{"info":{"_postman_id":"69b0cfee-802b-4727-bd7b-b013e89bb889","name":"VERIFIED Crypto Checkout API","description":"

Official Postman collection for the VERIFIED Crypto Checkout API.

Quick Start

Set merchant_wallet to your Polygon USDC wallet address (starts with 0x, 42 chars)
Set webhook_secret to a strong random string (the SAME value must be set in your webhook handler's environment)
Set success_url and cancel_url to your redirect URLs
Run Create Session (Full) — test script auto-saves session_id and checkout_url
Redirect your customer to checkout_url exactly as returned — do NOT modify it
Verify payments via HMAC-SHA256 signed webhooks

Key Rules

No API key required — merchant identity = wallet address
order_id is required on every session creation request
webhook_secret is required whenever webhook_url is set
Sessions expire after 30 minutes
Never modify checkout_url after receiving it
Webhooks are the authoritative payment signal — only treat event: payment.confirmed / status: confirmed as paid
No sandbox — all sessions are live. Use small amounts ($1–$10) for testing.

Domains

API: https://payapi.verifiedcryptocheckout.com
Hosted Checkout: https://pay.verifiedcryptocheckout.com

Support

cryptocheckout@verifiedcreditcardprocessing.com

\n","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[],"owner":"53498215","collectionId":"69b0cfee-802b-4727-bd7b-b013e89bb889","publishedId":"2sBXinHAaA","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"},"publishDate":"2026-04-02T00:28:09.000Z"},"item":[{"name":"SESSION CREATION","item":[{"name":"1 · Create Session — Full Request ✅","id":"8bf171e9-932e-4883-a6d0-b30b1f41c937","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json","description":"

Required on all POST requests.

\n"},{"key":"Idempotency-Key","value":"784cc148-2af7-4a6d-842d-8df28452dc5a","description":"

Optional but recommended on retries. If same key is reused, the API may return the existing session instead of creating a duplicate.

\n"}],"body":{"mode":"raw","raw":"{\n \"amount\": 125.50,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"ORDER-1001\",\n \"customer_email\": \"customer@example.com\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\",\n \"webhook_url\": \"https://yourstore.com/api/payment-webhook\",\n \"webhook_secret\": \"CHANGE_ME_TO_A_STRONG_RANDOM_STRING\",\n \"metadata\": {\n \"cart_id\": \"CART-8821\",\n \"customer_id\": \"USR-442\"\n }\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"8bf171e9-932e-4883-a6d0-b30b1f41c937"},{"name":"2 · Create Session — Minimal (Required Fields Only)","id":"ba24780b-6383-4e8e-8385-78125eaf10db","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"amount\": 10.00,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"ORDER-001\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\",\n \"webhook_url\": \"https://yourstore.com/api/payment-webhook\",\n \"webhook_secret\": \"CHANGE_ME_TO_A_STRONG_RANDOM_STRING\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"ba24780b-6383-4e8e-8385-78125eaf10db"},{"name":"3 · Create Session — With Provider Hint","id":"9eb1c7f5-742f-45cf-8487-f6d9ed00fe93","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"},{"key":"Idempotency-Key","value":"36fc0ee2-9778-4c6c-b656-bcd72386a42a"}],"body":{"mode":"raw","raw":"{\n \"amount\": 75.00,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"ORDER-PROV-295\",\n \"customer_email\": \"customer@example.com\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\",\n \"webhook_url\": \"https://yourstore.com/api/payment-webhook\",\n \"webhook_secret\": \"CHANGE_ME_TO_A_STRONG_RANDOM_STRING\",\n \"provider\": \"moonpay\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"9eb1c7f5-742f-45cf-8487-f6d9ed00fe93"}],"id":"14066319-4741-4448-9bc6-65044d2389ae","description":"

Create payment sessions — the first and only required step to initiate a checkout flow.

Your server calls POST /v1/session with the order amount, currency, merchant wallet, and order details. VERIFIED validates the request, configures routing and settlement parameters, and returns a fully prepared checkout_url. Redirect the customer to that URL to begin the payment flow.

⚠️ Session creation must always be performed server-side — never from client-side JavaScript. Although no API key is required, server-side creation prevents tampering with order amounts, wallet values, and metadata.

\n","_postman_id":"14066319-4741-4448-9bc6-65044d2389ae"},{"name":"DEBUG","item":[{"name":"4 · Inspect URL Structure — GET /test-config","id":"83e5ebe2-152d-487e-a421-8bfd1c3f3f4d","request":{"method":"GET","header":[],"url":"https://payapi.verifiedcryptocheckout.com/test-config?wallet=0xYOUR_POLYGON_USDC_WALLET_ADDRESS&amount=10¤cy=USD&order_id=TEST-DEBUG-001&customer_email=customer@example.com&success_url=https://yourstore.com/order/success&cancel_url=https://yourstore.com/order/cancelled&webhook_url=https://yourstore.com/api/payment-webhook","urlObject":{"path":["test-config"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[{"key":"wallet","value":"0xYOUR_POLYGON_USDC_WALLET_ADDRESS"},{"key":"amount","value":"10"},{"key":"currency","value":"USD"},{"key":"order_id","value":"TEST-DEBUG-001"},{"key":"customer_email","value":"customer@example.com"},{"key":"success_url","value":"https://yourstore.com/order/success"},{"key":"cancel_url","value":"https://yourstore.com/order/cancelled"},{"key":"webhook_url","value":"https://yourstore.com/api/payment-webhook"}],"variable":[]}},"response":[],"_postman_id":"83e5ebe2-152d-487e-a421-8bfd1c3f3f4d"}],"id":"0c2b9d33-919c-400a-905a-c1453943b6f6","description":"

Developer helper endpoint for inspecting generated URL structures without creating a live payment session.

Use GET /test-config during development to validate your wallet address format, confirm redirect URLs are correctly formed, and inspect the checkout_url structure before going live.

⚠️ This endpoint does NOT create a live session and does NOT accept real payments.

\n","_postman_id":"0c2b9d33-919c-400a-905a-c1453943b6f6"},{"name":"ERROR HANDLING","item":[{"name":"5 · Error — Missing Wallet (expect 400)","id":"1eca86b7-eb8c-4bff-9260-10b30c1fcae8","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"amount\": 100.00,\n \"currency\": \"USD\",\n \"order_id\": \"ORDER-ERROR-TEST\",\n \"success_url\": \"https://example.com/success\",\n \"cancel_url\": \"https://example.com/cancel\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"1eca86b7-eb8c-4bff-9260-10b30c1fcae8"},{"name":"6 · Error — Invalid Wallet Format (expect 400)","id":"2528c108-3b35-47b3-b2c8-e485f7870d1b","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"amount\": 100.00,\n \"currency\": \"USD\",\n \"wallet\": \"INVALID_WALLET_NO_0x_PREFIX\",\n \"order_id\": \"ORDER-WALLET-ERROR\",\n \"success_url\": \"https://example.com/success\",\n \"cancel_url\": \"https://example.com/cancel\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"2528c108-3b35-47b3-b2c8-e485f7870d1b"},{"name":"7 · Error — Wrong HTTP Method GET /v1/session (expect 405)","id":"71702ee9-6d0e-42d5-8a23-cc799d501e71","request":{"method":"GET","header":[],"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"71702ee9-6d0e-42d5-8a23-cc799d501e71"},{"name":"8 · Error — Rate Limit Exceeded (expect 429)","id":"382e344c-b12b-3788-fd2d-b3a8d628a24f","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"amount\": 10.00,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"RATE-LIMIT-TEST\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"382e344c-b12b-3788-fd2d-b3a8d628a24f"}],"id":"75255bb2-c525-4126-b095-df8614a68c29","description":"

Reference requests demonstrating common error scenarios and the expected HTTP status codes.

All VERIFIED API errors return JSON with ok: false, code, error, and message fields.

\n","_postman_id":"75255bb2-c525-4126-b095-df8614a68c29"},{"name":"WEBHOOK REFERENCE","item":[{"name":"9 · Webhook Payload — payment.confirmed (Reference)","id":"e2373377-204c-48a5-90da-1a21fb1fe05f","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json","description":"

Webhook payload is always JSON.

\n"},{"key":"X-VCC-Timestamp","value":"1742040731","description":"

Unix timestamp (seconds). Reject if >5 minutes from current server time.

\n"},{"key":"X-VCC-Signature","value":"a3f8c2e1d7b9f4e2c1a8d7f3b2e9c4a1d8f7e2b3c9a4f1e8d7b2c3f9a4e1d8","description":"

HMAC-SHA256(webhook_secret, '{X-VCC-Timestamp}.{raw_body}'). Use constant-time comparison.

\n"}],"body":{"mode":"raw","raw":"{\n \"event\": \"payment.confirmed\",\n \"session_id\": \"\",\n \"order_id\": \"ORDER-1001\",\n \"amount\": 125.50,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"tx_hash\": \"0x8f12c4d9e3b7a2f1c6d8e5b4a3f2e1d9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4\",\n \"status\": \"confirmed\",\n \"timestamp\": \"2026-03-29T14:32:11Z\",\n \"amount_forwarded\": 120.48,\n \"confirmations\": 12,\n \"raw\": {\n \"provider\": \"moonpay\",\n \"provider_tx_id\": \"mp_8472afe1\",\n \"settlement_chain\": \"polygon\",\n \"settlement_token\": \"USDC\",\n \"block_number\": 56234118\n }\n}","options":{"raw":{"language":"json"}}},"url":"https://yourstore.com/api/payment-webhook","urlObject":{"host":["https://yourstore.com/api/payment-webhook"],"query":[],"variable":[]}},"response":[],"_postman_id":"e2373377-204c-48a5-90da-1a21fb1fe05f"}],"id":"b58ab8e3-dc15-427f-b2b6-b62041903146","description":"

Reference showing the structure of the HMAC-signed webhook POST that VERIFIED sends to your webhook_url when payment is confirmed on-chain.

Webhooks are the authoritative payment confirmation signal — never mark an order as paid based on the success_url redirect alone. Verify the HMAC-SHA256 signature on every incoming webhook before updating order state.

Only treat event: payment.confirmed / status: confirmed as paid. Other event/status combinations (e.g. pending) must not move the order to paid.

\n","_postman_id":"b58ab8e3-dc15-427f-b2b6-b62041903146"},{"name":"10 · Payment Links — Sharing checkout_url (Reference)","id":"14040f6b-6659-9c9c-3dbf-51f35c56d07d","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"},{"key":"Idempotency-Key","value":"f336ce78-3564-4dda-86d7-a559a4840ad2"}],"body":{"mode":"raw","raw":"{\n \"amount\": 75.00,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"ORDER-817\",\n \"customer_email\": \"customer@example.com\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\",\n \"webhook_url\": \"https://yourstore.com/api/payment-webhook\",\n \"webhook_secret\": \"CHANGE_ME_TO_A_STRONG_RANDOM_STRING\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","description":"

PATTERN — The checkout_url returned by every session is a fully functional, shareable payment link. Distribute it via email, SMS, invoice PDFs, or dashboard buttons.

No additional API calls or token generation required. Sessions expire after 30 minutes — create a new session if the link has expired.

\n","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"14040f6b-6659-9c9c-3dbf-51f35c56d07d"},{"name":"11 · Abandoned Order Recovery — New Session Pattern (Reference)","id":"4a2233d9-3595-6bbc-284d-794926a9e845","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"},{"key":"Idempotency-Key","value":"10d4f8d9-e54d-4b2c-8b0a-a84a04b1237f"}],"body":{"mode":"raw","raw":"{\n \"amount\": 89.99,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"ORD-RECOVERY-EXAMPLE\",\n \"customer_email\": \"customer@example.com\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\",\n \"webhook_url\": \"https://yourstore.com/api/payment-webhook\",\n \"webhook_secret\": \"CHANGE_ME_TO_A_STRONG_RANDOM_STRING\"\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","description":"

PATTERN — Abandoned order recovery for API integrations.

When a customer creates an order but doesn't complete payment, the session expires after 30 minutes. If no payment.confirmed webhook is received within your recovery window, create a new session for the same order and resend the checkout_url to the customer.

Suppression guards:

Order already paid → skip
Recovery already sent once → skip
No customer email → skip
Order older than 72 hours → skip

\n","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"4a2233d9-3595-6bbc-284d-794926a9e845"},{"name":"11 · Webhook Recovery — On-Chain Missed Payment Check (Reference)","id":"532bfabb-9b7e-552c-920f-ee6402538972","request":{"method":"GET","header":[],"url":"https://api.polygonscan.com/api?module=account&action=tokentx&contractaddress=0x3c499c542cef5e3811e1192ce70d8cc03d5c3359&address=0xYOUR_POLYGON_USDC_WALLET_ADDRESS&sort=desc&apikey=YOUR_FREE_POLYGONSCAN_KEY","description":"

PATTERN REFERENCE — A server-side safety net that confirms payments by reading the Polygon blockchain directly, for cases where a webhook was missed or delayed. This is the direct-API equivalent of the Missed Payment Protection feature built into the VERIFIED WooCommerce plugin.

Why you need this: Webhooks are the primary confirmation signal, but no webhook system is perfect — endpoints have downtime, callbacks can be delayed by slow provider KYC, and some payment routes confirm on-chain without an immediate callback. This recovery check guarantees you can confirm any settled payment independently, because USDC settlement on Polygon is public and verifiable.

Core idea: Periodically scan your own merchant wallet for incoming USDC transfers that match the expected amount of any order still marked pending. If a match is found, flag the order for confirmation.

Design principles (ported from the production plugin)

Check your OWN merchant wallet. Funds always land in your destination wallet regardless of how they were routed, so this is the most reliable address to monitor.
Two query methods, no API key required to start. Use the public Polygon RPC (eth_getLogs) by default — works with zero setup. Optionally use the Polygonscan API with a free key for higher-volume reliability.
Match by amount with tolerance. On-chain amounts rarely match the order total exactly (conversion, rounding). Use a small tolerance (~2%).
Only check aged, still-pending orders. Wait at least ~2 hours after order creation so normal webhooks arrive first, then scan on a schedule (e.g. every 3 hours).
Flag for review — never auto-fulfill blindly. A matching transfer is strong evidence, but treat it as \"confirm and review,\" not silent auto-completion, to protect against amount mismatches or unrelated deposits.

USDC contract + Transfer topic (Polygon)

USDC (native):  0x3c499c542cef5e3811e1192ce70d8cc03d5c3359\nTransfer topic: 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef\nPublic RPC:     https://polygon-rpc.com\nDecimals:       6   (so $70.00 = 70000000 raw units)\n

Method A — Public RPC (no API key, works out of the box)

const USDC = '0x3c499c542cef5e3811e1192ce70d8cc03d5c3359';\nconst TRANSFER_TOPIC =\n  '0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef';\n\nasync function rpc(method, params) {\n  const res = await fetch('https://polygon-rpc.com', {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/json' },\n    body: JSON.stringify({ jsonrpc: '2.0', id: 1, method, params }),\n  });\n  const json = await res.json();\n  if (json.error) throw new Error(JSON.stringify(json.error));\n  return json.result;\n}\n\n// Find incoming USDC transfers to your wallet since a given block.\nasync function findIncomingUSDC(merchantWallet, fromBlock) {\n  const toBlock = await rpc('eth_blockNumber', []);\n  const paddedTo =\n    '0x000000000000000000000000' + merchantWallet.toLowerCase().replace(/^0x/, '');\n\n  const logs = await rpc('eth_getLogs', [{\n    fromBlock: '0x' + Math.max(1, fromBlock).toString(16),\n    toBlock,\n    address: USDC,\n    topics: [TRANSFER_TOPIC, null, paddedTo], // [event, from(any), to(you)]\n  }]);\n\n  return logs.map(log => ({\n    tx_hash: log.transactionHash,\n    amount: parseInt(log.data, 16) / 1_000_000,        // 6 decimals\n    block: parseInt(log.blockNumber, 16),\n  }));\n}\n

Method B — Polygonscan API (optional, free key, higher reliability)

async function findIncomingUSDC_Polygonscan(merchantWallet, fromBlock, apiKey) {\n  const url = new URL('https://api.polygonscan.com/api');\n  url.searchParams.set('module', 'account');\n  url.searchParams.set('action', 'tokentx');\n  url.searchParams.set('contractaddress', USDC);\n  url.searchParams.set('address', merchantWallet);\n  url.searchParams.set('startblock', String(Math.max(1, fromBlock)));\n  url.searchParams.set('sort', 'asc');\n  url.searchParams.set('apikey', apiKey);\n\n  const res = await fetch(url);\n  const json = await res.json();\n  if (!Array.isArray(json.result)) return [];\n\n  return json.result\n    .filter(r => (r.to || '').toLowerCase() === merchantWallet.toLowerCase())\n    .map(r => ({\n      tx_hash: r.hash,\n      amount: Number(r.value) / 1_000_000,\n      block: Number(r.blockNumber),\n    }));\n}\n

Amount matching with tolerance

function pickMatch(events, expectedAmount) {\n  if (!events.length) return null;\n  const tolerance = Math.max(0.01, expectedAmount * 0.02); // 2%\n  let best = null, bestDiff = null;\n  for (const e of events) {\n    const diff = Math.abs(e.amount - expectedAmount);\n    if (diff <= tolerance && (bestDiff === null || diff < bestDiff)) {\n      best = e; bestDiff = diff;\n    }\n  }\n  return best;\n}\n

The scheduled recovery scan (run every ~3 hours)

const POLYGON_BLOCK_SECONDS = 2;\n\nasync function runRecoveryScan() {\n  // Orders still pending and older than the min age (e.g. 2 hours)\n  const minAgeMs = 2 * 60 * 60 * 1000;\n  const stuck = await db.orders.find({\n    status: 'pending',\n    created_at: { $lt: new Date(Date.now() - minAgeMs) },\n    recovery_checked: { $ne: true },\n  });\n\n  const currentBlockHex = await rpc('eth_blockNumber', []);\n  const currentBlock = parseInt(currentBlockHex, 16);\n\n  for (const order of stuck) {\n    // Narrow the block range from order age (+buffer)\n    const ageSec = Math.floor((Date.now() - new Date(order.created_at)) / 1000);\n    const fromBlock = Math.max(\n      1,\n      currentBlock - Math.ceil(ageSec / POLYGON_BLOCK_SECONDS) - 5000\n    );\n\n    let events;\n    try {\n      events = process.env.POLYGONSCAN_API_KEY\n        ? await findIncomingUSDC_Polygonscan(\n            process.env.MERCHANT_WALLET, fromBlock, process.env.POLYGONSCAN_API_KEY)\n        : await findIncomingUSDC(process.env.MERCHANT_WALLET, fromBlock);\n    } catch (e) {\n      // Retry up to 3 times across future scans, then give up gracefully\n      const retries = (order.recovery_retries || 0) + 1;\n      await db.orders.update({ id: order.id }, { recovery_retries: retries });\n      if (retries >= 3) {\n        await db.orders.update({ id: order.id }, { recovery_checked: true });\n        await alertOps(order, 'Recovery check failed after 3 attempts — review manually');\n      }\n      continue;\n    }\n\n    const match = pickMatch(events, order.expected_amount);\n    await db.orders.update({ id: order.id }, { recovery_checked: true });\n\n    if (match) {\n      // Flag for confirmation — do NOT silently auto-fulfil\n      await db.orders.update({ id: order.id }, {\n        status: 'paid_pending_review',\n        tx_hash: match.tx_hash,\n        on_chain_amount: match.amount,\n        on_chain_block: match.block,\n      });\n      await alertOps(order, `On-chain USDC match found: ${match.amount} USDC, tx ${match.tx_hash}`);\n    }\n  }\n}\n

Notes

No API key path works immediately via polygon-rpc.com. Add a free Polygonscan key only if you run high volume and want extra reliability.
expected_amount should be the USDC amount you expect to receive. If you pass non-USD currency at session creation it is converted to USD/USDC, so store the converted figure where possible.
Verify on Polygonscan any tx_hash at https://polygonscan.com/tx/{tx_hash} for an independent audit trail.
This recovery check complements webhooks — it does not replace them. Keep your signed webhook handler as the primary path and run this scan as the safety net.

\n","urlObject":{"protocol":"https","path":["api"],"host":["api","polygonscan","com"],"query":[{"key":"module","value":"account"},{"key":"action","value":"tokentx"},{"description":{"content":"

Native USDC on Polygon (Circle-issued). Chain ID 137.

\n","type":"text/plain"},"key":"contractaddress","value":"0x3c499c542cef5e3811e1192ce70d8cc03d5c3359"},{"key":"address","value":"0xYOUR_POLYGON_USDC_WALLET_ADDRESS"},{"key":"sort","value":"desc"},{"key":"apikey","value":"YOUR_FREE_POLYGONSCAN_KEY"}],"variable":[]}},"response":[],"_postman_id":"532bfabb-9b7e-552c-920f-ee6402538972"},{"name":"13 · Recurring Payments — Session Per Billing Cycle (Reference)","id":"a8e8549b-fa5a-e3a0-d5a7-1711639ebdb4","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"},{"key":"Idempotency-Key","value":"25d89396-2703-4dfb-a0c5-8a71c3b40fc6"}],"body":{"mode":"raw","raw":"{\n \"amount\": 29.99,\n \"currency\": \"USD\",\n \"wallet\": \"0xYOUR_POLYGON_USDC_WALLET_ADDRESS\",\n \"order_id\": \"RNW-SUB001-334\",\n \"customer_email\": \"customer@example.com\",\n \"success_url\": \"https://yourstore.com/order/success\",\n \"cancel_url\": \"https://yourstore.com/order/cancelled\",\n \"webhook_url\": \"https://yourstore.com/api/payment-webhook\",\n \"webhook_secret\": \"CHANGE_ME_TO_A_STRONG_RANDOM_STRING\",\n \"metadata\": {\n \"subscription_id\": \"SUB-001\",\n \"billing_cycle\": \"2026-04\"\n }\n}","options":{"raw":{"language":"json"}}},"url":"https://payapi.verifiedcryptocheckout.com/v1/session","description":"

PATTERN — Recurring payments via session-per-billing-cycle.

VERIFIED does not manage subscription state. Each billing cycle, your system creates a new payment session for the renewal amount, sends the checkout_url to the customer, and listens for the payment.confirmed webhook. This pattern works with any billing platform.

Key notes:

Each renewal is a completely independent session
order_id is required — use a unique value per renewal attempt (include a timestamp)
You are responsible for tracking subscription state and retry logic in your own system

\n","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"a8e8549b-fa5a-e3a0-d5a7-1711639ebdb4"},{"name":"ℹ️ FAQ — Common Integration Questions (Reference)","id":"bc1ce4ec-4dbe-47c9-9a01-2eba2cfb6641","request":{"method":"GET","header":[],"url":"https://payapi.verifiedcryptocheckout.com/v1/session","description":"

REFERENCE — Do not send. Answers to common integration questions.

Q1 — Webhook signing secret: how to obtain and rotate?

You define it. Pass webhook_secret in the session creation body. It is required whenever webhook_url is set — an endpoint that verifies signatures will reject (401) an unsigned delivery. VERIFIED uses it to sign outbound webhooks via HMAC-SHA256. To rotate: supply a new value in the next session. Each session carries its own secret independently.

Q2 — Is there a GET endpoint to query session status?

No. Session state is communicated exclusively via webhook callbacks. If a webhook is missed after 2+ hours, use the Polygonscan on-chain fallback.

Q3 — Webhook payload fields

9 stable core fields always present: event, session_id, order_id, amount, currency, wallet, tx_hash, status, timestamp.

Additional non-breaking fields also delivered: amount_forwarded (net forwarded after fees), confirmations (on-chain confirmations), raw (full upstream provider passthrough).

Treat unknown keys as non-breaking and ignore them. Build business logic against the 9 core fields.

Q4 — Event / status semantics

Only treat event: payment.confirmed AND status: confirmed as paid. If a payment.pending / status: pending event ever arrives, do not mark the order paid — wait for the confirmed delivery.

Q5 — Multi-chain / multi-token settlements

The webhook fires reliably regardless of settlement chain/token. Payload reflects actual chain and token used. For high-value transactions, verify tx_hash on polygonscan.com.

Q6 — Provider failover

Handled automatically by VERIFIED routing. No API parameter to configure fallback order. Omit provider for automatic routing.

Q7 — Fee structure

Platform fee (4%): deducted from USDC settlement
Upstream onramp fee (~4%): deducted from card charge before USDC conversion
Merchant receives USDC net of both
amount_forwarded in the webhook reports the net delivered to your wallet

Q8 — Settlement timing

~2–5 minutes end-to-end from card approval to webhook fire. Webhook and USDC arrival are simultaneous (same on-chain event).

Q9 — Rate limits

~1 req/sec/IP standard. On 429, back off using Retry-After header. Contact support for enterprise limits.

\n","urlObject":{"path":["v1","session"],"host":["https://payapi.verifiedcryptocheckout.com"],"query":[],"variable":[]}},"response":[],"_postman_id":"bc1ce4ec-4dbe-47c9-9a01-2eba2cfb6641"}],"event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":["// Collection-level: validate wallet format before any request","const wallet = pm.collectionVariables.get('merchant_wallet');","if (wallet && wallet !== '0xYOUR_POLYGON_USDC_WALLET_ADDRESS') {"," if (!/^0x[0-9a-fA-F]{40}$/.test(wallet)) {"," console.warn('⚠️ merchant_wallet format invalid. Expected: 0x + 40 hex chars (42 total). Got: ' + wallet);"," }","}"],"id":"8ef38d27-601f-4eb9-89ff-20fe9a3937f9"}}],"variable":[{"key":"base_url","value":"https://payapi.verifiedcryptocheckout.com","description":"VERIFIED API base URL. Do not change."},{"key":"merchant_wallet","value":"0xYOUR_POLYGON_USDC_WALLET_ADDRESS","description":"Your Polygon USDC wallet address. Must start with 0x and be exactly 42 characters (0x + 40 hex). This is your merchant identifier — USDC settles here. USDC sent to an incorrect wallet cannot be recovered."},{"key":"webhook_secret","value":"CHANGE_ME_TO_A_STRONG_RANDOM_STRING","description":"Your webhook signing secret. REQUIRED whenever webhook_url is set. You define this value. VERIFIED uses it to compute HMAC-SHA256 signatures on outbound webhook callbacks. The EXACT same value must be set as VCC_WEBHOOK_SECRET (or equivalent) in your webhook handler's environment so signatures can be verified. An endpoint that verifies signatures will reject (401) an unsigned delivery. Rotate by supplying a new value in the next session create. Never commit to source control."},{"key":"order_id","value":"ORDER-1001","description":"Your unique internal order reference. REQUIRED on every session creation request. Returned in all webhook events for matching. Must be unique per session."},{"key":"customer_email","value":"customer@example.com","description":"Customer email — used by the provider for KYC and transaction confirmation."},{"key":"success_url","value":"https://yourstore.com/order/success","description":"URL to redirect customer after successful payment. Best-effort only — always use webhook as authoritative confirmation."},{"key":"cancel_url","value":"https://yourstore.com/order/cancelled","description":"URL to redirect customer if they cancel or abandon checkout."},{"key":"webhook_url","value":"https://yourstore.com/api/payment-webhook","description":"Your HTTPS endpoint to receive HMAC-SHA256 signed payment confirmation events. Strongly recommended for production. If set, webhook_secret is required."},{"key":"session_id","value":"","description":"Auto-populated by test script after session creation. Store this on your order record to match incoming webhook events."},{"key":"checkout_url","value":"","description":"Auto-populated by test script. Redirect your customer to this URL exactly as returned — do NOT modify, decode, or append parameters."}]}