Skip to main content
Use the interactive playground below to exercise the Zennopay Partner API against the sandbox environment. Every endpoint defined in openapi.json is callable here — request bodies are validated client-side against the schema before they’re sent.
The playground talks to https://api.sandbox.zennopay.com. Use a sandbox HMAC key ({partner}_sandbox_*) — production keys are rejected by the sandbox host.

What you’ll need

  • A sandbox HMAC key (X-Zennopay-Key-Id) and shared secret. Compute the signature with the canonical-request recipe from Authentication.
  • For JWT-protected endpoints (GET /v1/payment_intents/{intent_id} and POST /v1/payment_intents/{intent_id}/confirm), a freshly minted partner JWT bound to the intent you’re calling. See Debugging auth for a tool that decodes your JWT so you can sanity-check the claims before trying it here.

Endpoints

The playground is generated from /openapi.json and groups endpoints by tag:
  • Payment IntentsPOST /v1/payment_intents, GET /v1/payment_intents/{intent_id}, POST /v1/payment_intents/{intent_id}/confirm, POST /v1/payment_intents/{intent_id}/cancel

Open the OpenAPI spec

Raw OpenAPI 3.1 document. Drop this into Postman, Insomnia, or your own codegen if you’d rather build a client locally.

Tips for first-time use

The most common causes, in order:
  1. Clock skew. X-Zennopay-Timestamp must be within ±5 minutes of server time. NTP-sync your machine.
  2. Body hash mismatch. The canonical request hashes the exact bytes of the request body. Don’t pretty-print or re-serialize between signing and sending.
  3. Source IP not allowlisted. The sandbox allowlist is configured per partner in the dashboard.
Decode the JWT with the JWT inspector first and confirm:
  • aud is zennopay-checkout
  • exp - iat is ≤ 600 seconds
  • zennopay:intent_id matches the path parameter you’re calling
  • zennopay:amount_usd_cents and zennopay:corridor match the intent’s persisted values
  • iss is registered in the dashboard and its JWKS is reachable
Each X-Zennopay-Nonce is single-use within a 10-minute window. Generate a fresh random 32-byte hex string for every request — never hardcode or reuse one.