Hexolus Payment Gateway API
The Hexolus Payment Gateway is a multi-tenant payment API that lets hosting clients accept Indonesian payments (Virtual Account, QRIS, E-Wallet) through Hexolus's underlying Xendit account. Hexolus handles upstream KYC, settlement reconciliation, and webhook fan-out; you ship one HTTP integration and receive disbursements minus the Xendit tariff and a flat 0.1% Hexolus markup.
This reference documents the public v1 HTTP surface served by hexolus-go.
It is the contract that every reseller integration is built against.
Base URLs
| Environment | Preferred base URL | Apex fallback | Notes |
|---|---|---|---|
| Staging | https://api-staging.hexolus.com |
https://staging.hexolus.com |
Backed by Xendit sandbox keys. |
| Production | https://api.hexolus.com |
https://hexolus.com |
Live Xendit. Requires an approved client + API key. |
Both hosts in each row serve the same /v1/* and /webhooks/xendit routes
identically — the dedicated api.* subdomain is the recommended target so
your integration is unaffected by future marketing-site changes. Apex hosts
are kept as a backward-compatible fallback.
All endpoints are prefixed with /v1. Requests are JSON in, JSON out;
timestamps are RFC 3339 in UTC; amounts are integers in IDR minor units
(IDR has no minor unit, so the value equals rupiah).
Quick start
Create a BCA Virtual Account for Rp 50.000 and read the account number from the response (staging shown — swap host for production):
curl -sS -X POST https://api-staging.hexolus.com/v1/payments \
-H "Authorization: Bearer hxk_xxxxxxxx_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: order-2026-05-30-0001" \
-d '{"method":"virtual_account","channel_code":"BCA","amount":50000,"currency":"IDR","external_reference":"order-0001"}' \
| jq -r '.payment_destination'
The payment_destination you receive is the VA number the customer transfers
into via mobile banking. When the customer pays, Hexolus delivers a
payment.succeeded webhook to your registered URL.
Reference
| Document | Covers |
|---|---|
| Authentication | hxk_* bearer tokens, rotation, reveal-once policy. |
| Payments | Create, list, fetch, and cancel payment intents (VA, QRIS, E-Wallet). |
| Balance and settlements | Reading your pending / available balance and listing settlements. |
| Webhooks | Event types, headers, HMAC-SHA256 signature verification, retries. |
| Errors | Error envelope, code taxonomy, HTTP status mapping. |
Conventions
- Identifiers are UUID strings.
- Amounts are
int64minor units ("amount": 50000= Rp 50.000). - Currency is always
IDRat MVP. The query/body field exists so that future multi-currency support is non-breaking. - Pagination is page-based with
page(1-indexed) andper_page(default25, max100). - Tenancy is enforced server-side: every list and fetch is scoped to the
authenticated client. Cross-tenant ID guessing returns
404, never403, so you cannot enumerate other clients' resources.