic handling.

HTTP Error Code Meaning

401 AUTH_MISSING_KEY X-API-Key header not sent

401 AUTH_INVALID_KEY API key not found

401 HMAC_INVALID Signature mismatch

401 TIMESTAMP_EXPIRED Timestamp older than 5 minutes

403 AUTH_IP_BLOCKED IP not whitelisted

403 MODULE_ACCESS_DENIED Not authorized for this module

429 RATE_LIMITED Too many requests per minute

422 VALIDATION_ERROR Invalid or missing parameters

🔬 Sandbox vs Live mode ▶

Sandbox Mode

POST requests return predefined dummy responses. No wallet charges. Safe for testing your integration logic. GET requests still return real data even in sandbox.

Response header: X-API-Mode: sandbox

Live Mode

All requests hit real APIs. POST requests will charge your wallet. Use only after your integration is tested and verified in sandbox.

Response header: X-API-Mode: live

Toggle between modes from Admin Panel → API Access → Sandbox/Live switch.

Response Send a request to see the response here

This workspace is for authorized API consumers only. All requests are logged and monitored. Unauthorized access attempts may result in permanent key revocation.
By using this workspace or making any API call, you agree to the API Terms of Use.
© 2026 Vistarkriya. All rights reserved.

Smart Login

Enter OTP

Credentials Loaded

No Docs. Just Build.