Idempotency keys on every endpoint. Webhooks with replay and 30-day history. A sandbox that mirrors production, network-for-network. Documentation that doesn't lie.
Create a charge, send the customer a URL, listen for the webhook. The rest is your business logic.
# POST https://api.coinmoove.io/v1/charges curl https://api.coinmoove.io/v1/charges \ -H "Authorization: Bearer sk_live_•••" \ -H "Idempotency-Key: ord_4f8a2c1" \ -d amount=149.00 \ -d currency=EUR \ -d accept[]=BTC,ETH,USDC \ -d settle_to=EUR
{
"id": "ch_01H9YJ7K",
"status": "awaiting_payment",
"amount": 14900,
"currency": "EUR",
"hosted_url": "https://pay.coinmoove.io/ch_01H9YJ7K",
"expires_at": "2026-05-14T19:42:01Z"
}
// PHP — POST /webhooks/coinmoove $payload = file_get_contents('php://input'); $sig = $_SERVER['HTTP_COINMOOVE_SIGNATURE']; if (!CoinMoove::verify($payload, $sig, $secret)) { http_response_code(400); exit; } $event = json_decode($payload, true); if ($event['type'] === 'charge.confirmed') { fulfilOrder($event['data']['reference']); } http_response_code(200);
SIGNATURE: HMAC-SHA256 OVER RAW BODY · ROTATING SECRETS · 5-MINUTE REPLAY WINDOW
First-party, MIT-licensed, with type definitions where they exist. Generated against the same OpenAPI spec the docs use — the SDK never drifts from the truth.
Every mutating endpoint accepts an idempotency key. Retry safely. Avoid double-charges on flaky networks.
Inspect, replay, and re-deliver the last 30 days of events from the dashboard. Signed payloads, rotating secrets.
Same API surface, real testnets, fake assets. The only difference is the network ID. Switch with one env var.
API version pinned at account level. Breaking changes ship to a new version — older versions are supported for at least 24 months. You move on your schedule.
Every request, response, and webhook attempt is searchable for 90 days. Export as JSON or stream to your SIEM.
Full reference, recipes, postman collections, and a status page that doesn't lie. All public, no log-in required.