PPOB integration for partner companies — check Poin, top up, and purchase products.
Download Postman CollectionThe Open API lets partner companies integrate with the MBT PPOB platform. Every product purchase is funded by your company's Poin (prepaid balance), which you can top up and monitor through these endpoints.
https://tokoatlas.com/api/partner
Authenticate every request with your API Key and Secret, sent as HTTP headers. You can find and regenerate these in your company dashboard under Poin Perusahaan → Kredensial Open API.
| Header | Description |
|---|---|
X-Api-Key | Your company API key. |
X-Api-Secret | Your company API secret. |
curl https://tokoatlas.com/api/partner/saldo \ -H "X-Api-Key: mbtk_xxxxxxxxxxxxxxxx" \ -H "X-Api-Secret: mbts_xxxxxxxxxxxxxxxx"
Responses use standard HTTP status codes and a consistent JSON shape:
{
"success": false,
"message": "Invalid API credentials."
}
| Code | Meaning |
|---|---|
| 200 / 201 | Success. |
| 401 | Missing or invalid API credentials. |
| 402 | Insufficient Poin. |
| 403 | Account not allowed to use the API (e.g. MBT). |
| 404 | Resource not found. |
| 422 | Validation error. |
GET /saldo
Returns your company's current balance.
curl https://tokoatlas.com/api/partner/saldo \ -H "X-Api-Key: ..." -H "X-Api-Secret: ..."Response
{
"success": true,
"data": {
"company": "Partner Co",
"balance": 1500000
}
}
POST /saldo/topup
Adds balance to your company's Poin.
success immediately.
| Field | Type | Description | |
|---|---|---|---|
amount |
number | required | Amount to add. Minimum 10,000. |
curl -X POST https://tokoatlas.com/api/partner/saldo/topup \
-H "X-Api-Key: ..." -H "X-Api-Secret: ..." \
-H "Content-Type: application/json" \
-d '{"amount": 500000}'
Response
{
"success": true,
"message": "Top up berhasil.",
"data": {
"topup_code": "TOP2205260000001123",
"amount": 500000,
"balance": 2000000
}
}
GET /products
Lists available PPOB products with their selling price.
| Query | Type | Description | |
|---|---|---|---|
q | string | optional | Search term (product name/code). |
provider | string | optional | Filter by provider. |
page | number | optional | Page number (default 1). |
rows | number | optional | Rows per page (default 100). |
curl "https://tokoatlas.com/api/partner/products?q=tri&rows=20" \ -H "X-Api-Key: ..." -H "X-Api-Secret: ..."Response
{
"success": true,
"data": [
{
"product_code": "TRS2",
"name": "REGULER TRI 2K",
"provider": "THREE REGULER",
"price": 2294,
"active": true,
"disrupted": false
}
],
"pagination": { "more": false }
}
POST /transactions
Purchases a PPOB product. The product's price is deducted from your Poin.
| Field | Type | Description | |
|---|---|---|---|
product_code |
string | required | Product code (from /products). |
target_number |
string | required | Destination (phone number / meter id). |
partner_reference |
string | optional | Your own reference. Used as an idempotency key — repeating it returns the existing transaction instead of charging again. |
curl -X POST https://tokoatlas.com/api/partner/transactions \
-H "X-Api-Key: ..." -H "X-Api-Secret: ..." \
-H "Content-Type: application/json" \
-d '{
"product_code": "TRS2",
"target_number": "0895347740321",
"partner_reference": "ORDER-1001"
}'
Response (201)
{
"success": true,
"message": "Transaction submitted.",
"data": {
"code": "2205260000001123",
"partner_reference": "ORDER-1001",
"product_code": "TRS2",
"product_name": "REGULER TRI 2K",
"target_number": "0895347740321",
"amount": 2294,
"payment_status": "PAID",
"transaction_status": "PROCESS",
"created_at": "2026-05-22T12:00:00+07:00",
"balance": 1997706
}
}
402 with the
required amount and your current balance — no transaction is created.
GET /transactions/{code}
Returns the current status of a transaction you created.
curl https://tokoatlas.com/api/partner/transactions/2205260000001123 \ -H "X-Api-Key: ..." -H "X-Api-Secret: ..."Response
{
"success": true,
"data": {
"code": "2205260000001123",
"partner_reference": "ORDER-1001",
"product_code": "TRS2",
"product_name": "REGULER TRI 2K",
"target_number": "0895347740321",
"amount": 2294,
"payment_status": "PAID",
"transaction_status": "PROCESS",
"created_at": "2026-05-22T12:00:00+07:00"
}
}
Register a webhook URL in your company dashboard under
Poin Perusahaan → Webhook URL. We send a
POST request to that URL whenever a relevant
event happens — for example when a Poin top-up settles.
| Event | When it fires |
|---|---|
topup.success | A Poin top-up has been received and credited. |
topup.expired | A Poin top-up ticket expired or was cancelled before payment. |
{
"event": "topup.success",
"data": {
"topup_code": "TOP2205260000001123",
"amount": 500000,
"credited_amount": 500328,
"status": "success",
"balance": 2000000
},
"timestamp": "2026-05-22T12:00:00+07:00"
}
Every request carries an X-Mbt-Signature header: an
HMAC-SHA256 of the raw request body, keyed by your API Secret.
The event name is also sent as X-Mbt-Event.
Recompute the signature and compare to confirm the request came from us.
// PHP example
$payload = file_get_contents('php://input');
$expected = hash_hmac('sha256', $payload, $apiSecret);
$signature = $_SERVER['HTTP_X_MBT_SIGNATURE'] ?? '';
if (! hash_equals($expected, $signature)) {
http_response_code(401);
exit;
}
2xx status to acknowledge receipt.
Non-2xx responses (or timeouts after 5 seconds) are logged on our side; delivery
is best-effort and is not retried.