Dalang Pay is a secure and developer-friendly payment gateway API platform designed to simplify payment integration across Indonesian financial ecosystems.
\nIt enables partners to create Virtual Accounts, generate QRIS codes, perform fund disbursements, and manage reconciliation using standardized RESTful APIs that comply with SNAP (National Standard Open API for Payments) by Bank Indonesia.
\nDalang Pay supports both Symmetric and Asymmetric signature authentication, ensuring every API request is verified and tamper-proof.
\nThrough its modular endpoints, merchants and institutions can connect to multiple banks, manage payment channels such as VA, QR, and monitor real-time transactions securely.
\nURL: https://dashboard.dalangpay.com
\nThe Dalang Pay Client Dashboard is the control panel for registered partners.
It is used to manage credentials, view available products, and monitor configuration.
Generate and manage credentials
\nView your Client Key / Client ID
Generate or rotate your private key / client secret
\nDownload the public key that Dalang Pay will use to verify your signature
\nManage signature mode (Symmetric / Asymmetric)
\nView product activation status
\nSee which payment products are currently enabled for your account
(e.g. Virtual Account, QRIS MPM, Direct Debit, Bank Transfer)
Check which bank channels or payout channels are available to you
\nReview each product’s service code and endpoint path
\nAccount profile and limits
\nView your merchant profile information
\nMonitor settlement accounts / destination accounts
\n\n\nAll credentials (Client Key, client secret / private key, webhook configuration, and product access) are managed from the Dalang Pay Dashboard. Each partner is responsible for keeping these credentials safe and generating their own request signatures in production.
\n
Important:
\nFor security reason, partners are advised to whitelist Dalang Pay's IP Address: 13.228.138.76 . Please incorporate this into your system firewall configurations.
Dalang Pay provides two helper endpoints in the sandbox environment:
\nAuth Signature
\nSignature Access (Symmetric/Asymmetric)
\nThese helper endpoints exist only for testing and onboarding purposes.
\nThey allow you to:
\nVerify how the signature is constructed
\nValidate the final X-Signature format
\nExperiment quickly using Postman
\nImportant:
\nAuth Signature, Signature Access (Symmetric Signature), and Signature Access (Asymmetric Signature) are provided for sandbox/testing purposes only.
These helper endpoints are not available in production.
\nIn production, you must generate the signature on your side using your own client secret / private key. Dalang Pay will verify the signature, but will not generate it for you.
\nDalang Pay uses the following service codes for its endpoints, following the SNAP format: HTTP Status Code + Service Code + Case Code. Example: A successful Get Token B2B request (Service Code 73) returns 2007300.
Reference SNAP Documentation: Response Code (Response Code section)
\nReference SNAP Documentation: Response Code (Response Code section)
\n","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[],"owner":"50997704","collectionId":"ecb29d04-b764-4cb9-8229-52fb940a8e16","publishedId":"2sBXVZnDix","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"},"publishDate":"2025-12-23T07:01:41.000Z"},"item":[{"name":"AUTHENTICATION","item":[{"name":"Utilities","item":[{"name":"Auth Signature","id":"0cb86102-995c-4ab3-891d-412006892c44","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Private_Key","value":"MIIEugIBADANBgkqhkiG9w0BAQEFAASCBKQwggSgAgEAAoIBAQCbQVYbzmeqOPnc\\...+vXGzNgM\\nasp7/9rHflVuhy1KOyo=","description":"The private key used for generating an asymmetric signature (SHA256 with RSA).\nObtain this key from your Dalang Pay Developer Dashboard\n.\nIt must be in Base64-encoded PEM format and kept confidential — do not expose it in client-side code.
\n","type":"text"},{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","description":"Required when using Asymmetric Signature (RSA-SHA256).\nRepresents the client identifier registered in the Dalang Pay Developer Dashboard.\nUsed together with Private_Key to generate a digital signature in the format {ClientKey}|{Timestamp}.
\n","type":"text"},{"key":"X-Timestamp","value":"2025-01-01T23:59:59Z","description":"A timestamp string following ISO 8601 format: YYYY-MM-DDTHH:mm:ssZ.\nUsed to prevent replay attacks — the request is only valid for 60 seconds from this timestamp.\nExample: 2025-01-01T23:59:59Z.
\n","type":"text"}],"url":"{{baseURL}}/snap-api/v1/utilities/signature-service","description":"This endpoint is available only in the sandbox / UAT environment.
\nPurpose:
\nHelp you build and verify the correct Signature
Show you how the final X-Signature header should look
Allow you to test the flow quickly using Postman
\nThis endpoint must NOT be called in production.
\nIn production:
\nYou MUST generate the signature locally in your own system
\nYou MUST send the generated signature in the X-Signature header
You MUST NOT send your private key or client secret to Dalang Pay
\nDalang Pay does not expose this endpoint in production and will not sign requests for you.
\nSNAP uses SHA256 Signed With RSA as the standard for signing Auth API requests. The signed data uses the pattern {ClientKey}|{TimeStamp}. You can get ClientKey and Private Key from Dalang Pay Client Dashboard.
The final signature must be sent as a Base64 string in the X-Signature header.
Example Code:
\n$privateKey = 'YourPrivateKeyFromClientDashboard';\n$clientKey = 'YourClientKeyFromClientDashboard';\n$timestamp = '2025-01-01T23:59:59Z';\n// 1. Build the string to sign\n$dataToSign = $clientKey . '|' . $timestamp;\n// 2. Sign using RSA-SHA256\n$signatureBinary = '';\nopenssl_sign($dataToSign, $signatureBinary, $privateKey, OPENSSL_ALGO_SHA256);\n// 3. Convert binary signature to Base64\n$signatureBase64 = base64_encode($signatureBinary);\necho $signatureBase64;\n?>\n\nconst { createSign } = require('crypto');\nconst privateKey = 'YourPrivateKeyFromClientDashboard';\nconst clientKey = 'YourClientKeyFromClientDashboard';\nconst timestamp = '2025-01-01T23:59:59Z';\n// 1. Build the string to sign\nconst dataToSign = clientKey + '|' + timestamp;\n// 2. Sign using RSA-SHA256 and output Base64\nconst signatureBase64 = createSign('sha256')\n .update(dataToSign)\n .sign(privateKey, 'base64');\nconsole.log(signatureBase64);\n\nRequired when using Symmetric Signature (HMAC-SHA512).\nContains the Bearer token obtained from /access-token/b2b.
\n","type":"text"},{"key":"EndpointUrl","value":"/snap-api/v1/access-token/b2b","description":"Specifies the target API endpoint that will be simulated during the signature generation process.\nAllowed values correspond to valid SNAP API paths (e.g. /snap-api/v1/balance-inquiry, /snap-api/v1/transfer-va/create-va, /snap-api/v1/qr/qr-mpm-generate).\nThis helps determine the request path used as part of the signing string.
\n","type":"text"},{"key":"HttpMethod","value":"POST","description":"Indicates the HTTP method used in the signature process.\nAllowed values: GET or POST.\nThis value must match the actual HTTP method used when sending the API request.
\n","type":"text"},{"key":"X-Client-Secret","value":"c4nehEmpSdSDw8HeYarbYvCf","description":"Required when using Symmetric Signature (HMAC-SHA512).\nRepresents the client’s secret key, used to compute the HMAC signature.
\n","type":"text"},{"key":"X-Timestamp","value":"2025-01-01T23:59:59Z","description":"A timestamp string following ISO 8601 format: YYYY-MM-DDTHH:mm:ssZ.\nUsed to prevent replay attacks — the request is only valid for 60 seconds from this timestamp.\nExample: 2025-01-01T23:59:59Z.
\n","type":"text"}],"body":{"mode":"raw","raw":"{\n \"virtualAccountName\": \"String\",\n \"trxId\": \"String\"\n}","options":{"raw":{"language":"json"}}},"url":"{{baseURL}}/snap-api/v1/utilities/signature-service","description":"This endpoint is available only in the sandbox / UAT environment.
\nPurpose:
\nHelp you build and verify the correct Signature
Show you how the final X-Signature header should look
Allow you to test the flow quickly using Postman
\nThis endpoint must NOT be called in production.
\nIn production:
\nYou MUST generate the signature locally in your own system
\nYou MUST send the generated signature in the X-Signature header
You MUST NOT send your private key or client secret to Dalang Pay
\nDalang Pay does not expose this endpoint in production and will not sign requests for you.
\nSNAP uses HMAC_SHA512 as the standard for symmetric signing of API requests with clientSecret as the secret key. The signed data uses the pattern {HTTPMethod}:{EndpointUrl}:{AccessToken}:{LowercaseHashedRequestBody}:{TimeStamp}. While LowercaseHashedRequestBody is obtained by making RequestBody into single-line, then hashing it using SHA256 with HEX format made into lower-case.
If explained, here are the steps that must be taken:
\n1 . Normalize and hash the request body (conditional)
\nDalang Pay expects request bodies in JSON format. By default, JSON is multiline / pretty-printed. For signing, you must convert it into a single-line JSON string, then hash it.
\nExample body (raw JSON):
\n{\n \"name\": \"Eko Sugema\",\n \"address\": \"Jl. Surabaya Selatan II / 123\"\n}\n\nThis must be converted to a single-line string:
\n{\"name\":\"Eko Sugema\",\"address\":\"Jl. Surabaya Selatan II / 123\"}\n\nThen you hash that single-line string using SHA-256, and take the result as lowercase hex. For example:
\n069a81f985277e7aade3f503088cde559ba09ea0603e00a568aed10a3d8f1920\n\nExample Code:
\n$payload = [\n 'name' => 'Eko Sugema',\n 'address' => 'Jl. Surabaya Selatan II / 123'\n];\n// 1. Minify JSON (no spaces / newlines)\n$trimmedPayload = json_encode($payload, JSON_UNESCAPED_SLASHES);\n// 2. SHA256 hash, output as lowercase hex\n$hashPayload = strtolower(\n bin2hex(hash('sha256', $trimmedPayload, true))\n);\n\nconst { createHash } = require('crypto');\nconst payload = {\n name: \"Eko Sugema\",\n address: \"Jl. Surabaya Selatan II / 123\"\n};\n// 1. Minify JSON\nconst trimmedPayload = JSON.stringify(payload);\n// 2. SHA256 hash -> lowercase hex\nconst hashPayload = createHash('sha256')\n .update(trimmedPayload)\n .digest('hex')\n .toLowerCase();\n\n2. Pattern of Data to be Signed
\nThe data pattern that will be signed is
\nPattern:
\n{HTTPMethod}:{EndpointUrl}:{AccessToken}:{LowercaseHashedRequestBody}:{TimeStamp}\n\nExample (with payload):
\nPOST:/open-api/v1/va/create:946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6:069a81f985277e7aade3f503088cde559ba09ea0603e00a568aed10a3d8f1920:2025-01-01T23:59:59Z\n\nExample (no payload):
\nGET:/open-api/v1/wallet:946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6::2025-01-01T23:59:59Z\n\n3. Sign The Data using HMAC_SHA512 and encode as Base64
The last step is Hash the data using HMAC_SHA512 with your X-Client-Secret that you created from
The final signature MUST be encoded in Base64, and that Base64 value is what you send in the X-Signature header.
Example (HMAC → Base64):
\n$secretKey = 'YourSecretKeyFromClientDashboard';\n$dataToSign = $httpMethod . ':' .\n $urlPath . ':' .\n $accessToken . ':' .\n $hashPayload . ':' .\n $timestamp;\n// 1. Generate HMAC-SHA512 (binary output)\n$rawSignature = hash_hmac('sha512', $dataToSign, $secretKey, true);\n// 2. Encode as Base64 for transport\n$signatureBase64 = base64_encode($rawSignature);\necho $signatureBase64;\n\nconst { createHmac } = require('crypto');\nconst secretKey = 'YourSecretKeyFromClientDashboard';\nconst dataToSign = [\n httpMethod,\n urlPath,\n accessToken,\n hashPayload,\n timestamp\n].join(':');\n// 1. Generate HMAC-SHA512\nconst rawSignature = createHmac('sha512', secretKey)\n .update(dataToSign)\n .digest();\n// 2. Convert to Base64\nconst signatureBase64 = rawSignature.toString('base64');\nconsole.log(signatureBase64);\n\nSpecifies the target API endpoint that will be simulated during the signature generation process.\nAllowed values correspond to valid SNAP API paths (e.g. /snap-api/v1/balance-inquiry, /snap-api/v1/transfer-va/create-va, /snap-api/v1/qr/qr-mpm-generate).\nThis helps determine the request path used as part of the signing string.
\n","type":"text"},{"key":"HttpMethod","value":"POST","description":"Indicates the HTTP method used in the signature process.\nAllowed values: GET or POST.\nThis value must match the actual HTTP method used when sending the API request.
\n","type":"text"},{"key":"Private_Key","value":"MIIEugIBADANBgkqhkiG9w0BAQEFAASCBKQwggSgAgEAAoIBAQCbQVYbzmeqOPnc\\...+vXGzNgM\\nasp7/9rHflVuhy1KOyo=","description":"Required when using Asymmetric Signature (RSA-SHA256).\nContains the Base64-encoded private key provided in the Dalang Pay Developer Dashboard.\nThis key is used to generate the digital signature through the RSA-SHA256 algorithm.
\n","type":"text"},{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","description":"Required when using Asymmetric Signature (RSA-SHA256).\nRepresents the client identifier registered in the Dalang Pay Developer Dashboard.\nUsed together with Private_Key to generate a digital signature in the format {ClientKey}|{Timestamp}.
\n","type":"text"},{"key":"X-Timestamp","value":"2025-01-01T23:59:59Z","description":"A timestamp string following ISO 8601 format: YYYY-MM-DDTHH:mm:ssZ.\nUsed to prevent replay attacks — the request is only valid for 60 seconds from this timestamp.\nExample: 2025-01-01T23:59:59Z.
\n","type":"text"}],"body":{"mode":"raw","raw":"{\n \"virtualAccountName\": \"String\",\n \"trxId\": \"String\"\n}","options":{"raw":{"language":"json"}}},"url":"{{baseURL}}/snap-api/v1/utilities/signature-service","description":"This endpoint is available only in the sandbox / UAT environment.
\nPurpose:
\nHelp you build and verify the correct Signature
Show you how the final X-Signature header should look
Allow you to test the flow quickly using Postman
\nThis endpoint must NOT be called in production.
\nIn production:
\nYou MUST generate the signature locally in your own system
\nYou MUST send the generated signature in the X-Signature header
You MUST NOT send your private key or client secret to Dalang Pay
\nDalang Pay does not expose this endpoint in production and will not sign requests for you.
\nSNAP uses SHA_256 Signed With RSA as the standard for asymmetric signing of API requests. The signed data uses the pattern {HTTPMethod}:{EndpointUrl}:{LowercaseHashedRequestBody}:{TimeStamp}. While LowercaseHashedRequestBody is obtained by making RequestBody into single-line, then hashing it using SHA256 with HEX format made into lower-case.
If explained, here are the steps that must be taken:
\nDalang Pay uses JSON for request bodies. By default, JSON is usually formatted across multiple lines. For signing, you must convert it into a single-line JSON string.
\n1. Trim the body request and Hash using SHA256 (conditional)
\nExample:
\n{\n \"name\": \"Eko Sugema\",\n \"address\": \"Jl. Surabaya Selatan II / 123\"\n}\n\nThis must be converted to a single-line string:
\n{\"name\": \"Eko Sugema\",\"address\": \"Jl. Surabaya Selatan II / 123\"}\n\nThen you hash that single-line string using SHA-256, and take the result as lowercase hex. For example:
\n069a81f985277e7aade3f503088cde559ba09ea0603e00a568aed10a3d8f1920\n\nExample Code:
\n$payload = [\n 'name' => 'Eko Sugema',\n 'address' => 'Jl. Surabaya Selatan II / 123'\n];\n// 1. Minify JSON (no spaces / newlines)\n$trimmedPayload = json_encode($payload, JSON_UNESCAPED_SLASHES);\n// 2. SHA256 hash, output as lowercase hex\n$hashPayload = strtolower(\n bin2hex(hash('sha256', $trimmedPayload, true))\n);\n\nconst { createHash } = require('crypto');\nconst payload = {\n name: \"Eko Sugema\",\n address: \"Jl. Surabaya Selatan II / 123\"\n};\n// 1. Minify JSON\nconst trimmedPayload = JSON.stringify(payload);\n// 2. SHA256 hash -> lowercase hex\nconst hashPayload = createHash('sha256')\n .update(trimmedPayload)\n .digest('hex')\n .toLowerCase();\n\n2. Pattern of Data to be Signed
\nThe data pattern that will be signed is
\nPattern:
\n{HTTPMethod}:{EndpointUrl}:{LowercaseHashedRequestBody}:{TimeStamp}\n\nExample (with payload):
\nPOST:/open-api/v1/va/create:069a81f985277e7aade3f503088cde559ba09ea0603e00a568aed10a3d8f1920:2025-01-01T23:59:59Z\n\nExample (no payload):
\nGET:/open-api/v1/wallet::2025-01-01T23:59:59Z\n\n3. Hash The Data using SHA256 Signed With RSA and encode as Base64
The last step is Hash the data using SHA_256 with your Private Key that you get from
The final signature MUST be encoded in Base64, and that Base64 value is what you send in the X-Signature header.
Example (RSA → Base64):
\n$privateKey = 'YourPrivateKeyFromClientDashboard';\n$dataToSign = $httpMethod.':'.\n $urlPath.':'.\n $hashPayload.':'.\n $timestamp;\n$signature = '';\nopenssl_sign($dataToSign, $signature, $privateKey, OPENSSL_ALGO_SHA256);\necho base64_encode($signature);\n\nconst { createSign } = require('crypto');\nconst privateKey = 'YourPrivateKeyFromClientDashboard';\nconst dataToSign = [\n httpMethod,\n urlPath,\n hashPayload,\n timestamp\n].join(':');\nconst signature = createSign('sha256').update(dataToSign).sign(privateKey, 'hex');\nconsole.log(signature);\n\nAbout Auth Signature and Signature Access
The Auth Signature and Signature Access endpoints are provided for sandbox / UAT integration testing only.
\nAllowed usage (sandbox only):
\nGenerate a test signature to try Dalang Pay endpoints from Postman
\nConfirm that your request headers are correct (X-Timestamp, EndpointUrl, etc.)
Debug signature mismatches during integration
\nNot allowed (production):
\nCalling these endpoints from a live application
\nSending your client secret or private key to Dalang Pay
\nRelying on Dalang Pay to generate X-Signature for you at runtime
In production:
\nYou generate the X-Signature locally using your own credentials
Dalang Pay will only verify your signature
\nDalang Pay will never generate or return a production signature on your behalf
\nAny request sent to production APIs must already include a valid X-Signature created by the client.
Dalang Pay supports two types of cryptographic signatures:
\nAuth Signature (Asymmetric) — uses SHA256 with RSA to sign authentication requests.
{ClientKey}|{TimeStamp}
\nGenerated using your Private Key obtained from the Dalang Pay Client Dashboard.
\nEnsures each client identity is securely verified.
\nTransaction Signature (Symmetric / Asymmetric) — used for business API requests such as VA, QRIS, or Disbursement.
\nSymmetric (HMAC-SHA512) → signs request body with your clientSecret.
Asymmetric (RSA) → signs using your registered Private_Key.
{HTTPMethod}:{EndpointUrl}:{AccessToken}:{LowercaseHashedRequestBody}:{TimeStamp}
\nWhen no request body exists, use an empty string \"\" for LowercaseHashedRequestBody.
These signatures confirm that the payload has not been altered and that each request originates from a trusted partner application.
\n","_postman_id":"76c09dfc-7d4f-450a-a2a7-6584e0d482df"},{"name":"Get Token B2B","id":"7fbee40e-fae9-4cd6-9b6f-a77a862d6569","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","type":"text"},{"key":"X-Signature","value":"1fd81deda180dbd789f5b15...22c0f04f243868dd5b2a8d","type":"text"},{"key":"X-Timestamp","value":"2025-01-01T23:59:59Z","type":"text"},{"key":"X-Signature-Id","value":"01JE2Z9ZHCBTM75T07MACVZHM5","type":"text"}],"url":"{{baseURL}}/snap-api/v1/access-token/b2b","description":"This endpoint is used to retrieve a Business-to-Business (B2B) access token, which represents an authenticated session between your system and Dalang Pay.
\nAfter a successful request containing your signature and client credentials (X-Client-Key, X-Timestamp, and X-Signature), Dalang Pay returns an accessToken and tokenType.
\n\nIn production, the client is responsible for generating and sending a valid
\nX-Signature. Dalang Pay will validate the signature but will not generate it for you.
The token must be included in subsequent API requests in the Authorization header as:
Authorization: Bearer {accessToken}\n\nEach token has an expiration period (expiresIn), after which you must request a new one.
\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
Snap Service Code: 73
\n","urlObject":{"path":["snap-api","v1","access-token","b2b"],"host":["{{baseURL}}"],"query":[],"variable":[]}},"response":[{"id":"6983a9d5-4779-4cec-94bd-44c7fa1ba9ac","name":"200 OK","originalRequest":{"method":"POST","header":[{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","type":"text"},{"key":"X-Signature","value":"1fd81deda180dbd789f5b15...22c0f04f243868dd5b2a8d","type":"text"},{"key":"X-Timestamp","value":"2025-01-01T23:59:59Z","type":"text"},{"key":"X-Signature-Id","value":"01JE2Z9ZHCBTM75T07MACVZHM5","type":"text"}],"url":"{{baseURL}}/snap-api/v1/access-token/b2b"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Fri, 05 2025 12:56 GMT","description":"","type":"text"},{"key":"Content-Type","value":"application/json","description":"","type":"text"},{"key":"Content-Length","value":"207","description":"","type":"text"},{"key":"Connection","value":"keep-alive","description":"","type":"text"},{"key":"Cache-Control","value":"no-cache, private","description":"","type":"text"},{"key":"Server","value":"FrankenPHP Caddy","description":"","type":"text"},{"key":"Vary","value":"Origin","description":"","type":"text"},{"key":"X-Powered-By","value":"PHP/8.4.15","description":"","type":"text"},{"key":"X-Ratelimit-Limit","value":"600","description":"","type":"text"},{"key":"X-Ratelimit-Remaining","value":"599","description":"","type":"text"}],"cookie":[],"responseTime":null,"body":"{\n \"responseCode\": \"2007300\",\n \"responseMessage\": \"Successful\",\n \"accessToken\": \"946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6\",\n \"tokenType\": \"Bearer\",\n \"expiresIn\": 86400\n}"}],"_postman_id":"7fbee40e-fae9-4cd6-9b6f-a77a862d6569"}],"id":"0a49f4a3-b5fb-4a50-bee3-3b852910efc2","description":"Authentication endpoints in Dalang Pay provide secure identity validation between partner systems and Dalang Pay’s API gateway.
\nAll API requests must include a valid signature and, in some cases, a B2B access token to ensure data integrity, prevent tampering, and comply with SNAP (Standard National Open API for Payments) security standards.
\nDevelopers can use these endpoints to generate or verify signatures and obtain access tokens before calling any business APIs (e.g., Virtual Account, QRIS, Disbursement).
\nThe authentication flow consists of:
\nGenerate Signature – Create a cryptographic signature (X-Signature) using your Private Key or Secret Key.
Obtain B2B Token – Request an access token by calling /access-token/b2b with the generated signature.
Call Business APIs – Use the obtained token and signature in subsequent API requests (e.g., Virtual Account, QRIS, Disbursement).
\nEach signature and token is time-bound (typically 60 seconds) to prevent replay attacks and ensure integrity.
\n","_postman_id":"0a49f4a3-b5fb-4a50-bee3-3b852910efc2"},{"name":"BALANCE","item":[{"name":"Balance Inquiry","id":"63a83b21-84ae-4207-a2b5-8efd7993f573","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer 946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6","type":"text"},{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","type":"text"},{"key":"X-Signature","value":"1fd81deda180dbd789f5b15...22c0f04f243868dd5b2a8d","type":"text"},{"key":"X-Timestamp","value":"2025-10-23T21:37:37Z","type":"text"},{"key":"X-Signature-Id","value":"01JE2Z9ZHCBTM75T07MACVZHM5","type":"text"}],"url":"{{baseURL}}/snap-api/v1/balance-inquiry","description":"This endpoint allows the client to retrieve the current account balance information.
\nIt can be accessed using either Symmetric or Asymmetric Signature Authentication, depending on the client configuration.
\nThe request must be signed properly using the X-Signature header and timestamped with X-Timestamp to ensure security and compliance with SNAP standards.
\n\nIn production, the client is responsible for generating and sending a valid
\nX-Signature. Dalang Pay will validate the signature but will not generate it for you.
\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
This endpoint does not require a request body.
\nAll necessary authentication parameters are included in the request headers.
\nSnap Service Code: 11
\nThis endpoint allows partners to create a Virtual Account (VA) under Dalang Pay’s payment system.
\nEach VA can be configured for one-time use or multi-use, depending on your business requirements.
\nIt can be accessed using either Symmetric or Asymmetric Signature Authentication, depending on the client configuration.
\nThe request must be signed properly using the X-Signature header and timestamped with X-Timestamp to ensure security and compliance with SNAP standards.
\n\nIn production, the client is responsible for generating and sending a valid
\nX-Signature. Dalang Pay will validate the signature but will not generate it for you.
\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
Snap Service Code: 27
\nDalang Pay provides a complete Virtual Account (VA) payment solution that allows customers to make payments through various Indonesian banks. Partners can create one-time or multi-use Virtual Accounts depending on operational needs.
\nDalang Pay support multiple banks and financial institutions.
\nEach channel is identified using a channelCode.
Example VA channels include:
\nVA_BCA - Bank Central Asia
VA_BNI - Bank Negara Indonesia
VA_MANDIRI - Bank Mandiri
VA_BRI - Bank Rakyat Indonesia
VA_PERMATA - Permata Bank
\n\nThe available channels may vary based on your merchant setup.
\n
Some channels may require additional configuration or approval depending on your business type.
The latest and complete product/channel list can be viewed through the Dalang Pay Client Portal.
\nYou can view the full VA product catalog through the portal.
\nURL: dashboard.dalangpay.com/payment-channels (Login Required)
\n\n\n","_postman_id":"d9710f41-075f-405d-ad0c-ad81b4001923"},{"name":"QRIS","item":[{"name":"Create QR MPM","id":"15faba5a-77ef-4025-a15c-23078e427285","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer 946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6","type":"text"},{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","type":"text"},{"key":"X-Signature","value":"1fd81deda180dbd789f5b15...22c0f04f243868dd5b2a8d","type":"text"},{"key":"X-Timestamp","value":"2025-10-23T21:37:37Z","type":"text"},{"key":"X-Signature-Id","value":"01JE2Z9ZHCBTM75T07MACVZHM5","type":"text"}],"body":{"mode":"raw","raw":"{\n \"partnerReferenceNo\": \"20251025025500001\",\n \"amount\": {\n \"value\": \"1000.00\",\n \"currency\": \"IDR\"\n },\n \"additionalInfo\": {\n \"channelCode\": \"CODE_QRIS\",\n \"reusability\": \"ONE_TIME_USE\",\n \"expiredDate\": \"2025-10-27T00:00:00.000Z\"\n }\n}","options":{"raw":{"language":"json"}}},"url":"{{baseURL}}/snap-api/v1/qr/qr-mpm-generate","description":"Important:
\n
Access to the portal requires merchant credentials created by the Dalang Pay Admin team.
If your have not received your credentials, please contact Dalang Pay Support.
The Generate QR MPM (Merchant Presented Mode) endpoint is used to create a QR code that can be displayed by the merchant for customer payments.
\nCustomers scan this QR using preferred payment application (QRIS-compliant) to complete a transaction.
\nIt can be accessed using either Symmetric or Asymmetric Signature Authentication, depending on the client configuration.
\nThe request must be signed properly using the X-Signature header and timestamped with X-Timestamp to ensure security and compliance with SNAP standards.
\n\nIn production, the client is responsible for generating and sending a valid
\nX-Signature. Dalang Pay will validate the signature but will not generate it for you.
\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
Snap Service Code: 47
\nDalang Pay provides QRIS MPM (Merchant Presented Mode) payment services that allow customers to make payments by scanning a QR code displayed by the merchant. QRIS ensures interoperability across all Indonesian payment service providers (banks, e-wallets, fintech), enabling a seamless and standardized checkout experience.
\nPartners can generate transaction-specific QR codes (QRIS Dynamic) depending on operational needs.
\nQRIS Dynamic (MPM Dynamic)
\nA dynamically generated QR tied to a specific transaction.
\nContains:
\nAmount
\nUnique reference
\nValidity period
\nSingle-use payment mapping
\nExample QRIS channelCode:
QR_CODEThis is the primary QR type supported by Dalang Pay at the moment.
\n\n\nNote:
\n
As of now, Dalang Pay supports QRIS Dynamic only.
Support for QRIS Static is planned and will be made available in a future update.
Merchants will be notified once QRIS Static is officialy supported.
You can view the complete list of QRIS channels through the portal.
\nURL: dashboard.dalangpay.com/payment-channels (Login Required)
\n\n\n","_postman_id":"9bcf1a99-6338-4afb-b7b1-aff01bbe9278"},{"name":"DIRECT DEBIT","item":[{"name":"Create Payment","id":"fe8129fa-83cd-4250-8412-ceb2ee98960b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer 946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6","type":"text"},{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","type":"text"},{"key":"X-Signature","value":"1fd81deda180dbd789f5b15...22c0f04f243868dd5b2a8d","type":"text"},{"key":"X-Timestamp","value":"2025-10-23T21:37:37Z","type":"text"},{"key":"X-Signature-Id","value":"01JE2Z9ZHCBTM75T07MACVZHM5","type":"text"}],"body":{"mode":"raw","raw":"{\n \"partnerReferenceNo\": \"01JE2Z9ZHCBTM75T07MACVZHB1\",\n \"validUpTo\": \"2025-10-26T00:00:00.000Z\",\n \"amount\": {\n \"value\": \"10000.00\",\n \"currency\": \"IDR\"\n },\n \"additionalInfo\": {\n \"accountNumber\": 62895342279156\n },\n \"payOptionDetails\": [\n {\n \"payMethod\": \"E_WALLET\",\n \"payOption\": \"EWALLET_SHOPEEPAY\"\n }\n ]\n}","options":{"raw":{"language":"json"}}},"url":"{{baseURL}}/snap-api/v1/debit/payment-host-to-host","description":"Important:
\n
Access to the portal requires merchant credentials created by the Dalang Pay Admin team.
If your have not received your credentials, please contact Dalang Pay Support.
The Create Payment (Direct Debit) endpoint is used to initiate a host-to-host debit transaction from the customer’s account to the merchant’s account through Dalang Pay’s Direct Debit channel.
\nIt can be accessed using either Symmetric or Asymmetric Signature Authentication, depending on the client configuration.
\nThe request must be signed properly using the X-Signature header and timestamped with X-Timestamp to ensure security and compliance with SNAP standards.
\n\nIn production, the client is responsible for generating and sending a valid
\nX-Signature. Dalang Pay will validate the signature but will not generate it for you.
\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
Snap Service Code: 54
\nDalang Pay's Direct Debit API enables customers to pay directly from their registered funding source such as bank accounts, e-wallets, or card-based instruments.
\nDalang Pay supports multiple Direct Debit methods under the payOptionDetails parameter. Each method may come with different requirements depending on the customer's payment instrument.
Currently supported values for payMethod include:
E_WALLET - Direct debit using supported e-wallet providers
CARD - Payment using tokenized debit/credit cards (Coming Soon)
\n\nNote:
\n
The availability of each method may vary based on your merchant configuration.
Additional Direct Debit sources (such as bank accounts via Open Banking) may be enabled in future releases based on eligibility and regulatory approval.
The following e-wallet providers are available under payOption:
EWALLET_OVO - OVO
EWALLET_SHOPEEPAY - ShopeePay
EWALLET_DANA - DANA
EWALLET_GOPAY - GOPAY
EWALLET_LINKAJA - LinkAja
Each e-wallet may require:
\nCustomer account registration
\nAuthorization approval (OTP, PIN, biometric, or in-app confirmation)
\nTokenization for recurring or subscription-type transactions
\nYou can view the full list of supported Direct Debit providers through the portal.
\nURL: dashboard.dalangpay.com/payment-channels (Login Required)
\n\n\n","_postman_id":"8412ddc5-7966-4a10-b962-1ff4260d3efd"}],"id":"e33975a7-e019-4ac6-8415-dc06da640bfc","description":"Important:
\n
Access to the portal requires merchant credentials created by the Dalang Pay Admin team.
If your have not received your credentials, please contact Dalang Pay Support.
All APIs that allow customers to send funds to the merchant via Virtual Account, QRIS, or direct debit channels.
\n","_postman_id":"e33975a7-e019-4ac6-8415-dc06da640bfc"},{"name":"PAY-OUT","item":[{"name":"DISBURSEMENT","item":[{"name":"Account Inquiry","id":"2a08da01-dbbe-4dd5-88ea-b12e8dbbec75","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer 946a8d2c0aec0eb65737c5712b845c4d6273f9bc832dec3926a44d8a187a8710781101f7b038af99efb382402f1db2d6","type":"text"},{"key":"X-Client-Key","value":"01JE2Y4PMSF32RSV5XRWAJY2BX","type":"text"},{"key":"X-Signature","value":"1fd81deda180dbd789f5b15...22c0f04f243868dd5b2a8d","type":"text"},{"key":"X-Timestamp","value":"2025-10-23T21:37:37Z","type":"text"},{"key":"X-Signature-Id","value":"01JE2Z9ZHCBTM75T07MACVZHM5","type":"text"}],"body":{"mode":"raw","raw":"{\n \"customerNumber\": \"5432187678\",\n \"amount\": {\n \"value\": \"10000.00\",\n \"currency\": \"IDR\"\n },\n \"additionalInfo\": {\n \"beneficiaryBankCode\": \"DISB_BCA\"\n }\n}","options":{"raw":{"language":"json"}}},"url":"{{baseURL}}/snap-api/v1/emoney/bank-account-inquiry","description":"The Account Inquiry endpoint is used to validate the recipient's bank account before sending funds. It checks whether the given account number and bank code are valid and retrieves the account holder's name for confirmation.
\nThis step ensures payment accuracy and prevents transfer errors due to incorrect beneficiary data.
\n\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
Snap Service Code: 42
\nThe Transfer to Bank endpoint performs the actual disbursement process, transferring funds from the partner's Dalang Pay balance to a verified recipient bank account.
\nThis operation follows the two-step-model:
\nPerform Account Inquiry (to Validate).
\nCall Transfer to Bank (to execute the fund movement).
\nEach transfer is uniquely identified by a partnerReferenceNo for reconciliate and tracking.
\n\n\nEnsure all headers are generated before sending the request body.
\n
Requests with invalid or expired signatures will be rejected.
Snap Service Code: 42
\nDalang Pay provides a Disbursement API that enables partners to perform outgoing fund transfers from their balance or settlement account to external bank accounts or supported e-wallets.
\nThis API offers a secure and standardized way to automate payouts, refunds, vendor payments, and other outbound transfers, aligned with SNAP (Standard Nasional Open API Pembayaran) specifications.
\nPartners can initiate disbursements based on operational needs and supported payout channels.
\nDalang Pay supports disbursement to Indonesian banks and major e-wallets using standardized beneficiaryBankCode identifiers.
Each transfer request includes the destination channel code, beneficiary account number, and other relevant payment information.
\nbeneficiaryBankCode values:Bank Transfers
\nDISB_BCA – Bank Central Asia
DISB_PERMATA – Permata Bank
E-Wallet Transfers
\nDISB_EWALLET_OVO – OVO
DISB_EWALLET_SHOPEEPAY – ShopeePay
DISB_EWALLET_DANA – DANA
DISB_EWALLET_GOJEK – GoPay / GoJek
DISB_EWALLET_LINKAJA – LinkAja
\n\nThe availability of each channel may vary based on your merchant configuration and settlement setup. Additional transfer channels may be added in future updates, depending on bank partnerships and regulatory support.
\n
Disbursement methods include:
\nBank Account Transfer (Domestic)
\nReal-time or near real-time transfer depending on the banking partner.
\nAccount Inquiry
\nUsed to validate the beneficiary account before partner.
\n\n\nAdditional transfer channels may be added in the future depending on bank availability and regulatory support.
\n
A complete list of supported bank codes, settlement rules, and availability can be viewed in the.
\nURL: dashboard.dalangpay.com/payment-channels (Login Required)
\nImportant:
Access to the portal requires merchant credentials created by the Dalang Pay Admin team.
If your have not received your credentials, please contact Dalang Pay Support.
This module consists of two main endpoints:
\nAccount Inquiry -- to validate recipient bank account details before initiating a transfer.
\nTransfer to Bank -- to execute the actual disbursement (fund transfer) to a verified beneficiary account.
\nIt can be accessed using either Symmetric or Asymmetric Signature Authentication, depending on the client configuration.
\nThe request must be signed properly using the X-Signature header and timestamped with X-Timestamp to ensure security and compliance with SNAP standards.
\n\n","_postman_id":"12d8e07d-c89b-4f6e-955d-6d1a637e25e2"}],"id":"1a21ceac-cc32-4e18-906c-98630363d574","description":"In production, the client is responsible for generating and sending a valid
\nX-Signature. Dalang Pay will validate the signature but will not generate it for you.
All APIs used by merchants to send funds outward to bank accounts or beneficiaries.
\n","_postman_id":"1a21ceac-cc32-4e18-906c-98630363d574"}]}