OpenSylo Marketplace API
    OpenSylo Marketplace API
    • Introduction
    • Getting Started
    • OAuth 2.0 Flow
    • Webhook Integration
    • Sandbox Testing
    • Error Reference
    • Marketplace Dashboard
      • Login to the marketplace dashboard
        POST
      • View OAuth credentials
        GET
      • Regenerate client secret
        POST
    • OAuth 2.0
      • Start OAuth authorization
        GET
      • Exchange code or refresh token
        POST
      • Revoke a token
        POST
      • OAuth discovery / client metadata
        GET
    • Data Ingestion
      • Submit single merchant data
        POST
      • Submit bulk merchant data
        POST
      • Get merchant credit score
        GET
      • Integration health check
        GET
    • Loan API
      • Get active loans for a merchant
        GET
      • Get loan status
        GET
      • Validate deduction amounts
        POST
      • Bulk loan status check
        POST
    • Inbound Webhooks
      • Send repayment webhook
        POST
      • Send settlement webhook
        POST
    • Sandbox
      • Sandbox environment info
        GET
      • Get sandbox test credentials
        GET
      • Get sandbox test merchants
        GET
    • Schemas
      • DashboardLoginRequest
      • DashboardLoginResponse
      • CredentialsResponse
      • RegenerateSecretResponse
      • TokenRequest
      • TokenResponse
      • RevokeRequest
      • ClientMetadataResponse
      • MerchantIdentity
      • SalesPerformance
      • RevenueConsistency
      • FulfillmentMetrics
      • PayoutCashFlow
      • PlatformDependency
      • HistoricalCredit
      • BehavioralRisk
      • MerchantDataRequest
      • ScoreBreakdown
      • CreditScore
      • MerchantDataResponse
      • BulkMerchantDataRequest
      • BulkMerchantDataResponse
      • CreditScoreResponse
      • HealthResponse
      • ActiveLoansResponse
      • LoanStatusResponse
      • ValidateDeductionsRequest
      • ValidateDeductionsResponse
      • BulkLoanStatusRequest
      • BulkLoanStatusResponse
      • RepaymentWebhookRequest
      • SettlementWebhookRequest
      • WebhookAckResponse
      • SandboxInfoResponse
      • SandboxCredentialsResponse
      • SandboxMerchantsResponse
      • OAuthError
      • ApiError

    Getting Started

    Prerequisites#

    Before you begin integration, ensure you have the following:
    RequirementDescription
    Admin invitationAn OpenSylo admin must invite your marketplace. You'll receive an email with a registration link.
    Registration completeComplete the multi-step onboarding (business info, phone verification, signatory details, documents).
    OAuth credentialsAfter registration, your client_id and client_secret are available in the dashboard. The secret is shown only once at creation — store it securely.
    Redirect URI(s)One or more callback URLs registered with OpenSylo where authorization codes will be sent.
    Webhook endpoint (optional)An HTTPS endpoint on your server to receive loan lifecycle events from OpenSylo.
    Webhook secret (optional)An API secret configured on your marketplace for signing inbound webhooks you send to OpenSylo.

    Step 1 — Accept the Invitation#

    You will receive an email from OpenSylo with a registration link:
    https://opensylo.com/marketplace/register?token=inv_<token>
    The invitation token is valid for 7 days and can only be used once. Complete the registration form to create your marketplace account and activate your credentials.

    Step 2 — Login to the Dashboard#

    Use the dashboard login endpoint to obtain a JWT:
    Response:
    {
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "tokenType": "Bearer",
  "expiresIn": 86400,
  "marketplace": {
    "id": "uuid",
    "platformName": "yourmarketplace",
    "displayName": "Your Marketplace",
    "status": "ACTIVE"
  },
  "user": {
    "id": "uuid",
    "email": "tech@yourmarketplace.com",
    "firstName": "Jane",
    "lastName": "Doe",
    "role": "OWNER"
  }
}
    The accessToken is a JWT valid for 24 hours. Use it in the Authorization: Bearer header for all dashboard endpoints.

    Step 3 — View Your OAuth Credentials#

    Response:
    {
  "clientId": "yourmarketplace_client_a1b2c3d4",
  "clientSecretMasked": "cs_secret_***...c3d4",
  "redirectUris": ["https://yourmarketplace.com/oauth/callback"],
  "allowedScopes": [
    "data.share.sales",
    "data.share.fulfillment",
    "data.share.payouts",
    "data.share.risk",
    "data.share.profile",
    "credit.score.read",
    "repayment.report"
  ],
  "authorizationUrl": "https://api.opensylo.com/oauth/authorize",
  "tokenUrl": "https://api.opensylo.com/oauth/token",
  "dataIngestionUrl": "https://api.opensylo.com/api/marketplace/data/merchant"
}
    The client secret is masked in this response. It was only shown in full when initially created (during the admin invitation) or after regeneration.

    Step 4 — Regenerate Secret (If Needed)#

    If you lose your client secret, regenerate it:
    Response:
    {
  "success": true,
  "message": "Client secret regenerated successfully. Store it securely - it will not be shown again.",
  "clientSecret": "cs_secret_<new_secret_hex>",
  "regeneratedAt": "2026-01-29T12:00:00.000Z"
}
    The new secret is shown only once in this response. The old secret is immediately invalidated. Existing OAuth access/refresh tokens remain valid.

    Authentication Summary#

    MethodUsed ForHow to ObtainLifetime
    Dashboard JWTDashboard endpoints (/marketplace-dashboard/*)POST /marketplace-dashboard/login24 hours
    OAuth Access TokenData and Loan API endpointsOAuth Authorization Code + PKCE flow1 hour
    OAuth Refresh TokenRefreshing expired access tokensReturned with initial token exchange30 days
    Webhook SignatureInbound webhooks (/api/v1/webhooks/marketplace/*)HMAC-SHA256 using your API secretPer-request

    Available Scopes#

    When requesting OAuth authorization, include the scopes your integration needs:
    ScopeDescription
    data.share.salesShare sales and GMV data with OpenSylo
    data.share.fulfillmentShare order fulfillment and delivery metrics
    data.share.payoutsShare payout and cash flow information
    data.share.riskShare account status and risk information
    data.share.profileShare merchant business profile information
    credit.score.readAccess credit scores calculated by OpenSylo
    repayment.reportReport loan repayments collected from merchant sales

    Next Steps#

    1.
    Implement the OAuth 2.0 flow to obtain merchant consent and tokens
    2.
    Submit merchant data via the Data Ingestion API
    3.
    Set up webhook handlers for loan lifecycle events
    4.
    Use the Loan API to query active loans and validate deductions
    5.
    Test everything in the sandbox environment before going live
    Modified at 2026-01-29 23:21:00
    Previous
    Introduction
    Next
    OAuth 2.0 Flow
    Built with