Merchant Onboarding
Get from sign-up to live verification keys. Sandbox access is instant; live access follows a quick business review. All endpoints below use your merchant JWT (Authorization: Bearer …).
1. Register
/v1/merchants/registerCreate a merchant account and owner user
curl -X POST 'https://api.mobid.io/v1/merchants/register' \
-H 'Content-Type: application/json' \
-d '{
"businessName": "Acme Payments Ltd",
"contactName": "Ada Obi",
"email": "ada@acme.com",
"password": "••••••••",
"entityType": "Limited Liability Company",
"registrationNumber": "RC1234567",
"dateRegistered": "2021-03-01",
"industry": "Fintech"
}'MID verifies the submitted RC number, registered name, and registration date with Mono before creating the account. A successful response returns a token (merchant JWT), sends a 6-digit phone OTP, and emails a one-time verification link.
2. Verify email and phone
/v1/merchants/email/verify-linkConfirm the token from the emailed link
/v1/merchants/email/resendSend a new email verification link
/v1/merchants/phone/verifyConfirm the 6-digit SMS code
/v1/merchants/phone/resendSend a new phone OTP
curl -X POST 'https://api.mobid.io/v1/merchants/phone/verify' \
-H 'Authorization: Bearer <merchant_jwt>' \
-H 'Content-Type: application/json' \
-d '{ "code": "123456" }'Dashboard status
3. Complete your business profile
/v1/merchants/businessSave profile and run Corporate Affairs verification
MID verifies your registration number, registered name, and date against the Corporate Affairs registry. Include your representative's identity and your use case — both are required for approval.
curl -X PATCH 'https://api.mobid.io/v1/merchants/business' \
-H 'Authorization: Bearer <merchant_jwt>' \
-H 'Content-Type: application/json' \
-d '{
"registeredName": "Acme Payments Ltd",
"registrationNumber": "RC1234567",
"dateRegistered": "2021-03-01",
"address": "12 Marina Road, Lagos",
"usecase": "Verify customers during account opening",
"description": "Acme provides digital payments to SMEs…",
"identityType": "nin",
"identityNumber": "12345678901"
}'4. Upload documents
/v1/merchants/documentsUpload verification documents
| type | Document |
|---|---|
| business_registration | Business registration certificate (required) |
| representative_id | Representative's government ID (required) |
| tax_document | Tax document (optional) |
| address_proof | Proof of address (optional) |
curl -X POST 'https://api.mobid.io/v1/merchants/documents' \
-H 'Authorization: Bearer <merchant_jwt>' \
-H 'Content-Type: application/json' \
-d '{
"type": "business_registration",
"fileName": "cac-certificate.pdf",
"mimeType": "application/pdf",
"size": 184320,
"contentBase64": "<base64>"
}'5. Create an application
/v1/merchants/applicationsGet instant sandbox API keys
Applications are the unit of API access. Each application has its own client ID, callback configuration, enabled request types, and sandbox/live credentials. Include OAUTH in requestTypes to enable QR + biometric claim sharing.
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | A recognizable name for the integration |
| callbackUrl | string | Yes | Default signed webhook destination |
| redirectUris | string[] | No | Allowed browser return URLs |
| requestTypes | string[] | No | LOGIN, TRANSACTION, SIGNATURE, and/or OAUTH; all four by default |
curl -X POST 'https://api.mobid.io/v1/merchants/applications' \
-H 'Authorization: Bearer <merchant_jwt>' \
-H 'Content-Type: application/json' \
-d '{
"name": "Acme Onboarding",
"callbackUrl": "https://acme.com/api/mid/webhook",
"redirectUris": ["https://acme.com/mid/callback"],
"requestTypes": ["LOGIN", "OAUTH"]
}'{
"error": false,
"message": "Application created",
"application": {
"id": "665f…",
"merchantId": "665e…",
"clientId": "acmeonboar_a1b2c3d4e5",
"name": "Acme Onboarding",
"callbackUrl": "https://acme.com/api/mid/webhook",
"redirectUris": ["https://acme.com/mid/callback"],
"requestTypes": ["LOGIN", "OAUTH"],
"environment": "sandbox",
"liveStatus": "sandbox",
"credentials": {
"sandbox": {
"apiKey": "mk_test_…",
"secret": "…",
"generatedAt": "2026-06-19T10:30:00.000Z"
},
"live": { "apiKey": null, "generatedAt": null }
},
"createdAt": "2026-06-19T10:30:00.000Z",
"updatedAt": "2026-06-19T10:30:00.000Z"
}
}Save the secret now
6. Rotate an API key
/v1/merchants/applications/:id/rotate-keyReplace an active sandbox or live API key
Owners, admins, and developers can rotate an application key. Rotation invalidates the old key immediately and keeps the existing secret, so update the API key used in both the request header and HMAC payload.
curl -X POST 'https://api.mobid.io/v1/merchants/applications/665f…/rotate-key' \
-H 'Authorization: Bearer <merchant_jwt>' \
-H 'Content-Type: application/json' \
-d '{ "environment": "sandbox" }'{
"error": false,
"message": "API key rotated successfully",
"credential": {
"environment": "sandbox",
"apiKey": "mk_test_…",
"generatedAt": "2026-06-19T11:15:00.000Z"
}
}| environment | Availability | Result |
|---|---|---|
| sandbox | Available immediately | Returns a new mk_test_… key |
| live | Only after live credentials are active | Returns a new mk_live_… key |
Rotation does not reveal or replace the secret
`${newApiKey}:${timestamp}:${JSON.stringify(body)}`; requests signed with the old API key fail with 401 Invalid API key.7. Request live access
/v1/merchants/go-liveSubmit for review
An admin can approve live access only once all of the following are complete:
| Requirement | From |
|---|---|
| Business description | Business profile |
| Use case | Business profile |
| Verified registration number | Corporate Affairs verification |
| Business address | Business profile |
| Business registration certificate | Documents |
| Representative identity type & number | Business profile |
| Representative identity document | Documents |
| Verified email | Email verification link |
| Verified phone | SMS OTP |
On approval
mk_live_…) are issued for each application and your documents are marked verified. Swap your sandbox keys for live keys and start verifying real customers.