Skip to main content
This section covers the essential requirements for integrating with the Tonder Withdrawals API, including authentication, security best practices, and data format specifications.

Base URLs

The Withdrawals API is available in two environments:
EnvironmentBase URL (v1)Purpose
Stagehttps://stage.tonder.io/api/v1Development and testing
Productionhttps://prod.tonder.io/api/v1Live transactions
Always use the correct base URL for your environment. Using production URLs in stage or vice-versa will result in authentication errors.

Authentication

Authentication Required for All RequestsEvery single request to the Withdrawals API requires authentication using a token in the Authorization header. This applies to:
  • All API requests (cURL, HTTP clients, SDKs)
  • All Postman requests
  • All testing requests
  • All production requests
Requests without proper authentication will return a 401 Unauthorized error.

Header Format

Include your API token in the Authorization header with the following format: 
Authorization: Token 304fbdd63113c009b6ac14c7d230b13909ae11221
Getting Your API TokenThis is a sample token. You need to use the one provided by Tonder in the Developers section of our platform. Log in to your Tonder dashboard and navigate to the Developers section to retrieve your API key.

Example Request (cURL)

curl -X POST https://stage.tonder.io/api/v1/withdrawals/ \
  -H "Authorization: Token YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": 12345,
    "amount": 1000.00,
    "currency": "MXN",
    "transfer_method": "SPEI",
    ...
  }'

Using Postman

When making requests in Postman:
  1. Set the Authorization Header:
    • Go to the Headers tab
    • Add a new header:
      • Key: Authorization
      • Value: Token YOUR_API_KEY (replace YOUR_API_KEY with your actual token)
  2. Alternative: Use Postman Authorization Tab:
    • Go to the Authorization tab
    • Select Type: No Auth (then manually add header) OR use a custom type
    • Add header: Authorization: Token YOUR_API_KEY
  3. Example Postman Setup: 
    Method: POST
URL: https://stage.tonder.io/api/v1/withdrawals/
Headers:
  Authorization: Token 304fbdd63113c009b6ac14c7d230b13909ae11221
  Content-Type: application/json
Body: (raw JSON with your request data)
Token FormatThe token must be prefixed with the word “Token” followed by a space, then your actual API key. The format is: Token <your_api_key>
Security Best Practices
  • Always use HTTPS for communications
  • Never expose your secret API key in client-side code
  • Store API keys securely on your server
  • Set up alerts for unusual withdrawal patterns

Data Format Requirements

Timestamps

All timestamps must be in ISO 8601 format. Examples:
  • 2024-07-26T10:30:00Z
  • 2024-07-26T10:30:00+00:00

Currency Amounts

Currency amounts must be provided as decimal numbers. Examples:
  • 1000.00 (correct)
  • 1000 (correct)
  • "1000.00" (incorrect - should not be a string)

JSON Content Type

All requests with a body must include the Content-Type: application/json header.

Next Steps