Welcome to the Kaito APIs. This portal provides OpenAPI specs, quickstarts, and security details so you can build, test, and launch on Kaito.
Kaito provides API-based connectivity as a payment rail to move value across regions and rails:
- FIAT <-> FIAT — Cross-border fiat transfers
- FIAT <-> CRYPTO — On-ramp to crypto
- CRYPTO <-> FIAT — Off-ramp to fiat
- CRYPTO <-> CRYPTO — On-chain transfers
You integrate once with the Kaito API, and Kaito handles routing, provider selection, fallbacks, and settlement orchestration.
| Option | Description | Use Case |
|---|---|---|
| API Direct | Full control via REST API | Backend integrations |
| JavaScript SDK | @kaito/checkout-sdk | Web applications |
| Hosted Checkout | Redirect to Kaito | Quick integration |
| iFrame Embed | Widget in your app | Custom UI |
| Environment | Base URL | Purpose |
|---|---|---|
| Production | https://api.kaito.io | Live transactions |
| Sandbox | https://sandbox.api.kaito.io | Testing with mock data |
Machine-to-machine API for partners to discover corridors, manage destination accounts, and run quote/order flows.
| Feature | Description |
|---|---|
| Rails | List enabled corridors for the authenticated client (GET /v1/rails) |
| Accounts | Manage destination bank accounts (/v1/accounts, includes validate) |
| Quotes | Create a quote against a destination account (POST /v1/quotes) |
| Orders | Convert a quote into an order and track its lifecycle (/v1/orders, /v1/orders/{orderId}) |
| Deposit reporting | Body-less client action: deposit sent (POST /v1/orders/{orderId}/deposit-reported) |
Supported flow types (selected by request body shape, not by URL): kaito → kaito, kaito → soyfri, crypto → kaito, crypto → soyfri.
Spec: core.yaml
Identity verification and wallet management.
| Feature | Description |
|---|---|
| Identity (KYC) | Individual identity verification |
| Identity (KYB) | Business verification |
| Wallets | Custodial wallet creation and management |
Spec: users.yaml
| Mechanism | Description |
|---|---|
| Transport | All API communication is over HTTPS (TLS). Plain HTTP is rejected. |
| API key | x-kaito-api-key — public Rail API key identifier (rk_test_… / rk_live_…). Identifies the calling client. |
| Per-request signature | x-kaito-signature — hex HMAC-SHA256 of the canonical request, signed with the per-key secret. The secret never leaves your side. |
| Replay window | x-kaito-timestamp — Unix timestamp; signatures older than ±300s are rejected. |
| Trace id | x-kaito-trace-id — caller-generated id, echoed in the response header and in error envelopes. |
| Body hash | x-kaito-content — hex SHA-256 of the raw body; required for POST/PATCH, optional for GET/DELETE. |
| Webhook signature | Outbound webhooks are signed by Kaito with Kaito-Timestamp + Kaito-Signature (HMAC-SHA256). Verify on your side. |
See Kaito as a Payment Rail — Authentication for the canonical signature format and a runnable Node.js example.
// Sign one request to POST /v1/quotes
import crypto from 'node:crypto';
const apiKey = 'rk_test_...';
const secret = 'sk_...';
const baseUrl = 'https://api.kaito.io/v1';
const path = '/quotes';
const body = JSON.stringify({
sourceCountry: 'GT',
targetAccountId: '019e4c4b-...-ba-...',
amount: 20,
});
const timestamp = Math.floor(Date.now() / 1000).toString();
const traceId = `trc_${Date.now().toString(36)}_${crypto.randomBytes(4).toString('hex')}`;
const contentSha256 = crypto.createHash('sha256').update(body).digest('hex');
const canonical = [timestamp, 'POST', path, '', traceId, contentSha256].join('.');
const signature = crypto.createHmac('sha256', secret).update(canonical).digest('hex');
await fetch(`${baseUrl}${path}`, {
method: 'POST',
headers: {
'content-type': 'application/json',
'x-kaito-api-key': apiKey,
'x-kaito-timestamp': timestamp,
'x-kaito-trace-id': traceId,
'x-kaito-content': contentSha256,
'x-kaito-signature': signature,
},
body,
});For a ready-to-use cookbook, import the Kaito Rail API Postman collection — fill in apiKeyId, hmacSecret, and targetAccountId under the collection's Variables tab, and every request is signed automatically by the collection-level pre-request script.
| Channel | Details |
|---|---|
| sales@kaito.io — initial contact, credentials request | |
| 💬 Slack | Shared channel for technical integration support — request an invite at sales@kaito.io |
- Auto-generate clients from OpenAPI specs (TypeScript, Python, Java, Go)
- Import specs into Postman/Insomnia
- Overview — Key concepts and architecture
- Payment Rail — How Kaito works as a rail
- Embedded Experiences — SDK, Checkout, iFrame
- Use Cases — Example flows
- Webhooks — Event delivery and signatures
- Errors & Tracing — Error handling
Last updated: 2026-05-19