Accepting Cryptocurrency Payments with Paymint

Paymint is a cryptocurrency payment processor that allows businesses, solo developers, and others to easily accept payments in Bitcoin or Monero. With just a few simple steps, you can start accepting payments and receive callback notifications when payments are made.

To generate a cryptocurrency address, send a GET request to the following endpoint:

https://<coin\>.paymint.to/<output\>?callback=<callback\>

Where:

• <coin>: the cryptocurrency you want to generate an address for. This can be either BTC (bitcoin) or XMR (monero).
• <output>: the address you want to receive payments at. This must be a valid address for the cryptocurrency specified in <coin>.
• <callback>: the address to receive callback GET requests with information about received payments. This should be a unique address on your domain (for example, [https://example.com/payment/12345](https://example.com/payment/12345)). It is important that callback domains are unique to prevent forgery.

Example

Here is an example of a request to generate a bitcoin address:

GET https://btc.paymint.to/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2?callback=https://example.com/payment/12345

The response will be a JSON structure with the following fields:

• input: the address end users should send payments to (string).
• transactions: an array of objects representing transactions received at the input address. Each object has the following structure:
• • inbound: the transaction ID of the received payment (string).
  • outbound: the transaction ID of the forwarded payment (null if the transaction has not been forwarded yet).
  • confirmations: the number of confirmations the transaction has (integer).
  • input: the input address of the transaction (string).
  • output: the output address of the transaction (string).
  • amount: the amount of the received payment (string).

Example Response

{
"input": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
"transactions": \[
{
"inbound": "8ab61a2fc00ab3f05e876f70a0c7cd0e0b55b2ba8755002e3c467171848e1c5f",
"outbound": null,
"confirmations": 1,
"input": "43Z695PyZVXD9Jswbfjgdaa4wSyGbwx991qdmDxxBt5qJxxdR59EnbJ9VHAn8HzJbKEEEWCzPseJk1KxJwGfqJwxEW4GniH",
"output": "85hjkvaEUnYYNzeye9uSKVjHXctUSa6gUSRGKGSSVn78QqgJuLkHALBEn2Rz4ThiBG6ARverWsE7rHqyiTjHcoR

When a payment is received at the generated address, Paymint will send a callback notification to the callback URL specified in the API request. The callback notification will be a GET request with the following parameters:

• input: the input address of the transaction (string).
• output: the output address of the transaction (string).
• inbound: the transaction ID of the received payment (string).
• outbound: the transaction ID of the forwarded payment (possibly not defined if the transaction has not been forwarded yet).
• confirmations: the number of confirmations the transaction has (integer).
• received: the timestamp at which the payment was received (integer).
• forwarded: the timestamp at which the payment was forwarded (possibly not defined if the transaction has not been forwarded yet).

It is important to note that callback notifications may not be received in real-time, and there may be a delay between the time the payment is made and the time the callback notification is received.

Here is an example of a callback notification that might be received:

GET https://example.com/payment/12345?input=43Z695PyZVXD9Jswbfjgdaa4wSyGbwx991qdmDxxBt5qJxxdR59EnbJ9VHAn8HzJbKEEEWCzPseJk1KxJwGfqJwxEW4GniH&output=85hjkvaEUnYYNzeye9uSKVjHXctUSa6gUSRGKGSSVn78QqgJuLkHALBEn2Rz4ThiBG6ARverWsE7rHqyiTjHcoRcK5GAYqz&inbound=8ab61a2fc00ab3f05e876f70a0c7cd0e0b55b2ba8755002e3c467171848e1c5f&outbound=null&confirmations=1&received=1623456789&forwarded=null

To ensure that responses and callbacks are actually coming from Paymint and not a nefarious third party, you can verify the X-Signature header included in each response and callback. This header contains a RSASSA-PKCS1-v1_5 SHA-256 signature signed by Paymint's private key. The public key can be found at [https://paymint.com/key](https://paymint.com/key).

Utilizing this signature feature is not required, but is recommended to make the process more secure. To verify the signature, you will need to:

1. Retrieve the public key from the [https://paymint.com/key](https://paymint.com/key) endpoint.
2. Use the public key to verify the signature included in the X-Signature header of the response or callback.

Please note that Paymint's public key may change over time, so it is important to retrieve the current key before verifying each signature.

Here is an example of how you might verify the signature included in a Paymint callback:

const crypto = require('crypto');
const request = require('request');

const publicKey = retrievePaymintPublicKey();

request.get({
    url: 'https://example.com/payment/12345',
    headers: {
        'X-Signature': '<signature>'
    }
}, (error, response, body) => {
    if (error) {
        console.error(error);
        return;
    }

    const isSignatureValid = crypto.createVerify('RSA-SHA256')
        .update(body)
        .verify(publicKey, response.headers['x-signature'], 'base64');

    if (isSignatureValid) {
        console.log('Signature is valid');
    } else {
        console.log('Signature is invalid');
    }
});

This example uses the crypto and request modules in Node.js to retrieve the public key from the [https://paymint.com/key](https://paymint.com/key) endpoint and verify the signature included in the X-Signature header of the callback.

If the signature is valid, the isSignatureValid variable will be set to true. If the signature is invalid, it will be set to false.

Please note that this is just one example of how signature verification can be implemented, and there are many other ways to achieve the same result.