Overview

RohoPay is a single REST API (api.rohopay.com) that sits between your application and two payment providers — Relworx (mobile money + card) and Iotec (mobile money). You interact only with the RohoPay API; provider selection, failover, and commission tracking are handled automatically. 
Your Application

      │  POST /api/v1/collect   (Bearer {api_key})
      │  POST /api/v1/checkout  (api_key in body)

 api.rohopay.com

      ├── Mobile Money → Iotec / Relworx
      └── Card (Visa/MC) → Relworx


        User's phone / bank


      Webhook → your callback_url

Request Flows

Mobile Money Collection

  1. You call POST /api/v1/collect with phone + amount
  2. RohoPay creates a transaction record and calls the provider
  3. Provider sends a USSD prompt to the user’s phone
  4. User approves or rejects
  5. Provider sends a webhook to RohoPay
  6. RohoPay updates the transaction and fires deposit.successful (or similar) to your callback_url

Card Payment (3D Secure)

  1. You call POST /api/v1/checkout with card details + return_url
  2. RohoPay creates a card order and returns a payment_url
  3. You redirect the user to payment_url (bank’s 3DS page)
  4. User authenticates with their bank
  5. User is redirected back to your return_url
  6. Provider sends a webhook confirming the final status
  7. RohoPay fires deposit.successful to your callback_url

Provider Routing

Each project has a preferred_provider setting. If the preferred provider is unavailable, RohoPay automatically routes to the other provider. The failover_reason field on the transaction records why.
ProviderMobile MoneyCard
Relworx
Iotec

Platform URLs

ServiceURLPurpose
APIapi.rohopay.comREST API — what you call
Dashboardpayments.rohopay.comManage projects, wallet, keys
Digital checkoutproducts.rohopay.comBuyer-facing payment pages
WordPressplugins.rohopay.comWooCommerce plugin management
Websiterohopay.comMarketing / public site

Authentication Model

CallerAuth typeScope
Your server / appAuthorization: Bearer {api_key}Per-project API access
Card checkout (browser)api_key in request bodySingle checkout initiation
RohoPay → your serverx-rohopay-signature HMAC headerWebhook delivery verification

Key Security Properties

  • API keys are hashed before storage — the raw key is shown once at creation
  • Key rotation is atomic — new key issued and old one revoked simultaneously
  • Webhooks are signed with HMAC-SHA256 — always verify before processing
  • Idempotency keys prevent duplicate charges on network retries