Open API Documentation

PPOB integration for partner companies — check Poin, top up, and purchase products.

Download Postman Collection

Overview

The Open API lets partner companies integrate with the MBT PPOB platform. Every product purchase is funded by your company's Poin (prepaid balance), which you can top up and monitor through these endpoints.

This API is available to partner companies only

Base URL

https://tokoatlas.com/api/partner

Authentication

Authenticate every request with your API Key and Secret, sent as HTTP headers. You can find and regenerate these in your company dashboard under Poin Perusahaan → Kredensial Open API.

HeaderDescription
X-Api-KeyYour company API key.
X-Api-SecretYour company API secret.
curl https://tokoatlas.com/api/partner/saldo \
  -H "X-Api-Key: mbtk_xxxxxxxxxxxxxxxx" \
  -H "X-Api-Secret: mbts_xxxxxxxxxxxxxxxx"

Errors

Responses use standard HTTP status codes and a consistent JSON shape:

{
  "success": false,
  "message": "Invalid API credentials."
}
CodeMeaning
200 / 201Success.
401Missing or invalid API credentials.
402Insufficient Poin.
403Account not allowed to use the API (e.g. MBT).
404Resource not found.
422Validation error.

Check Poin

GET /saldo

Returns your company's current balance.

curl https://tokoatlas.com/api/partner/saldo \
  -H "X-Api-Key: ..." -H "X-Api-Secret: ..."
Response
{
  "success": true,
  "data": {
    "company": "Partner Co",
    "balance": 1500000
  }
}

Top Up Poin

POST /saldo/topup

Adds balance to your company's Poin.

The payment gateway step is currently stubbed — top-ups settle to success immediately.
FieldTypeDescription
amount number required Amount to add. Minimum 10,000.
curl -X POST https://tokoatlas.com/api/partner/saldo/topup \
  -H "X-Api-Key: ..." -H "X-Api-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{"amount": 500000}'
Response
{
  "success": true,
  "message": "Top up berhasil.",
  "data": {
    "topup_code": "TOP2205260000001123",
    "amount": 500000,
    "balance": 2000000
  }
}

List Products

GET /products

Lists available PPOB products with their selling price.

QueryTypeDescription
qstringoptionalSearch term (product name/code).
providerstringoptionalFilter by provider.
pagenumberoptionalPage number (default 1).
rowsnumberoptionalRows per page (default 100).
curl "https://tokoatlas.com/api/partner/products?q=tri&rows=20" \
  -H "X-Api-Key: ..." -H "X-Api-Secret: ..."
Response
{
  "success": true,
  "data": [
    {
      "product_code": "TRS2",
      "name": "REGULER TRI 2K",
      "provider": "THREE REGULER",
      "price": 2294,
      "active": true,
      "disrupted": false
    }
  ],
  "pagination": { "more": false }
}

Buy Product

POST /transactions

Purchases a PPOB product. The product's price is deducted from your Poin.

FieldTypeDescription
product_code string required Product code (from /products).
target_number string required Destination (phone number / meter id).
partner_reference string optional Your own reference. Used as an idempotency key — repeating it returns the existing transaction instead of charging again.
curl -X POST https://tokoatlas.com/api/partner/transactions \
  -H "X-Api-Key: ..." -H "X-Api-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "product_code": "TRS2",
    "target_number": "0895347740321",
    "partner_reference": "ORDER-1001"
  }'
Response (201)
{
  "success": true,
  "message": "Transaction submitted.",
  "data": {
    "code": "2205260000001123",
    "partner_reference": "ORDER-1001",
    "product_code": "TRS2",
    "product_name": "REGULER TRI 2K",
    "target_number": "0895347740321",
    "amount": 2294,
    "payment_status": "PAID",
    "transaction_status": "PROCESS",
    "created_at": "2026-05-22T12:00:00+07:00",
    "balance": 1997706
  }
}
If your Poin is insufficient the API returns 402 with the required amount and your current balance — no transaction is created.

Check Transaction Status

GET /transactions/{code}

Returns the current status of a transaction you created.

curl https://tokoatlas.com/api/partner/transactions/2205260000001123 \
  -H "X-Api-Key: ..." -H "X-Api-Secret: ..."
Response
{
  "success": true,
  "data": {
    "code": "2205260000001123",
    "partner_reference": "ORDER-1001",
    "product_code": "TRS2",
    "product_name": "REGULER TRI 2K",
    "target_number": "0895347740321",
    "amount": 2294,
    "payment_status": "PAID",
    "transaction_status": "PROCESS",
    "created_at": "2026-05-22T12:00:00+07:00"
  }
}

Webhooks

Register a webhook URL in your company dashboard under Poin Perusahaan → Webhook URL. We send a POST request to that URL whenever a relevant event happens — for example when a Poin top-up settles.

Events

EventWhen it fires
topup.successA Poin top-up has been received and credited.
topup.expiredA Poin top-up ticket expired or was cancelled before payment.

Payload

{
  "event": "topup.success",
  "data": {
    "topup_code": "TOP2205260000001123",
    "amount": 500000,
    "credited_amount": 500328,
    "status": "success",
    "balance": 2000000
  },
  "timestamp": "2026-05-22T12:00:00+07:00"
}

Verifying the signature

Every request carries an X-Mbt-Signature header: an HMAC-SHA256 of the raw request body, keyed by your API Secret. The event name is also sent as X-Mbt-Event. Recompute the signature and compare to confirm the request came from us.

// PHP example
$payload   = file_get_contents('php://input');
$expected  = hash_hmac('sha256', $payload, $apiSecret);
$signature = $_SERVER['HTTP_X_MBT_SIGNATURE'] ?? '';

if (! hash_equals($expected, $signature)) {
    http_response_code(401);
    exit;
}
Respond with a 2xx status to acknowledge receipt. Non-2xx responses (or timeouts after 5 seconds) are logged on our side; delivery is best-effort and is not retried.
Beranda
Masuk