From zero to a live authorization in five minutes. All calls hit https://api.rmous.org/v1.
A shared Public Sandbox tenant is ready to go. Use these exact strings for every request in this quickstart.
# Add these to your shell or env file. RMO_API_KEY="pk_test_publicsandbox_2026" RMO_BEARER="sk_test_publicsandbox_2026_anyone_can_use_this" RMO_BASE="https://api.rmous.org"
Need fresh creds or want to understand sandbox limits? See Test Credentials.
A GET /v1/me confirms the keys are wired correctly.
curl $RMO_BASE/v1/me \ -H "X-API-Key: $RMO_API_KEY" \ -H "Authorization: Bearer $RMO_BEARER"
Should return your tenant's identity ("title": "Public Sandbox"). A 401 means the keys are wrong; a 403 means the API key isn't registered in API Gateway.
RMO cards never expose a raw PAN to merchants — you always work with a 17-character opaque panToken. Below we use a fixture token; in production your terminal SDK generates one from the chip/swipe.
curl $RMO_BASE/v1/authorizations \ -H "X-API-Key: $RMO_API_KEY" \ -H "Authorization: Bearer $RMO_BEARER" \ -H "Idempotency-Key: $(uuidgen)" \ -H "Content-Type: application/json" \ -d '{ "panToken": "TOKEN_FROM_TERMINAL", "amount": 12.99, "currency": "USD", "channel": "POS", "mcc": "5812", "merchantNameRaw": "RMO Coffee Shop", "mode": "01" }'
Successful response:
{
"authorizationId": "7421589",
"recordId": "A1b2C3d4E5f6G7h8I",
"status": "approved",
"amount": 12.99,
"approvalCode": "A7B2C3",
"expires": "2026-05-21T16:53:05Z"
}
When the customer takes possession of the goods, capture the authorization. Omit amount to capture the full remaining hold.
curl $RMO_BASE/v1/authorizations/7421589/capture \ -H "X-API-Key: $RMO_API_KEY" \ -H "Authorization: Bearer $RMO_BEARER" \ -H "Idempotency-Key: $(uuidgen)" \ -H "Content-Type: application/json" \ -d '{}' # Response: { "authorizationId": "7421589", "status": "charged", "amountCaptured": 12.99, "settled": "2026-05-14T16:53:42Z" }
Register a webhook subscription so RMO POSTs events to your server in real time. Save the returned secret — it’s shown only once.
curl $RMO_BASE/v1/webhook-subscriptions \ -H "X-API-Key: $RMO_API_KEY" \ -H "Authorization: Bearer $RMO_BEARER" \ -H "Idempotency-Key: $(uuidgen)" \ -H "Content-Type: application/json" \ -d '{ "url": "https://your-app.example.com/webhooks/rmo", "events": ["authorization.approved", "authorization.captured"], "description": "Production receiver" }' # Response (secret returned ONCE - persist it): { "id": "sub_abc123...", "url": "https://your-app.example.com/webhooks/rmo", "events": ["authorization.approved", "authorization.captured"], "secret": "whsec_xxx...", "secretLast4": "xxxx", "status": "active" }
Every event we POST to your URL carries X-RMO-Signature + X-RMO-Timestamp — verify the HMAC before trusting the body. See Webhooks for the canonical verification snippet.
The three-layer model: API key + bearer + optional HMAC signing.
Full reference for auth / capture / reverse / increment.
10-character code + 7-character PIN for no-card-present payments.
Signature verification, retry policy, and event payloads.
ISO-8583-style decline codes and the canonical error envelope.
Download the full 3.1 spec for any client generator or docs tool.