Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.privataswap.com/llms.txt

Use this file to discover all available pages before exploring further.

The Privata Partner Dashboard (dashboard.privataswap.com) is the control plane for your integration. Use it to issue API keys, configure webhooks, monitor live orders, track earnings, and manage your team - all without contacting Privata support for routine operations.

Sign up and complete onboarding

Register, verify your email, and finish the KYB-lite onboarding to receive your first API keys.

Create API keys

Issue scoped live and test keys, configure IP allowlists, and rotate without downtime.

Configure webhooks

Register your HTTPS endpoint, rotate secrets, and inspect delivery logs.

Monitor orders

Search, filter, inspect event timelines, and trigger refund actions.

Set up alerts

Configure email and in-app notifications for operational events.

Manage payouts

Add verified payout addresses and request revenue withdrawals.

1. Sign up and complete onboarding

1

Create an account

Go to dashboard.privataswap.com/signup. Enter your business email and choose a password (minimum 12 characters).A 6-digit verification code is sent to your email. Enter it to confirm your address. The code is valid for 10 minutes.
2

Complete KYB-lite

Before your live API key is issued, you must complete a four-step onboarding form:
  1. Company - Legal name, registered country, business type, website.
  2. Volume - Expected monthly order count and primary integration method.
  3. Jurisdictions - Countries where your end-users are located, plus AML compliance acknowledgement.
  4. Technical contact - Name, email, and optional Telegram handle for ops notifications.
The dashboard cannot issue a live key until onboarding is complete. If your intended jurisdictions include FATF high-risk countries, the flow will redirect you to contact Privata directly.
3

Receive your test key

After completing onboarding, a pk_test_... key is displayed once. Copy it immediately - it will not be shown again. Your live key is issued from API Keys → Create key once your account is reviewed.Use the test key with sandbox scenarios to validate your integration before going live:
GET /partner/v1/estimate?from=BTC&to=XMR&amount=0.05
X-API-Key: pk_test_...
See the Sandbox guide for available test scenarios.
4

Enable two-factor authentication

Navigate to Settings → Security and enroll TOTP (Google Authenticator, Authy, 1Password) or a FIDO2/WebAuthn passkey. 2FA is strongly recommended; it is required before a live key can be issued to an account with payouts:trigger scope.

2. Create and manage API keys

Key types

PrefixEnvironmentCounts toward payouts
pk_test_...SandboxNo
pk_live_...ProductionYes
Read endpoints (/currencies, /pairs, /estimate, /limits) work without a key at 60 req/min per IP. With a key: 600 req/min. Write endpoints require a key. See Authentication for full scope and rate-limit details.

Creating a key

1

Open API Keys

Navigate to API Keys → Create key.
2

Configure the key

  • Name - Internal label (e.g., “Production mobile app”).
  • Environment - Live or Test.
  • Scopes - Select only the scopes your integration requires:
ScopeWhat it allows
orders:rwAll /order/* endpoints (default)
webhook:adminResume a paused webhook; configure webhook URLs
payouts:read/me and payout history
payouts:triggerOn-demand payout request (minimum $500)
  • IP allowlist - Optional. Enter CIDR blocks to restrict the key to specific server IPs (e.g., 203.0.113.0/24). Leave empty to allow all IPs.
  • Expiry - Optional. The key auto-revokes at midnight UTC on the selected date.
3

Copy the key

The full key value is displayed once. Copy it to your secrets manager before closing the modal. Click “I have copied this key” to confirm.
Never commit API keys to source control. Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler). The JS SDK enforces a runtime warning when a live key is detected in a browser bundle.

Rotating a key without downtime

Key rotation uses a 5-minute dual-sign grace window: both the old and new key are accepted by the API during this period.
1

Start rotation

On the key’s detail page, click Rotate. A new key is generated and displayed once - copy it immediately.
2

Deploy the new key

Update your environment variable or secrets manager with the new key value and deploy. You have 5 minutes before the old key is revoked.
3

Grace window expires

After 5 minutes, the old key is automatically revoked. A countdown timer in the dashboard shows the remaining window. If you need more time, click Cancel rotation (available until the window closes).
If you rotate your webhook secret at the same time as your API key, both dual-sign windows run concurrently. See Webhooks → Secret rotation below.

3. Configure webhooks

Privata sends signed HTTP POST requests to your registered endpoint on every order status change and on operational events. See the Webhooks guide for full signature verification, retry schedule, and event payload documentation.

Adding an endpoint

1

Open Webhooks

Navigate to Webhooks → Add endpoint.
2

Enter the URL

Provide your HTTPS endpoint URL. Requirements:
  • Must use HTTPS (HTTP only permitted for localhost with a pk_test_ key).
  • Must be publicly reachable (private IP ranges are blocked as an SSRF guard).
  • Must return a 2xx response within 5 seconds per delivery.
3

Select endpoint type

  • Order events - Receives order.* lifecycle events (status changes, refund_required, etc.).
  • Ops events - Receives webhook_paused, api_key_locked, sla_breach_threshold, and similar operational alerts.
You can point the Ops URL at a Slack incoming webhook - Privata detects hooks.slack.com and formats the payload as a Slack Block Kit message automatically.
4

Copy the webhook secret

A secret (whsec_...) is generated and displayed once. Store it in your secrets manager. Use it to verify the X-Privata-Signature header on every incoming request:
import { verifyWebhook } from "@privata/wallet-api/webhooks";

app.post("/webhooks/privata", express.raw({ type: "*/*" }), (req, res) => {
  const ok = verifyWebhook(
    req.body,
    req.header("x-privata-signature"),
    process.env.WHSEC!
  );
  if (!ok) return res.status(401).end();
  // Deduplicate on x-privata-event-id before processing.
  res.status(200).end();
});
Always use the raw body for verification. Parsing JSON before verification will fail.

Rotating the webhook secret

Navigate to Webhooks → [endpoint] → Secret → Rotate. A 5-minute dual-sign window activates: both old and new secrets are valid. Deploy your updated secret value within this window.

Inspecting delivery logs

Navigate to Webhooks → [endpoint] → Deliveries to view all delivery attempts with HTTP status codes, response bodies, and retry timestamps. From a delivery detail page you can:
  • Retry - Re-enqueue the delivery for immediate re-attempt (new delivery record, new signature).
  • Replay - Re-send the exact original payload with the current secret (use this to re-trigger processing of a specific event).
Replay re-delivers the original event_id. Ensure your endpoint handles duplicate event_id values idempotently to avoid double-processing.

Resuming a paused endpoint

After 50 delivery failures within 6 hours, your endpoint is auto-paused. You receive a webhook_paused ops event. To resume: Option 1 - Dashboard: Navigate to Webhooks and click Resume on the paused endpoint. Option 2 - API: Call POST /partner/v1/webhook/resume with an API key that has webhook:admin scope: 
POST https://api.privataswap.com/partner/v1/webhook/resume
X-API-Key: pk_live_... (webhook:admin scope required)
Events queued during the pause are not dropped - they replay on resume in order.

4. Monitor orders

Searching orders

Navigate to Orders to access the order table. Available filters:
FilterType
Order IDExact (prv-... prefix)
Partner order refExact (your internal ID)
StatusMulti-select
Trading pairToken picker
ProviderMulti-select
Date rangeDate picker
Amount (USD)Numeric range
Export up to 10,000 rows as CSV from the filter bar. Larger exports are processed asynchronously and delivered by email.

Order detail

Click any order to open its detail page.
Displays pair, provider, markup applied (bps), current status badge, and all amounts:
  • amount_from - What the user sent.
  • amount_to_expected - Rate at order creation.
  • amount_to_actual - Final delivered amount (available on completed orders). If actual differs from expected by more than 0.5%, a slippage delta is shown.

Triggering a refund action

When an order reaches refund_required status and the provider supports programmatic refunds (refund_capability: programmatic), a Refund action panel appears on the order detail page.
1

Check the window

A countdown timer shows the remaining refund_window_hours. After this window, the order auto-applies your refund_preference.default (set at order creation).
2

Choose an action

  • Refund to address - Returns funds to the refund_address provided at order creation.
  • Convert to stable - Converts funds to a stablecoin before returning. Select target: USDT-TRC20, USDT-ERC20, USDC-ERC20, or USDC-SOL.
3

Confirm

A confirmation dialog summarizes the action. Click Confirm to submit. The dashboard calls POST /partner/v1/order/{id}/refund-action on your behalf.
See Refund flow for full programmatic refund documentation.

5. Set up alerts and notifications

Email notifications

The technical contact email (set during onboarding) receives email alerts for operational events. Navigate to Settings → Organization to update this address.
EventRecipientsCan opt out
Webhook endpoint pausedTechnical contactNo
SLA breach detectedTechnical contact + OwnersNo
API key expiring in 7 daysKey creator + AdminsNo
API key expiring in 24 hoursKey creator + AdminsNo
Payout sentFinance + OwnerYes
New login from unrecognized deviceThe affected userNo

In-app notifications

The dashboard displays banners and toasts for the following conditions:
  • Webhook paused - Banner on the Webhooks page with a direct Resume button.
  • SLA breach - Persistent banner on all pages linking to the SLA details page.
  • API key expiry approaching - Banner on the API Keys page for keys expiring within 7 days.
  • Payout confirmed - Toast notification when a payout transaction is sent.

Monitoring your SLA

Navigate to SLA to view:
  • Live uptime percentage for the current calendar month, measured by your registered external prober against GET /partner/v1/health.
  • Compensation accrual - If uptime falls below your tier’s target, the accrued SLA credit for the month is displayed and applied automatically to your next payout.
  • Incident log - All historical incidents with duration and RCA links.
Your uptime tier depends on your contract phase:
PhaseTarget
Pilot (day 0 - 30)99.5% with tiered compensation
Post-pilot (day 31+)99.9% contractual
Enterprise tier99.9% from day 1
See the SLA guide for compensation tables and the probe contract.
Subscribe to status.privataswap.com via RSS, email, or Slack to receive incident notifications independently of the dashboard.

6. Manage payouts

Revenue earned through rev-share and markup is visible in the Revenue section. Payouts are processed to your registered and verified cryptocurrency address.

Adding a payout address

1

Open Revenue → Payout Addresses

Navigate to Revenue → Payout Addresses → Add address.
2

Enter address and currency

Select the target currency (USDT-TRC20, USDT-ERC20, USDC-ERC20, or USDC-SOL) and enter the address. The dashboard validates the address format and checksum before saving.
3

Verify ownership

A micro-payment of 0.01 USDT is sent to the address. Confirm receipt in the dashboard within 24 hours. Unverified addresses cannot receive payouts.
4

Set as default

Once verified, you can set the address as the default for that currency. All payout requests default to this address unless you select another.

Requesting a payout

Minimum payout: 500(configurablebyagreement).Maximumsinglerequest:500 (configurable by agreement). Maximum single request: 50,000.
1

Open Revenue → Request Payout

Navigate to Revenue → Request Payout. The current pending balance is displayed.
2

Enter amount and select address

Enter the amount or click Request full balance. Select a verified payout address.
3

Complete HMAC confirmation

To prevent unauthorized withdrawals, the dashboard requires you to prove control of your webhook secret:
  1. The dashboard displays a one-time challenge string.
  2. Compute HMAC-SHA256(your_webhook_secret, challenge_string) and paste the result.
  3. Click Confirm.
If you do not have access to the webhook secret, select Confirm via email instead - a 6-digit OTP is sent to your account email (valid 10 minutes).
This step is not a formality. It verifies that the payout requestor controls the integration credentials, not just the dashboard session. If this check fails, the request is rejected and logged.
4

Track payout status

The payout appears in Revenue → Payout History with status pending → processing → sent → confirmed. You receive an email notification when the transaction is sent, including the blockchain tx hash.

Team management

Navigate to Team to invite members and assign roles.
RoleTypical userKey permissions
OwnerCompany account ownerFull access, billing, delete org
AdminTechnical leadAll except billing and payout initiation
DeveloperBackend engineerAPI keys, webhooks, orders, SSE
FinanceFinance team memberRevenue view, payout addresses, payout requests, order read
Read-onlyAuditor, external reviewerView orders, webhook logs, SLA
Invite a new member at Team → Invite. Select their role and enter their email - they receive an invitation link valid for 7 days.

Audit log

Every action taken in the dashboard - key creation, role changes, payout requests, webhook replays - is recorded in the Audit Log with the actor’s identity, IP address, and timestamp. The log is append-only at the database level and retained for 2 years. Export as NDJSON or CSV for compliance reporting.

Authentication

API key scopes, prefixes, rotation, and lockout behavior.

Webhooks

Signature verification, retry schedule, ops events, and sandbox behavior.

Order lifecycle

All order statuses, transitions, and terminal states.

Refund flow

Programmatic vs. ticket refunds, window handling, stable conversion.

SSE streaming

Real-time order status via Server-Sent Events and reconnection with Last-Event-ID.

SLA

Uptime tiers, compensation tables, probe contract.