1 of 66

Flash Payments Developer API

Overview

Flash Payments Developer API documentation

General information

Flash Payments API is GraphQL-based, offering simple and developer-friendly querying experience. All data is exchanged in JSON format.

Flash Payments API playground is located here: https://api.uat.flash-payments.com.au/

Complete API docs

This documentation website does not have full list of API fields and methods. This is intentional. The full list of the API calls you can performs and the data fields you can send/receive is listed in the API Playground (click "DOCS" on the right hand side).

High level feature overview

You can search, visualise, or extract your data using our FlashConnect interface.

Instant local Australian deposit (aka pay-in)

Once registration is complete, a dedicated BSB and Virtual Account Number (VAN) for use within Australia will be assigned to you.

IMPORTANT: Your Australian VAN will be restricted to local Australian transfers. For international payments (aka FX payments), we offer different solutions.

Any funds deposited to your VAN would increase your Flash Payments balance. We store and retain the reference attached to each deposit (e.g., an invoice number) to support your reconciliation or reporting needs.

By default, only you can deposit into your VAN. Third-party deposits are also supported, but this feature must be enabled separately

Deposits are typically processed in real time, but depending on the bank, there may be a delay of up to 24 hours.

You can configure webhook notifications to receive alerts for every deposit made to your VAN. Please visit to set up your deposit webhook.

You can manually reject unwanted deposits via the interface. The funds will be returned to the original sender bank account.

The Flash Payments API enables you to withdraw funds from your Flash Payments balance. By default, only you are authorized to receive these withdrawals. Third-party withdrawals (also known as payouts) are available upon request and require separate activation.

If your payout involves a foreign exchange (FX) payment, it must be processed using the Australian Direct Entry system in accordance with legal requirements. Processing time may vary from immediate to a few hours. Other payouts are credited instantly.

If a payout fails, you will receive a webhook notification detailing the reason for the failure.

The payout remitter name is configurable. You can give us the remitter name as withdrawal.sender data property. This is especially useful for FX-linked payouts. If a Brazilian mama Katarina Oreiro sends money to her son in Australia, he will see his mom's name in the bank statement - "Payment from Katarina Oreiro".

Payouts can also be done via the interface.

You can send your Flash Payments balance internationally via our API and benefit from instant delivery to many countries with local instant payment systems (e.g. Philippines)

To initiate a payment, you must pre-create the sender and recipient via the API.

All entities in our database, including withdrawals, payments, senders, and recipients, can store your system’s unique identifier. Please refer to the externalId field in the .

Payment delivery times depend on the recipient's country. While many are processed quickly, some may take additional time. You’ll be notified via webhook whenever the payment status changes.

You can send funds through an international payment to your Flash Payments account. A webhook notification will be triggered when we detect payments from other countries.

The API token you generate expires in 4 hours. You can always use logout GraphQL mutation to expire it earlier.

You can't reset your own password until we verify your identity.

The interface supports Google and One-Time-Password logins.

Webhooks have cryptographic signatures.

IP address whitelisting feature is available from FlashConnect interface allowing login to our APIs from only preapproved addresses that you specify.

API rate limiting is in place to ensure stable performance of our service and prevent its potential abuse.

Contact with us via or by clicking the Intercom button on the bottom right of this page.
Explain what kind of services you are looking from Flash Payments.
We will examine your needs and explain how to get access to our UAT environment.

For more detailed instructions head to the page.

While we will endeavour to not introduce any breaking changes they might still occur in the future. In that case we will communicate about the upcoming changes via your registered email.

Basics

Why GraphQL

General information how to start using Flash Payments API

The examples below assume you are a verified customer of Flash Payments and have been enabled for API access.

GraphQL Playground

All the GraphQL queries can be sent via the GraphQL Playground or as a HTTP POST request to https://api.uat.flash-payments.com.au. Example:

echo '{
  "query":
    "{
       quote(input: {
         fromCurrency: AUD, toCurrency: USD, size: 9.9, currency: AUD
       })
       {
         bid ask symbol timestamp inverted
       }
     }"
}' | curl -X POST 'https://api.uat.flash-payments.com.au' \
-H 'authorization: Bearer YOUR_TOKEN' \
-H 'content-type: application/json' \
-d @-

All the responses are JSON and have at least one property data and optional property errors.

{
  "data": { ... },
  "errors": [ ... ]
}

In GraphQL Playground query editor press Cmd+Space or Ctrl+Space or Opt+Space or Alt+Space or Shift+Space to show context help and possible options.

Some of the GraphQL query parameters are required, others are optional. To understand if a variable/property is required you would need to check the API schema.

Go to the and click the button "DOCS" on the right.
Browse through queries, mutations, input and output types. Find a variable/property which have an exclamation mark at the end. E.g. fromCurrency: FromCurrency!.
The exclamation mark denotes that the variable/property is mandatory.

It is a good idea to always send custom user-agent HTTP header value when doing requests to Flash Payments API. Here is why:

In case of troubleshooting we will be able to trace and mitigate your support questions faster.
You might be blocked by our automated firewall if your user agent is something generic like curl, Java-http-client, python-requests, Ruby, etc.

Our API have smart monitoring and it may temporarily block your IP if it detects system misuse. For more information, please refer to the page.

Sending data as JSON

Here is how to send your data to us as JSON instead of embedding it into the GraphQL queries.

For your initial tests, it may be easier and more practical to send data by embedding values directly into the GraphQL queries and mutations, as shown in the example below.

At the same time, to enable efficient and accurate handling of complex queries in code, we support sending GraphQL queries as JSON objects that consist of two properties: "query" and "variables". Here is how you can do it:

Declare the $input variable in the QraphQL "query"

Required fields

Here is how to identify the mandatory input fields for your GraphQL queries and mutations.

Most documentation examples utilise typical GraphQL input data for successfully executing queries.

It's strongly encouraged that you always submit complete and accurate data, as this reduces our compliance team's reviewing efforts and, as a result, speeds up transactions and provides a great experience for your customers.

At the same time, we recognise that gathering complete customer information can be technically challenging, particularly regarding country-specific address details or account information. As a result, our API documentation emphasises the required input fields based on the principle of minimal necessity.

Please pay attention to the exclamation mark ( ! ) next to the field type in the API schema specification from the "Docs" section of our API Playground. Those are the required fields as it's demonstated on the screenshot below:

Please always verify that you have all required data to initiate a successful mutation or query.

Ad hoc webhooks

How to secure your callback endpoints

When sending a payment, creating a local withdrawal or ordering a conversion you can provide us a webhook (callback) URI - callbackUri. We will call it when a payment or withdrawal status changes.

We recommend API clients to generate and add ?signature=ASecretPerPaymentKey query to your callbackUri to make sure it's Flash Payments calling your webhook endpoint. For example:

https://my-webhooks.example.com/flash-payments?signature=oZaDlmfXbdXSKCnuWrvos2ImVBFX2Ru5

To avoid storing the signatures in a database we recommend generating them on the fly using a strong hash function or any kind of cryptography.

Example

This is just an example. Feel free to sign your URLs the way you want.

You would need to implement two functions.

Function to generate "signature".
Function to verify the "signature".

Node.js pseudo code to generate a signature in your integration code.

The code above creates a callbackUri and externalId variables. Use both of them when creating a transfer in Flash Payments API.

Node.js pseudo code of your webhook HTTP request handler.

Regular webhooks

How to setup web hooks for your integration

Event notifications with webhooks

Flash Payments uses webhooks to notify your application when a transaction event happens in your account. This includes status update of your withdrawal, clearing of the incoming deposit, and more.

With webhooks, you can subscribe to the events of interest to trigger a subsequent action within your integration.

There are two steps to begin using webhooks. Building a custom endpoint on your server and registering it via the FlashConnect settings.

Building webhook endpoint

Each time a transaction event happens, we will send a HTTP POST request to your endpoint(s) that are subscribed to that event. The payload with event data is in the JSON format and can be used immediately. Every webhook endpoint must acknowledge the request, and as we strongly advise, verify the webhook signature.

Acknowledging request

To acknowledge the receipt of the event, your endpoint must return 2xx HTTP status code. All other response codes, including 3xx codes, indicate that you did not receive the event.

If we do not receive 200 HTTP status code, we will make up to 3 more request attempts. There is 6, 60 and 600 seconds delay between each delivery attempt respectively. If all request attempts fail, we mark webhook request as failed and will no longer try to deliver it.

Each webhook request has a flashfx-request-id header with a string that uniquely identifies a webhook event. For example, if there are multiple delivery attempts for the webhook event, each request will hold the same flashfx-request-id. This can be used to check if the webhook event was already processed by your application.

We advise that you acknowledge webhook request as early as possible.

Securing the request

To ensure that webhook was sent by Flash Payments and not a third party, we include the cryptographic signature in each request’s flashfx-signature header.

Before you can verify a signature, you need to retrieve your endpoint’s secret from webhook settings in the . Each registered endpoint has a unique secret that is used to sign a payload delivered to you on each event. Steps to verify signature:

Extract signature from the request header
Compute HMAC with SHA256 function. Use your endpoint secret as key and JSON payload string as a message.
Compare signature in the header to the computed signature.

Here is a Node.js pseudo code to generate and compare signatures

And verifying signature

Testing your endpoint

To make sure your webhook endpoint is setup correctly, you can make a test HTTP request from the webhook settings. Click the "Send Test” button. You should receive a dummy request, which will need to be acknowledged the same way as your real webhook requests.

Then go to the history of the webhook requests and find the test request and response there.

Webhook requests come with event data. You can see all available event types in the settings. To subscribe, select which events you would like to receive and specify your endpoint. Please note, your endpoint must adhere to the HTTPS protocol for security reasons.

Accounts

Master Balance

Query your master account balances

Paste this query to the GraphQL Playground

The cleared is the Primary balance you see on the Flash Connect website.

The pending balance is typically not shown on the Flash Connect interface because it's rather short lived. If your Pending

Statement

Understand every movement of your primary balance

This query returns the same data as the Download CSV button on the Account Statement page of the Flash Connect.

The dates must be any ISO 8601 formatted dates.

const bodyJSON = {
  variables

query($input: StatementQueryInput!) {

{
  "input": {
    "fromDate": "2023-08-28T00:00:00+03:00",
    "currency": "USD"
  }
}

{
  "data": {
    "statement": [
      {
        "success": true,
        "code": "GENERATED",
        "message": "Statement generated",
        "fromDate": "2023-08-27T21:00:00Z",
        "toDate": "2023-08-28T21:00:00Z",
        "rows": {
          [
            {
              "debit": 123.45,
              "credit": 0
            }
          ]
        }
      }
    ]
  }
}

The response dates are aways UTC. Timezones are always taken into account.

Virtual account numbers

Generate named Virtual Account Numbers (aka sub-clients) for your clients' for collection

The sub-client (aka merchant) feature allows you to create client accounts for deposit collection purposes. These virtual accounts can be issued to individuals, companies, or other organisations.

Each sub-client will receive a dedicated BSB and Vitrual Account Number (VAN) that you or your clients can use to accept and withdraw domestic AUD transfers within Australia.

The account name is your sub-client's name. For companies - it's their tradingAsName or legalName. For individuals - it's their fullName (firstName + middleName

Sub-client statuses

Sub-client VANs lifecycle

A sub-client lifecycle follows these stages.

A sub-client is created and has the temporary INITIATED status. At this stage, the request has been received and the system is currently processing it.

If processing is completed successfully, the sub-client automatically transitions to the ACTIVE. In this status, the sub-client is fully activated and approved.

If the sub-client requires manual compliance review, the sub-client moves from INITIATED to the temporary UNAPPROVED status. From this status it would eventually transition to either ACTIVE or FAILED_KYC. Typically, we can't disclose the exact reason of the KYC failure, while it mostly happens because we do not have risk appetite for your client.

You can deactivate the client (via API of Flash Connect), - it'd move from ACTIVE to DEACTIVATED. A sub-client in the DEACTIVATED status can be activated by you at any time, returning to ACTIVE.

At any point, a sub-client may be moved to DISABLED. In this status, the sub-client is disabled and cannot be enabled by you, and contacting support is required for further information.

Moving funds

Payouts

Disburse your money to a third party bank account

You can create payouts via the createWithdrawal mutation.

You can retrieve your payouts via the withdrawals query.

Sometimes you'd need to understand the supported delivery methods using the availableDeliveryMethods query.

If you get instructed by another financial institution then you must submit their details too.

If the payouts didn't pass compliance we would reject it with a proper rejection code and descriptive message.

Withdrawal statuses

Withdrawal processing statuses

You create a withdrawal. Your balance goes down by the withdrawal amount plus fee. INITIALISED
1. We might internally review the transaction. INITIALISED-> REVIEWING
2. If review goes well it will become pending. REVIEWING→ PENDING
3. Otherwise it gets cancelled. REVIEWING→ CANCELLED
The transaction is sent to the recipient bank for processing. INITIALISED → PENDING
PENDING →
- CONFIRMED - the recipient bank has the money now. Does not mean the beneficiary account number was credited though. Mostly FINAL status. Except when bank decides to return the funds, the withdrawal gets refunded (see step 4).
The recipient bank decided to return this transaction back to Flash Payments.CONFIRMED → FAILED → REFUNDED - usual way - automatic refunding. Your balance goes up by the withdrawal amount, Flash Payments keeps the fee. FINAL status.

The payout passed our automated compliance checks and was processed successfully:

INITIALISED→PENDING→CONFIRMED

The payout was successfully processed after a manual compliance review:

INITIALISED→REVIEWING→PENDING→CONFIRMED

Recipient bank accepts the payout but then returns it:

INITIALISED→PENDING→CONFIRMED→FAILED→REFUNDED

Recipient bank rejects the payout:

INITIALISED→PENDING→FAILED→REFUNDED

Flash Payments Compliance team rejects the payout:

INITIALISED→REVIEWING→CANCELLED

Withdrawal outcomes simulation

Test common payout outcomes in UAT, as you build and exercise your integration solution against the full range of real-life withdrawal flows, statuses and webhooks before going live.

To trigger a happy or unhappy path scenario, put the corresponding keyword in the externalReference field when you submit a withdrawal. The keyword instructs our system to automatically simulate that outcome instead of routing the withdrawal through the standard compliance and payout pipelines, which may require manual intervention by a compliance analyst. Typically, you want to adapt your system to handle the following common withdrawal scenarios:

1. Too long in the REVIEWING status

If your withdrawal is in this status this means that we are doing an internal review of it. It happens occasionally when you trigger our monitoring rules. Also, this means that we have sent your Compliance Team (or else) an email message requesting more information. You must respond. In other words, if there is a delay - it's on you. Because Flash Payments delivers all your transactions in real-time 24/7.

Please always provide accurate and information, including the full address, to prevent delays associated with internal compliance reviews on our side.

Sender and recipient addresses are automatically validated when a transaction is created. If the address cannot be verified, the transaction will be flagged for review by our Compliance team, resulting in processing delays. To help ensure smooth and timely processing, please provide complete and accurate address details.

You can simulate the behaviour. Your externalReference must include this text: HALT_AML. For example: "testing HALT_AML attempt 2". The withdrawal will get stuck in REVIEWING forever.

We checked the data you sent us for withdrawal. We didn't like it. So we cancel it immediately.

You can simulate the behaviour. Your externalReference must include this text: FAIL_AML. For example: "testing FAIL_AML attempt 4". The withdrawal will be cancelled next moment after you submit it.

If our smart AML/TM checks stop your withdrawal for manual review, you can have it automatically pushed forward by including PUSH_AML in the externalReference. For example: "testing PUSH_AML attempt 5". This enables the transaction to continue as if it were approved by the compliance analyst. It can be particularly useful during your integration testing activities and also help with UAT regression testing later.

Please note that the REVIEWING status for this payout will be recorded on our end, and a withdrawal_reviewing webhook will be sent.

Whenever our Compliance team needs more details about specific withdrawal, you’ll receive an email with a link to the RFI form. The withdrawal will sit in REVIEWING until you respond to the RFI via the link in the email and a compliance analyst marks it satisfactory.

You can simulate the behaviour by including SEND_RFI text into the externalReference For example: "testing SEND_RFI attempt 3". The withdrawal remains in REVIEWING until you respond to the RFI. At that point, we will review your submission and provide feedback, and then manually push the transaction forward. The primary goal of this test is to familiarize your team with our RFI process and address any questions beforehand, ensuring a smooth transition to production.

A common scenario in the Australian domestic payment system involves a transaction that appears successful initially, but is later reversed by the recipient’s bank—sometimes days after processing. This can happen for various reasons, such as an invalid or closed account number, an account in the wrong currency, or other account-related issues.

You can simulate the behaviour. Your externalReference must include this text: FAIL_ACC. For example: "testing FAIL_ACC attempt 8". The withdrawal will be completed, and next moment failed and refunded.

Rejection codes

How to handle a payout rejection

If your withdrawal is canceled (aka rejected) by our AML and Compliance team, you'll receive the webhook containing both a rejection code (rejectCode) and a manually written rejection reason (statusMessage). You can find the same two properties within the GraphQL type.

Here is a current list of all possible rejectCodes, but please note this list can be extended with time.

Please also note that while the rejection codes are set, the corresponding free text statusMessage will have a case-by-case human written text explaining the root cause of the cancellation. We'll try to be as descriprive as possible taking into account the legal bounds (we are not allowed by the law to disclose certain information).

Deposits

Explains how to accept deposits programmatically

After fully registering with us, you get a BSB and a dedicated Virtual Account Number (VAN).

Every deposit to your VAN would increase your Flash Payments balance.

Every deposit can trigger a notification, keeping you informed in real time

The deposit data includes the payment reference (we call it externalReference in this API).

By default, only you are permitted to make deposits. However, we can enable third-party deposits for your account upon request. Once enabled, your account number functions as a local collection account, allowing others to deposit funds on your behalf.

We can also enable the

Deposit statuses

Deposit processing statuses

Upon detecting a deposit in a Flash Payments Virtual Account Number (VAN), we immediately record it as a deposit in our system.

The status of a successful deposit goes through the following lifecycle

INITIALISED->REVIEWING→CONFIRMED

If you choose to reject a deposit, its status goes through the following lifecycle instead:

INITIALISED->REVIEWING→CONFIRMED→REFUNDING→REFUNDED

If Flash Payments Compliance choose to reject a deposit, its status lifecycle goes through following stages:

INITIALISED→REVIEWING→REFUNDING→REFUNDED

Query deposits

Query all deposits

const bodyJSON = {
  variables

query($input: DepositQueryInput!) {

{ 
  "input": {
  }
}

{
  "data": {
    "deposits": [
      {
        "id": "6053d4e0e3bc655e0598a742",
        "amount": 2000,
        "currency": "AUD",
        "status": "CONFIRMED",
        "statusMessage": "Transaction Confirmed",
        "externalId": "PR.1vcl",
        "externalReference": "FX1111",
        "subClient": null,
        "createdAt": "2021-03-18T22:32:01.010Z"
      },
      {
        "id": "6053d3319588389e1443587e",
        "amount": 40,
        "currency": "AUD",
        "status": "CONFIRMED",
        "statusMessage": "Transaction Confirmed",
        "externalId": "PR.1vci",
        "externalReference": "FX2121",
        "subClient": {
          "id": "5fb314cb9224595df522db61",
          "fullName": "John Doe",
          "status": "ACTIVE",
          "clientType": "INDIVIDUAL"
        },
        "createdAt": "2021-03-18T22:24:49.096Z"
      },
    ]
  }
}

Query deposit by ID

const bodyJSON = {
  variables

query($input: ID) {

{
  # there are more query parameters available, see the API schema
  "input": "6053d4e0e3bc655e0598a742"
}

{
  "data": {
    "deposit": {
      "id": "6053d4e0e3bc655e0598a742",
      "amount": 2000,
      "currency": "AUD",
      "status": "CONFIRMED",
      "statusMessage": "Transaction Confirmed",
      "externalId": "PR.1vcl",
      "externalReference": "KX23249",
      "createdAt": "2021-03-18T22:32:01.010Z"
    }
  }
}

Refund deposits

Return the funds back to the original sender

Delivery methods

Different countries support different account types, transfer mechanisms, payment delivery methods.

Please verify that you have all the required data to initiate a successful payment transfer.

List all the available payment delivery methods

const bodyJSON = {
  variables

query($input: AvailableDeliveryMethodsInput!) {

{ 
  "input": {

{
  "data": {
    "availableDeliveryMethods": [
      {
        "country": "AE",
        "currency": "AED",
        "method": "ACC_NO",
        "requiredFields": [
          "bic",
          "accountNo"
        ]
      },
      {
        "country": "AT",
        "currency": "EUR",
        "method": "IBAN",
        "requiredFields": [
          "bic",
          "iban"
        ]
      },
...

The response above means that if you want to send euros to Austria (AT) then you'd need a BIC (aka SWIFT) code and an IBAN.

List some of the delivery methods

const bodyJSON = {
  variables:

query($input: AvailableDeliveryMethodsInput!) {

{
  "input": {
    "country": "FR", 
    "currency": "EUR" 
  }
}

The response above means that to send euros to France (FR) you have to have ether of:

BIC and an account number, or
BIC and an IBAN.

FX

Conversions

Convert between your multi-currency balances

If you use our multi-currency feature, you can exchange currency and convert funds between your master accounts in real-time.

Conversion fees are detailed in your contract and vary based on your use case and risk assessment.

Conversion statuses

The GraphQL schema defines statuses like this:

enum ConversionStatus {
    INITIALISED
    PENDING
    CONVERTED
    FAILED
    CANCELLED
}

The status of a conversion can be any of the following:

INITIALISED — A conversion record was created, but no further action has been taken. This status typically does not occur via the API.
PENDING — The conversion is in progress. This is the usual status immediately after creation.
CONVERTED — The conversion completed successfully. Your balances have been updated accordingly.
FAILED — An error occurred during the conversion. This is usually a temporary state.
CANCELLED — The conversion was not completed and has been cancelled. This action is typically performed by the Flash Payments operations team.

FX Payments

Convert and send your balance as single instruction

What we call "FX Payment" is a fully orchestrated account to account delivery of any currency(-ies) we support. Typical examples:

You need to send from the EU to Australia. You would have a European virtual IBAN on your name. As soon as you deposit some EUR to it - you'll see a corresponding amount of AUD on your master balance in a matter of minutes, which you'll be able to use immediately.
You need to fund someone's overseas IBAN in Euros. You send us the AUD and give us the recipient's details either via API or via you FlashConnect back-office GUI. We orchestrate the rest.

You can create payments. using the createPayment mutation.

You can your payments with the payments query.

But before you need to understand the supported delivery methods using the query.

Payment statuses

The GraphQL schema defines statuses like this:

The status of a payment can be any of the following:

Payment Statuses:

INITIALISING – a draft payment. It may or may not have all required information to be executed. Typically, this never happens through the API. Can be created via the under certain circumstances.
OPEN – The payment is in progress.

COMPLIANCE

Request for Information

Respond to compliance information requests programmatically

A Request for Information (RFI) is a compliance request raised by Flash Payments against deposits, withdrawals, or payments that require additional information before they can be released. RFIs are created on our side when a compliance review flags certain transactions — you cannot create RFIs via the API.

Each RFI carries a list of questions and a response deadline. There are two ways to respond:

Via the API (this section) — receive a webhook, , n with text or documents, or if you cannot comply.

RFI statuses

RFI lifecycle statuses

Most common RFI status transitions follow one of these paths.

Happy path

PENDING → ASSESSING → CLOSED

It starts when our compliance review flags one of your transactions. An RFI is created with a list of questions and a response deadline. Status PENDING means the RFI is open for your response. Answer each question via before deadline. The status stays PENDING until all answers are received or the deadline passes.
The last open question is answered. Status ASSESSING means that all your answers have been received and are under our review. No action is required from you.
The review is completed. Status CLOSED means that the RFI is finalised. No further answers are accepted. Final status.

Declined or expired path

PENDING → CLOSED

An RFI can also move to CLOSED directly from PENDING when you , or when the deadline passes without a complete response from your end.

Cancelled path

PENDING → CANCELLED or ASSESSING → CANCELLED

Separately from your responses, our compliance team can withdraw an RFI when the information is no longer needed — for example the underlying transaction question was resolved another way. The RFI moves to CANCELLED, no further answers are accepted, and any linked deposits, withdrawals, or payments are left untouched and continue on their own lifecycle. You don't need to do anything — we notify you by email and via the rfi_cancelled webhook. Final status.

Each transition emits a :

Event

Status

Status message

The statusMessage field carries a meaningful explanation of the current status, for example "We are waiting for your replies" while PENDING, or "We assessed the information you provided" once CLOSED. The exact wording varies with the circumstances — treat it as display text, not as a value to parse.

Decline an RFI

When you cannot provide the requested information

Use the declineRfi mutation when you are unable to provide the requested information — the API equivalent of "Unable to comply" on the secure form.

Declining:

marks the RFI as CLOSED — an webhook is dispatched;

RFI response codes

All reply codes and GraphQL errors

There are two places an RFI call can report a problem: the code field on the mutation reply payload, and the top-level GraphQL errors array.

Returned in the code field of AnswerRfiQuestionReply / DeclineRfiReply:

Mutation

Confirmation of Payee

Verify that a payee's account name matches their bank account details

Confirmation of Payee (CoP) is a security feature that verifies whether an account holder's name matches the account details you provide. It helps to:

Reduce fraud by verifying the account holder's name before sending funds
Prevent accidental payments to wrong accounts due to mistyped details
Provide confidence that money is being sent to the intended recipient
Alert you when the account name doesn't match or only partially matches

To verify account details, execute the confirmationOfPayee mutation. You must provide the accountIdType, the relevant account details, and the accountName you wish to verify.

The code field in the response indicates the .

The billable field indicates whether the CoP request may be subject to a fee.

CoP response codes

Here is the list of all possible CoP response codes.

Code

Description

Recommended Action

Adverse Media Search

Screen individuals and organisations against adverse media sources

Adverse Media Search (AMS) lets you screen an individual or organisation against web-based adverse media sources — news articles, court records, and other publicly available content.

The feature is also available through the portal. You can perform the AMS directly from the UI, view your request history, and monitor usage statistics without writing any code. This can be useful for getting familiar with the feature before integrating it into your application via the API.

You can run a search via the adverseMediaSearch mutation or past searches via the amsRequest and amsRequests queries. Scans run in the background and can take several minutes. Use webhooks or poll the amsRequest query to track progress. See AMS statuses for the full lifecycle.

Address Cleanser

Validate and standardise physical addresses

Address Cleanser is a data-standardisation and geocoding utility designed to ensure physical addresses exist and are correctly formatted. It standardises a supplied address against multiple geocoding providers and returns a suggested recommendation together with a score.

It helps you:

Validate and standardise addresses before processing payments
Reduce failed deliveries due to incorrect or unrecognised addresses

Other

Reference data

- query bank information to validate if we support your BSB, IBAN, BIC (aka Swift code).
depositDetails - query the accounts you can send deposits to in order to increase your Flash Payments master balance.

Rate limiting

How to avoid and resolve HTTP 429 Too Many Requests

Limits

This API apply various rate limits depending on the type of HTTP request or GraphQL query being executed, as well as the number of such requests. The rate-limiting mechanism is quite dynamic and is based on the IP address(es), error rates, HTTP headers, and the GraphQL queries.

We do not disclose the exact limits due to their complexity and our security policy. However, it's nearly impossible to reach the limits if your requests are properly formed.

When one of the numerous limits exceeds the API typically responds with

the HTTP status 429
the HTTP header:
and a JSON body:

Here are the common situations when you might get yourself temporarily blocked:

When your requests produce numerous errors, e.g. malformed header, JSON body, or a GraphQL query.
When you send too many requests without a valid Authorization header.
When you send too many requests within a very short period.

Please contact our support team via the established communication channels. We will manually reset the counters for you.

API change log

History of changes to this API schema

2026-06-17

Added

New RFI status CANCELLED and a new rfi_cancelled webhook event.

Our compliance team can now withdraw their request for information when it is no longer needed — the RFI moves to CANCELLED, you are notified by email and webhook, no response is required, and any linked deposits, withdrawals, or payments are left unaffected.

New Address Cleanser API. You can now validate and standardise physical addresses against multiple geocoding providers directly via the API — useful before processing payments and for keeping your address data consistent.

New mutation — submits an address for cleansing. The result is returned synchronously with a suggested recommendation (approve, review, reject) and a score.
New and queries — retrieve your past requests with optional filters by recommendation and date range.

Charged per request — 1,000 requests per month are free. Please contact support to have this API enabled for your account.

New API. When our compliance review flags one of your transactions, we raise an RFI — you can now receive, answer, and decline RFIs programmatically instead of (or alongside) the secure form sent by email.

New and queries — retrieve your RFIs with optional filters by status and date range.
New mutation — answers a single RFI question with text and/or documents. Files are sent inline as base64; no separate upload step.
New mutation — declines an RFI when you cannot provide the requested information.

The RFI API is available to all clients — no enablement step is required.

New query. You can now programmatically retrieve the users registered on your client account — their contact details, roles, access controls and statuses — information previously only available via the Flash Connect portal.

Optional filters: status, roles, access. A member matches if it holds at least one of the listed values.
Results are always scoped to your own client account.

New Adverse Media Search (AMS) API. You can now screen individuals and organisations against web-based adverse media sources directly via the API.

New mutation — submits a search for an individual or organisation. The scan runs in the background; use the returned id to track progress.
New and queries — retrieves your AMS requests with optional filters by status, date range, name, and country.
Four new : ams_initialised, ams_pending

Please contact support to have this API enabled for your account.

New mutation. Confirmation of Payee (CoP) is a name-verification service for Australian domestic accounts. You can use it to check whether the recipient's name matches the account details held by their financial institution. The service currently supports Australian BSB accounts.

Two new objects to mutation. You can change a sub-client's address and postalAddress. The updated address will be re-verified, so please make sure to include all its components, even if some fields, like the country, remain unchanged.

New rail and railService properties to Withdrawal and Deposit payloads. You can now see exactly which payment infrastructure (such as NPP or BECS) and specific schemes (such as NPP IFTI) are used to route your transactions.

New currnecy property to the StatementQueryInput, which allows you to retrieve any currency balance, not just the default AUD.

New eventScheduledAt property to all payloads.

New sub-client (aka Virtual Account Number, VAN) .

Previously a sub-client could be in 2 statuses: ACTIVE and DEACTIVATED.

Now there are 6: INITIATED, ACTIVE, UNAPPROVED, DEACTIVATED, FAILED_KYC, DISABLED.

A set of new webhook events become available. See . A webhook is sent when a sub-client status gets changed.

A new rejectCode when we your payout - SOURCE_OF_FUNDS_INADEQUATE. You'll receive it if we sent you an RFI (request for information) but your response contained a low quality data.

Please note, that a sibling property statusMessage will be hand crafted so that you know what exactly is wrong with your RFI reply (within the legal bounds). Please use the text to improve your KYC processes.

A new rejectCode when we your payout - DATA_ENQUIRY_RESPONSE_INADEQUATE. You'll receive it if we sent you an RFI (request for information) but your response contained a low quality data.

The FX Payments createPayment can accept sender and recipient as JSON objects now too.

This means that when you need to do an orchestrated FX payment you need to submit only one HTTP request (createPayment) instead of 3 (createSender, createRecipient, and createPayment).

A high demand long awaited feature. You don't need to pre-create senders/recipients before submitting a payout using createWithdrawal .

This means that when you need to do a remittance payment (aka payout) you need to submit only one HTTP request (createWithdrawal) instead of 3 (createSender, createRecipient, and createWithdrawal).

Example:

Enum WithdrawalReason is renamed to TransactionReason. The reason field inside CreateWithdrawalInput and Withdrawal type now uses TransactionReason instead of WithdrawalReason.

The validation logic for the bic field in the createRecipient mutation has been relaxed:

When accountIdType is set to IBAN, BSB, or PAYID, the bic field is not required any more.
When accountIdType is set to ABA

Three new fields to the Withdrawal type:

clearedAt - the timestamp when the withdrawal become CONFIRMED.
rejectedAt - the timestamp when the it was rejected by Flash Payments. See the rejectCode and statusMessage fields to understand the rejection reason.

The new optional field called reason was added to the createWithdrawal mutation and Withdrawal type.

If you have a payment/transaction/payout purpose - you must submit it to us via the API. See all the possible purpose codes (aka reason values) in the (click the link in the header of this website), look inside the "docs" by the word "reason". You need to find the GraphQL enum called WithdrawalReason.

An optional affiliation field has been added to the login mutation. This field accepts the Affiliation enum values FP_AUS or FP_LUX, allowing users to specify which Flash Payments subsidiary account to access when multiple contractual agreements exist. It is only required if your have more than one such agreement with us.

Removed depositDetails query as deprecated and non-functioning since March 2024.

Improved validation rules for the following mutations: , , , , , and Affected fields: idDoc.docNumber idDoc.issuer legalName businessNumber legalName externalId. These fields allow only the ASCII characters now.

Also, the first, last, and middle names are limited to 75 chars now.

Also, FQDN-like names will be rejected. Examples: "Aaron x.com", "Ben.eu", "Visit as at URL:example.com/about", etc.

New fields have been added to the , , and mutations. You can now provide idDoc.country, idDoc.issueDate, and idDoc.expiryDate. The idDoc.issuer field now only stores additional information about the issuer, while idDoc.country holds the country code of the country that issued the document. To avoid creating a breaking change, we currently allow you to provide idDoc.country and/or idDoc.issuer. In the future, we plan to make idDoc.country a required field.

New mutation. You can change a sub-client's externalId now, but nothing else.

New the feature.

New mutation createConversion. New queries conversion and conversions.
The FromCurrency enum used to have only one item AUD. Now there are 8: AUD CAD CHF EUR GBP NZD SGD USD.

The bankInfo was not returning information about BICs and IBANs. It works now.

Improved validation of recipient, sender, withdrawal, institution related mutations. From now on email, companyName, legalName, businessNumber, externalReference must include only the ASCII characters.

Removed AccountIdType.PH_CASH, Recipient.phCashoutNetwork with RecipientInput.phCashoutNetwork and the corresponding enum type PhCashoutNetwork from the GraphQL schema. These were not working for more than a year.

Removed AccountIdType.RIPPLE, Recipient.rippleAddress with Recipient.destTag from the GraphQL schema. These were deprecated 2.5 years ago.

Removed Sender.isRipple and CurrencyIso3.XRP from the GraphQL schema. These were deprecated 2.5 years ago.

New introduced for rejected (aka cancelled) withdrawals. When withdrawals you can clearly see why using the new rejectCode and statusMessage. Available in the Withdrawal type and sent to your application via the webhook.

Improved to respond with appropriate error message when trying to change the recipient's accountIdType which is not allowed by design.

Added to the CreateWithdrawalInput.

Fields acceptingInstructionInstitutionSenderId and acceptingMoneyInstitutionSenderId were removed from the CreateWithdrawalInput.

Instead instructingInstitutionId was added. (A new API for creating "institutions" is coming soon, but at the moment they can be created via the Flash Connect.)

query.
- This query returns the same data as the Download CSV button on the Account Statement page of the . It explains every change of you primary balance.
- Currently it returns exactly 1 day of data. We plan to make date range selection more flexible in the future.

Changed links from to domain. Old domain will continue working unit future notice.

Our system always allowed accountNo to have letter. However, our API forced digits only. So, from now on, when you use createRecipient, your accountNo can have both letters and digits.

Improved mobile phone validation. Now if mobile starts with "00" it's treated as if it starts with "+".
Quote size accepts positive numbers only.

The recipient.mobile and sender.mobile can accept only valid international phone numbers.

Added the withdrawal_pending . Invoked after the transaction is sent to the recipient bank for processing.
Added for the withdrawal_pending .

idempotencyKey to createPayment input.
idempotencyKey to createWithdrawal input.

Fixed the withdrawal_reviewing . It was never sent before even though declared on the Flash Connect website.
Added for the withdrawal_reviewing .

Removed the auto-creation of id for embedded senders and recipients. This means that if you (or FlashFX system) have created withdrawals and payments without explicitly providing sender or recipient ID then from now on the sender.id or recipient.id will be null. But, if you create payments or withdrawals via this API then you will always have payment.sender.id or withdrwal.recipient.id.

Missing expireAt property to the Quote object returned by the quote query.

New REVIEWING status to deposit and withdrawal status enum.
- REVIEWING : deposit/withdrawal is being internally checked by our compliance team before proceeding.

New event type: deposit_initiated to notify that we received a deposit but not yet cleared it.
- Previously only the deposit_cleared was sent and customers had no idea we are holding (reviewing) the deposit.

New item in deposit and related webhooks:
- recipient - deposit recipient information as specified by deposit sender for this transaction:

Additional validation for dob field introduced for Senders, Recipients and Sub-clients to enforce the data is entered in YYYY-MM-DD format. The field will also allow for only the data after 1900-01-01 and individuals of 18 years of age or older.

Added validation of address fields. From now on, any address submitted as a part of any transaction should only include ASCII characters.

Added deposit.sender.accountName so that you can query who deposited money to your Virtual Account Number (VAN).

Additional validation for lastName, middleName and firstName introduced allowing only for latin alphabetical characters and special symbols:

FundingAccount type has been extended to include all deposit details you need to bring money to Australia. Your account address can now be retrieved using accountAddress property along with name and address fields which identify the accepting financial institution associated with your account.

lastName and firstName fields of Sender and Recipient objects can now be one symbol long to allow for initials. Please note that such single symbols have to be alphabetic.

Occasionally Payment objects do not have sender or recipient properties. Thus these properties are now marked at "not required" (exclamation mark was removed) when querying payments.
We have added rate limiting. You can receive HTTP 429 error code and get temporary blocked if abusing the API too much.

Removed XRP currency form the list of supported currencies.

While creating sub-clients the address of the person/company was not required. It was a bug which was fixed. To create a sub-client you would also need their: street address, suburb/city, state/region, postcode, and country.

Allow accountNo to be 4 digits long. Some old Japanese bank accounts could be just 4 digits.

The ability to query deposits, withdrawals, payments by the associated sub-client (subClientId).
The payments can also have sub-clients now. Added the Payment.subClient field.

The totalFee property to both Deposit and Withdrawal types as well as webhook payloads.

The bankInfo reference query. You can now validate your BSB for existence, check if we support your BIC, and retrieve BIC (aka SWIFT code) by IBAN.

The fundingAccounts and SubClient.fundingAccounts queries. It returns international bank account numbers you can deposit in order to bring money to Australia. See for more details.

The senderId was always required when creating withdrawals via createWithdrawal. But now, if you provided the subClientId and didn't provide the senderId the sub-client becomes the sender, and will be reported to the government as the sender. However, you still must provide the senderId if your sub-client moves funds for other people/companies.

Replaced docIssuer, docType and docNumber fields from CreateSubClientInput with idDoc nested field instead.

RecipientAccountIdType was fully duplicating the AccountIdType. Replace the former with the latter. This might break your auto-generated code in strongly typed languages. But won't change any API queries or responses. So, this change is not considered to be a breaking.

Added ability to disable and activate sub-clients
- mutation disableSubClient(id: ID!): MutateSubClientReply
- mutation activateSubClient(id: ID!): MutateSubClientReply

Added deposit queries
- query deposits(input: DepositQueryInput): [Deposit]
- query deposit(id: ID!): Deposit

These types and fields were never used by anyone for couple of years.

Removed enum DepositMechanism.
PaymentInput and ConfirmPaymentInput fields:

New item in BsbDepositDetails
- accountName - Australian account name.
New item in Withdrawal

New items in both query type and mutation input Senders.
- legalName
- tradingAsName

Fixed typo in RecipientQueryInput field name. snaps -> cnaps

New compliance-related fields to the CreateWithdrawalInput input:
- acceptingMoneyInstitutionSenderId - you must pre-create this Sender and submit every time if you are not the FI who collected the money for this withdrawal.

Fixed typo in the WithdrawalStatus enum item. INITIALISING -> INITIALISED

callbackUri to Payment, Withdrawal, CreateWithdrawalInput. Now you can query the callback/webhook URI you have supplied earlier. Also, this allows you to receive webhooks when you create a withdrawal (aka local payout).

New items in RecipientQueryInput. This means that recipients can be searched by:
- firstName
- lastName

Introduced Withdrawals - send money from your account (FlashFX digital wallet) to local banks.
- query withdrawal(id: ID): Withdrawal
- query withdrawals(input: WithdrawalQueryInput): [Withdrawal]

Removed the unused enum PaymentType. It has no sense and was deprecated a year ago.
- Simultaneously removed properties Payment.paymentType, PaymentQueryInput.paymentTypes, PaymentInput.paymentType.

Flash Payments Developer API

Overview

General information

Complete API docs

High level feature overview

Instant local Australian deposit (aka pay-in)

Basics

Why GraphQL

GraphQL Playground

Sending data as JSON

Required fields

Ad hoc webhooks

Example

Regular webhooks

Event notifications with webhooks

Building webhook endpoint

Accounts

Master Balance

Statement

Virtual account numbers

Sub-client statuses

Moving funds

Payouts

Withdrawal statuses

Withdrawal outcomes simulation

1. Too long in the REVIEWING status

Rejection codes

Deposits

Deposit statuses

Query deposits

Query all deposits

Query deposit by ID

Refund deposits

Delivery methods

List all the available payment delivery methods

List some of the delivery methods

FX

Conversions

Conversion statuses

FX Payments

Payment statuses

COMPLIANCE

Request for Information

RFI statuses

Decline an RFI

RFI response codes

Confirmation of Payee

CoP response codes

Adverse Media Search

Address Cleanser

Other

Reference data

Rate limiting

Limits

Ad hoc webhooks

Example

Generating signatures

Verifying signatures

Overview

General information

Complete API docs

High level feature overview

Instant local Australian deposit (aka pay-in)

Local Australian withdrawal (aka pay-out)

Send or receive money internationally

Security

How to start

Important notes

Breaking changes

Sub-client statuses

Payouts

Conversions

Conversion statuses

Why GraphQL

GraphQL Playground

Required fields

Deposit statuses

FX Payments

Adverse Media Search

Master Balance