Introduction
The APIs are RESTful: they use HTTP methods (POST, PATCH, PUT, GET) over HTTPS to perform functions on objects.
Some requests include data in their message body, for example to define the attributes of the object being created or updated.
Endpoints
| Environment | Base URL |
|---|---|
| Sandbox testing | https://api-sandbox.flexfactor.io/v1/ |
| Production environment | https://api.flexfactor.io/v1/ |
If you don't yet have access to the FlexFactor test environment, please contact [email protected]
Sandbox is a PCI-free environment. Real financial data cannot be used in the Sandbox.
Please use our whitelisted test credit cards.
Headers
To communicate with the Core API, you must include the proper headers in your API requests.
Request headers
You must include the following headers in requests sent to the Core API:
| Name | Description | Request Type | Value |
|---|---|---|---|
| authorization | Every request must be authenticated. | GET, POST, PUT | API key/Token |
| content-type | The media type of the resource | POST, PUT | application/json |
Versioning
The Core API version is indicated in each endpoint resource path.
For example, https://api.flexfactor.io/v1/transmit indicates the API is at version 1.
FlexFactor increments the version number when it releases a new version containing backwards-incompatible changes. Minor updates and bug fixes are typically released without incrementing the version number.
Ensure that your application handles API revisions by allowing for additional, unspecified resource fields in the response and for variable response sizes.
Integration prerequisites
A FlexFactor integration assumes the following items are in place. They are not separately validated on each request — please confirm them once during integration so you do not need to surface them as open risks in security reviews.
- Amount conversion to cents. All transaction amounts are sent in the smallest currency unit (cents for USD, etc.). FlexFactor does not auto-convert decimal amounts.
- Expiry date parsing. When sending an expiryDateUtc (Managed MIT), supply an ISO 8601 UTC timestamp. The server interprets it as UTC; no implicit timezone conversion is applied.
- GDPR / data minimization. Only the fields documented as required (and the optional fields you choose to enrich the request) are needed. FlexFactor does not require additional cardholder PII beyond what the API specifies.
- PCI AOC. Sending tokenized card data via /tokenize keeps the integration out of PCI DSS SAQ D scope. FlexFactor maintains a valid PCI AOC, available on request.
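One way to satisfy the amount and expiry prerequisites on the client side, as an added example that is not FlexFactor's own code. The function names, the "amount" key, the currency subset and the trailing "Z" form of the timestamp are assumptions; only expiryDateUtc comes from this page.

```python
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

# ISO 4217 minor-unit exponents; a small subset chosen for illustration.
MINOR_UNIT_EXPONENT = {"USD": 2, "EUR": 2, "JPY": 0, "KWD": 3}


def to_minor_units(amount, currency="USD"):
    """Return the amount as an integer count of the currency's smallest unit."""
    if isinstance(amount, float):
        # Binary floats are inexact: int(19.99 * 100) evaluates to 1998.
        raise TypeError("pass the amount as str, int or Decimal, not float")
    try:
        value = Decimal(str(amount))
    except InvalidOperation:
        raise ValueError(f"not a decimal amount: {amount!r}") from None
    # Assumption: amounts are finite and non-negative.
    if not value.is_finite() or value < 0:
        raise ValueError(f"amount out of range: {amount!r}")
    scaled = value.scaleb(MINOR_UNIT_EXPONENT[currency])
    if scaled != scaled.to_integral_value():
        # Refuse to round silently: "19.999" USD points to an upstream bug.
        raise ValueError(f"{amount!r} has more decimals than {currency} allows")
    return int(scaled)


def expiry_date_utc(moment):
    """Format a timezone-aware datetime as an ISO 8601 UTC timestamp."""
    if moment.tzinfo is None or moment.utcoffset() is None:
        # A naive value would be read as UTC by the server, shifting the expiry.
        raise ValueError("naive datetime: attach a timezone before sending")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed sample input: 19.99 USD, expiring at midnight in UTC-5.
    local = datetime(2030, 1, 1, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
    # "amount" is a hypothetical field name used only for this illustration.
    print({"amount": to_minor_units("19.99"),
           "expiryDateUtc": expiry_date_utc(local)})
```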
Errors
Use this list to diagnose failed transactions and fine-tune your exception-handling capabilities.
Error codes are based on HTTP response codes: the first three digits specify the HTTP response code, and the last three digits represent the error.
| Response Code | Description |
|---|---|
| 200 OK | Your request completed successfully. |
| 201 Created | Resource created successfully. |
| 204 No Content | Returned on a successful DELETE. |
| 401 Unauthorized | Enter valid credentials to continue. |
| 403 Forbidden | Access to the requested resource is denied. |
| 405 Method Not Allowed | The method you supplied is not allowed for that resource, for example a PUT method on a read-only resource. |
| 500 Internal Server Error | An error occurred that could not be handled by the application. |
| 502 Bad Gateway | An invalid response was received by the server. |
| 503 Service Unavailable | The server is temporarily unable to handle this request. |
| 504 Gateway Timeout | The server timed out while attempting to complete this request. |
