Quick Start
Make your first authenticated request in under 5 minutes. This walkthrough uses the QA environment of the Wallet Gateway API (https://ali-qa.ali.app/rest). Every endpoint below is cross-referenced against the live OpenAPI spec at /api-reference/ali-api-gw-rest.
1. Get credentialsβ
Contact your Migo account manager to obtain:
merchantβ your public app identifier- The Ed25519 private key you use to sign login payloads
- The Ed25519 public key Migo uses to validate your tokens (per environment)
2. Authenticateβ
The login endpoint expects a merchant slug plus an Ed25519 signature of the payload. See Authentication for the canonical signing recipe.
curl -X POST https://ali-qa.ali.app/rest/auth/login \
-H "Content-Type: application/json" \
-d '{
"merchant": "YOUR_MERCHANT_SLUG",
"signature": "<ed25519-signature-base64>"
}'
Response (envelope shape β every endpoint returns CustomResponse<T>):
{
"statusCode": 200,
"message": "ok",
"data": {
"accessToken": "eyJhbGciOi...",
"refreshToken": "eyJhbGciOi...",
"expirationToken": 1735689600,
"expirationRefreshToken": 1736294400
}
}
Spec:
POST /auth/login.
3. Verify the gateway is upβ
curl https://ali-qa.ali.app/rest/health
Response:
{ "statusCode": 200, "message": "ok", "data": {} }
Spec:
GET /health.
4. Register a cardholderβ
The gateway uses invitation-coded onboarding rather than free-form sign-up β the merchant first issues an invitation code, then the cardholder registers with their username (email), password, and the invitation code.
curl -X POST https://ali-qa.ali.app/rest/users \
-H "Authorization: Bearer <access-token>" \
-H "Content-Type: application/json" \
-d '{
"deviceId": "device-abc-123",
"invitationCode": "INV-9F4D2A",
"username": "test+1@example.com",
"password": "Str0ng-P@ssw0rd",
"confirmPassword": "Str0ng-P@ssw0rd"
}'
To generate the invitation code first, call POST /users/invitation-code with the appropriate role.
Spec:
POST /usersΒ·POST /users/invitation-code.
5. Issue a cardβ
This is the Migo-issued physical card endpoint. It takes no request body β the card is provisioned for the user identified in the path, with the merchant defaults attached to the user's role.
curl -X POST https://ali-qa.ali.app/rest/users/<userId>/cards/virtuals \
-H "Authorization: Bearer <access-token>" \
-H "x-application-id: YOUR_APP_ID"
Card identifiers are numeric. A newly issued card needs a PIN before it can authorize transactions β see Card Lifecycle and PIN management.
Spec:
POST /users/{userId}/cards/virtualsΒ·GET /cards/{cardId}/cvv.
Node.js exampleβ
import axios from 'axios';
const api = axios.create({ baseURL: 'https://ali-qa.ali.app/rest' });
const login = await api.post('/auth/login', {
merchant: process.env.MIGO_MERCHANT,
signature: process.env.MIGO_LOGIN_SIGNATURE,
});
const token = login.data.data.accessToken;
const health = await api.get('/health');
console.log(health.data);