> ## Documentation Index
> Fetch the complete documentation index at: https://docs.antonpayments.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List Payment-Method Schemas

> Return the per-country method catalog with the exact credential-field
schema required for each method. Use this to drive dynamic instrument-
creation forms that know which fields to prompt for based on the
selected country and method.




## OpenAPI

````yaml GET /v1/instruments/methods
openapi: 3.1.0
info:
  title: Anton Payments API
  version: 1.0.0
  summary: Cross-border payout infrastructure. Fiat, stablecoin, and crypto.
  description: >
    The Anton Payments merchant API. Versioned, idempotent, cursor-paginated.


    - **Authentication**: OAuth 2.0 client_credentials with DPoP
    proof-of-possession (RFC 6749 §4.4 + RFC 9449). Programmatic clients
    exchange `(client_id, client_secret)` for a short-lived access token at
    `POST /oauth/token`, then send each request with `Authorization: DPoP
    <access_token>` plus a per-request `DPoP: <proof>` header. Static API keys
    are not accepted on v1.

    - Base URLs: `https://api.antonpayments.com` (production),
    `https://api.antonpayments.dev` (sandbox).

    - Monetary amounts are decimal strings. Never floats.

    - Timestamps are RFC 3339 UTC.

    - All mutating endpoints support the `Idempotency-Key` header.

    - Anton's OAuth public signing key is published at `GET
    /.well-known/jwks.json` (5-minute cache; RFC 8615).


    See the Cross-Cutting section of the docs for idempotency, pagination, rate
    limits, errors, webhook events, and webhook signing.
  contact:
    name: Anton Payments Support
    url: https://help.antonpayments.com
  license:
    name: Proprietary
    url: https://www.antonpayments.com
servers:
  - url: https://api.antonpayments.com
    description: Production
  - url: https://api.antonpayments.dev
    description: Sandbox
security:
  - oauthDPoP: []
    dpopHeader: []
tags:
  - name: Authentication
    description: >-
      OAuth 2.0 token endpoint and JWKS publication. See the API description for
      the full DPoP-bound flow.
  - name: OAuth Clients
    description: >-
      Manage OAuth credentials (programmatic access). Portal-only — JWT auth
      required.
  - name: Reference Data
    description: Currencies, countries, and supported payment methods.
  - name: Beneficiaries
    description: Create and manage the people and businesses you pay.
  - name: Instruments
    description: >-
      Payment instruments attached to beneficiaries — bank accounts, wallets,
      cards.
  - name: Payouts
    description: Initiate and track payouts.
  - name: Batches
    description: CSV-driven bulk payout processing.
  - name: Balances
    description: Merchant balance by currency.
  - name: Accounts
    description: Virtual accounts for merchant funding.
  - name: Webhooks
    description: Subscribe to event notifications.
  - name: Documents
    description: Upload and manage KYB and supporting documents.
  - name: RFIs
    description: Respond to Requests for Information raised during review.
  - name: Pricing
    description: Read merchant pricing plans and quote fees.
  - name: FX
    description: Quote, lock, and execute currency exchanges between balances.
  - name: Corridors
    description: Active cross-border corridors for your merchant.
  - name: Balance Alerts
    description: >-
      Per-currency low-balance thresholds that drive the `balance.low` webhook
      event.
  - name: Sandbox
    description: Reset and seed your sandbox environment.
  - name: Merchant
    description: Merchant profile, branding, preferences, and security posture.
  - name: API Keys
    description: Issue, list, and revoke API keys.
  - name: Users
    description: Self-service profile, MFA, and team management.
  - name: Notifications
    description: Per-user notification channels and preferences.
  - name: Velocity
    description: Merchant-scoped risk rules and what-if simulation.
  - name: Engine
    description: Glass-box view of Anton's risk intelligence.
  - name: Onboarding
    description: Authenticated KYB onboarding draft and submission.
  - name: Public Onboarding
    description: >-
      Session-authenticated hosted onboarding flow. Not intended for SDK
      consumption.
paths:
  /v1/instruments/methods:
    get:
      tags:
        - Instruments
      summary: List payment-method schemas per country
      description: |
        Return the per-country method catalog with the exact credential-field
        schema required for each method. Use this to drive dynamic instrument-
        creation forms that know which fields to prompt for based on the
        selected country and method.
      operationId: listInstrumentMethods
      parameters:
        - name: country
          in: query
          description: Filter to methods available in a specific country.
          schema:
            $ref: '#/components/schemas/CountryCode'
      responses:
        '200':
          description: Per-country method schemas.
          content:
            application/json:
              schema:
                type: object
                required:
                  - data
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/InstrumentMethodSchema'
components:
  schemas:
    CountryCode:
      type: string
      description: ISO 3166-1 alpha-2 country code.
      pattern: ^[A-Z]{2}$
      example: US
    InstrumentMethodSchema:
      type: object
      description: |
        Credential-field schema for a payment method in a specific country.
        Use to drive dynamic instrument-creation forms.
      required:
        - code
        - country
        - currency
      properties:
        code:
          $ref: '#/components/schemas/PaymentMethodCode'
        country:
          $ref: '#/components/schemas/CountryCode'
        currency:
          $ref: '#/components/schemas/CurrencyCode'
        label:
          type: string
          description: Human-friendly label for this country+method pairing.
          example: UK Bank Account (Faster Payments)
        fields:
          type: array
          description: Credential fields to prompt for.
          items:
            type: object
            required:
              - name
              - type
              - required
            properties:
              name:
                type: string
                example: sort_code
              label:
                type: string
                example: Sort code
              type:
                type: string
                enum:
                  - string
                  - integer
                  - enum
              required:
                type: boolean
              pattern:
                type: string
                description: Regex the value must match, if any.
              enum:
                type: array
                items:
                  type: string
                description: Allowed values when `type=enum`.
              help:
                type: string
    PaymentMethodCode:
      type: string
      description: >
        Credential format of a payment instrument — named by what data is
        stored,

        not by the rail that delivers the funds. One credential type can route
        to

        multiple rails (e.g. an IBAN can go via SEPA, SEPA Instant, TARGET2,
        SWIFT,

        or CHAPS — the rail is selected at payout time).


        Query `GET /v1/payment-methods` for the full country-specific catalog

        including per-method credential schemas.
      enum:
        - iban
        - uk_bank
        - us_bank
        - ca_bank
        - au_bank
        - nz_bank
        - jp_bank
        - in_bank
        - za_bank
        - ng_bank
        - ph_bank
        - cl_bank
        - co_bank
        - swift
        - clabe
        - cbu
        - cci
        - pix
        - upi
        - interac
        - paynow
        - fps_hk
        - promptpay
        - card
        - crypto
        - mobile_money
    CurrencyCode:
      type: string
      description: ISO 4217 three-letter currency code.
      pattern: ^[A-Z]{3}$
      example: USD
  securitySchemes:
    oauthDPoP:
      type: oauth2
      description: >
        OAuth 2.0 client_credentials grant (RFC 6749 §4.4) bound to a DPoP
        keypair (RFC 9449).


        **Flow** (every authenticated `/v1` call requires both an access token
        AND a fresh per-request DPoP proof):


        1. Register a credential via the merchant portal. Anton issues a
        `client_id` (`ant_oc_<env>_<32hex>`) and a `client_secret`
        (`ant_ocs_<env>_<48hex>`, shown ONCE). The portal generates an ES256 or
        Ed25519 DPoP keypair in your browser; you store the private half.

        2. Mint an access token: `POST /oauth/token` with `Authorization: Basic
        <client_id:client_secret>` and `Content-Type:
        application/x-www-form-urlencoded`. Body:
        `grant_type=client_credentials`. A `DPoP` header carrying a proof signed
        for the token endpoint is required (no `ath` claim on this proof).

        3. Use the token: send `Authorization: DPoP <access_token>` plus a fresh
        `DPoP: <proof>` header on every `/v1` request. The proof JWT MUST carry
        `htm` (request method), `htu` (request URL, no query/fragment), `iat`
        (within ±60s), `jti` (unique within 5 min), and `ath` (SHA-256 of the
        access token, base64url).


        Tokens expire in **1 hour** in production / staging and **8 hours** in
        sandbox. There are no refresh tokens — call `/oauth/token` again with
        your secret. Anton's public signing key is published at
        `/.well-known/jwks.json`.


        OpenAPI 3.0 has no native DPoP scheme; this declaration plus
        `dpopHeader` together convey both the access-token Authorization and the
        per-request proof header.
      flows:
        clientCredentials:
          tokenUrl: /oauth/token
          scopes: {}
    dpopHeader:
      type: apiKey
      in: header
      name: DPoP
      description: >
        Per-request DPoP proof JWT (RFC 9449). MUST accompany the
        `Authorization: DPoP <access_token>` header on every protected
        operation. The proof is signed by the merchant's private DPoP key and
        carries `htm`, `htu`, `iat`, `jti`, and `ath` claims.

````