Sign In

Crypto Payment API Guide 2026: How Developers Should Evaluate, Compare, and Integrate

Aurpaytech Jun 15
Share
Crypto Payment API Guide 2026: How Developers Should Evaluate, Compare, and Integrate

Judge a crypto payment API in 2026 on five things: custody model, fee anatomy, coin and chain coverage, webhook design, and testnet fidelity. Everything else is secondary. A non-custodial API that settles directly to your wallet at a flat 0.8% (Aurpay) or a self-hosted stack at $0 plus infrastructure costs (BTCPay Server) beats a custodial API at 1-2% for most merchants, because custodial APIs add a withdrawal step, counterparty risk, and usually a KYC queue before you can ship anything.

The stakes are higher than they were two years ago. Stablecoins now account for 52% of total crypto transaction volume, and 43% of crypto-enabled merchants accept USDC or USDT versus 36% for Bitcoin, so an API that treats stablecoin routing (ERC-20 versus TRC-20) as an afterthought costs your customers real money in network fees. The crypto payment gateway market is valued at roughly $2.39 billion in 2026, growing 18.7% annually, which means more providers, more marketing claims, and more reasons to read the docs before you commit.

Key takeaways:

  • A production-grade crypto payment API must cover five operations: payin, payout, orders, invoices, and webhooks.
  • Custody is the biggest architectural decision: non-custodial APIs (Aurpay, BTCPay) settle to your wallet on confirmation; custodial APIs (BitPay, NOWPayments by default since May 2026) hold funds until you withdraw.
  • Real cost = gateway fee + network fee + conversion fee + offramp fee. Headline rates hide three of the four.
  • Webhook security: verify signatures, enforce idempotency, return a success response fast.
  • A testnet backed by real testnet nodes, with separate API keys, is non-negotiable. Mock sandboxes miss confirmation-timing bugs.

What a Crypto Payment API Actually Does

A crypto payment API sits between your application and the blockchains you accept payment on. Instead of running Bitcoin, Ethereum, and Tron nodes yourself, generating addresses, watching mempools, counting confirmations, and handling reorgs, you make HTTPS calls to a gateway that does all of that and pushes status changes back to you. The build-versus-buy math is lopsided: direct integration across three or four chains is a multi-month project with permanent node-maintenance overhead, while a payment API integration is typically measured in days.

That abstraction is also why provider choice matters. You are outsourcing address generation, payment detection, and confirmation logic, so the provider’s reliability, custody model, and callback design become part of your system’s threat model. The API contract is easy to read in an afternoon; behavior during chain congestion or when a customer underpays an invoice separates providers, and it rarely appears on the pricing page.

Developer testing crypto payment API webhooks in a testnet sandbox

The Five Operations Every Production API Must Cover

Before comparing providers, check that the API surface actually covers your flows. Five operations form the baseline.

1. Payin

Payin is inbound payment creation, and good APIs offer it in two shapes. The first is a hosted-checkout call: you POST order details and get back a payment URL where the customer picks a coin and pays on a page the gateway maintains. Aurpay’s REST API calls this Get Payment URL. The second is direct order creation, where the API returns the payment details and you render the checkout yourself; Aurpay exposes this as Get Payment Info. Hosted checkout ships faster, direct creation gives you full UI control, and a provider offering both lets you launch hosted and migrate later.

2. Payout

Payout is outbound: sending crypto to vendors, affiliates, or customers for refunds, marketplace splits, or mass disbursements. Many “payment APIs” are payin-only, a dead end for marketplaces and platforms. Aurpay’s REST API covers both payin and payout operations, as does BTCPay’s Greenfield API through its payout and pull-payment endpoints. Payouts move your money, so check approval workflows and rate limits here.

3. Orders

Every payment needs a queryable lifecycle: created, pending, confirming, confirmed or expired, failed. Polling an order-status endpoint is your fallback when a webhook is missed, so the orders API is not optional even if you build everything around callbacks. Reconciliation jobs, support tooling, and accounting exports all read from it.

4. Invoices

Invoices are price-locked payment requests with an expiry window, delivered by link, email, or SMS. They matter for B2B billing and any flow where the payer acts minutes or hours after the request is created, because crypto prices move and someone has to own that exchange-rate risk. If your use case is invoice-heavy, read how crypto invoicing works for getting paid first; a no-code invoice product may cover you without an integration at all.

5. Webhooks

Webhooks (callbacks) are how the gateway tells you an order’s status changed. Aurpay sends callbacks to your configured URLs whenever order status changes, with two distinct types: a callback_url triggered on successful payment and a timeout_callback triggered when an order expires unpaid. Separating success and timeout simplifies your handler logic considerably. The API also supports succeed_url and timeout_url redirect targets with custom appended parameters, so the customer-facing redirect and the server-to-server callback stay decoupled, which is exactly how it should be.

Webhook Security: The Part Most Guides Skip

Webhook handling is the highest-risk code in a payment integration, because an attacker who can forge a “payment confirmed” callback gets free goods. Four practices are mandatory.

Verify authenticity on every callback. Never trust a callback because it hit the right URL. Aurpay offers Simple Authentication via URL parameters and Signature Authentication for callbacks; use signature verification in production, always. The same logic applies to outbound API calls: Aurpay documents API Key authentication for testing and Signature Authentication as the production-recommended mode.

Enforce idempotency. Gateways retry callbacks on timeouts and network errors, so your handler will receive duplicates. Key fulfillment on the order ID and make crediting an account or releasing goods a no-op the second time. Double-crediting from duplicate webhooks is the most common real-world bug in payment integrations.

Acknowledge fast, process async. Return a success response immediately and do fulfillment work on a queue, so a slow database write does not register as a failed delivery.

Reconcile by polling. Webhooks are at-least-once, not exactly-once, and occasionally zero when your endpoint is down past the retry window. Run a periodic job polling order status for stuck-pending orders. Aurpay supports confirmation via webhooks or polling, including for Lightning invoices, so both paths are first-class.

Testnet Is Not Optional

The difference between a real testnet and a mock sandbox shows up in the bugs that hurt most in production: confirmation timing, underpayment edge cases, and order-expiry races. A mock that instantly returns “confirmed” tests your happy path and nothing else.

Aurpay’s development environment connects to testnet full nodes with separate API keys for development and production, so a leaked test key cannot move real funds. Before going live, run at minimum: a normal payment through to confirmation, an order left to expire and trigger timeout_callback, a duplicate webhook against your idempotency logic, and a polling pass with the webhook endpoint offline.

When evaluating other providers, ask whether their sandbox is testnet-node-backed or simulated. Simulation-only environments will not surface chain-level behavior.

Custody Model: The Decision That Sets Your Risk Profile

Custody determines where funds sit between customer payment and your control, and it splits the market into three camps.

Non-custodial, direct settlement. Funds move from the customer to a wallet you control as soon as the chain confirms. There is no gateway balance, no withdrawal step, and no counterparty risk if the provider is breached or freezes accounts. Aurpay works this way: payments settle straight to the merchant wallet, the merchant holds 100% of the private keys, and no contracts or banking details are required to start. BTCPay Server is the self-hosted equivalent, and Coinbase Commerce offers a self-managed mode secured by a 12-word seed phrase alongside its Coinbase-managed option.

Custodial with withdrawal. BitPay and CoinGate hold funds in a gateway account you withdraw from. You gain fiat settlement and lose direct control; you also take on the provider’s KYC timeline, which for BitPay can take days or weeks before you process a single payment. NOWPayments historically offered non-custodial flows, but as of May 29, 2026, custody is enabled by default for all new accounts, so treat it as custodial-by-default when modeling risk.

MPC or managed-wallet platforms (Cobo and similar) target institutions wanting programmatic treasury control with policy engines. Capable, but a different product category than a merchant payment API.

For most merchants the right default is non-custodial: the gateway never becomes a honeypot holding your revenue. The full trade-off analysis is in our custodial vs non-custodial gateway comparison. The API-level consequence: non-custodial APIs have no withdrawal endpoints to integrate, monitor, or secure, because there is nothing to withdraw.

Fee Anatomy: What You Actually Pay

Headline rates compress four separate costs into one number. Decompose them before comparing.

  • Gateway fee: the provider’s cut per transaction. Aurpay charges a flat 0.8%.
  • Network fee: on-chain gas, chain-dependent. TRC-20 transfers cost cents; ERC-20 varies with Ethereum congestion.
  • Conversion fee: auto-converting received crypto to another asset. NOWPayments charges 0.5% for payments without exchange, rising to 1% for multi-currency and fixed-rate flows.
  • Fiat offramp fee: converting to and withdrawing fiat, relevant only to custodial gateways. Non-custodial APIs skip this line entirely; you convert on an exchange yourself, on your own schedule.
API provider Gateway fee Custody KYC to start Testnet / sandbox Lightning payin
Aurpay REST API 0.8% flat Non-custodial No contracts or banking details required Yes (testnet full nodes, separate API keys) Yes (LN invoice via API)
BTCPay Greenfield API $0 (self-hosted; you pay infrastructure) Non-custodial None (self-hosted) Yes (point an instance at testnet) Yes (native)
Coinbase Commerce API 1% (as listed) Self-managed or Coinbase-managed Coinbase account Limited No native LN payin
NOWPayments API 0.5% base; 1% for conversion and fixed-rate flows Custodial by default (new accounts, May 2026) Yes for fiat features Sandbox Via supported assets
BitPay API 1–2% (as listed) Custodial with withdrawal Yes (days to weeks) Test environment Yes
CoinGate API 1% (as listed) Custodial Yes Sandbox Yes

BTCPay API details per its Greenfield v1 reference; other figures per provider documentation. For a deeper cost breakdown, see the gateway fees comparison; if you are weighing self-hosting seriously, the Aurpay vs BTCPay Server comparison covers the maintenance cost the $0 headline hides.

Coin and Chain Coverage: Stablecoin Routing Matters Most

Coverage breadth is the most-marketed and least-decisive spec. NOWPayments advertises 350+ cryptocurrencies; in practice a handful of assets carry nearly all merchant volume, and stablecoins dominate it.

For USDT and USDC that means ERC-20 and TRC-20 at minimum. TRC-20 transfers settle in seconds for cents, which is why lower-ticket payments skew to Tron, while ERC-20 is the default for larger transfers. An API that supports USDT on only one network forces some customers into fees they will abandon checkout over; the mechanics are in our guide to accepting USDT on ERC-20 and TRC-20.

Aurpay’s API covers BTC, Bitcoin Lightning, ETH, USDT (ERC-20 and TRC-20), USDC (ERC-20 and TRC-20), DAI (ERC-20), and BNB, across Ethereum, Tron, Bitcoin mainnet, and Lightning. Lightning support is worth flagging: the API supports creating a Lightning invoice, presenting it to the customer, and confirming via webhooks or polling, the same lifecycle as on-chain orders, so you get fast, low-fee BTC payins without operating any Lightning infrastructure yourself. If a provider lists USDT on additional networks such as Polygon or BSC, verify it in their live docs rather than their marketing pages; an unsupported-network deposit is one of the few unrecoverable errors in crypto payments.

Integration Flow: From API Keys to First Confirmed Payment

Using Aurpay’s REST API as the concrete example, the path to production looks like this:

  • 1. Register a developer account and generate API keys. Development and production use separate keys; start in development, which runs against testnet nodes.
  • 2. Create a payment. Call Get Payment URL for a hosted checkout link, or Get Payment Info to render your own checkout. A full API reference and a Postman collection cover request shapes; errors come back as JSON with standard HTTP response codes.
  • 3. Configure callbacks and redirects. Set callback_url for successful payments and timeout_callback for expired orders, plus succeed_url and timeout_url for customer redirects. Enable Signature Authentication on callbacks.
  • 4. Handle the callback. Verify the signature, check idempotency against the order ID, acknowledge, then fulfill asynchronously. Add a polling reconciliation job for missed deliveries.
  • 5. Run the testnet scenario suite, then switch to production keys and deploy. Live payments settle directly to your wallet at 0.8% per transaction, with no withdrawal step to build.

If you get stuck, Aurpay’s documentation states that technical support via contact@aurpay.net is free of charge. One honest caveat: Aurpay does not publish language-specific SDKs, so you will make REST calls with your stack’s HTTP client, whereas BTCPay publishes C#, Python, and Node.js SDKs against an OpenAPI 3.0 spec. For an API of this size that is a few hours of wrapper code, but it belongs in your evaluation. And if you suspect you do not need an API at all, a no-code hosted checkout reaches the same settlement outcome.

FAQ

What is a crypto payment API, and how is it different from direct blockchain integration?

A crypto payment API is a REST interface for creating payments, payouts, orders, and invoices, with the provider running blockchain nodes, generating addresses, and monitoring confirmations. Direct integration means doing all of that yourself, per chain. The API route trades a per-transaction fee for a build measured in days instead of months.

Do I need KYC to use a crypto payment API?

It depends on the custody model. Custodial providers like BitPay require identity verification that can take days or weeks before you process payments. Aurpay’s non-custodial API requires no contracts or banking details to start, because funds settle to your own wallet rather than a provider-held account.

How do I test a crypto payment API before going live?

Use the provider’s testnet environment with dedicated test API keys. Aurpay’s development environment connects to testnet full nodes, so confirmations behave like the real chain. Test the success callback, the timeout path, duplicate webhook deliveries, and a polling reconciliation pass before switching keys.

Does Aurpay’s REST API support Lightning Network payments?

Yes. You can create a Lightning invoice through the API, present it at checkout, and confirm payment via webhooks or polling. Aurpay does not provide Lightning node hosting or channel management; it handles the payment-acceptance layer, so you receive LN payments without running Lightning infrastructure.

Which crypto payment API is cheapest overall?

BTCPay Server charges $0 in gateway fees but is self-hosted, so you pay for servers and maintenance time. Among hosted APIs, Aurpay’s 0.8% flat with no fiat offramp fee sits below BitPay’s listed 1–2% and the 1% tiers at Coinbase Commerce and CoinGate. NOWPayments starts at 0.5%, but conversion and fixed-rate flows raise the effective rate, so model your actual payment mix.

Start Building on a Non-Custodial Payment API

Aurpay’s REST API gives you payin, payout, orders, and invoices through one interface, with testnet and production environments, signature-authenticated webhooks, a Postman collection, and Lightning support. Settlement is non-custodial at a flat 0.8% per transaction: confirmed payments land in your own wallet, with no withdrawal queue and no contracts or banking details required to begin. Read the Aurpay API documentation, generate your testnet keys, and you can have a first confirmed test payment the same day.

Aurpaytech

The Aurpay team

Aurpay is a non-custodial crypto payment gateway helping merchants accept Bitcoin, Lightning, and stablecoin payments without giving up custody of their funds.