Licensed crypto payment gateway: accept BTC, ETH, USDC, USDT and stablecoin payments via hosted payment links, redirect checkout, or REST API, with automatic settlement to fiat or crypto.
- merchant crypto checkout
- hosted payment links
- stablecoin acceptance with fiat settlement
- Web3 / digital goods payments
- regulated payment processor (MAS, FinCEN registered)
| Variable | Scope | Description |
|---|---|---|
| TRIPLEA_CLIENT_ID | Server | Triple-A OAuth2 client id used to obtain a bearer access token from `/api/v2/oauth/token`. |
| TRIPLEA_CLIENT_SECRET | Server | OAuth2 client secret paired with `TRIPLEA_CLIENT_ID`. Server-only. |
| TRIPLEA_MERCHANT_KEY | Server | Merchant key passed in the request body when creating payments. Identifies the receiving merchant account. |
| TRIPLEA_NOTIFICATION_SECRET | Server | Webhook secret used to verify the `X-Signature` HMAC-SHA256 header on incoming notifications before crediting orders. |
Use Triple-A for hosted crypto checkout. Server-side, exchange `TRIPLEA_CLIENT_ID` / `TRIPLEA_CLIENT_SECRET` for a bearer token at `POST https://api.triple-a.io/api/v2/oauth/token`, then create a payment with `POST /api/v2/payment` (body: `merchant_key`, `order_currency`, `order_amount`, `notification_url`, `cancel_url`, `success_url`). Redirect the customer to the returned `hosted_url`. On success Triple-A POSTs to your `notification_url` with payment status; verify the `X-Signature` HMAC against the raw body using `TRIPLEA_NOTIFICATION_SECRET` before fulfilling the order. For payouts use `POST /api/v2/payout` with the recipient crypto address, asset, and network.
- Access tokens from the OAuth endpoint expire (typically 1h): cache and refresh server-side; do not request a new token per payment or you will hit rate limits.
- Webhook signature is HMAC-SHA256 over the raw JSON body. Frameworks that re-serialize the body (Express default `body-parser`) produce a different string and fail verification. Capture the raw buffer.
- Hosted checkout URLs expire (default ~15 minutes) and the on-chain payment window is short: surface the countdown to the user; expired payments must be re-quoted, not retried.
- Sandbox (`sandbox.triple-a.io`) is gated: request access via support and use a separate merchant key; live keys silently 401 against sandbox endpoints.
- Underpayments and overpayments are common with on-chain UTXO payments (BTC): handle `payment_status` of `partial` and `overpaid` explicitly rather than treating anything non-`completed` as failed.
- Geo and asset availability is region-locked by Triple-A's licenses (MAS in SG, FinCEN MSB in US, etc.); the merchant account configuration determines which fiat settlement currencies and chains are usable.
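The raw-body requirement for `X-Signature` can be seen in a short Node.js sketch. This is an added example, not Triple-A's code: the function names and the sample payload and secret are constructed, and it assumes the header carries the hex-encoded HMAC-SHA256 digest (confirm the encoding against Triple-A's documentation).

```javascript
const crypto = require('node:crypto');

// Assumption: X-Signature is the hex-encoded HMAC-SHA256 of the exact bytes received.
function verifyNotification(rawBody, signatureHeader, secret) {
  // Fail closed if the secret is missing rather than verifying against an empty key.
  if (!secret) throw new Error('notification secret not configured');
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== 'string') return false;

  const candidate = signatureHeader.trim();
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (!/^[0-9a-fA-F]{64}$/.test(candidate)) return false;

  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(candidate, 'hex');
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, received);
}

// Parse the JSON only after the signature has been checked.
// Returns the parsed notification, or null if the signature is invalid.
function handleNotification(rawBody, signatureHeader, secret) {
  if (!verifyNotification(rawBody, signatureHeader, secret)) return null;
  return JSON.parse(rawBody.toString('utf8'));
}

// --- Constructed sample data (not a real Triple-A notification) ---
const SAMPLE_SECRET = 'constructed-notification-secret';
// Note the spacing and the trailing zero: these bytes are what the sender signed.
const SAMPLE_RAW = Buffer.from('{"payment_status": "partial",  "order_amount": 10.50}');
const SAMPLE_SIG = crypto
  .createHmac('sha256', SAMPLE_SECRET)
  .update(SAMPLE_RAW)
  .digest('hex');

// What you get if a body parser decodes the JSON and you re-serialize it:
// whitespace and number formatting change, so the HMAC no longer matches.
const RESERIALIZED = Buffer.from(
  JSON.stringify(JSON.parse(SAMPLE_RAW.toString('utf8')))
);

console.log('raw body verifies:          ', verifyNotification(SAMPLE_RAW, SAMPLE_SIG, SAMPLE_SECRET));
console.log('re-serialized body verifies:', verifyNotification(RESERIALIZED, SAMPLE_SIG, SAMPLE_SECRET));
```

In Express, mounting `express.raw({ type: 'application/json' })` on the notification route makes `req.body` the raw `Buffer` that `verifyNotification` expects.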