SNAP-BI Gateway API
Bank Indonesia SNAP (Standar Nasional Open API Pembayaran) partner gateway
The SNAP-BI Gateway is the external partner-facing API that implements Bank Indonesia's SNAP standard (PBI No.23/6/PBI/2021). It validates BI-standard request signatures, enforces replay protection and clock-skew, and forwards requests to the appropriate downstream service.
Base URLs
The SNAP-BI gateway is served via the REST aggregator under the /v1.0/ path prefix.
| Environment | Base URL |
|---|---|
| Sandbox (505pay.link) | https://sandbox.505pay.link/v1.0 |
| Production (505pay.link) | https://api.505pay.link/v1.0 |
| Sandbox (straventa.com) | https://sandbox.straventa.com/v1.0 |
| Production (straventa.com) | https://api.straventa.com/v1.0 |
The OpenAPI specification is served at <base-url>/openapi.json.
Authentication model
SNAP-BI uses two distinct authentication paths:
Asymmetric (B2B access token)
: RSA-SHA256 PKCS#1v1.5 signature over clientKey + "|" + X-TIMESTAMP.
: Returns a short-lived Bearer access token (1 hour).
Symmetric (transaction endpoints)
: HMAC-SHA512 signature over METHOD + "|" + PATH + "|" + accessToken + "|" + sha256hex(body) + "|" + X-TIMESTAMP.
: Requires a valid Bearer token from the B2B endpoint.
Both paths verify X-TIMESTAMP within ±300 seconds of the server clock (SNAP requirement).
Replay protection
Every transaction request must carry a unique X-EXTERNAL-ID per partner per UTC day.
Duplicate IDs return 409 with response code 409{svc}00.
Endpoints
| Method | Path | Svc Code | Downstream |
|---|---|---|---|
| POST | /v1.0/access-token/b2b | 73 | auth-service |
| POST | /v1.0/transfer-va/inquiry | 27 | payments-service |
| POST | /v1.0/transfer-va/payment | 27 | payments-service |
| POST | /v1.0/transfer-va/status | 27 | payments-service |
| POST | /v1.0/transfer-credit/{route} | 25 | payments-service |
| POST | /v1.0/balance-inquiry | 24 | payments-service |
| POST | /v1.0/transaction-status-inquiry | 60 | recon-service |
| POST | /v1.0/transaction-history-list | 50 | recon-service |
| POST | /v1.0/qr/qr-mpm-generate | 47 | payments-service |
| POST | /v1.0/qr/qr-mpm-notify-payment | 47 | payments-service |
Response codes
SNAP response codes follow the format <http-prefix><service-code><sub-code> (7 digits).
| Code | HTTP | Meaning |
|---|---|---|
200{svc}00 | 200 | Successful |
400{svc}02 | 400 | Invalid X-TIMESTAMP |
401{svc}00 | 401 | Unauthorized (invalid signature) |
403{svc}00 | 403 | Forbidden (insufficient scope) |
404{svc}01 | 404 | Resource not found |
409{svc}00 | 409 | Duplicate X-EXTERNAL-ID |
500{svc}00 | 500 | Internal server error |
504{svc}04 | 504 | Downstream timeout |
Error envelopes contain only responseCode and responseMessage — no internal
error details are ever returned to partners (BI compliance requirement §AC9.2).
Partner registration
Partners are registered via the 505pay admin console. Contact your 505pay integration
contact to obtain your X-CLIENT-KEY, RSA keypair, and HMAC secret.
For operator onboarding steps, see the snap-gateway-service runbook.
Endpoint reference
Authentication (B2B access token)
RSA-SHA256 asymmetric signature exchange to obtain a short-lived Bearer token.
Virtual Account (Transfer VA)
SNAP-BI Virtual Account inquiry, payment, and status endpoints.
Transfer credit
SNAP-BI credit transfer initiation.
QRIS
QR code generation and payment notification for Merchant-Presented Mode.
Inquiry & history
Balance inquiry, transaction status, and transaction history.
Health & metadata
Liveness/readiness probes, OpenAPI spec, and JWKS.
Was this page helpful?