1 of 40

Flash Payments Developer API

Overview

Flash Payments Developer API documentation

General information

Flash Payments API is GraphQL-based, offering simple and developer-friendly querying experience. All data is exchanged in JSON format.

Flash Payments API playground is located here: https://api.uat.flash-payments.com.au/

Complete API docs

This documentation website does not have full list of API fields and methods. This is intentional. The full list of the API calls you can performs and the data fields you can send/receive is listed in the API Playground (click "DOCS" on the right hand side).

High level feature overview

You can search, visualise, or extract your data using our FlashConnect interface.

Instant local Australian deposit (aka pay-in)

Once registration is complete, a dedicated BSB and Virtual Account Number (VAN) for use within Australia will be assigned to you.

IMPORTANT: Your Australian VAN will be restricted to local Australian transfers. For international payments (aka FX payments), we offer different solutions.

Any funds deposited to your VAN would increase your Flash Payments balance. We store and retain the reference attached to each deposit (e.g., an invoice number) to support your reconciliation or reporting needs.

By default, only you can deposit into your VAN. Third-party deposits are also supported, but this feature must be enabled separately

Deposits are typically processed in real time, but depending on the bank, there may be a delay of up to 24 hours.

You can configure webhook notifications to receive alerts for every deposit made to your VAN. Please visit FlashConnect to set up your deposit webhook.

You can manually reject unwanted deposits via the FlashConnect interface. The funds will be returned to the original sender bank account.

Local Australian withdrawal (aka pay-out)

The Flash Payments API enables you to withdraw funds from your Flash Payments balance. By default, only you are authorized to receive these withdrawals. Third-party withdrawals (also known as payouts) are available upon request and require separate activation.

If your payout involves a foreign exchange (FX) payment, it must be processed using the Australian Direct Entry system in accordance with legal requirements. Processing time may vary from immediate to a few hours. Other payouts are credited instantly.

If a payout fails, you will receive a webhook notification detailing the reason for the failure.

The payout remitter name is configurable. You can give us the remitter name as withdrawal.sender data property. This is especially useful for FX-linked payouts. If a Brazilian mama Katarina Oreiro sends money to her son in Australia, he will see his mom's name in the bank statement - "Payment from Katarina Oreiro".

Payouts can also be done via the FlashConnect interface.

Send or receive money internationally

You can send your Flash Payments balance internationally via our API and benefit from instant delivery to many countries with local instant payment systems (e.g. Philippines)

To initiate a payment, you must pre-create the sender and recipient via the API.

All entities in our database, including withdrawals, payments, senders, and recipients, can store your system’s unique identifier. Please refer to the externalId field in the API docs.

Payment delivery times depend on the recipient's country. While many are processed quickly, some may take additional time. You’ll be notified via webhook whenever the payment status changes.

You can send funds through an international payment to your Flash Payments account. A webhook notification will be triggered when we detect payments from other countries.

Security

The API token you generate expires in 4 hours. You can always use logout GraphQL mutation to expire it earlier.

You can't reset your own password until we verify your identity.

The FlashConnect interface supports Google and One-Time-Password logins.

Webhooks have cryptographic signatures.

IP address whitelisting feature is available from FlashConnect interface allowing login to our APIs from only preapproved addresses that you specify.

API rate limiting is in place to ensure stable performance of our service and prevent its potential abuse.

How to start

Contact with us via this page or by clicking the Intercom button on the bottom right of this page.
Explain what kind of services you are looking from Flash Payments.
We will examine your needs and explain how to get access to our UAT environment.

For more detailed instructions head to the Basics page.

Important notes

Breaking changes

While we will endeavour to not introduce any breaking changes they might still occur in the future. In that case we will communicate about the upcoming changes via your registered email.

Basics

General information how to start using Flash Payments API

Assumptions

The examples below assume you are a verified customer of Flash Payments and have been enabled for API access.

GraphQL Playground

All the GraphQL queries can be sent via the GraphQL Playground or as a HTTP POST request to https://api.uat.flash-payments.com.au. Example:

echo '{
  "query":
    "{
       quote(input: {
         fromCurrency: AUD, toCurrency: USD, size: 9.9, currency: AUD
       })
       {
         bid ask symbol timestamp inverted
       }
     }"
}' | curl -X POST 'https://api.uat.flash-payments.com.au' \
-H 'authorization: Bearer YOUR_TOKEN' \
-H 'content-type: application/json' \
-d @-

All the responses are JSON and have at least one property data and optional property errors.

{
  "data": { ... },
  "errors": [ ... ]
}

Tip

In GraphQL Playground query editor press Cmd+Space or Ctrl+Space or Opt+Space or Alt+Space or Shift+Space to show context help and possible options.

Some of the GraphQL query parameters are required, others are optional. To understand if a variable/property is required you would need to check the API schema.

Go to the GraphQL Playground and click the button "DOCS" on the right.
Browse through queries, mutations, input and output types. Find a variable/property which have an exclamation mark at the end. E.g. fromCurrency: FromCurrency!.
The exclamation mark denotes that the variable/property is mandatory.

Data cleansing is your responsibility

Do not ever send us "N/A" or "NA" or "NULL" or "null" or "nil" or any other dummy string values in any of the API fields.

The user-agent HTTP header

It is a good idea to always send custom user-agent HTTP header value when doing requests to Flash Payments API. Here is why:

In case of troubleshooting we will be able to trace and mitigate your support questions faster.
You might be blocked by our automated firewall if your user agent is something generic like curl, Java-http-client, python-requests, Ruby, etc.

429 Too many requests

Our API have smart monitoring. It might temporary block your IP address if it thinks you are abusing the system. There are many various scenarios when you can be blocked, but we won't going to disclose them at any point of time due to security reasons.

Sending data as JSON

Here is how to send your data to us as JSON instead of embedding it into the GraphQL queries.

For your initial tests, it may be easier and more practical to send data by embedding values directly into the GraphQL queries and mutations, as shown in the example below.

echo '{
  "query":
    "{
       quote(input: {
         fromCurrency: AUD, toCurrency: USD, size: 9.9, currency: AUD
       })
       {
         bid ask symbol timestamp inverted
       }
     }"
}' | curl -X POST 'https://api.uat.flash-payments.com.au' \
-H 'authorization: Bearer YOUR_TOKEN' \
-H 'content-type: application/json' \
-d @-

At the same time, to enable efficient and accurate handling of complex queries in code, we support sending GraphQL queries as JSON objects that consist of two properties: "query" and "variables". Here is how you can do it:

Declare the $input variable in the QraphQL "query" string. The technology also requires you to declare the type of your input(s). See the QueryInput in the example below.
Provide the "variables" object with the "input" property. The value of it must be a JSON object structured exactly as the QueryInput type.

Only include the top-level input argument in your GraphQL queries. Including additional types may lead to compatibility issues when schema changes are deployed in production.

If you're using third-party tools or libraries to construct GraphQL queries, be aware that they may generate unsupported structures. We recommend avoiding GraphQL libraries to reduce this risk.

echo '{
  "query":
    "query ($input: QuoteInput!) {
       quote(input: $input) { bid ask symbol timestamp inverted }
     }",
  "variables": { 
    "input": { "fromCurrency": "AUD", "toCurrency": "USD", "size": 9.9, "currency": "AUD" }
  }
}' | curl -X POST 'https://api.uat.flash-payments.com.au' \
-H 'authorization: Bearer YOUR_TOKEN' \
-H 'content-type: application/json' \
-d @-

Here is a screenshot of how a typical mutation looks like in the API Playground:

Same request as cURL:

echo '{
  "query":
    "mutation ($input: RecipientInput!) {
      createRecipient(input: $input) { code message recipient { id } }
    }",
  "variables": {
    "input": {
      "firstName": "Test",
      "lastName": "Lastest",
      "currency": "PHP",
      "accountIdType": "PH_CASH",
      "mobile": "+63 9121231234",
      "phCashoutNetwork": "MLHUILLIER",
      "address": {
        "building": "12th Floor Centerpoint Building",
        "street": "Julia Vargas Avenue corner Garnet Street",
        "suburb": "Pasig",
        "state": "manila",
        "country": "PH",
        "postcode": "1605"
      }
    }
  }
}' | curl 'https://api.uat.flash-payments.com.au' \
-H 'authorization: Bearer YOUR_TOKEN' \
-H 'content-type: application/json' \
-d @-

Required fields

Here is how to identify the required input fields for your GraphQL queries and mutations.

Most documentation examples utilise typical GraphQL input data for successfully executing queries.

It's strongly encouraged that you always submit complete and accurate data, as this reduces our compliance team's reviewing efforts and, as a result, speeds up transactions and provides a great experience for your customers.

At the same time, we recognise that gathering complete customer information can be technically challenging, particularly regarding country-specific address details or account information. As a result, our API documentation emphasises the required input fields based on the principle of minimal necessity.

Please pay attention to the exclamation mark ( ! ) next to the field type in the API schema specification from the "DOCS" section of our API Playground. Those are the required fields as it's demonstated on the screenshot below:

Please always verify that you have all required data to initiate a successful mutation or query.

Authentication

Get your access token

Before doing any other API calls you have to obtain an auth token. It's a standard JWT token carrying the following payload:

Tip: Use this handy website to parse the token contents:

The token lifetime is 4 hours at this time. We might change this value in the future.

Warning! You can't log in more than once per second. This limit is in place to maintain platform stability.

To be more future-proof, it is recommended to parse the token payload and compare current time to the token's expiration time. JavaScript code:

This login mutation is a subject to change in the future.

Getting a token

After we enable you, go to the , click "DOCS" on the right to explore the possibilities.
Find there the login mutation. Execute it to obtain your access token. For example: mutation { login(input: {email: "YOUR_EMAIL" password: "YOUR_PWD"}) {token message} }
Click the "HTTP HEADERS" on the bottom and add this: {"authorization": "Bearer YOUR_TOKEN"}. Replace the YOUR_TOKEN with the token you just got.
Execute any other queries.

Here is an example of the login query.

We suggest always sending your queries and related data separately using the "QUERY VARIABLES" tab in the or programmatically by .

If using then click the "HTTP HEADERS" on the bottom left and paste there the following (replace the YOUR_TOKEN with the value you have just received form the above mutation):

Affiliation

Clients that have contractual agreements with more than one subsidiary of Flash Payments, can use the optional field affiliation to control which account to log into.

The affiliation field accepts one of two constant values - FP_AUS or FP_LUX - which are passed unquoted.

If the affiliation value does not correspond to an existent account, authentication will fail with code UNREGISTERED even if an account exists with another affiliation and the credentials are correct.

If the user has multiple affiliations and the field affiliation is omitted, authentication will fail with code NEED_AFFILIATION.

Quote

Quote the current bid and ask for a currency pair and size.

Consider requesting an indicative quote to understand the current currency trading rates before deciding to take action. Please be aware that market makers are not required to honor indicative quotes.

Paste this query to the API Playground to request an indicative quote.

const bodyJSON = {
  variables: {
    input: {
      fromCurrency: "AUD",
      toCurrency: "USD",
      size: "10000",
      currency: "AUD",
    },
  },
  query: `
query ($input: QuoteInput!) { 
  quote(input: $input) {   
    bid ask symbol timestamp inverted 
  }
}`,
};

query($input: QuoteInput!) {
  quote(input: $input) {
    bid
    ask
    symbol
    timestamp
    inverted
  }
}

{
  "input": { 
    "fromCurrency": "AUD", 
    "toCurrency": "USD", 
    "size": "10000", 
    "currency": "AUD"
  }
}

{
  "data": {
    "quote": {
      "bid": 0.61104,
      "ask": 0.62077,
      "symbol": "USDAUD",
      "timestamp": "2018-08-13T07:54:54.993Z",
      "inverted": true
    }
  }
}

In contrast to an indicative quote, a tradable quote is guaranteed by the market maker.

Paste this query to the GraphQL Playground to request a tradable quote. It is important to consider the expireAt date and time, and preserve the id of a tradable quote for future createPayment and createConversion calls.

const bodyJSON = {
  variables: {
    input: {
      fromCurrency: "AUD",
      toCurrency: "USD",
      size: "10000",
      currency: "AUD",
      tradable: true,
    },
  },
  query: `
query ($input: QuoteInput!) { 
  quote(input: $input) {   
    bid ask symbol timestamp inverted expireAt id
  }
}`,
};

query($input: QuoteInput!) {
  quote(input: $input) {
    bid
    ask
    symbol
    timestamp
    inverted
    expireAt
    id
  }
}

 {
  "input": { 
    "fromCurrency": "AUD", 
    "toCurrency": "USD", 
    "size": "10000", 
    "currency": "AUD",
    "tradeable": true 
  }
}

{
  "data": {
    "quote": {
      "bid": 0.61339,
      "ask": 0.63101,
      "symbol": "AUDUSD",
      "timestamp": "2025-03-04T01:53:08.829Z",
      "inverted": false,
      "expireAt": "2025-03-04T01:55:08.830Z",
      "id": "67c65d04e5086d18751617ba"
    }
  }
}

Conversions

Convert between your multi-currency balances

If you use our multi-currency feature, you can exchange currency and convert funds between your master accounts in real-time.

Conversion fees are detailed in your contract and vary based on your use case and risk assessment.

Convert funds

Convert between your multi-currency balances

To convert between, say, AUD and EUR you should:

Request a tradeable quote with applicability: CONVERSION.
Retrieve the quote ID from the response.
Reference the quote ID when creating the conversion.

Get a tradable quote ID:

Convert funds:

Query conversions

You can query all your past conversions

Retrieving all your conversions

const bodyJSON = {
  variables: {
    input: {
    },
  },
  query: `
query ($input: ConversionQueryInput!) {
  conversions(input: $input) {   
    id fromCurrency toCurrency rate 
  }
}`,
};

 query($input: ConversionQueryInput!) {
  conversions(input: $input) {
    id
    fromCurrency
    toCurrency
    rate
    # there are many other properties
  }
}

 {
  "input": { 
  }
}

{
  "data": {
    "conversions": [
      {
        "id": "6b04c62ec0bf606bf216ae21",
        "fromCurrency": "AUD",
        "toCurrency": "EUR",
        "rate": 0.71
      },
      {
        "id": "6b04c6bfc0bf606bf216af06",
        "fromCurrency": "AUD",
        "toCurrency": "USD",
        "rate": 0.70
      },
      {
        "id": "6b04c8e3c0bf606bf216b026",
        "fromCurrency": "EUR",
        "toCurrency": "AUD",
        "rate": 0.71
      }
    ]
  }
}

Retrieving some of your conversions

const bodyJSON = {
  variables: {
    input: {
      statuses: "CONVERTED",
      toCurrencies: ["EUR","USD"], 
    },
  },
  query: `
query ($input: ConversionQueryInput!) {
  conversions(input: $input) {   
    id fromCurrency toCurrency rate 
  }
}`,
};

query($input: ConversionQueryInput!) {
  conversions(input: $input) {
    id
    fromCurrency
    toCurrency
    # there are many other properties
  }
}

{
  "input": { 
    "statuses": "CONVERTED",
    "toCurrencies": ["EUR","USD"]
  }
}

{
  "data": {
    "conversions": [
      {
        "id": "6833ad9b4e94acce5d4a031b",
        "fromCurrency": "AUD",
        "toCurrency": "USD"
      },
      {
        "id": "678a18bb2879c374b378ee71",
        "fromCurrency": "AUD",
        "toCurrency": "EUR"
      }
    ]
  }
}

Retrieving a single conversion by ID

const bodyJSON = {
  variables: {
    input: "6b04c62ec0bf606bf216ae21",
  },
  query: `
query ($input: ID) {  
  conversion(id: $input) {
    status createdAt fromAmount toAmount 
  }
}`,
};

query($input: ID) {
  conversion(id: $input) {
    status
    createdAt
    fromAmount
    toAmount
    # there are many other properties
  }
}

{
  "input": "6b04c62ec0bf606bf216ae21"
}

{
  "data": {
    "conversion": {
      "status": "CONVERTED",
      "createdAt": "2024-08-13T05:45:28.698Z",
      "fromAmount": 1000,
      "toAmount": 710.01
    }
  }
}

Conversion statuses

The GraphQL schema defines statuses like this:

The status of a conversion can be any of the following:

INITIALISED — A conversion record was created, but no further action has been taken. This status typically does not occur via the API.
PENDING — The conversion is in progress. This is the usual status immediately after creation.
CONVERTED — The conversion completed successfully. Your balances have been updated accordingly.
FAILED — An error occurred during the conversion. This is usually a temporary state.
CANCELLED — The conversion was not completed and has been cancelled. This action is typically performed by the Flash Payments operations team.

Balance

Query your account balances

Paste this query to the GraphQL Playground

The cleared is the Primary balance you see on the Flash Connect website.

The pending balance is typically not shown on the Flash Connect interface because it's rather short lived. If your Pending balance is not 0 then you can see it right next to the Primary balance.

If you omit the currencies input argument then the query would return all the currency balances you have. Contact us to enable more than just the default AUD currency.

Top up your UAT account balance

If you need to increase your UAT account balance please sign in to the Flash Connect website, open Deposits page, and click Send Test Deposit.

Statement

Understand every movement of your primary balance

This query returns the same data as the Download CSV button on the Account Statement page of the Flash Connect.

The dates must be any ISO 8601 formatted dates.

const bodyJSON = {
  variables: {
    input: {
        fromDate: "2023-08-28T00:00:00+03:00",
    },
  },
  query: `
query ($input: StatementQueryInput!) {
  statement(input: $input) {
    succes code message fromDate toDate 
      rows {
        debit credit
    }
  }  
}`,
};

query($input: StatementQueryInput!) {
  statement(input: $input) {
    success
    code
    message
    fromDate
    toDate
    rows {
      debit
      credit
      # and many other fields
    }
  }
}

{
  "input": {
    "fromDate": "2023-08-28T00:00:00+03:00"
  }
}

{
  "data": {
    "statement": [
      {
        "success": true,
        "code": "GENERATED",
        "message": "Statement generated",
        "fromDate": "2023-08-27T21:00:00Z",
        "toDate": "2023-08-28T21:00:00Z",
        "rows": {
          [
            {
              "debit": 123.45,
              "credit": 0
            }
          ]
        }
      }
    ]
  }
}

The response dates are aways UTC. Timezones are always taken into account.

Recipients

CRUD queries for your payment recipients

We are legally obliged to collect the actual recipient details. Please, do not send us an intermediate organisation details such as exchanges, banks, gateways, etc.

Please, send us the final funds recipient. If sending to self then please provide your own details. See the DOCS in for other recipient details options.

recipient and recipients queries - read your address book.
createRecipient - creates a new record in the Flash Payments database.
updateRecipient - updates an existing recipient.
deleteRecipient - deletes an existing recipient.

Query a single recipient

Query multiple recipients

Create a recipient

In addresses thesuburbfield is an Australian suburb. For other countries you should put the city (e.g. Manila or London) or any other small administrative area name.

If you find it technically challenging to submit all components of the recipients’s address, we would appreciate it if you could at least collect the recipients’s country along with a complete address string that includes the postcode and put them into the country and street fields, respectively. In this case, you can skip the postcode, suburb, and state fields, and the recipient record will still be created.

Create an Individual recipient

Create a Company recipient

Update recipient

Please note the recipient'saccountIdTypecan't be changed

Delete recipient

Delivery methods

Different countries support different account types, transfer mechanisms, payment delivery methods.

Please verify that you have all the required data to initiate a successful payment transfer.

List all the available payment delivery methods

const bodyJSON = {
  variables: {
    input: {
    },
  }, 
  query: `
query ($input: AvailableDeliveryMethodsInput!) {
  availableDeliveryMethods(input: $input) {
    country currency method requiredFields
  }
}`,
};

query($input: AvailableDeliveryMethodsInput!) {
  availableDeliveryMethods(input: $input) {
    country
    currency
    method
    requiredFields
  }
}

{ 
  "input": {
  }
}

{
  "data": {
    "availableDeliveryMethods": [
      {
        "country": "AE",
        "currency": "AED",
        "method": "ACC_NO",
        "requiredFields": [
          "bic",
          "accountNo"
        ]
      },
      {
        "country": "AT",
        "currency": "EUR",
        "method": "IBAN",
        "requiredFields": [
          "bic",
          "iban"
        ]
      },
...

The response above means that if you want to send euros to Austria (AT) then you'd need a BIC (aka SWIFT) code and an IBAN.

List some of the delivery methods

const bodyJSON = {
  variables: {
    input: {
      country: "FR",
      currency: "EUR",
    },
  }, 
  query: `
query ($input: AvailableDeliveryMethodsInput!) {
  availableDeliveryMethods(input: $input) {
    country currency method requiredFields
  }
}`,
};

query($input: AvailableDeliveryMethodsInput!) {
  availableDeliveryMethods(input: $input) {
    country
    currency
    method
    requiredFields
  }
}

{
  "input": {
    "country": "FR", 
    "currency": "EUR" 
  }
}

{
  "data": {
    "availableDeliveryMethods": [
      {
        "country": "FR",
        "currency": "EUR",
        "method": "ACC_NO",
        "requiredFields": [
          "bic",
          "accountNo"
        ]
      },
      {
        "country": "FR",
        "currency": "EUR",
        "method": "IBAN",
        "requiredFields": [
          "bic",
          "iban"
        ]
      }
    ]
  }
}

The response above means that to send euros to France (FR) you have to have ether of:

BIC and an account number, or
BIC and an IBAN.

Senders

CRUD queries for your payment senders

We are legally obliged to collect the actual sender details. Please, do not send us an intermediate organisation details such as exchanges, banks, gateways, etc.

If you want to receive funds from yourself then please provide your own details. See the DOCS in for other sender details options.

sender and senders queries - read your address book.
createSender - creates a new record in the Flash Payments database.
updateSender - updates an existing sender.
deleteSender - deletes an existing sender.

Query single sender

Query multiple senders

Create a sender

In addresses thesuburbfield is an Australian suburb. For other countries you should put the city (e.g. Manila or London) or any other small administrative area name.

If you find it technically challenging to submit all components of the sender’s address, we would appreciate it if you could at least collect the sender’s country along with a complete address string that includes the postcode and put them into the country and street fields, respectively. In this case, you can skip the postcode, suburb, and state fields, and the sender record will still be created.

The date of birth (dob) is not mandatory. However, if it is not provided, your transactions may undergo additional compliance reviews, which can lead to longer processing times—potentially several hours or days instead of seconds. Please also be aware that this may result in additional fees to cover the extra effort involved.

Create an Individual sender

Create a Company sender

Update sender

Delete sender

Payments

Convert your balance and send it as one FX payment instruction

You can retrieve all or some of your payments. If you are an organisation with multiple users then you have access to all their payments.

You can create payments. But before you need to:

Have a recipient ID (see Recipients to query your address book); otherwise
Understand the supported delivery methods using the availableDeliveryMethods query and create a new recipient

Once you have the recipient ID, you can initiate a withdrawal.

Payment statuses

The GraphQL schema defines statuses like this:

enum PaymentStatus {
  INITIALISING
  OPEN
  CLOSED
  FAILED
  CANCELLED
}

The status of a payment can be any of the following:

Payment Statuses:

INITIALISING – a draft payment. It may or may not have all required information to be executed. Typically, this never happens through the API. Can be created via the Flash Payments app under certain circumstances.
OPEN – The payment is in progress.
CLOSED – The payment was successfully delivered.
FAILED – An error occurred during processing.
CANCELLED – The payment did not complete and was cancelled, usually by the Flash Payments operations team.

Important to understand that the Payment.history is a transfer logs and is not related to payment status at all. Sometimes the history may contain half a dozen entries, however your payment will go through only two steps: OPEN and CLOSED.

Query payments

Retrieving all your payments

const bodyJSON = {
  variables: {
    input: {
    },
  },
  query: `
query ($input: PaymentQueryInput!) {
  payments(input: $input) {   
    id fromCurrency toCurrency 
  }
}`,
};

 query($input: PaymentQueryInput!) {
  payments(input: $input) {
    id
    fromCurrency
    toCurrency
    # there are many other properties
  }
}

 {
  "input": { 
  }
}

{
  "data": {
    "payments": [
      {
        "id": "5b04c62ec0bf606bf216ae21",
        "fromCurrency": "AUD",
        "toCurrency": "EUR"
      },
      {
        "id": "5b04c6bfc0bf606bf216af06",
        "fromCurrency": "AUD",
        "toCurrency": "USD"
      },
      {
        "id": "5b04c8e3c0bf606bf216b026",
        "fromCurrency": "EUR",
        "toCurrency": "AUD"
      }
    ]
  }
}

Retrieving some of your payments

const bodyJSON = {
  variables: {
    input: {
      statuses: "CLOSED",
      toCurrencies: ["EUR","USD"], 
    },
  },
  query: `
query ($input: PaymentQueryInput!) {
  payments(input: $input) {   
    id fromCurrency toCurrency 
  }
}`,
};

  query($input: PaymentQueryInput!) {
  payments(input: $input) {
    id
    fromCurrency
    toCurrency
    # there are many other properties
  }
}

 {
  # there are more query parameters available, see the API schema
  "input": { 
    "statuses": "CLOSED",
    "toCurrencies": ["EUR","USD"]
  }
}

{
  "data": {
    "payments": [
      {
        "id": "5b04c62ec0bf606bf216ae21",
        "fromCurrency": "AUD",
        "toCurrency": "EUR"
      },
      {
        "id": "5b04c6bfc0bf606bf216af06",
        "fromCurrency": "AUD",
        "toCurrency": "USD"
      }
    ]
  }
}

Retrieving a single payment

const bodyJSON = {
  variables: {
    input: "5b04c62ec0bf606bf216ae21",
  },
  query: `
query ($input: ID) {  
  payment(id: $input) {
    status createdAt size
  }
}`,
};

query($input: ID) {
  payment(id: $input) {
    status
    createdAt
    size
    # there are many other properties
  }
}

{
  # there are more query parameters available, see the API schema
  "input": "5b04c62ec0bf606bf216ae21"
}

{
  "data": {
    "payment": {
      "status": "CLOSED",
      "createdAt": "2018-08-13T05:45:28.698Z",
      "size": 1000
    }
  }
}

Send funds

To make a payment from AUD to a different currency, you need to execute the createPayment mutation as below.

Note that you must have enough AUD balance to make an outbound AUD payment.

Recipient - `recipientId`

You should and send us their ID.

We are legally obliged to collect the actual sender and beneficiary details. Please do not send us intermediate organisation details such as exchanges, banks, gateways, etc.

If it is an intermediate, please see instead.

Please always send us the ultimate sender and recipient. If sending funds to yourself, please provide your own details. See the schema in for other recipient details options.

If sending funds from yourself, there's an option to use your company's Flash account details as sender by default. Please consider the examples below.

Sender - `senderId` or `subClientId` , or neither

In the above createPayment example, you had to and use senderId as an input. Alternatively, if your account is configured to make FX payments on behalf of your , you may provide us with the sub-client ID, and the FX payment created will be linked to that sub-client. In this case, the subClientId will be used as the sender and will be reported to the government.

To use subClientId as the sender for your payments, please execute the createPayment mutation as below.

If your company is the ultimate sender for an FX payment, you can skip both the senderId and subClientId. In this situation, we will use your company’s Flash account as the sender for the payment. Please note that a new sender record will not be created in this case.

Please execute the following createPayment mutation to use your company's Flash account details as sender.

Callback (aka ) URI

We recommend against continuous polling for payment status changes. Instead, please use callbackUri.

The optional callbackUri will be invoked several times during the processing of a payment. These callbacks will usually occur soon (within several seconds) after the initial create payment call - but may be delayed in some cases. The example JSON payloads can be found on the .

Please note that toAmount (or fromAmount) and other fluctuating payment properties can change during payment execution.

Security note

The callback (aka ) endpoint URI can be invoked by anyone in the internet. Thus opening up a potential attack vector. See page to secure your data properly.

Auto receive funds

Automatically receive and convert funds from other countries and currencies

Some customers can automatically receive funds from overseas. Meaning, if we detect an overseas deposit to the Flash Payments controlled bank account(s) then we can automatically create an inbound payment, convert funds, and top up your Flash Payments balance with AUD.

Note! For sub-clients, a complete real-world address is mandatory. All address fields must be provided when creating a sub-client in our system. Additionally, funds must be sent from a bank account registered under your name or your sub-client’s name. In some cases, but not always, the payment must include the specific payment reference we provide. See below for more details.

Here is how it looks step by step.

We would need to enable the foreign currency auto-receiving feature for you.
You, or your Sub-client, would have a special bank account in, say, SEPA zone. Find the details below.
- The account number and payment reference depends on the currency and country you wish to deposit to. E.g. the EUR currency account is usually a British IBAN (starts with "GB").
You, or your Sub-client, would deposit money to it. Make sure to submit the exact payment reference we told you! Otherwise, your funds will be returned.
The Flash Payments would detect the account funding event and automatically create a EUR->AUD payment for you.
You would receive at least two webhook notifications - payment_created and payment_complete.
Your Flash Payments AUD balance would increase accordingly.

To find which foreign currency bank account you would need to deposit to, please go to the FlashConnect and find there the list of inbound currencies we support and the corresponding bank account numbers. It's called the "Funding Accounts" throughout the user interface.

Tip. You can simulate and test an international inbound payment with the FlashConnect tool in the UAT environment. Just go to the FX Payments page and click "SEND TEST INBOUND PAYMENT". Additionally, you can test an international inbound payment sent by your sub-client in the UAT. Just go to the Sub-clients page, find the sub-client, and click "SEND TEST INBOUND PAYMENT".

To find out the Funding Accounts via API please use the fundingAccounts query.

You should deposit your foreign currency to:

const bodyJSON = {
  variables: {
    input: {
      currencies: ["EUR","USD","HKD","CNY"],
      },
  },
  query: `
query ($input: FundingAccountQueryInput!) {
  fundingAccounts(input: $input) {
    iban accountNo accountName accountAddress bic currency externalReference
  }
}`,
};

  query($input: FundingAccountQueryInput!) {
  fundingAccounts(input: $input) {
    iban
    accountNo
    accountName
    accountAddress
    bic
    currency
    externalReference
  }
}

 {
  "input": { 
    "currencies": ["EUR", "USD", "HKD", "CNY"] 
  }
}

{
  "data": {
    "fundingAccounts": [
      {
        "iban": "GB91 BARC 2006 0565 4685 66",
        "accountNo": "65468566",
        "bic": "BARCGB22",
        "currency": "USD",
        "externalReference": "191127-99999"
      },
      {
        "iban": "GB05 BARC 2006 0574 7412 77",
        "accountNo": "74741277",
        "bic": "BARCGB22",
        "currency": "EUR",
        "externalReference": "191127-99999"
      },
      {
        "iban": null,
        "accountNo": "87135588",
        "bic": "BARCGB22",
        "currency": "CNY",
        "externalReference": "191127-99999"
      },
      {
        "iban": "GB87 BARC 2006 0546 9946 00",
        "accountNo": "46994600",
        "bic": "BARCGB22",
        "currency": "HKD",
        "externalReference": "191127-99999"
      }
    ]
  }
}

Your sub-clients should deposit their foreign currency to:

const bodyJSON = {
  variables: {
    sc: {
      externalId: "991188227733",
    },
    fa: {
      currencies: ["EUR","USD","CNY"],
    },
  },
  query: `
query ($sc: SubClientQueryInput!, $fa: FundingAccountQueryInput!) {
  subClients(input: $sc) {
    id externalId 
    fundingAccounts(input: $fa) {
      iban accountNo accountName accountAddress bic currency externalReference
    }
  }
}`,
};

query($sc: SubClientQueryInput!, $fa: FundingAccountQueryInput!) {
  subClients(input: $sc) {
    id
    externalId
    fundingAccounts(input: $fa) {
      iban
      accountNo
      accountName
      accountAddress
      bic
      currency
      externalReference
    }
  }
}

 {
  "sc": { 
    "externalId": "991188227733" 
  },
  "fa": {
    "currencies": ["EUR", "USD", "CNY"] 
  }
}

{
  "data": {
    "subClients": [
      {
        "id": "60a1e9e76eaedbf66964a323",
        "externalId": "991188227733",
        "fundingAccounts": [
          {
            "iban": "GB91 BARC 2006 0565 4685 66",
            "accountNo": "65468566",
            "bic": "BARCGB22",
            "currency": "USD",
            "externalReference": "210616-99999"
          },
          {
            "iban": "GB05 BARC 2006 0574 7412 77",
            "accountNo": "74741277",
            "bic": "BARCGB22",
            "currency": "EUR",
            "externalReference": "210616-99999"
          },
          {
            "iban": null,
            "accountNo": "87135588",
            "bic": "BARCGB22",
            "currency": "CNY",
            "externalReference": "210616-99999"
          },
        ]
      }
    ]
  }
}

Institutions

CRUD queries for Institutions

Instructing Institution

Institution entity is a piece of information about the party who instructed you to make the withdrawal. This data is important for compliance within Australia. This is not the sender. If there is no other institution who has instructed this withdrawal, leave this blank and your own details will be used for compliance and auditing purposes.

Creating institutions

via Flash Connect (you can copy an ID of an existing Institution).
via API by invoking createInstitution mutation.
by providing instructingInstitution object into createWithdrawal mutation.

Please avoid creating multiple Institutions for the same organisation because they are used for compliance reporting and subject to review.

Before creating or updating an institution we will try to find an existing one by:

By instructingInstitution.externalId
By instructingInstitution.businessNumber AND instructingInstitution.address.country
By instructingInstitution.legalName AND instructingInstitution.address.country

Creating institution example

Withdrawals

Disburse your money to Australian bank account(s)

You can retrieve all or some of your withdrawals.

You can create withdrawals. By default you can withdraw only to your personal Virtual Account Number (VAN).

If you are a fully verified customer you can payout to any bank account number in Australia. You'd need to:

have a recipient ID (see Recipients to query your address book); otherwise
understand the supported delivery methods using the availableDeliveryMethods query and create a new recipient

Once you have the recipient ID, you can initiate a withdrawal.

Withdraw funds

Send money from your Flash Payments balances to Australian bank accounts or internationally per your approved use case.

To make a withdrawal, you need to execute the createWithdrawal mutation as below.

You must have enough balance in your account for the chosen currency to make a withdrawal.

const bodyJSON = {
  variables: {
    input: {
      amount: 1000, 
      currency: "AUD",
      externalReference: "invoice #1234",
      recipientId: "5ba89a6b35a2b327b81ffc3b",
      senderId: "5eaf71a1cb328c56f94f9375",
      externalId: "12344321",
      idempotencyKey: "12344321",
    },
  }, 
  query: ` 
mutation ($input: CreateWithdrawalInput!) {
  createWithdrawal(input: $input) {
    success code message    
    withdrawal {
      id status amount currency    
    }  
  }
}`,
};

mutation($input: CreateWithdrawalInput!) {
  createWithdrawal(input: $input) {
    success
    code
    message
    withdrawal {
      id
      status
      amount
      currency
    }
  }
}

{ 
    "input": {
      "amount": 1000,
      "currency": "AUD",
      "externalReference": "invoice #1234",
      "recipientId": "5ba89a6b35a2b327b81ffc3b",
      "senderId": "5eaf71a1cb328c56f94f9375",
      "externalId": "12344321",
      "idempotencyKey": "12344321"
    }
}

{
  "data": {
    "createWithdrawal": {
      "success": true,
      "code": "OK",
      "message": "Scheduled for immediate execution",
      "withdrawal": {
        "id": "60711af8c078ba061f623531",
        "status": "PENDING",
        "amount": 1000,
        "currency": AUD
      }
    }
  }
}

Payment reference - `externalReference`

Arbitrary text, which will be seen in the ultimate recipient's bank statement. E.g. "invoice #123". Will be eventually truncated to 18 ASCII chars if delivered via Australia's old (DE, Direct Entry) payment system. However, if you choose to use the real-time NPP network, then the maximum length is 280 chars.

Recipient - `recipientId`

You should pre-create recipients and provide us with their ID. The recipient's Australian account must be either BSB or PAYID (coming soon).

Sender - `senderId` or `subClientId` , or neither

In the above createWithdrawal example, you had to first pre-create a sender and use senderId as an input. Alternatively, if your account is configured to disburse funds on behalf of your sub-clients, you may provide us with the sub-client ID, and the withdrawal created will be linked to that sub-client. In this case, the subClientId will be used as the sender and will be reported to the government.

To use subClientId as the sender for your withdrawal, please execute the createWithdrawal mutation as below.

const bodyJSON = {
  variables: {
    input: {
      amount: 1000, 
      currency: "AUD",
      externalReference: "invoice #1234",
      recipientId: "5ba89a6b35a2b327b81ffc3b",
      subClientId: "3fbj71b1dc328d56g94g9375",
      externalId: "123443212",
      idempotencyKey: "123443212",
    },
  }, 
  query: ` 
mutation ($input: CreateWithdrawalInput!) {
  createWithdrawal(input: $input) {
    success code message    
    withdrawal {
      id status amount currency    
    }  
  }
}`,
};

 mutation($input: CreateWithdrawalInput!) {
  createWithdrawal(input: $input) {
    success
    code
    message
    withdrawal {
      id
      status
      amount
      currency
    }
  }
}

 { 
    "input": {
      "amount": 1000,
      "currency": "AUD",
      "externalReference": "invoice #1234",
      "recipientId": "5ba89a6b35a2b327b81ffc3b",
      subClientId: "3fbj71b1dc328d56g94g9375",
      "externalId": "123443212",
      "idempotencyKey": "123443212"
    }
}

 {
  "data": {
    "createWithdrawal": {
      "success": true,
      "code": "OK",
      "message": "Scheduled for immediate execution",
      "withdrawal": {
        "id": "60711af8c078ba061f623531",
        "status": "PENDING",
        "amount": 1000,
        "currency": AUD
      }
    }
  }
}

We are legally obliged to collect the actual sender and beneficiary details. Please do not send us intermediate organisation details such as exchanges, banks, gateways, etc.

If it is an intermediate, please see Instiutions instead.

Please always send us the ultimate sender and recipient. If sending funds to yourself, please provide your own details. See the schema in Playground for other recipient details options.

If sending funds from yourself, there's an option to use your company's Flash account details as sender by default. Please consider the example below.

If your company is the ultimate sender for a withdrawal, you can skip both the senderId and subClientId. In this situation, we will use your company’s Flash account as the sender for the transaction. Please note that a new sender record will not be created in this case.

Please execute the following createWithdrawal mutation to use your company's Flash account details as sender.

const bodyJSON = {
  variables: {
    input: {
      amount: 500, 
      currency: "AUD",
      externalReference: "invoice #123",
      recipientId: "661e293b14a0e678c37fa327",
      externalId: "1234567890",
      idempotencyKey: "0987654321",
    },
  }, 
  query: ` 
mutation ($input: CreateWithdrawalInput!) {
  createWithdrawal(input: $input) {
    success code message    
    withdrawal {
      id status amount currency
      sender {
        firstName lastName companyName    
      }  
    }
  }
}`,
};

 mutation($input: CreateWithdrawalInput!) {
  createWithdrawal(input: $input) {
    success
    code
    message
    withdrawal {
      id
      status
      amount
      currency
      sender {
        firstName 
        lastName 
        companyName    
      }
    }
  }
}

 { 
    "input": {
      "amount": 500,
      "currency": "AUD",
      "externalReference": "invoice #123",
      "recipientId": "661e293b14a0e678c37fa327",
      "externalId": "1234567890",
      "idempotencyKey": "0987654321"
    }
}

{
  "data": {
    "createWithdrawal": {
      "success": true,
      "code": "SUCCESS",
      "message": "Withdrawal was created",
      "withdrawal": {
        "id": "67cb69f2ee6c254315bb1c3d",
        "status": "INITIALISED",
        "amount": 500,
        "currency": "AUD",
        "sender": {
          "firstName": "John",
          "lastName": "Smith",
          "companyName": "Smith Consulting Pty Ltd"
      }
    }
  }
}

Instructing Institutions

An organisation that instructed you to make a withdrawal. This data is mandatory if you submit this withdrawal on behalf of another financial institution.

For more information please see Institutions.

Using existing institutions `instructingInstitutionId`

This optional field refers to an existing Institution that was created earlier in the Flash Connect interface or via this API.

Create institutions on the fly using the `instructingInstitution` field

Optional field that allows you to provide Institution details without pre-creating one. Once passed, Flash Payments will create the Institution for you. Before creating an institution, we will try to find an existing one:

By instructingInstitution.externalId if present.
By instructingInstitution.businessNumber AND instructingInstitution.address.country

Callback (aka Webhook) URI

We recommend against continuous polling for withdrawal status changes. Instead, please use callbackUri.

The optional callbackUri will be invoked several times during the processing of a withdrawal. These callbacks will usually occur soon (within several seconds) after the initial create withdrawal call - but may be delayed in some cases. The example JSON payloads can be found on the Webhooks page.

Security note

The callback (aka webhook) endpoint URI can be invoked by anyone on the internet. Thus opening up a potential attack vector. See Webhooks page to secure your data properly.

Withdrawal statuses

Withdrawal processing statuses

You create a withdrawal. Your balance goes down by the withdrawal amount plus fee. INITIALISED
1. We might internally review the transaction. INITIALISED-> REVIEWING
2. If review goes well it will become pending. REVIEWING→ PENDING
3. Otherwise it gets cancelled. REVIEWING→ CANCELLED
The transaction is sent to the recipient bank for processing. INITIALISED → PENDING
PENDING →
- CONFIRMED - the recipient bank has the money now. Does not mean the beneficiary account number was credited though. Mostly FINAL status. Except when bank decides to return the funds, the withdrawal gets refunded (see step 4).
- FAILED - NOT FINAL status. Depending on the processing error we have three scenarios now.
  - REFUNDED - see step 4 below.
  - CANCELLED - manual action. Your balance goes up by the amount, Flash Payments keeps the fee. FINAL status.
  - PENDING - rare case - retrying. Sometimes it might work. Go to item 3.
The recipient bank decided to return this transaction back to Flash Payments.CONFIRMED → FAILED → REFUNDED - usual way - automatic refunding. Your balance goes up by the withdrawal amount, Flash Payments keeps the fee. FINAL status.

The REVIEWING is an optional action by Flash Payments Compliance team. Occasionally we pick some transactions for extended AML/CT review. Most transactions do not ever get into the REVIEWING status.

Most common status transitions

Happy path

INITIALISED→REVIEWING→PENDING→CONFIRMED

Unhappy paths

Recipient bank accepts the payout but then returns it:

INITIALISED→PENDING→CONFIRMED→FAILED→REFUNDED

Recipient bank rejects the payout:

INITIALISED→PENDING→FAILED→REFUNDED

Flash Payments Compliance team rejects the payout:

INITIALISED→REVIEWING→CANCELLED

Testing/simulating unhappy paths

Typically, you want to adapt your system to handle the following common withdrawal scenarios:

1. Too long in the REVIEWING status

If your withdrawal is in this status this means that we are doing an internal review of it. It happens occasionally when you trigger our monitoring rules. Also, this means that we have sent your Compliance Team (or else) an email message requesting more information. You must respond. In other words, if there is a delay - it's on you. Because Flash Payments delivers all your transactions in real-time 24/7.

Please always provide accurate and information, including the full address, to prevent delays associated with internal compliance reviews on our side.

Sender and recipient addresses are automatically validated when a transaction is created. If the address cannot be verified, the transaction will be flagged for review by our Compliance team, resulting in processing delays. To help ensure smooth and timely processing, please provide complete and accurate address details.

You can simulate the behaviour. Your externalReference must include this text: HALT_AML. For example: "testing HALT_AML attempt 2". The withdrawal will get stuck in REVIEWING forever.

2. Fails AML and gets cancelled

We checked the data you sent us for withdrawal. We didn't like it. So we cancel it immediately.

You can simulate the behaviour. Your externalReference must include this text: FAIL_AML. For example: "testing FAIL_AML attempt 4". The withdrawal will be cancelled next moment after you submit it.

3. Recipient bank rejects the money

A common scenario in the Australian domestic payment system involves a transaction that appears successful initially, but is later reversed by the recipient’s bank—sometimes days after processing. This can happen for various reasons, such as an invalid or closed account number, an account in the wrong currency, or other account-related issues.

You can simulate the behaviour. Your externalReference must include this text: FAIL_ACC. For example: "testing FAIL_ACC attempt 8". The withdrawal will be completed, and next moment failed and refunded.

Query withdrawals

Retrieving all your withdrawals

const bodyJSON = {
  variables: {
    input: {
    },
  },
  query: `
query ($input: WithdrawalQueryInput!) {
  withdrawals(input: $input) {   
    id
    recipient {
     firstName lastName
    }
  }
}`,
};

query($input: WithdrawalQueryInput!) {
  withdrawals(input: $input) {
    id
    recipient {
      firstName
      lastName
    } 
    # there are many other properties
  }
}

{ 
  "input": {
  }
}

{
  "data": {
    "withdrawals": [
      {
        "id": "5b04c62ec0bf606bf216ae21",
        "recipient": {
          "firstName": "John"
          "lastName": "Smith"
        }
      },
      {
        "id": "5b04c6bfc0bf606bf216af06",
        "recipient": {
          "firstName": "John"
          "lastName": "Smith"
        }
      },
      {
        "id": "5b04c8e3c0bf606bf216b026",
        "recipient": {
          "firstName": "John"
          "lastName": "Smith"
        }
      }
    ]
  }
}

Retrieving some of your withdrawals

const bodyJSON = {
  variables: {
    input: {
      statuses: "CONFIRMED",
      maxCreatedAt: "2020-01-29",
    },
  },
  query: `
query ($input: WithdrawalQueryInput!) {
  withdrawals(input: $input) {   
    id createdAt 
  }
}`,
};

query($input: WithdrawalQueryInput!) {
  withdrawals(input: $input) {
    id
    createdAt 
    # there are many other properties
  }
}

{    
  # there are more query parameters available, see the API schema
  "input": {
    "statuses": "CONFIRMED",
    "maxCreatedAt": "2020-01-29"
  }  
}

{
  "data": {
    "withdrawals": [
      {
        "id": "5b04c62ec0bf606bf216ae21",
        "createdAt": "2020-01-17T07:21:20.247Z"
      },
      {
        "id": "5b04c6bfc0bf606bf216af06",
        "createdAt": "2018-08-13T05:45:28.698Z"
      }
    ]
  }
}

Retrieving a single withdrawal

const bodyJSON = {
  variables: {
    input: "5b04c62ec0bf606bf216ae21",
  },
  query: `
query ($input: ID) {  
  withdrawal(id: $input) {
    status createdAt amount
  }
}`,
};

query($input: ID) {
  withdrawal(id: $input) {
    status
    createdAt
    amount
    # there are many other properties
  }
}

{
  # there are more query parameters available, see the API schema
  "input": "5b04c62ec0bf606bf216ae21"
}

{
  "data": {
    "withdrawal": {
      "status": "CONFIRMED",
      "createdAt": "2020-01-17T07:21:20.247Z",
      "amount": 1000
    }
  }
}

Deposits

Explains how to accept deposits programmatically

After fully registering with us, you get a BSB and a dedicated Virtual Account Number (VAN).

IMPORTANT: Your Australian VAN will be restricted to local Australian transfers. For international payments (aka FX payments), we offer different solutions.

Every deposit to your VAN would increase your Flash Payments balance.

Every deposit can trigger a notification, keeping you informed in real time

The deposit data includes the payment reference (we call it externalReference in this API).

By default, only you are permitted to make deposits. However, we can enable third-party deposits for your account upon request. Once enabled, your account number functions as a local collection account, allowing others to deposit funds on your behalf.

We can also enable the feature. It allows you to programmatically create client accounts with dedicated BSB and account number for transactional purposes. You can give these bank account details to your clients to accept deposits. Once funds arrive, we will increase your account balance, and you will see a deposit with sub-client information linked to it.

To browse your deposits, you can use our interface.

Tip. You can simulate and test a deposit with the FlashConnect tool in the UAT environment. Just go to the Deposits page and click "SEND TEST DEPOSIT". Additionally, you can test a deposit sent by your in the UAT. Just go to the Sub-clients page, find the sub-client, and click "SEND TEST DEPOSIT".

Deposit statuses

Deposit processing statuses

Upon detecting a deposit in a Flash Payments Virtual Account Number (VAN), we immediately record it as a deposit in our system.

The status of a successful deposit goes through the following lifecycle

INITIALISED->REVIEWING→CONFIRMED

If you choose to reject a deposit, its status goes through the following lifecycle instead:

INITIALISED->REVIEWING→CONFIRMED→REFUNDING→REFUNDED

If Flash Payments Compliance choose to reject a deposit, its status lifecycle goes through following stages:

INITIALISED→REVIEWING→REFUNDING→REFUNDED

Query deposits

Query all deposits

const bodyJSON = {
  variables: {
    input: {
    },
  },
  query: `
query ($input: DepositQueryInput!) {
  deposits(input: $input) {
    id amount currency status statusMessage externalId externalReference
    subClient {
      id fullName status clientType
    }    
    createdAt
  }
}`,
};

query($input: DepositQueryInput!) {
  deposits(input: $input) {
    id
    amount
    currency
    status
    statusMessage
    externalId
    externalReference
    subClient {
      id
      fullName
      status
      clientType
    }
    createdAt
    # more fields available, see API schema
  }
}

{ 
  "input": {
  }
}

{
  "data": {
    "deposits": [
      {
        "id": "6053d4e0e3bc655e0598a742",
        "amount": 2000,
        "currency": "AUD",
        "status": "CONFIRMED",
        "statusMessage": "Transaction Confirmed",
        "externalId": "PR.1vcl",
        "externalReference": "FX1111",
        "subClient": null,
        "createdAt": "2021-03-18T22:32:01.010Z"
      },
      {
        "id": "6053d3319588389e1443587e",
        "amount": 40,
        "currency": "AUD",
        "status": "CONFIRMED",
        "statusMessage": "Transaction Confirmed",
        "externalId": "PR.1vci",
        "externalReference": "FX2121",
        "subClient": {
          "id": "5fb314cb9224595df522db61",
          "fullName": "John Doe",
          "status": "ACTIVE",
          "clientType": "INDIVIDUAL"
        },
        "createdAt": "2021-03-18T22:24:49.096Z"
      },
    ]
  }
}

Query deposit by ID

const bodyJSON = {
  variables: {
    input: "6053d4e0e3bc655e0598a742",
  },
  query: `
query ($input: ID) {  
  deposit(id: $input) {
    id 
    amount currency status statusMessage externalId externalReference createdAt
  }
}`,
};

query($input: ID) {
  deposit(id: $input) {
    id
    amount
    currency
    status
    statusMessage
    externalId
    externalReference
    createdAt
    # more fields available, see API schema
  }
}

{
  # there are more query parameters available, see the API schema
  "input": "6053d4e0e3bc655e0598a742"
}

{
  "data": {
    "deposit": {
      "id": "6053d4e0e3bc655e0598a742",
      "amount": 2000,
      "currency": "AUD",
      "status": "CONFIRMED",
      "statusMessage": "Transaction Confirmed",
      "externalId": "PR.1vcl",
      "externalReference": "KX23249",
      "createdAt": "2021-03-18T22:32:01.010Z"
    }
  }
}

Refund deposits

Return the funds back to the original sender

Refund deposit by ID

const bodyJSON = {
  variables: {
    id: "6053d4e0e3bc655e0598a742",
    input: {
      amount: 10,
      reason: "sent by mistake",
    },
  }, 
  query: `
mutation ($id: ID!, $input: RefundDepositInput!) {
  refundDeposit(id: $id, input: $input) {
    success code message
  }
}`,
};

mutation($id: ID!, $input: RefundDepositInput!) {
  refundDeposit(id: $id, input: $input) {
    success
    code
    message
  }
}

{ 
  "id": "6053d4e0e3bc655e0598a742",
  "input": { 
    "amount": 10, 
    "reason": "sent by mistake"
  }
}

{
  "data": {
    "refundDeposit": {
      "success": true,
      "code": "REFUND_SENT",
      "message": "Refund initiated successfully"
    }
  }
}

Sub-clients

Generate Virtual Account Numbers for your clients for collection

The sub-client (aka merchant) feature allows you to create client accounts for deposit collection purposes. These virtual accounts can be issued to individuals, companies, or other organisations.

Note: This feature is disabled by default. Contact us if you want it.

Each sub-client will receive a dedicated BSB and Vitrual Account Number (VAN) that you or your clients can use to accept and withdraw domestic AUD transfers within Australia.

IMPORTANT: Your Australian VAN will be restricted to local Australian transfers. For international payments (aka FX payments), we offer different solutions.

The account name is your sub-client's name. For companies - it's their tradingAsName or legalName. For individuals - it's their fullName (firstName + middleName + lastName).

If your Flash account has a multi-currency feature enabled, each of your sub-clients will also have access to virtual accounts in the selected currencies for which you hold balances.

All sent to your sub-client Virtual Account Numbers (VANs) are booked on your (master-client's) corresponding account balances. Sub-clients can't have their own balances.

You can and on behalf of your sub-clients by providing the sub-client ID when you create withdrawals or payments. This sub-client record will then be used as the sender, linked to the transaction, and reported to the government.

Notifications via will provide important sub-client information as well.

Create sub-clients

There are two types of sub-clients: company and individual.

For every company registered as a sub-client, there must be one contact person for individual data submitted. Ideally, the contact person should be a company director or have a similar role. Therefore, if you are creating a sub-client of the company type, we require you to provide extra details:

legalName - company legal name
businessNumber - company business number (e.g. ABN in Australia)

If the above fields are not set, the sub-client will be created as individual type.

This action creates a real account number. If you ever submit fake, unreal, testing, or incorrect data - you will be immediately blocked from Flash Payments services.

Please add all possible precautions, processes, staff training, warning messages, and validation checks to your system(s) before creating a sub-client.

Please follow our latest requirements for the proper sub-client data submission:

Provide properfirstNameandlastName
Provide propermobilenumber
Provide proper dob : the person must be under 65 years of age
Provide proper residential address Including unit and street number. The sub-client address should correspond to your approved use case from the contract. By default, you're only allowed to have local Australian sub-accounts. Any non-Australian entities will undergo extended due diligence based on their location and industry relevance for Flash Payments.
Provide properidDoc (type, docNumber, issuer (optional), issueDate (optional), expiryDate (optional), and country ) based on the sub-client contact person's address. For Australian residents, either a driver’s license or a passport is accepted. For non-Australian residents, only a passport is accepted as a document type.
Sometimes, we ask our partners to provide “instructing institution” information, but only if you are creating this VAN on behalf of another financial institution. More about institutions here. You may provide the ID of the already created institution via the field instructingInstitutionId or as a full object via the instructingInstitution field.

The above personal data submission requirements should be as equally followed for the company contact person, with the exception of address property, which can be a company address in this case.

To create a sub-client, you need to execute the createSubClient mutation as below. You can find the description of each field in the GraphQL API schema.

const bodyJSON = {
  variables: { 
    input: {
      legalName: "Chineese Tradings", 
      businessNumber: "330782000329701", 
      firstName: "John", 
      lastName: "Smith", 
      email: "[email protected]",
      mobile: "+61422832849",
      dob: "1979-05-12",
      address: {
        building: "25",
        street: "Xihu Road, Yuexiu District",
        suburb: "Guangzhou City",
        state: "Guangdong Province",
        postcode: "510030",
        country: "CN",
      },
      idDoc: {
        type: "passport",
        docNumber: "FF1948394",
        issuer: "Australian Passport Office (APO)",
        issueDate: "2000-01-01",
        expiryDate: "2045-01-01",
        country: "AU",
      },
      externalId: "991188227733",
    },
  },
  query: `
mutation ($input: CreateSubClientInput!) {
  createSubClient(input: $input) {
    success code message
    subClient {
      id legalName businessNumber fullName clientType status
      primaryContact {
        firstName lastName email mobile dob
      }
      address {
        country
      }      
      bsb accountNo externalId
    }
  }
}`,
};

mutation($input: CreateSubClientInput!) {
  createSubClient(input: $input) {
    success
    code
    message
    subClient {
      id
      legalName
      businessNumber
      fullName
      clientType
      status
      primaryContact {
        firstName
        lastName
        email
        mobile
        dob
      }
      address {
        country
      }
      bsb
      accountNo
      externalId
      # more properties available, see API schema
    }
  }
}

{ 
  "input": {
    "legalName": "Chineese Tradings",
    "businessNumber": "330782000329701",
    "firstName": "John",
    "lastName": "Smith",
    "email": "[email protected]",
    "mobile": "+61422832849",
    "dob": "1979-05-12",
    "address": {
      "building": "25",
      "street": "Xihu Road, Yuexiu District",
      "suburb": "Guangzhou City",
      "state": "Guangdong Province",
      "postcode": "510030",
      "country": "CN"
    },
    "idDoc": {
      "type": "passport",
      "docNumber": "FF1948394",
      "issuer": "Australian Passport Office (APO)",
      "issueDate": "2000-01-01",
      "expiryDate": "2045-01-01",
      "country": "AU"     
    },
    "externalId": "991188227733"
  }
}

{
  "data": {
    "createSubClient": {
      "success": true,
      "code": "SUBCLIENT_CREATED",
      "message": "Sub-client was successfully created",
      "subClient": {
        "id": "606d28675a2d931bc925fec2",
        "legalName": "Chineese Tradings",
        "businessNumber": "330782000329701",
        "fullName": "John Smith",
        "clientType": "INDIVIDUAL",
        "status": "ACTIVE",
        "primaryContact": {
          "firstName": "John",
          "lastName": "Smith",
          "email": "[email protected]",
          "mobile": "+61 422 832 849",
          "dob": "1979-05-12"
        },
        "address": {
          "country": "CN"
        },
        "bsb": "802919",
        "accountNo": "1066419",
        "externalId": "991188227733"
      }
    }
  }
}

Disable, Activate and Update sub-clients

You can disable and activate sub-clients. Deposits sent to a disabled sub-client will no longer be booked against your balance.

Disabling a sub-client

const bodyJSON = {
  variables: {
    input: "606128f24bf29139b2cf74ef",
  },
  query: `
mutation ($input: ID!) {
  disableSubClient(id: $input) {
    success code message 
    subClient {
      id status
    }
  }
}`,
};

mutation($input: ID!) {
  disableSubClient(id: $input) {
    success
    code
    message
    subClient {
      id
      status
    }
  }
}

{ 
   "input": "606128f24bf29139b2cf74ef"
}

{
  "data": {
    "disableSubClient": {
      "success": true,
      "code": "SUCCESS",
      "message": "Sub-client was successfully disabled",
      "subClient": {
        "id": "606128f24bf29139b2cf74ef",
        "status": "DISABLED"
      }
    }
  }
}

Activating a sub-client

const bodyJSON = {
  variables: {
    input: "606128f24bf29139b2cf74ef",
  },
  query: `
mutation ($input: ID!) {
  activateSubClient(id: $input) {
    success code message 
    subClient {
      id status
    }
  }
}`,
};

mutation($input: ID!) {
  activateSubClient(id: $input) {
    success
    code
    message
    subClient {
      id
      status
    }
  }
}

{ 
   "input": "606128f24bf29139b2cf74ef"
}

{
  "data": {
    "activateSubClient": {
      "success": true,
      "code": "SUCCESS",
      "message": "Sub-client was successfully activated",
      "subClient": {
        "id": "606128f24bf29139b2cf74ef",
        "status": "ACTIVE"
      }
    }
  }
}

Updating sub-clients

At this point, you can update the externalId property only because each sub-client has a set of linked domestic and international Virtual Account Numbers to send and receive funds.

const bodyJSON = { 
  variables: {
    id: "660fef8e1f3b5452bd6945ec",
    input: {
      externalId: "my_system_id_29f-ae0978b00d09e",
    },
  }, 
  query: `
mutation ($id: ID!, $input: UpdateSubClientInput!) {
  updateSubClient(id: $id, input: $input) {
    success code message
    subClient {
      id status externalId
    }
  }
}`,
};

mutation($id: ID!, $input: UpdateSubClientInput!) {
  updateSubClient(id: $id, input: $input) {
    success
    code
    message
    subClient {
      id
      status
      externalId
    }
  }
}

{ 
  "id": "660fef8e1f3b5452bd6945ec", 
  "input": {
    "externalId": "my_system_id_29f-ae0978b00d09e"
  }
}

{
  "data": {
    "updateSubClient": {
      "success": true,
      "code": "SUCCESS",
      "message": "Sub-client was successfully updated",
      "subClient": {
        "id": "660fef8e1f3b5452bd6945ec",
        "status": "ACTIVE",
        "externalId": "my_system_id_29f-ae0978b00d09e"
      }
    }
  }
}

Query sub-clients

Available queries

Query for a single sub-client

const bodyJSON = {
  variables: {
    id: "606d28675a2d931bc925fec2",
      input: {
        currencies: ["EUR","USD","HKD","CNY"],
      },
  },
  query: `
query ($id: ID!, $input: FundingAccountQueryInput!) {
  subClient(id: $id) {
    id fullName legalName tradingAsNam clientType status 
    primaryContact {
      firstName middleName lastName email dob mobile
    }
    address {
      building street suburb state country postcode
    }
    postalAddress {
      building street suburb state country postcode
    } 
    businessNumber bsb accountNo externalId
    fundingAccounts(input: $input) {
      iban accountNo bic currency externalReference
    }
  }
}`,
};

query($id: ID!, $input: FundingAccountQueryInput!) {
  subClient(id: $id) {
    id
    fullName
    legalName
    tradingAsName
    clientType
    status
    primaryContact {
      firstName
      middleName
      lastName
      email
      dob
      mobile
    }
    address {
      building
      street
      suburb
      state
      country
      postcode
    }
    postalAddress {
      building
      street
      suburb
      state
      country
      postcode
    }
    businessNumber
    bsb
    accountNo
  	externalId
    fundingAccounts(input: $input) {
      iban
      accountNo
      bic
      currency
      externalReference
    }
  }
}

{ 
  "id": "606d28675a2d931bc925fec2",
  "input": {
    "currencies": ["EUR", "USD", "HKD", "CNY"] 
  }
}

{
  "data": {
    "subClient": {
      "id": "606d28675a2d931bc925fec2",
      "fullName": "ACME Corp",
      "legalName": "ACME Corp",
      "tradingAsName": null,
      "clientType": "COMPANY",
      "status": "ACTIVE",
      "primaryContact": {
        "firstName": "John",
        "middleName": null,
        "lastName": "Smith",
        "email": "[email protected]",
        "dob": "1980-12-12",
        "mobile": "+61 422 832 849"
      },
      "address": {
        "building": "25",
        "street": "Moore St",
        "suburb": "Waterloo",
        "state": "NSW",
        "country": "AU",
        "postcode": "2017"
      },
      "postalAddress": {
        "building": "25",
        "street": "Moore St",
        "suburb": "Waterloo",
        "state": "NSW",
        "country": "AU",
        "postcode": "2017"
      },
      "businessNumber": "91383840265",
      "bsb": "802919",
      "accountNo": "1066419",
      "externalId": "991188227733"
    }
  }
}

Query for multiple sub-clients

const bodyJSON = {
  variables: {
    input: {
    },
  },
  query: `
query ($input: SubClientQueryInput!) {
  subClients(input: $input) {   
    id fullName legalName clientType status businessNumber
    bsb accountNo externalId
  }
}`,
};

query($input: SubClientQueryInput!){
  subClients(input: $input) {
    id
    fullName
    legalName
    clientType
    status
    businessNumber
    bsb
    accountNo
    externalId
    # any other set of properties
  }
}

 {
 "input": {
  }
}

{
  "data": {
    "subClients": [
      {
        "id": "5fb314cb9224595df522db61",
        "fullName": "Richard Smith",
        "legalName": null,
        "clientType": "INDIVIDUAL",
        "status": "ACTIVE",
        "businessNumber": null,
        "bsb": "802919",
        "accountNo": "1963041",
        "externalId": null
      },
      {
        "id": "60612f00a4d7dd5c96e37676",
        "fullName": "ABC Capital",
        "legalName": "ABC Co",
        "clientType": "COMPANY",
        "status": "ACTIVE",
        "businessNumber": "839399923932",
        "bsb": "802919",
        "accountNo": "1914920",
        "externalId": null
      }
    ]
  }
}

Query for multiple sub-clients with filters

const bodyJSON = {
  variables: {
    input: {
      clientType: "INDIVIDUAL",
      status: "ACTIVE",
      firstName: "John",
      lastName: "Smith",
      address: { 
        country: "AU", 
      },
    },
  },
  query: `
query ($input: SubClientQueryInput!) {
  subClients(input: $input) {   
    id fullName clientType status 
    primaryContact {
      firstName lastName
    }
    address {
      country
    }
  }
}`,
};

query($input: SubClientQueryInput!){
  subClients(input: $input) {
    id
    fullName
    clientType
    status   
    primaryContact {
      firstName
      lastName
    }
    address {
      country
    }
    # any other set of properties
  }
}

{   
# more filters available, see SubClientQueryInput in API schema
  "input": {
    "clientType": "INDIVIDUAL",
    "status": "ACTIVE",
    "firstName": "John",
    "lastName": "Smith",
    "address": { 
      "country": "AU" 
    }
  }
}

{
  "data": {
    "subClients": [
      {
        "id": "5fb314cb9224595df522db61",
        "fullName": "John Smith",
        "clientType": "INDIVIDUAL",
        "status": "ACTIVE",
        "primaryContact": {
          "firstName": "John",
          "lastName": "Smith"
        },
        "address": {
          "country": "AU"
        }
      }
    ]
  }
}

Webhooks

Two types of the webhooks

The primary triggers for all webhooks are status changes in payments, withdrawals, deposits, or conversions. For example, a webhook is sent when a withdrawal status changes from PENDING to CONFIRMED.

There are two types of webhooks in Flash Payments.

Regular webhooks - a URL would need to be saved to your FlashConnect settings. All types of events.
- You can lookup the history of all the HTTP requests and responses, their JSON bodies and headers.
- If there is no response we will show you what exactly the problem is: DNS issue, networking issue, 5XX response, etc.
- You can receive webhooks when a deposit lands to your Virtual Account Number (VAN).
Ad hoc webhooks - you would need to provide a callback URL per payment/withdrawal while creating them. Only "payment", "withdrawal", and "conversion" events are supported.

The webhooks HTTP POST calls will follow all the standard HTTP redirects (3XX codes).

Security

Cryptographic signature

All webhook HTTP requests carry a cryptographic signature. Ad hoc and regular webhooks do it slightly different though.

Flash Payments webhook request IP address

All webhook HTTP requests would be coming from these IP addresses:

Development environment: 52.62.195.119
UAT environment: 52.64.185.170 and 13.210.129.208
Production environment: 52.62.138.234 and 52.65.3.195

Example payloads

Deposits

deposit_initiated

{
  "event": "deposit_initiated",
  "id": "603f0198770d6595e3c83e0d",
  "amount": 100,
  "totalFee": 1,
  "currency": "AUD",
  "externalReference": "2233445566",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "statusMessage": "Deposit initiated",
  "recipient": {
    "accountName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387"
  },
  "sender": {
    "accountName": "ACME Inc",
    "companyName": "ACME Inc",
    "bankName": "Bank ACME",
    "bankCountry": "AU"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

deposit_reviewing

{
  "event": "deposit_reviewing",
  "id": "603f0198770d6595e3c83e0d",
  "amount": 100,
  "totalFee": 1,
  "currency": "AUD",
  "externalReference": "2233445566",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "statusMessage": "Awaiting manual compliance",
  "recipient": {
    "accountName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387"
  },
  "sender": {
    "accountName": "ACME Inc",
    "companyName": "ACME Inc",
    "bankName": "Bank ACME",
    "bankCountry": "AU"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

deposit_cleared

{
  "event": "deposit_cleared",
  "id": "603f0198770d6595e3c83e0d",
  "amount": 100,
  "totalFee": 1,
  "currency": "AUD",
  "externalReference": "2233445566",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "statusMessage": "Deposit cleared",
  "recipient": {
    "accountName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387"
  },
  "sender": {
    "accountName": "ACME Inc",
    "companyName": "ACME Inc",
    "bankName": "Bank ACME",
    "bankCountry": "AU"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

deposit_cancelled

{
  "event": "deposit_cancelled",
  "id": "603f0198770d6595e3c83e0d",
  "amount": 100,
  "totalFee": 1,
  "currency": "AUD",
  "externalReference": "2233445566",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "statusMessage": "Cancelled by: [email protected] : ",
  "recipient": {
    "accountName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387"
  },
    "sender": {
    "accountName": "ACME Inc",
    "companyName": "ACME Inc",
    "bankName": "Bank ACME",
    "bankCountry": "AU"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

deposit_refunding

{
  "event": "deposit_refunding",
  "id": "603f0198770d6595e3c83e0d",
  "amount": 100,
  "totalFee": 1,
  "refundAmount": 99,
  "currency": "AUD",
  "externalReference": "2233445566",
  "refundReason": "Client refund request",
  "statusMessage": "Deposit refunded",
  "refundedAt": "2021-03-03T03:28:43.936Z",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "recipient": {
    "accountName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387"
  },
    "sender": {
    "accountName": "ACME Inc",
    "companyName": "ACME Inc",
    "bankName": "Bank ACME",
    "bankCountry": "AU"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

deposit_refunded

{
  "event": "deposit_refunded",
  "id": "603f0198770d6595e3c83e0d",
  "amount": 100,
  "totalFee": 1,
  "refundAmount": 99,
  "currency": "AUD",
  "externalReference": "2233445566",
  "refundReason": "Client refund request",
  "statusMessage": "Deposit refunded",
  "refundedAt": "2021-03-03T03:28:43.936Z",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "recipient": {
    "accountName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387"
  },
    "sender": {
    "accountName": "ACME Inc",
    "companyName": "ACME Inc",
    "bankName": "Bank ACME",
    "bankCountry": "AU"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

Withdrawals

withdrawal_initiated

{
  "event": "withdrawal_initiated",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "currency": "AUD",
  "externalId": "12344321",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

withdrawal_reviewing

{
  "event": "withdrawal_reviewing",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "currency": "AUD",
  "statusMessage": "Awaiting manual compliance"
  "externalId": "12344321",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

withdrawal_pending

{
  "event": "withdrawal_pending",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "currency": "AUD",
  "statusMessage": "Sent to recipient bank"
  "externalId": "12344321",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

withdrawal_completed

{
  "event": "withdrawal_completed",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "currency": "AUD",
  "externalId": "12344321",
  "statusMessage": "Transaction Confirmed",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

withdrawal_failed

{
  "event": "withdrawal_failed",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "currency": "AUD",
  "externalId": "12344321",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

withdrawal_refunded

{
  "event": "withdrawal_refunded",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "refundAmount": 2000,
  "currency": "AUD",
  "externalId": "12344321",
  "refundReason": "No account or incorrect account number",
  "statusMessage": "Payout reversal",
  "refundedAt": "2021-03-04T15:21:11.920Z",
  "clearedAt": "2021-03-03T03:25:12.792Z",
  "recipient": {
    "displayName": "John Smith",
    "bsb": "012620",
    "accountNo": "89900998"
  },
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "John Smith",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

withdrawal_cancelled

{
  "event": "withdrawal_cancelled",
  "id": "51711af8c078ba061f623531",
  "amount": 2000,
  "totalFee": 1,
  "currency": "AUD",
  "externalId": "12344321",
  "rejectCode": "CANCELLATION_REQUESTED_BY_PARTICIPANT",
  "rejectedAt": "2025-07-24T21:41:14.581Z"
  "statusMessage": "The transaction is rejected upon request.",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

Payments

currency_converted

{
  "event": "currency_converted",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "externalId": "12344321"
}

payment_complete

{
  "event": "payment_complete",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "externalId": "12344321"
}

payment_failed

{
  "event": "payment_failed",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "externalId": "12344321"
}

payment_cancelled

{
  "event": "payment_cancelled",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "externalId": "12344321"
}

payment_created

{
  "event": "payment_created",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 3500,
  "fromCurrency": "EUR",
  "toAmount": 2501.94,
  "toCurrency": "AUD",
  "subClient": {
    "id": "203af01936410fd5d5e3c8f14d",
    "fullName": "ACME Inc",
    "accountNo": "1839394",
    "bsb": "809387",
    "externalId": "111222333"
  }
}

Conversions

conversion_initialised

{
  "event": "conversion_initialised",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "rate": 0.41104,
  "externalId": "12344321"
}

conversion_pending

{
  "event": "conversion_pending",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "rate": 0.41104,
  "externalId": "12344321"
}

conversion_converted

{
  "event": "conversion_pending",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "rate": 0.41104,
  "externalId": "12344321"
}

conversion_failed

{
  "event": "conversion_pending",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "rate": 0.41104,
  "externalId": "12344321"
}

conversion_cancelled

{
  "event": "conversion_pending",
  "id": "60711af8c078ba061f623531",
  "fromAmount": 1000,
  "fromCurrency": "AUD",
  "toAmount": 411.04,
  "toCurrency": "EUR",
  "rate": 0.41104,
  "externalId": "12344321"
}

Regular webhooks

How to setup web hooks for your integration

Event notifications with webhooks

Flash Payments uses webhooks to notify your application when a transaction event happens in your account. This includes status update of your withdrawal, clearing of the incoming deposit, and more.

With webhooks, you can subscribe to the events of interest to trigger a subsequent action within your integration.

There are two steps to begin using webhooks. Building a custom endpoint on your server and registering it via the settings.

Building webhook endpoint

Each time a transaction event happens, we will send a HTTP POST request to your endpoint(s) that are subscribed to that event. The payload with event data is in the JSON format and can be used immediately. Every webhook endpoint must acknowledge the request, and as we strongly advise, verify the webhook signature.

Acknowledging request

To acknowledge the receipt of the event, your endpoint must return 2xx HTTP status code. All other response codes, including 3xx codes, indicate that you did not receive the event.

If we do not receive 200 HTTP status code, we will make up to 3 more request attempts. There is 6, 60 and 600 seconds delay between each delivery attempt respectively. If all request attempts fail, we mark webhook request as failed and will no longer try to deliver it.

Each webhook request has a flashfx-request-id header with a string that uniquely identifies a webhook event. For example, if there are multiple delivery attempts for the webhook event, each request will hold the same flashfx-request-id. This can be used to check if the webhook event was already processed by your application.

We advise that you acknowledge webhook request as early as possible.

Securing the request

To ensure that webhook was sent by Flash Payments and not a third party, we include the cryptographic signature in each request’s flashfx-signature header.

Before you can verify a signature, you need to retrieve your endpoint’s secret from webhook settings in the . Each registered endpoint has a unique secret that is used to sign a payload delivered to you on each event. Steps to verify signature:

Extract signature from the request header
Compute HMAC with SHA256 function. Use your endpoint secret as key and JSON payload string as a message.
Compare signature in the header to the computed signature.

Here is a Node.js pseudo code to generate and compare signatures

And verifying signature

Testing your endpoint

To make sure your webhook endpoint is setup correctly, you can make a test HTTP request from the webhook settings. Click the "Send Test” button. You should receive a dummy request, which will need to be acknowledged the same way as your real webhook requests.

Subscribing to the events

Webhook requests come with event data. You can see all available event types in the settings. To subscribe, select which events you would like to receive and specify your endpoint. Please note, your endpoint must adhere to the HTTPS protocol for security reasons.

Ad hoc webhooks

How to secure your callback endpoints

When , or you can provide us a webhook (callback) URI - callbackUri. We will call it when a payment or withdrawal status changes.

We recommend API clients to generate and add ?signature=ASecretPerPaymentKey query to your callbackUri to make sure it's Flash Payments calling your webhook endpoint. For example:

To avoid storing the signatures in a database we recommend generating them on the fly using a strong hash function or any kind of cryptography.

Example

This is just an example. Feel free to sign your URLs the way you want.

You would need to implement two functions.

Function to generate "signature".
Function to verify the "signature".

Generating signatures

Node.js pseudo code for creating transfers in Flash Payments API.

The code above creates a callbackUri and externalId variables. Use both of them when creating a transfer in Flash Payments API.

Verifying signatures

Node.js pseudo code of the webhook endpoint HTTP request handler.

Reference data

- query bank information to validate if we support your BSB, IBAN, BIC (aka Swift code).
depositDetails - query the accounts you can send deposits to in order to increase your Flash Payments balance.
- query countries/currency combinations we support and what the required bank account details are.

Bank information

Ensuring bank details are correct

To validate BSB, BIC (aka SWIFT code) or IBAN use the bankInfo query.

The bankInfo query accepts only one of bsb, bic, or iban arguments. Otherwise, it will return an error.

The below sample queries will return null if the BSB, BIC, IBAN is not found.

Validate BSB

Validate BIC

Validate IBAN

Rejection codes

Transaction cancellation static codes and standard status messages

If your transaction is canceled by our Compliance team, the unique rejectCode and a corresponding standard statusMessage will be assigned to this transaction and sent to your application via proper webhook such as withdrawal_canceled to be used for a subsequent integration action such as field mapping or reconciliation.

Below is the latest list of our supported rejection codes and standard status messages. Please note, while the rejection codes are unique, you might see the corresponding free text status messages customized by our Compliance team for more accuracy and clarity of the information exchange.

rejectCode

statusMessage

CANCELLATION_REQUESTED_BY_PARTICIPANT

The transaction is rejected upon request.

CANCELLATION_BY_RECIPIENT_FI

The transaction is rejected by recipient's financial institution.

COMPLIANCE_DECLINED

The transaction is rejected as it doesn't meet our compliance requirements.

FRAUD

The transaction is rejected due to a fraud.

SENDER_INADEQUATE_DATA

The transaction is rejected as the sender name details are missing or invalid.

RECIPIENT_INADEQUATE_DATA

The transaction is rejected as the beneficiary name details are missing or invalid.

SENDER_INVALID_ADDRESS

The transaction is rejected as the sender address details are invalid.

SENDER_INCOMPLETE_ADDRESS

The transaction is rejected as the sender address details are missing.

RECIPIENT_INVALID_ADDRESS

The transaction is rejected as the beneficiary address details are invalid.

RECIPIENT_INCOMPLETE_ADDRESS

The transaction is rejected as the beneficiary address details are missing.

RECIPIENT_ACCOUNT_CLOSED

The transaction is declined due to blocked or closed account.

RECIPIENT_INVALID_ACCOUNT_NUMBER

The transaction is declined due to missing or invalid account number.

RECIPIENT_INVALID_BANK_CODE

The transaction is declined due to invalid BSB number.

RECIPIENT_INVALID_ACCOUNT

The transaction is declined as the currency cannot be applied to the specified account.

DUPLICATE_TRANSACTION

The transaction is declined as duplicate.

DATA_ENQUIRY_TIME_ELAPSED

The transaction is rejected due to no response received within the specified time.

TECHNICAL_ISSUE

The transaction is declined due to technical issue.

Please note: status CANCELLED is a final status for any withdrawal. Please do not retry a withdrawal if it was rejected by our Compliance team or by a beneficiary financial institution.

Only those withdrawals rejected with codesTECHNICAL_ISSUE may be re-submitted as new transactions.

Change log

History of changes to this API schema

2025-07-26

Added

Three new fields to the Withdrawal type:

clearedAt - the timestamp when the withdrawal become CONFIRMED.
rejectedAt - the timestamp when the it was rejected by Flash Payments. See the rejectCode and statusMessage fields to understand the rejection reason.
refundedAt - the timestamp when it was refunded. Very rare situation.

2025-07-25

Added

The new optional field called reason was added to the createWithdrawal mutation and Withdrawal type.

If you have a payment/transaction/payout purpose - you must submit it to us via the API. See all the possible purpose codes (aka reason values) in the GraphQL playground (click the link in the header of this website), look inside the "docs" by the word "reason". You need to find the GraphQL enum called WithdrawalReason.

2025-07-24

Added

An optional affiliation field has been added to the login mutation. This field accepts the Affiliation enum values FP_AUS or FP_LUX, allowing users to specify which Flash Payments subsidiary account to access when multiple contractual agreements exist. It is only required if your have more than one such agreement with us.

2025-05-02

Removed (BREAKING)

Removed depositDetails query as deprecated and non-functioning since March 2024.

2025-01-24

Changed

Improved validation rules for the following mutations: createSender, updateSender, createInstitution, createSubClient, createWithdrawal, and createPayment Affected fields: idDoc.docNumber idDoc.issuer legalName businessNumber legalName externalId. These fields allow only the ASCII characters now.

Also, the first, last, and middle names are limited to 75 chars now.

Also, FQDN-like names will be rejected. Examples: "Aaron x.com", "Ben.eu", "Visit as at URL:example.com/about", etc.

2025-01-18

Added

New fields have been added to the createSender, updateSender, and createSubClient mutations. You can now provide idDoc.country, idDoc.issueDate, and idDoc.expiryDate. The idDoc.issuer field now only stores additional information about the issuer, while idDoc.country holds the country code of the country that issued the document. To avoid creating a breaking change, we currently allow you to provide idDoc.country and/or idDoc.issuer. In the future, we plan to make idDoc.country a required field.

2024-12-09

Added

New updateSubClient mutation. You can change a sub-client's externalId now, but nothing else.

2024-10-22

Added

New the Conversions feature.

New mutation createConversion. New queries conversion and conversions.
The FromCurrency enum used to have only one item AUD. Now there are 8: AUD CAD CHF EUR GBP NZD SGD USD.
New property for the Quote type: applicability. It indicates if the quote can be used for payments or conversions.

2024-10-11

Fixed

The bankInfo query was not returning information about BICs and IBANs. It works now.

2024-10-01

Changed (BREAKING)

Improved validation of recipient, sender, withdrawal, institution related mutations. From now on email, companyName, legalName, businessNumber, externalReference must include only the ASCII characters.

2024-05-18

Removed (BREAKING)

Removed AccountIdType.PH_CASH, Recipient.phCashoutNetwork with RecipientInput.phCashoutNetwork and the corresponding enum type PhCashoutNetwork from the GraphQL schema. These were not working for more than a year.

2024-05-17

Removed (BREAKING)

Removed AccountIdType.RIPPLE, Recipient.rippleAddress with Recipient.destTag from the GraphQL schema. These were deprecated 2.5 years ago.

2024-04-16

Removed (BREAKING)

Removed Sender.isRipple and CurrencyIso3.XRP from the GraphQL schema. These were deprecated 2.5 years ago.

2024-03-13

Added

New static codes and standard status messages introduced for rejected (aka cancelled) withdrawals. When withdrawals get cancelled you can clearly see why using the new rejectCode and statusMessage. Available in the Withdrawal type and sent to your application via the withdrawal_cancelled webhook.

2024-02-05

Changed

Improved updateRecipient to respond with appropriate error message when trying to change the recipient's accountIdType which is not allowed by design.

2023-11-01

Added

Added instructingInstitution to the CreateWithdrawalInput.

2023-10-25

Removed (BREAKING)

Fields acceptingInstructionInstitutionSenderId and acceptingMoneyInstitutionSenderId were removed from the CreateWithdrawalInput.

Added

Instead instructingInstitutionId was added. (A new API for creating "institutions" is coming soon, but at the moment they can be created via the Flash Connect.)

2023-08-22

Added

statement query.
- This query returns the same data as the Download CSV button on the Account Statement page of the Flash Connect. It explains every change of you primary balance.
- Currently it returns exactly 1 day of data. We plan to make date range selection more flexible in the future.

2023-08-04

Changes

Changed links from flash-fx.com to flash-payments.com domain. Old domain will continue working unit future notice.

2023-07-28

Changes

Our system always allowed accountNo to have letter. However, our API forced digits only. So, from now on, when you use createRecipient, your accountNo can have both letters and digits.

2023-05-25

Changes

Improved mobile phone validation. Now if mobile starts with "00" it's treated as if it starts with "+".
Quote size accepts positive numbers only.

Changes (BREAKING)

The recipient.mobile and sender.mobile can accept only valid international phone numbers.

2023-03-15

Added

Added the withdrawal_pending webhook. Invoked after the transaction is sent to the recipient bank for processing.
Added example for the withdrawal_pending webhook.

2023-03-03

Added

idempotencyKey to createPayment input.
idempotencyKey to createWithdrawal input.
New sub-client status - UNAPPROVED.

2023-02-23

Added

Fixed the withdrawal_reviewing webhook. It was never sent before even though declared on the Flash Connect website.
Added example for the withdrawal_reviewing webhook.

2023-02-08

Removed (BREAKING)

Removed the auto-creation of id for embedded senders and recipients. This means that if you (or FlashFX system) have created withdrawals and payments without explicitly providing sender or recipient ID then from now on the sender.id or recipient.id will be null. But, if you create payments or withdrawals via this API then you will always have payment.sender.id or withdrwal.recipient.id.

2022-09-06

Added

Missing expireAt property to the Quote object returned by the quote query.

2022-09-02

Added

New REVIEWING status to deposit and withdrawal status enum.
- REVIEWING : deposit/withdrawal is being internally checked by our compliance team before proceeding.
- Added corresponding webhook event types: deposit_reviewing and withdrawal_reviewing.

2022-08-25

Added

New webhook event type: deposit_initiated to notify that we received a deposit but not yet cleared it.
- Previously only the deposit_cleared was sent and customers had no idea we are holding (reviewing) the deposit.
- The deposit_cleared will be sent immediately as we approve (clear) the deposits. So, no changes here.

2022-07-01

Added

New item in deposit and related webhooks:
- recipient - deposit recipient information as specified by deposit sender for this transaction:
  - accountName
  - accountNo
  - bsb
New item in deposit.sender:
- bankName
New mutation to refund deposits:
- refundDeposit(id:ID! input:RefundDepositInput): RefundDepositReply

2022-04-22

Changes

Additional validation for dob field introduced for Senders, Recipients and Sub-clients to enforce the data is entered in YYYY-MM-DD format. The field will also allow for only the data after 1900-01-01 and individuals of 18 years of age or older.

2022-04-12

Changes

Added validation of address fields. From now on, any address submitted as a part of any transaction should only include ASCII characters.

2022-02-25

Changes

Added deposit.sender.accountName so that you can query who deposited money to your Virtual Account Number (VAN).

2022-02-14

Changes

Additional validation for lastName, middleName and firstName introduced allowing only for latin alphabetical characters and special symbols:

2022-02-09

Changes

FundingAccount type has been extended to include all deposit details you need to bring money to Australia. Your account address can now be retrieved using accountAddress property along with name and address fields which identify the accepting financial institution associated with your account.

2022-01-12

Changes

lastName and firstName fields of Sender and Recipient objects can now be one symbol long to allow for initials. Please note that such single symbols have to be alphabetic.

2021-11-02

Changes

Occasionally Payment objects do not have sender or recipient properties. Thus these properties are now marked at "not required" (exclamation mark was removed) when querying payments.
We have added rate limiting. You can receive HTTP 429 error code and get temporary blocked if abusing the API too much.

2021-08-13

Changed (BREAKING)

Removed XRP currency form the list of supported currencies.

2021-07-22

Changed (BREAKING)

While creating sub-clients the address of the person/company was not required. It was a bug which was fixed. To create a sub-client you would also need their: street address, suburb/city, state/region, postcode, and country.

2021-07-14

Changes

Allow accountNo to be 4 digits long. Some old Japanese bank accounts could be just 4 digits.

2021-07-08

Added

The ability to query deposits, withdrawals, payments by the associated sub-client (subClientId).
The payments can also have sub-clients now. Added the Payment.subClient field.

2021-06-29

Added

The totalFee property to both Deposit and Withdrawal types as well as webhook payloads.

2021-06-22

Added

The bankInfo reference query. You can now validate your BSB for existence, check if we support your BIC, and retrieve BIC (aka SWIFT code) by IBAN.

2021-06-17

Added

The fundingAccounts and SubClient.fundingAccounts queries. It returns international bank account numbers you can deposit in order to bring money to Australia. See Auto receive funds for more details.

2021-05-25

Changed

The senderId was always required when creating withdrawals via createWithdrawal. But now, if you provided the subClientId and didn't provide the senderId the sub-client becomes the sender, and will be reported to the government as the sender. However, you still must provide the senderId if your sub-client moves funds for other people/companies.

2021-05-17

Changed (BREAKING)

Replaced docIssuer, docType and docNumber fields from CreateSubClientInput with idDoc nested field instead.

2021-04-26

Changed

RecipientAccountIdType was fully duplicating the AccountIdType. Replace the former with the latter. This might break your auto-generated code in strongly typed languages. But won't change any API queries or responses. So, this change is not considered to be a breaking.

2021-04-16

Added

Added ability to disable and activate sub-clients
- mutation disableSubClient(id: ID!): MutateSubClientReply
- mutation activateSubClient(id: ID!): MutateSubClientReply

2021-04-12

Added

Added deposit queries
- query deposits(input: DepositQueryInput): [Deposit]
- query deposit(id: ID!): Deposit
Introduced sub-client feature – transactional virtual account numbers for AUD processing in Australia.
- query subClients(input: SubClientQueryInput): [SubClient]
- query subClient(id: ID!): SubClient
- mutation createSubClient(input: CreateSubClientInput!): MutateSubClientReply
Deposit and withdrawal webhooks now include subClient object with sub-client information when present

2021-01-07

Removed (BREAKING)

These types and fields were never used by anyone for couple of years.

Removed enum DepositMechanism.
PaymentInput and ConfirmPaymentInput fields:
- removed depositMechanism
- removed depositReference
- removed depositAmount

2020-12-16

Added

New item in BsbDepositDetails
- accountName - Australian account name.
New item in Withdrawal
- statusMessage - a human readable message of the current status reason, like processing error messages.
New item in Payment and PaymentInput
- sourceOfFunds - mandatory field for some destinations.
New enum SourceOfFunds.

2020-10-14

Added

New items in both query type and mutation input Senders.
- legalName
- tradingAsName
- businessNumber - differs by country, e.g. ABN in Australia.
- acn - Australian Company Number. Should not be used for other countries.

2020-06-18

Changed (BREAKING)

Fixed typo in RecipientQueryInput field name. snaps -> cnaps

2020-05-04

Added

New compliance-related fields to the CreateWithdrawalInput input:
- acceptingMoneyInstitutionSenderId - you must pre-create this Sender and submit every time if you are not the FI who collected the money for this withdrawal.
- acceptingInstructionInstitutionSenderId - you must pre-create this Sender and submit every time if you were instructed by other FI to make this withdrawal.

2020-03-05

Changed (BREAKING)

Fixed typo in the WithdrawalStatus enum item. INITIALISING -> INITIALISED

2020-02-12

Added

callbackUri to Payment, Withdrawal, CreateWithdrawalInput. Now you can query the callback/webhook URI you have supplied earlier. Also, this allows you to receive webhooks when you create a withdrawal (aka local payout).

2020-02-11

Added

New items in RecipientQueryInput. This means that recipients can be searched by:
- firstName
- lastName
- middleName
- dob - date of birth
- companyName
- phCashoutNetwork
- payid
- bic
- iban
- aba
- bsb
- clabe
- cnaps
- sortCode
- ifsc
- accountNo
- rippleAddress
- externalId - ID in your system

2020-01-28

Added

Introduced Withdrawals - send money from your account (FlashFX digital wallet) to local banks.
- query withdrawal(id: ID): Withdrawal
- query withdrawals(input: WithdrawalQueryInput): [Withdrawal]
- mutation createWithdrawal(input: CreateWithdrawalInput!): CreateWithdrawalReply
PHP currency support.
middleName property in recipients and senders.
PAYID recipient type for Australian local payments or withdrawals.
- Recipient.payid new property.
PH_CASH recipient type for Philippines cash network payments.
- Recipient.phCashoutNetwork new property.
You can now query your recipients by accountIdType property. For example: recipients(input: {`` accountIdType: PH_CASH ``})

Removed (BREAKING)

Removed the unused enum PaymentType. It has no sense and was deprecated a year ago.
- Simultaneously removed properties Payment.paymentType, PaymentQueryInput.paymentTypes, PaymentInput.paymentType.
Removed the long deprecated PaymentInput.recipient object. The only way to provide a recipient for a payment is via PaymentInput.recipientId. You would need to pre-create the recipient beforehand.
Removed the never used AccountIdType enum values: BPAY, FIN_BTN, INTERAC.

Change log

History of changes to this API schema

2025-07-26

Added

Three new fields to the Withdrawal type:

clearedAt - the timestamp when the withdrawal become CONFIRMED.
rejectedAt - the timestamp when the it was rejected by Flash Payments. See the rejectCode and statusMessage fields to understand the rejection reason.
refundedAt - the timestamp when it was refunded. Very rare situation.

2025-07-25

Added

The new optional field called reason was added to the createWithdrawal mutation and Withdrawal type.

2025-07-24

Added

2025-05-02

Removed (BREAKING)

Removed depositDetails query as deprecated and non-functioning since March 2024.

2025-01-24

Changed

Also, the first, last, and middle names are limited to 75 chars now.

Also, FQDN-like names will be rejected. Examples: "Aaron x.com", "Ben.eu", "Visit as at URL:example.com/about", etc.

2025-01-18

Added

2024-12-09

Added

New updateSubClient mutation. You can change a sub-client's externalId now, but nothing else.

2024-10-22

Added

New the Conversions feature.

New mutation createConversion. New queries conversion and conversions.
The FromCurrency enum used to have only one item AUD. Now there are 8: AUD CAD CHF EUR GBP NZD SGD USD.
New property for the Quote type: applicability. It indicates if the quote can be used for payments or conversions.

2024-10-11

Fixed

The bankInfo query was not returning information about BICs and IBANs. It works now.

2024-10-01

Changed (BREAKING)

2024-05-18

Removed (BREAKING)

2024-05-17

Removed (BREAKING)

Removed AccountIdType.RIPPLE, Recipient.rippleAddress with Recipient.destTag from the GraphQL schema. These were deprecated 2.5 years ago.

2024-04-16

Removed (BREAKING)

Removed Sender.isRipple and CurrencyIso3.XRP from the GraphQL schema. These were deprecated 2.5 years ago.

2024-03-13

Added

2024-02-05

Changed

Improved updateRecipient to respond with appropriate error message when trying to change the recipient's accountIdType which is not allowed by design.

2023-11-01

Added

Added instructingInstitution to the CreateWithdrawalInput.

2023-10-25

Removed (BREAKING)

Fields acceptingInstructionInstitutionSenderId and acceptingMoneyInstitutionSenderId were removed from the CreateWithdrawalInput.

Added

Instead instructingInstitutionId was added. (A new API for creating "institutions" is coming soon, but at the moment they can be created via the Flash Connect.)

2023-08-22

Added

statement query.
- This query returns the same data as the Download CSV button on the Account Statement page of the Flash Connect. It explains every change of you primary balance.
- Currently it returns exactly 1 day of data. We plan to make date range selection more flexible in the future.

2023-08-04

Changes

Changed links from flash-fx.com to flash-payments.com domain. Old domain will continue working unit future notice.

2023-07-28

Changes

Our system always allowed accountNo to have letter. However, our API forced digits only. So, from now on, when you use createRecipient, your accountNo can have both letters and digits.

2023-05-25

Changes

Improved mobile phone validation. Now if mobile starts with "00" it's treated as if it starts with "+".
Quote size accepts positive numbers only.

Changes (BREAKING)

The recipient.mobile and sender.mobile can accept only valid international phone numbers.

2023-03-15

Added

Added the withdrawal_pending webhook. Invoked after the transaction is sent to the recipient bank for processing.
Added example for the withdrawal_pending webhook.

2023-03-03

Added

idempotencyKey to createPayment input.
idempotencyKey to createWithdrawal input.
New sub-client status - UNAPPROVED.

2023-02-23

Added

Fixed the withdrawal_reviewing webhook. It was never sent before even though declared on the Flash Connect website.
Added example for the withdrawal_reviewing webhook.

2023-02-08

Removed (BREAKING)

Removed the auto-creation of id for embedded senders and recipients. This means that if you (or FlashFX system) have created withdrawals and payments without explicitly providing sender or recipient ID then from now on the sender.id or recipient.id will be null. But, if you create payments or withdrawals via this API then you will always have payment.sender.id or withdrwal.recipient.id.

2022-09-06

Added

Missing expireAt property to the Quote object returned by the quote query.

2022-09-02

Added

New REVIEWING status to deposit and withdrawal status enum.
- REVIEWING : deposit/withdrawal is being internally checked by our compliance team before proceeding.
- Added corresponding webhook event types: deposit_reviewing and withdrawal_reviewing.

2022-08-25

Added

New webhook event type: deposit_initiated to notify that we received a deposit but not yet cleared it.
- Previously only the deposit_cleared was sent and customers had no idea we are holding (reviewing) the deposit.
- The deposit_cleared will be sent immediately as we approve (clear) the deposits. So, no changes here.

2022-07-01

Added

New item in deposit and related webhooks:
- recipient - deposit recipient information as specified by deposit sender for this transaction:
  - accountName
  - accountNo
  - bsb
New item in deposit.sender:
- bankName
New mutation to refund deposits:
- refundDeposit(id:ID! input:RefundDepositInput): RefundDepositReply

2022-04-22

Changes

Additional validation for dob field introduced for Senders, Recipients and Sub-clients to enforce the data is entered in YYYY-MM-DD format. The field will also allow for only the data after 1900-01-01 and individuals of 18 years of age or older.

2022-04-12

Changes

Added validation of address fields. From now on, any address submitted as a part of any transaction should only include ASCII characters.

2022-02-25

Changes

Added deposit.sender.accountName so that you can query who deposited money to your Virtual Account Number (VAN).

2022-02-14

Changes

Additional validation for lastName, middleName and firstName introduced allowing only for latin alphabetical characters and special symbols:

2022-02-09

Changes

FundingAccount type has been extended to include all deposit details you need to bring money to Australia. Your account address can now be retrieved using accountAddress property along with name and address fields which identify the accepting financial institution associated with your account.

2022-01-12

Changes

lastName and firstName fields of Sender and Recipient objects can now be one symbol long to allow for initials. Please note that such single symbols have to be alphabetic.

2021-11-02

Changes

Occasionally Payment objects do not have sender or recipient properties. Thus these properties are now marked at "not required" (exclamation mark was removed) when querying payments.
We have added rate limiting. You can receive HTTP 429 error code and get temporary blocked if abusing the API too much.

2021-08-13

Changed (BREAKING)

Removed XRP currency form the list of supported currencies.

2021-07-22

Changed (BREAKING)

While creating sub-clients the address of the person/company was not required. It was a bug which was fixed. To create a sub-client you would also need their: street address, suburb/city, state/region, postcode, and country.

2021-07-14

Changes

Allow accountNo to be 4 digits long. Some old Japanese bank accounts could be just 4 digits.

2021-07-08

Added

The ability to query deposits, withdrawals, payments by the associated sub-client (subClientId).
The payments can also have sub-clients now. Added the Payment.subClient field.

2021-06-29

Added

The totalFee property to both Deposit and Withdrawal types as well as webhook payloads.

2021-06-22

Added

The bankInfo reference query. You can now validate your BSB for existence, check if we support your BIC, and retrieve BIC (aka SWIFT code) by IBAN.

2021-06-17

Added

The fundingAccounts and SubClient.fundingAccounts queries. It returns international bank account numbers you can deposit in order to bring money to Australia. See Auto receive funds for more details.

2021-05-25

Changed

The senderId was always required when creating withdrawals via createWithdrawal. But now, if you provided the subClientId and didn't provide the senderId the sub-client becomes the sender, and will be reported to the government as the sender. However, you still must provide the senderId if your sub-client moves funds for other people/companies.

2021-05-17

Changed (BREAKING)

Replaced docIssuer, docType and docNumber fields from CreateSubClientInput with idDoc nested field instead.

2021-04-26

Changed

RecipientAccountIdType was fully duplicating the AccountIdType. Replace the former with the latter. This might break your auto-generated code in strongly typed languages. But won't change any API queries or responses. So, this change is not considered to be a breaking.

2021-04-16

Added

Added ability to disable and activate sub-clients
- mutation disableSubClient(id: ID!): MutateSubClientReply
- mutation activateSubClient(id: ID!): MutateSubClientReply

2021-04-12

Added

Added deposit queries
- query deposits(input: DepositQueryInput): [Deposit]
- query deposit(id: ID!): Deposit
Introduced sub-client feature – transactional virtual account numbers for AUD processing in Australia.
- query subClients(input: SubClientQueryInput): [SubClient]
- query subClient(id: ID!): SubClient
- mutation createSubClient(input: CreateSubClientInput!): MutateSubClientReply
Deposit and withdrawal webhooks now include subClient object with sub-client information when present

2021-01-07

Removed (BREAKING)

These types and fields were never used by anyone for couple of years.

Removed enum DepositMechanism.
PaymentInput and ConfirmPaymentInput fields:
- removed depositMechanism
- removed depositReference
- removed depositAmount

2020-12-16

Added

New item in BsbDepositDetails
- accountName - Australian account name.
New item in Withdrawal
- statusMessage - a human readable message of the current status reason, like processing error messages.
New item in Payment and PaymentInput
- sourceOfFunds - mandatory field for some destinations.
New enum SourceOfFunds.

2020-10-14

Added

New items in both query type and mutation input Senders.
- legalName
- tradingAsName
- businessNumber - differs by country, e.g. ABN in Australia.
- acn - Australian Company Number. Should not be used for other countries.

2020-06-18

Changed (BREAKING)

Fixed typo in RecipientQueryInput field name. snaps -> cnaps

2020-05-04

Added

New compliance-related fields to the CreateWithdrawalInput input:
- acceptingMoneyInstitutionSenderId - you must pre-create this Sender and submit every time if you are not the FI who collected the money for this withdrawal.
- acceptingInstructionInstitutionSenderId - you must pre-create this Sender and submit every time if you were instructed by other FI to make this withdrawal.

2020-03-05

Changed (BREAKING)

Fixed typo in the WithdrawalStatus enum item. INITIALISING -> INITIALISED

2020-02-12

Added

callbackUri to Payment, Withdrawal, CreateWithdrawalInput. Now you can query the callback/webhook URI you have supplied earlier. Also, this allows you to receive webhooks when you create a withdrawal (aka local payout).

2020-02-11

Added

New items in RecipientQueryInput. This means that recipients can be searched by:
- firstName
- lastName
- middleName
- dob - date of birth
- companyName
- phCashoutNetwork
- payid
- bic
- iban
- aba
- bsb
- clabe
- cnaps
- sortCode
- ifsc
- accountNo
- rippleAddress
- externalId - ID in your system

2020-01-28

Added

Introduced Withdrawals - send money from your account (FlashFX digital wallet) to local banks.
- query withdrawal(id: ID): Withdrawal
- query withdrawals(input: WithdrawalQueryInput): [Withdrawal]
- mutation createWithdrawal(input: CreateWithdrawalInput!): CreateWithdrawalReply
PHP currency support.
middleName property in recipients and senders.
PAYID recipient type for Australian local payments or withdrawals.
- Recipient.payid new property.
PH_CASH recipient type for Philippines cash network payments.
- Recipient.phCashoutNetwork new property.
You can now query your recipients by accountIdType property. For example: recipients(input: {`` accountIdType: PH_CASH ``})

Removed (BREAKING)

Removed the unused enum PaymentType. It has no sense and was deprecated a year ago.
- Simultaneously removed properties Payment.paymentType, PaymentQueryInput.paymentTypes, PaymentInput.paymentType.
Removed the long deprecated PaymentInput.recipient object. The only way to provide a recipient for a payment is via PaymentInput.recipientId. You would need to pre-create the recipient beforehand.
Removed the never used AccountIdType enum values: BPAY, FIN_BTN, INTERAC.

Flash Payments Developer API

Overview

General information

Complete API docs

High level feature overview

Instant local Australian deposit (aka pay-in)

Local Australian withdrawal (aka pay-out)

Send or receive money internationally

Security

How to start

Important notes

Breaking changes

Basics

Assumptions

GraphQL Playground

Tip

Data cleansing is your responsibility

The user-agent HTTP header

429 Too many requests

Sending data as JSON

Required fields

Authentication

Getting a token

Affiliation

Quote

Conversions

Convert funds

Query conversions

Retrieving all your conversions

Retrieving some of your conversions

Retrieving a single conversion by ID

Conversion statuses

Balance

Top up your UAT account balance

Statement

Recipients

Query a single recipient

Query multiple recipients

Create a recipient

Create an Individual recipient

Create a Company recipient

Update recipient

Delete recipient

Delivery methods

List all the available payment delivery methods

List some of the delivery methods

Senders

Query single sender

Query multiple senders

Create a sender

Create an Individual sender

Create a Company sender

Update sender

Delete sender

Payments

Payment statuses

Query payments

Retrieving all your payments

Retrieving some of your payments

Retrieving a single payment

Send funds

Recipient - recipientId

Sender - senderId or subClientId , or neither

Callback (aka ) URI

Auto receive funds

Institutions

Instructing Institution

Creating institutions

Creating institution example

Withdrawals

Withdraw funds

Payment reference - externalReference

Recipient - recipientId

Sender - senderId or subClientId , or neither

Instructing Institutions

Using existing institutions instructingInstitutionId

Create institutions on the fly using the instructingInstitution field

Callback (aka Webhook) URI

Withdrawal statuses

Most common status transitions

Recipient - `recipientId`

Sender - `senderId` or `subClientId` , or neither

Payment reference - `externalReference`

Recipient - `recipientId`

Sender - `senderId` or `subClientId` , or neither

Using existing institutions `instructingInstitutionId`

Create institutions on the fly using the `instructingInstitution` field