API documentation

Fynvoice exposes registry, verification, financing-request, offers and partner-routing primitives. Sandbox responses are realistic mock records and do not trigger live financing, payment or partner systems.

Create a sandbox API key in the developer dashboard, then register an invoice.

curl https://sandbox-api.fynvoice.com/api/invoices \
  -H "Authorization: Bearer fyn_sandbox_..." \
  -H "Content-Type: application/json" \
  -d '{"sellerId":"cmp-lum","debtorId":"cmp-nor","invoiceNumber":"LO-2026-0418","amount":84200,"currency":"EUR"}'

Use a bearer API key in the Authorization header. Keys are scoped by action, shown once, and retained as SHA-256 digests. When Supabase is configured, workspace access uses authenticated HTTP-only cookie sessions and tenant-scoped RLS policies.

Generate sandbox keys, select allowed scopes, copy the secret once, and revoke stale credentials from the developer dashboard.

Register endpoints and test signed delivery-shaped payloads from the dashboard. Signing secrets and logs are placeholders in local demo mode.

Errors use a stable envelope with a machine-readable code, message and request identifier. Initial codes: invalid_request, authentication_required, insufficient_scope, resource_not_found, rate_limit_exceeded.

{
  "error": {
    "code": "invalid_request",
    "message": "invoiceNumber is required",
    "requestId": "req_sandbox_01HY..."
  },
  "mode": "sandbox_mock"
}

Sandbox placeholder: 120 requests per minute per key. Live limits will be tiered by partner contract. Use response headers and exponential backoff when rate limits are enforced.

POST /api/invoices registers structured invoice metadata. GET /api/invoices lists accessible records. GET /api/invoices/{id} retrieves one registry record.

POST /api/verification/run returns checklist workflow states. Sandbox checks remain mock and clearly labelled.

POST /api/financing-requests creates a request. GET /api/financing-requests lists routed requests.

POST /api/offers records an indicative offer. GET /api/offers lists offers accessible to the caller.

POST /api/partners/route applies demo mandate filters. It does not connect to a live partner network.

POST /api/registry/fingerprint generates a SHA-256 value from canonical invoice fields to support duplicate-risk workflows.

Use synthetic entities only. Register invoices, run verification, create requests, submit offers, and trigger webhook tests. Treat every response containing mode: sandbox_mock as non-production data.