Maximum number of objects to return per page. Defaults to 20, capped at
100.
API reference
The CashSDK REST API — base URLs, conventions, versioning, and pagination.
The CashSDK API is a RESTful interface over HTTPS. Every request and response
body is JSON. Resources are addressed by stable, prefixed identifiers (for
example app_, txn_, evt_), and every mutating call is authenticated with a
secret key.
Base URLs#
https://api.cashsdk.com
All endpoints live under the /v1 prefix, so a full URL looks like
https://api.cashsdk.com/v1/apps.
Conventions#
- HTTPS + JSON. Send
Content-Type: application/jsonon requests with a body. Responses are always JSON. - Authentication. Pass a bearer token in the
Authorizationheader on every request. See Authentication. - Identifiers. IDs are opaque strings with a type prefix. Treat them as case-sensitive and do not parse their contents.
- Timestamps. All timestamps are ISO 8601 strings in UTC, for example
2026-07-17T18:24:05Z. - Money. Monetary amounts are integers in the currency's minor units
(cents for USD), paired with an ISO 4217
currencycode.
Versioning#
The API is versioned in the URL path (/v1). Backwards-incompatible changes
ship under a new version prefix; additive changes (new fields, new endpoints,
new event types) may appear within v1 without notice, so write clients that
ignore unknown fields.
Pagination#
List endpoints are cursor-paginated. Pass limit to cap the page size and
cursor to fetch the next page. Every list response is wrapped in an envelope:
{
"data": [
{ "id": "txn_9f2a1c", "app_user_id": "u_812", "amount": 899 }
],
"has_more": true,
"next_cursor": "eyJpZCI6InR4bl85ZjJhMWMifQ"
}
limitintegercursorstringAn opaque cursor returned as next_cursor on the previous page. Omit it to
start from the first page.
Keep requesting with the returned next_cursor until has_more is false.
Endpoint groups#
Read and configure your apps, and check setup status.
Products, entitlements, and store mappings.
Remote paywalls and templates.
Look up customers and their entitlement state.
Grant and revoke access programmatically.
Purchases, renewals, and refunds.
Validate Apple and Google receipts server-side.
Register endpoints and verify signatures.
The recent event stream and event types.
Status codes, error bodies, and rate limits.