Skip to main content
GET
/
v1
/
transactions
List transactions across all accounts
curl --request GET \
  --url https://api.antonpayments.com/v1/transactions \
  --header 'Authorization: Bearer <token>' \
  --header 'DPoP: <api-key>'
{
  "data": [
    {
      "id": "<string>",
      "type": "<string>",
      "status": "<string>",
      "amount": "1234.56",
      "currency": "USD",
      "created_at": "2026-04-15T14:30:00Z",
      "account_id": "<string>",
      "reference": "<string>",
      "counterparty_name": "<string>"
    }
  ],
  "has_more": true,
  "next_cursor": "<string>"
}

Documentation Index

Fetch the complete documentation index at: https://docs.antonpayments.com/llms.txt

Use this file to discover all available pages before exploring further.

Filtering is not yet supported on this endpoint. Only limit and cursor are honored — any additional query parameters are silently ignored. To narrow results by currency, call GET /v1/accounts/{currency}/transactions. For other filters (type, time range), filter client-side on the returned MerchantTransaction objects until server-side filtering ships.

Authorizations

Authorization
string
header
required

OAuth 2.0 client_credentials grant (RFC 6749 §4.4) bound to a DPoP keypair (RFC 9449).

Flow (every authenticated /v1 call requires both an access token AND a fresh per-request DPoP proof):

  1. Register a credential via the merchant portal. Anton issues a client_id (ant_oc_<env>_<32hex>) and a client_secret (ant_ocs_<env>_<48hex>, shown ONCE). The portal generates an ES256 or Ed25519 DPoP keypair in your browser; you store the private half.
  2. Mint an access token: POST /oauth/token with Authorization: Basic <client_id:client_secret> and Content-Type: application/x-www-form-urlencoded. Body: grant_type=client_credentials. A DPoP header carrying a proof signed for the token endpoint is required (no ath claim on this proof).
  3. Use the token: send Authorization: DPoP <access_token> plus a fresh DPoP: <proof> header on every /v1 request. The proof JWT MUST carry htm (request method), htu (request URL, no query/fragment), iat (within ±60s), jti (unique within 5 min), and ath (SHA-256 of the access token, base64url).

Tokens expire in 1 hour in production / staging and 8 hours in sandbox. There are no refresh tokens — call /oauth/token again with your secret. Anton's public signing key is published at /.well-known/jwks.json.

OpenAPI 3.0 has no native DPoP scheme; this declaration plus dpopHeader together convey both the access-token Authorization and the per-request proof header.

DPoP
string
header
required

Per-request DPoP proof JWT (RFC 9449). MUST accompany the Authorization: DPoP <access_token> header on every protected operation. The proof is signed by the merchant's private DPoP key and carries htm, htu, iat, jti, and ath claims.

Query Parameters

limit
integer
default:20

Items per page. Maximum 100.

Required range: 1 <= x <= 100
cursor
string

Opaque cursor returned by a previous list response. Omit for the first page.

currency
string

ISO 4217 three-letter currency code.

Pattern: ^[A-Z]{3}$
Example:

"USD"

type
string

Transaction type — credit, debit, fee, fx, etc.

created_after
string<date-time>

RFC 3339 / ISO 8601 timestamp in UTC.

Example:

"2026-04-15T14:30:00Z"

created_before
string<date-time>

RFC 3339 / ISO 8601 timestamp in UTC.

Example:

"2026-04-15T14:30:00Z"

Response

Transactions.

data
object[]
required

Array of results for this page. Element schema varies by endpoint.

has_more
boolean
required

Whether more results exist beyond this page.

next_cursor
string

Cursor for the next page. Present only when has_more is true.