API integration
End-to-end path from your first authenticated HTTP call to language samples, Try it, SDKs, and webhooks.
This page is the single entry point for shipping a production-quality integration against lomi.’s REST API.
Base URLs and your first request
Use the Test environment while building; switch keys and host only when you go live.
| Environment | Base URL | API keys |
|---|---|---|
| Test | https://sandbox.api.lomi.africa | lomi_sk_test_… |
| Live | https://api.lomi.africa | lomi_sk_live_… |
Send your secret key on every request as X-API-Key (header names are case-insensitive). A minimal read that works in both environments is GET /accounts:
curl -sS \
  -H "X-API-Key: $LOMI_API_KEY" \
  "https://sandbox.api.lomi.africa/accounts"
Replace $LOMI_API_KEY with a secret key from the dashboard Developers / API section (lomi_sk_test_… / lomi_sk_live_…). Never send secret keys from a browser or mobile client. For environment details and key hygiene, see Authentication.
Full HTTP reference (OpenAPI)
The canonical list of paths, methods, parameters, security, and request bodies is the generated OpenAPI site:
- OpenAPI reference index — browse operations; each page includes language tabs (cURL, JavaScript, Go, Python, Java, and C#) and a Try it playground.
The playground sends requests through the docs proxy (/api/proxy in this app), so you can exercise the API from the browser without CORS issues. Treat it as a convenience for exploration, not a substitute for calling the API from your own servers in production.
SDKs vs raw HTTP
| Approach | When to use it | Docs |
|---|---|---|
| Raw HTTP | Maximum control, any stack, smallest dependency | This hub + OpenAPI reference |
| Official / community SDKs | Faster integration when a maintained client fits your runtime | SDKs overview and language pages (e.g. PHP) |
SDKs should follow the same base URL, headers, and JSON conventions as raw HTTP.
Webhooks (incoming HTTP to your server)
Your endpoint receives raw JSON in the request body. For signature verification you must use the exact bytes the gateway sent—do not rely on a prettified or re-serialized JSON string, which can change spacing or key order and break HMAC or similar schemes.
Ingress routes for payment providers (e.g. Wave, Stripe-style) are documented in the OpenAPI tree under the relevant webhook paths. Configure URLs in the dashboard and validate signatures using the provider’s documented algorithm and the raw body buffer.
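An added example, not code from this page or from any provider: it verifies a webhook over the raw body bytes and shows a re-serialized body failing the same check. HMAC-SHA256 with a hex-encoded signature, the secret, the payload and all function names are assumptions for illustration; use the algorithm, header and encoding your provider documents.

```python
import hashlib
import hmac
import json

# Constructed sample values; not real keys or payloads.
SECRET = b"whsec_example_constructed"
RAW_BODY = b'{"event":"payment.succeeded","data":{"amount":1000, "currency":"XOF"}}'


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the body (assumed scheme; check the provider's docs)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_hex: str) -> bool:
    """Verify against the exact bytes received, using a constant-time compare."""
    if not isinstance(raw_body, (bytes, bytearray)):
        raise TypeError("verify the raw request bytes, not a parsed or decoded body")
    expected = sign(secret, raw_body).encode()
    received = signature_hex.strip().lower().encode()
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, raw_body: bytes, signature_hex: str):
    """Return (status, event). JSON is parsed only after the signature checks out."""
    if not signature_hex or not verify_webhook(secret, raw_body, signature_hex):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, None


def reserialized(raw_body: bytes) -> bytes:
    """What a handler would sign if it used json.dumps(parsed) instead of raw bytes."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    sig = sign(SECRET, RAW_BODY)
    print("raw bytes:     ", handle_webhook(SECRET, RAW_BODY, sig)[0])
    print("re-serialized: ", handle_webhook(SECRET, reserialized(RAW_BODY), sig)[0])
```

In a web framework, read the body as bytes before any JSON middleware runs and pass those bytes to the verifier unchanged.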
For managing your outbound webhook subscriptions (list, get, update) over the merchant API, see Webhooks and the matching operations in the OpenAPI reference.
Next steps
- Authentication — keys, hosts, rate limits, security.
- Overview — how the narrative reference maps to resources.
- Errors — error object shape and HTTP status conventions.