List Instruments - Anton Payments

{ "data": [ { "id": "ins_01HX8Z9K0M2N3P4Q5R6S7T8UA2", "beneficiary_id": "ben_01HX8Z9K0M2N3P4Q5R6S7T8UA1", "merchant_id": "mer_01HX8Z9K0M2N3P4Q5R6S7T8UZZ", "method": "iban", "currency": "EUR", "country": "DE", "label": "Primary EUR account", "display_last4": "5432", "display_bank": "Deutsche Bank", "masked_account": "DE89****5432", "status": "active", "is_default": true, "created_at": "2026-04-15T14:30:00Z", "updated_at": "2026-04-15T14:30:00Z" } ], "has_more": true, "next_cursor": "<string>" }

Authorizations

Authorization

string

header

required

OAuth 2.0 client_credentials grant (RFC 6749 §4.4) bound to a DPoP keypair (RFC 9449).

Flow (every authenticated /v1 call requires both an access token AND a fresh per-request DPoP proof):

Register a credential via the merchant portal. Anton issues a client_id (ant_oc_<env>_<32hex>) and a client_secret (ant_ocs_<env>_<48hex>, shown ONCE). The portal generates an ES256 or Ed25519 DPoP keypair in your browser; you store the private half.
Mint an access token: POST /oauth/token with Authorization: Basic <client_id:client_secret> and Content-Type: application/x-www-form-urlencoded. Body: grant_type=client_credentials. A DPoP header carrying a proof signed for the token endpoint is required (no ath claim on this proof).
Use the token: send Authorization: DPoP <access_token> plus a fresh DPoP: <proof> header on every /v1 request. The proof JWT MUST carry htm (request method), htu (request URL, no query/fragment), iat (within ±60s), jti (unique within 5 min), and ath (SHA-256 of the access token, base64url).

Tokens expire in 1 hour in production / staging and 8 hours in sandbox. There are no refresh tokens — call /oauth/token again with your secret. Anton's public signing key is published at /.well-known/jwks.json.

OpenAPI 3.0 has no native DPoP scheme; this declaration plus dpopHeader together convey both the access-token Authorization and the per-request proof header.

DPoP

string

header

required

Per-request DPoP proof JWT (RFC 9449). MUST accompany the Authorization: DPoP <access_token> header on every protected operation. The proof is signed by the merchant's private DPoP key and carries htm, htu, iat, jti, and ath claims.

Query Parameters

limit

integer

default:20

Items per page. Maximum 100.

Required range: 1 <= x <= 100

cursor

string

Opaque cursor returned by a previous list response. Omit for the first page.

beneficiary_id

string

Pattern: ^ben_[a-zA-Z0-9]+$

method

enum<string>

Credential format of a payment instrument — named by what data is stored, not by the rail that delivers the funds. One credential type can route to multiple rails (e.g. an IBAN can go via SEPA, SEPA Instant, TARGET2, SWIFT, or CHAPS — the rail is selected at payout time).

Query GET /v1/payment-methods for the full country-specific catalog including per-method credential schemas.

Available options:

iban,

uk_bank,

us_bank,

ca_bank,

au_bank,

nz_bank,

jp_bank,

in_bank,

za_bank,

ng_bank,

ph_bank,

cl_bank,

co_bank,

swift,

clabe,

cbu,

cci,

pix,

upi,

interac,

paynow,

fps_hk,

promptpay,

card,

crypto,

mobile_money

currency

string

ISO 4217 three-letter currency code.

Pattern: ^[A-Z]{3}$

Example:

"USD"

country

string

ISO 3166-1 alpha-2 country code.

Pattern: ^[A-Z]{2}$

Example:

"US"

status

enum<string>

Available options:

active,

disabled

Response

Paginated list of instruments.

data

object[]

required

Array of results for this page. Element schema varies by endpoint.

Show child attributes

has_more

boolean

required

Whether more results exist beyond this page.

next_cursor

string

Cursor for the next page. Present only when has_more is true.

Documentation Index

Authorizations

Query Parameters

Response