Developer Documentation
DrutoPay auto-verifies payments to your bKash / Nagad / Rocket personal number by reading the “money received” SMS on an Android phone and matching it to your order.
Base URL: https://pay.api.drutoai.com
Introduction
Personal MFS accounts have no official payment API. DrutoPay solves this by capturing the payment SMS on a phone you own, parsing the amount / TrxID / sender, and matching it to a payment you created. There are two ways to confirm a payment:
- Auto-match — create a payment for the expected amount; it flips to verified when the SMS arrives.
- TrxID verify — the customer pastes their TrxID and you verify it directly.
Quickstart
- Open the Dashboard → register a merchant → copy your API key (sk_…).
- Register your Android phone as a device → copy the device token (dev_…).
- Set up the SMS forwarder on that phone.
- From your server, create a payment at checkout and poll or use a webhook.
Authentication
All merchant endpoints require your API key, sent as a header. Keep it on your server — never in browser JS.
x-api-key: sk_your_key
# or
Authorization: Bearer sk_your_key
The SMS-forwarder device authenticates with its own token: Authorization: Bearer dev_…
Create a payment POST /api/payments
curl -X POST https://pay.api.drutoai.com/api/payments \
-H "x-api-key: $API_KEY" -H "content-type: application/json" \
-d '{
"amount": 1000.37,
"reference": "ORDER-001",
"expiresInMinutes": 30
}'
Optional fields: provider (bkash|nagad|rocket) and senderMsisdn to constrain matching.
Response includes an id and status: "pending". Store the id on your order.
Check status GET /api/payments/{id}
curl https://pay.api.drutoai.com/api/payments/$ID -H "x-api-key: $API_KEY"
# { "status": "verified", "transaction": { "trxId": "9AB1CD2EF3", "amount": 1000.37, ... } }
Statuses: pending → verified | expired | cancelled. Poll every 3–5s, or use a webhook.
Webhooks
Set a webhookUrl on your merchant. When a payment verifies, DrutoPay POSTs:
POST your-webhook-url
{
"event": "payment.verified",
"payment": { "id": "...", "amount": 1000.37, "reference": "ORDER-001", "status": "verified" },
"transaction": { "provider": "bkash", "trxId": "9AB1CD2EF3", "amount": 1000.37, "senderMsisdn": "0171...", "receivedAt": "..." }
}
Respond 200 to acknowledge. Match the order via payment.reference.
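The page describes no signature or shared secret on webhook calls, so a receiver can treat the POST as a notification and confirm it through GET /api/payments/{id} before marking the order paid. The Python below is an added example, not DrutoPay's own code; the orders store, the seen_trx set and the DRUTOPAY_API_KEY variable name are assumptions, and the status response is assumed to have the shape shown under "Check status".

```python
import json
import os
import urllib.request
from decimal import Decimal, InvalidOperation

BASE_URL = "https://pay.api.drutoai.com"


def fetch_payment(payment_id):
    """GET /api/payments/{id}, authenticated with the merchant API key."""
    req = urllib.request.Request(
        f"{BASE_URL}/api/payments/{payment_id}",
        # DRUTOPAY_API_KEY is an assumed environment variable name.
        headers={"x-api-key": os.environ["DRUTOPAY_API_KEY"]},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def confirm_webhook(body, orders, seen_trx, fetch=fetch_payment):
    """Return the order reference to mark paid, or None to ignore the call.

    orders   -- hypothetical store: payment id -> {"reference", "amount"}
    seen_trx -- set of TrxIDs already credited (guards against replays)
    """
    if not isinstance(body, dict) or body.get("event") != "payment.verified":
        return None
    claimed = body.get("payment")
    if not isinstance(claimed, dict) or not isinstance(claimed.get("id"), str):
        return None
    order = orders.get(claimed["id"])
    if order is None or claimed.get("reference") != order["reference"]:
        return None
    # The request body is only a hint: read status and amount from the API.
    current = fetch(claimed["id"])
    trx = current.get("transaction") or {}
    try:
        paid = Decimal(str(trx.get("amount")))
    except InvalidOperation:
        return None
    if current.get("status") != "verified" or paid != order["amount"]:
        return None
    trx_id = trx.get("trxId")
    if not trx_id or trx_id in seen_trx:
        return None
    seen_trx.add(trx_id)
    return order["reference"]
```

Return 200 to the caller in every case and act only on a non-None result, so the response does not reveal which check failed.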
Verify by TrxID POST /api/payments/verify
curl -X POST https://pay.api.drutoai.com/api/payments/verify \
-H "x-api-key: $API_KEY" -H "content-type: application/json" \
-d '{"trxId":"9AB1CD2EF3","amount":1000.37}'
# { "verified": true, "transaction": { ... } }
Avoiding mismatches
Auto-match pairs an SMS to a pending payment by amount. If two orders share the same amount at once, the first SMS could match the wrong one. Pick one safeguard:
- Unique amounts (recommended): add random paisa, e.g. 1000.37.
- Require TrxID: use the verify endpoint above.
- Require sender: pass senderMsisdn when creating the payment.
Register a device POST /api/merchants/devices
curl -X POST https://pay.api.drutoai.com/api/merchants/devices \
-H "x-api-key: $API_KEY" -H "content-type: application/json" \
-d '{"name":"Shop bKash phone","msisdn":"01700000000"}'
# → { "deviceToken": "dev_...", ... } (shown once)
SMS forwarder (Android)
The capture phone must be Android (iOS can’t read SMS). Easiest setup is Tasker — no app build:
- Tasker → Profile → Event → Phone → Received Text.
- Task → URL-encode %SMSRB and %SMSRF, then HTTP Request:
POST https://pay.api.drutoai.com/api/sms/ingest
Header: Authorization: Bearer dev_your_token
Header: Content-Type: application/x-www-form-urlencoded
Body: sender=%sender&body=%body
The endpoint accepts JSON or form bodies and parses bKash / Nagad / Rocket “received” messages.
A ready-made Tasker profile and full guide are in the repo at docs/TASKER_SETUP.md.
API reference
Try every endpoint live with auth in the interactive API reference →