FAQ

Quick answers to common questions about using the P100 Partner API

Find solutions to the most frequently encountered issues and questions during API integration.

General & Authentication

How do I get an API key?

To access the P100 Partner API, you'll need a P100 Business Account:

Apply for a Business Account → Visit P100.io

Account Review → Our team will review your application

Onboarding → Once approved, you'll receive:

Staging API key (partner-api-stage.p100.io)

Production API key (partner-api.p100.io)

Integration documentation and dedicated support

What's the difference between staging and production environments?

Environment	URL	Purpose	Data
Staging	`https://partner-api-stage.p100.io`	Development & Testing	Test data, no real money
Production	`https://partner-api.p100.io`	Live Operations	Real transactions & funds

Best Practices:

Always test thoroughly in staging before production deployment.

Use separate API keys for each environment.

Never use production keys in development/testing.

❌ Getting "401 Unauthorized - Access Denied" error?

This specific error indicates an API key authentication problem:

✅ Quick Fix Checklist:

Common Issues:

❌ Missing x-api-key header.

❌ Wrong environment (using a staging key on a production URL).

❌ Copy-paste errors (extra spaces or hidden characters).

Debug Steps:

Verify header name: x-api-key (not X-API-Key).

Check if the environment URL matches your key type.

Ensure no trailing whitespace in the key value.

Where should I store my API key securely?

🚫 Never Do:

Hard-code in source code.

Commit to version control (e.g., GitHub, GitLab).

Store in client-side applications (mobile apps, frontend).

Share in plain text communications.

✅ Recommended Approaches:

Environment Variables:

Cloud Secret Managers:

AWS Secrets Manager

HashiCorp Vault

Azure Key Vault

Google Secret Manager

User Management & Verification (KYC)

Who can be verified? (Supported Geographies & Documents)

The P100 Partner API supports a global user base. Users from over 180 supported countries can be successfully onboarded.

Accepted Documents:
For every supported country, you can verify users using either:

National ID Card

Passport

For the full list of allowed jurisdictions, please refer to our Supported Countries page.

What is POA and when is it required?

POA = Proof of Address

A document that verifies the user's residential address for AML compliance purposes.

When is it required?
Proof of Address is optional by default. However, it becomes strictly mandatory if a user is classified as High Risk by our AML systems during the verification process. Your integration should be prepared to handle dynamic requests for a POA.

Acceptable Documents:

Utility bills (gas, electricity, water)

Bank statements

Official government correspondence

Document Requirements:

Must be issued within the last 3 months.

Must clearly show the user's full name and residential address.

Must be issued by a recognized institution.

How do I get a user's balance for the first time?

Since balances are only created after a successful verification, you should not call the Get User Balances endpoint immediately after creating a user.

The correct, event-driven flow is:

Create a user and submit their documents for verification.

Listen for the /webhook/user/status webhook. You will receive this notification when verification is successful and the user's account status becomes ACTIVE. The payload looks like this:

{
  "externalUserId": "bca65c48-df49-4831-a7b2-de7903321581",
  "status": "ACTIVE"
}

After receiving the webhook confirming the ACTIVE status, you can safely call GET /v1/user/balances/{externalUserId} to retrieve the user's newly generated balances.

This approach ensures you only request balances when you are certain they exist, preventing unnecessary API errors.

What are the available methods for KYC verification?

You can onboard a user through two distinct KYC methods depending on your integration preference:

Method A (Direct API Integration)
Use this method when you want to handle the UI and collect the user's KYC documents yourself.

Method B (Hosted Verification Flow)
Use this method when you want to redirect the user to a secure portal to complete the document submission and liveness check.

Transactions & Exchange

Transaction created successfully but balance is unchanged?

This is normal behavior - P100 transactions are asynchronous.

Transaction Lifecycle:

Process Flow:

Immediate Response → Transaction is queued and an ID is returned.

Background Processing → Compliance checks and balance validations occur.

Final Status → You receive a webhook notification with the final status.

✅ How to Track Status:
The best way to track the final status of a transaction is by listening for our real-time webhook notifications. See the Webhooks section for a full list of transaction events.

Difference between get-rate vs get-lock endpoints?

The key difference is that get-rate provides an indicative, non-guaranteed market price, while get-lock provides a guaranteed, executable rate for a specific transaction.

Use get-rate for informational purposes.
Think of it as a live market snapshot. It's perfect for displaying an estimated conversion rate in your user interface.

Use get-lock to prepare for an actual transaction.
This endpoint provides a guaranteed exchange rate for a specific user that is locked for 60 seconds. You should call this immediately before creating the exchange to ensure the user gets the exact quoted rate.

Rule of Thumb:

Show the user an estimate using get-rate.

When the user is ready to confirm, call get-lock to get a final rate.

Immediately use the response from get-lock to execute the transaction.

What is the Travel Rule and when do I need it?

Travel Rule is a global Anti-Money Laundering (AML) regulation that requires sharing sender and recipient information for crypto transactions above certain thresholds.

When Travel Rule Applies:

Crypto deposits exceeding local fiat equivalent thresholds (e.g., > $1,000 USD).

Transactions originating from exchanges or other custodial services.

Webhook Notification:
When a transaction requires Travel Rule data, you will receive a specific webhook:

{
  "event_type": "crypto_deposit.status_changed",
  "data": {
    "cryptoDepositId": "dep_123",
    "status": "WAITING_FOR_TR_DATA",
    "amount": "0.05",
    "currency": "btc"
  }
}

Providing Required Information:

Webhooks

How do I verify webhook authenticity?

Verifying every webhook is a critical security measure to ensure the data originates from P100 and has not been tampered with.

Our system uses a secret token for authentication. Every webhook request includes an Authorization HTTP header containing your unique token.

Verification Process:

Extract Token: Read the value from the Authorization header.

Compare Secret: Securely compare the received token with the secret token provided to you during account setup.

Validate:

If tokens match, process the payload and return a 200 OK status.

If tokens do not match (or the header is missing), discard the request immediately and return 401 Unauthorized.

What happens if my server is down during webhook delivery?

Automatic Retry System
P100 implements an exponential backoff retry strategy for failed webhooks:

Attempt	Delay After Previous Failure
1st	- (Initial delivery)
2nd	~8 seconds
3rd	~16 seconds
4th	~32 seconds
5th	~64 seconds

Retry Conditions:

Non-2xx HTTP responses from your server.

Connection timeouts (30s).

DNS resolution failures or SSL/TLS errors.

Need Help?

💬 Support

Can't find what you're looking for? Contact our support team for assistance.

General & Authentication#

User Management & Verification (KYC)#

Transactions & Exchange#

Webhooks#

Need Help?#

General & Authentication

User Management & Verification (KYC)

Transactions & Exchange

Webhooks

Need Help?