Frequently Asked Questions

Getting started

How do I get API credentials?

Contact your Migo account manager. Credentials are issued per environment (QA + production).

What languages / SDKs do you support?

Native libraries:

JavaScript / TypeScript — Wallet SDK for React / React Native + server OpenAPI-generated clients
Swift — iOS Wallet SDK
Kotlin — Android Wallet SDK
Go — server OpenAPI-generated clients (generate via oapi-codegen from the specs)
Python — server OpenAPI-generated clients (via openapi-python-client)

Is there a sandbox?

Yes. See Environments. All features work in sandbox with test cards — see Testing.

Authentication

How long do access tokens last?

For the merchant/client gateway, access tokens last 30 minutes and refresh tokens last 7 days. Wallet and CMS user-token lifetimes are configurable per partner/session rules (driven by the configuration service), not fixed values.

Refresh tokens?

Single-use. Every refresh rotates both access and refresh tokens. Discard the old refresh token immediately.

What happens if I lose the refresh token?

Re-log-in to obtain a new token pair. If you've forgotten your password, use the password-reset flow: request a one-time code via POST /users/auth/otp, then call POST /users/auth/password/reset.

Payments

What's the difference between one-step and two-step payments?

One-step — authorize + capture in a single request. Use for retail.
Two-step — authorize now, capture later (up to 7 days). Use for marketplaces, hospitality, pre-orders.

For card acceptance, charges run through the hosted checkout of a Payment Link.

When do I receive funds?

Capture → settled: next business day after 23:30 UTC cutoff. Settled → in merchant's bank: T+1 to T+3 depending on the issuing bank.

Do you support Apple Pay / Google Pay?

At the POS via contactless (NFC), yes. Provisioning Migo-issued cards into Apple/Google Pay wallets: planned, not yet shipped.

What about installments?

Installment support is issuer-dependent — contact support to confirm availability for your terminal configuration. The documented CreateTerminalPaymentInput body does not expose a top-level installments field.

Webhooks

Will I receive duplicate events?

Yes — at-least-once delivery means retries can arrive after the original. Always dedupe on eventId.

How do I verify the signature?

Signed outbound webhook delivery is on the roadmap and not yet shipped. The current webhook endpoints are inbound receivers (/webhooks/volcan, /webhooks/settlements). Signature-verification guidance will be published once outbound delivery is available.

How long does Migo retry failed deliveries?

7 days with exponential backoff.

Can I pause event delivery?

No self-service pause, but you can return 410 Gone from the endpoint to stop retries.

Subscriptions

Is the first charge automatic?

A subscription is created through the card-verification flow (POST /v1/subscriptions/verify-card with shouldCreateSubscription=true), which internally creates the subscription. There is no public POST /v1/subscriptions endpoint and no startAt parameter.

What if a scheduled charge fails?

Failed renewals are handled by a grace-period model (renewal status tracking), not a fixed retry ladder. A subscription's terminal status is inactive or expired — there is no unpaid status. The exact grace-period cadence is configurable; contact support to confirm the values for your account.

Can I charge outside the schedule?

Yes — On-demand charges.

Cards & wallet

Do Migo-issued cards work with Apple / Google Pay?

Provisioning is planned, not yet shipped. Once live, card push provisioning via the Wallet SDK will be supported.

How do I retrieve a CVV?

Two-step: request a view token, then use it in the CVV GET from the mobile client. Never from your backend.

Can a card belong to multiple users?

Yes — per-user permissions control who can do what. See Cardholder management.

Compliance

What's Migo's PCI-DSS scope?

Level 1 Service Provider. See Security & PCI scope.

Where is data stored?

Primary region: AWS us-east-1, with a secondary region in AWS us-east-2. For data-residency, GDPR, and regional-compliance specifics, contact legal.

Can I get a SOC 2 report?

Yes — under NDA. Contact your Migo account manager.

Errors

I got a `7604 INVALID_SIGNATURE` — what's wrong?

Your request signature did not validate. The most common cause is that the JSON body was re-serialized before signing, changing the byte content. Sign the raw body bytes and verify your signing keys are current.

I got a `7616 KEYS_EXPIRED` — what does this mean?

Your signature keys have expired. Rotate them and authenticate again.

What does `7303 INSUFFICIENT_FUNDS` mean?

The source account does not have enough balance to complete the transaction. See the full Error catalog for every code and its HTTP status.

Still stuck?

Error catalog for every code
Contact for direct support

Getting started​

How do I get API credentials?​

What languages / SDKs do you support?​

Is there a sandbox?​

Authentication​

How long do access tokens last?​

Refresh tokens?​

What happens if I lose the refresh token?​

Payments​

What's the difference between one-step and two-step payments?​

When do I receive funds?​

Do you support Apple Pay / Google Pay?​

What about installments?​

Webhooks​

Will I receive duplicate events?​

How do I verify the signature?​

How long does Migo retry failed deliveries?​

Can I pause event delivery?​

Subscriptions​

Is the first charge automatic?​

What if a scheduled charge fails?​

Can I charge outside the schedule?​

Cards & wallet​

Do Migo-issued cards work with Apple / Google Pay?​

How do I retrieve a CVV?​

Can a card belong to multiple users?​

Compliance​

What's Migo's PCI-DSS scope?​

Where is data stored?​

Can I get a SOC 2 report?​

Errors​

I got a 7604 INVALID_SIGNATURE — what's wrong?​

I got a 7616 KEYS_EXPIRED — what does this mean?​

What does 7303 INSUFFICIENT_FUNDS mean?​

Still stuck?​