API Reference
Human-readable reference for all Payments Service REST endpoints. For interactive exploration and full request/response schemas, see API Specification (Swagger UI).
Authentication
All endpoints require AWS Signature V4 (SigV4) authentication via the Authorization header.
| Caller Type | Authentication |
|---|---|
Internal FloatMe services |
AWS IAM + SigV4. The caller’s AWS account ID is validated by the |
Mobile app |
JWT token. The user ID is extracted from the token by the authorizer middleware and used for path parameter validation. |
Payments
| Method | Path | Summary |
|---|---|---|
|
|
Submit a payment. Routes to JPM ACH (subscription), Usio ACH (float/loan), Usio pinless debit/credit, or Usio RTP based on request body. Returns |
|
|
Get all payment records for a user from |
|
|
Get a single payment record by its processor-assigned confirmation ID. |
See Payment Flow for routing logic and status transitions.
Prenotes
| Method | Path | Summary |
|---|---|---|
|
|
Submit a zero-dollar ACH prenote to JPM for bank account validation. Fetches bank account from DynamoDB, decrypts with KMS, submits directly to JPM. |
|
|
Submit a zero-dollar ACH prenote to Usio. Can target the subscription debit account ( |
See Prenotes for submission flow and NACHA return code reference.
Debit Cards
Two versions of the debit card endpoints coexist, backed by different DynamoDB tables:
-
v1 endpoints use the legacy path
/{user_id}/debit-card(singular). They operate onpinless-default-card— the legacy table with one record per user. -
v2 endpoints use
/{user_id}/payments/debit-cards(plural, nested under payments). They operate on the newprod-paymentssingle table, which supports multiple debit cards per user.
New cards are written to both tables when primary_card_type = ALL. Reads on the new table fall back to the legacy table transparently — see DynamoDB Tables for the migration fallback behaviour.
v1 Endpoints (Legacy)
| Method | Path | Summary |
|---|---|---|
|
|
Save a Usio pinless debit/credit token for a user. Raw card numbers are never stored. |
|
|
Get the user’s primary debit card record, including masked card number and validity status. |
|
|
Delete the user’s debit card record. |
|
|
Check whether the user’s debit card can currently be changed based on recent payment activity. Returns |
|
|
Test environment only. Forces the user’s debit card to return a failure response. Used for QA payment failure testing. |
|
|
Get the history of debit card changes for a user. |
v2 Endpoints
| Method | Path | Summary |
|---|---|---|
|
|
Save a Usio debit token (v2 path). Uses v2 card validation logic; skips outstanding-float check for admin callers. |
|
|
Get all debit cards for a user. Accepts optional |
|
|
Get a specific debit card by its FloatMe debit card ID. |
|
|
Delete a specific debit card by FloatMe debit card ID. |
|
|
Update a specific debit card by FloatMe debit card ID. |
Admin Endpoints
| Method | Path | Summary |
|---|---|---|
|
|
Admin/support endpoint. Toggles |
|
|
Admin update of a debit card using v2 logic. Skips outstanding-float verification — intended for Backoffice and internal API calls only. |
|
|
Admin version of toggle-failure by debit card ID. |
|
|
Force-delete a debit card. Support/admin endpoint. |
See DynamoDB Tables for the debit card table schemas and migration fallback behaviour.
Bank Accounts
| Method | Path | Summary |
|---|---|---|
|
|
Returns the last 4 digits of the account number for the given user and Plaid account ID. |
|
|
Deletes a bank account record from DynamoDB. Also triggers blocklist removal for the user. |
|
|
Checks whether a bank account already exists by hash. Returns the user IDs that have the same |
See DynamoDB Tables for the bank-accounts schema and encryption details.
Refunds
| Method | Path | Summary |
|---|---|---|
|
|
Submit a Usio refund transaction. Can be tied to a specific payment or submitted as an arbitrary amount not linked to any existing payment. |
|
|
Get all refund records for a user from |
Blocklist
| Method | Path | Summary |
|---|---|---|
|
|
Returns the current blocklist status for a user ( |
|
|
Returns the full history of blocklist status changes for a user. |
|
|
Manually add a user to the blocklist. Support/admin endpoint. Requires a |
|
|
Manually remove a user from the blocklist. Also triggered automatically via SQS when a user updates their bank account. |
See Blocklist for auto-blocking logic and return code reference.
Fraud
| Method | Path | Summary |
|---|---|---|
|
|
Performs up to four fraud checks (user ID, install ID, bank account hash, debit card hash). Returns |
|
|
Saves the result of a completed float (success or failure) to the fraud log. Called by the float-service after disbursement. |
See Fraud Detection for check behavior and log storage details.
Usio Transactions
| Method | Path | Summary |
|---|---|---|
|
|
Returns Usio transaction records for a user. Requires |
|
|
Checks whether a Usio tokenization transaction passes the AVS code check. Queries the Usio master account only. |
Payment Methods
| Method | Path | Summary |
|---|---|---|
|
|
Returns available payment methods for a user, including RTP eligibility. Returns |
QA
| Method | Path | Summary |
|---|---|---|
|
|
Test environment only. Saves a list of payment records directly to the test DynamoDB table. Used to seed test data. |
Error Codes
| HTTP Status | Meaning |
|---|---|
|
Request succeeded. For |
|
Resource created successfully (prenotes, blocklist add, QA payments). |
|
Accepted for processing (debit card delete, bank account delete, force-delete). |
|
Action completed; no response body. |
|
Invalid request body (JSON decode error, missing required fields). |
|
Returned by |
|
Resource not found (payment, debit card, bank account, refund). |
|
Returned by |
|
Unhandled server error, provider API error, or DynamoDB write failure. |
POST /payments returns 200 with status = "FAILED" when the payment provider rejects the payment. It only returns 500 on infrastructure errors (e.g. DynamoDB write failure, provider unreachable).
|