Frequently asked questions

Integrate in whichever way suits your stack: call the REST APIs directly, use our official SDKs (JavaScript and PHP) to skip request-signing boilerplate, or let an AI coding agent build the integration using our MCP server and skills. See the Developers and AI sections for each path.

Each request carries your static `developer_key` header plus a per-request `secret-key` header — an HMAC-SHA256 signature of the current timestamp, keyed by your access key. The access key itself is never sent over the wire. You receive UAT keys on signup and production keys after KYC.

Yes. A full sandbox environment is available immediately on signup. You can test your integration end-to-end before going live — no commitment required.

Sandbox and production share the same paths and differ only by base URL: use https://staging.eko.in/ekoapi/v3 for UAT / Sandbox, and https://api.eko.in/ekoicici/v3 for Production. A common cause of failures is calling the sandbox/staging URL with live credentials (or vice-versa) — make sure the base URL matches the keys you are using.

Production API access may require your static public (server) IP to be whitelisted. If your calls work from Postman but fail or time out from your own server, share your static public IP with us so we can whitelist it.

Most verification APIs return in real time with sub-second responses, and 99th-percentile latency stays under two seconds across verification endpoints. Transaction APIs (DMT, AePS, BBPS) respond within seconds.

Yes. The API is designed to handle large-scale volumes reliably without performance degradation.

Usage is billed per successful API call with no minimum commitment. Volume-based pricing tiers are available — contact our team for detailed rates.

Every response includes a status code and a human-readable message. Failed requests return specific error codes indicating the reason, so you can handle each case programmatically.

Eko APIs are versioned in the base path (currently v3). Sandbox and production share the same paths and differ only by base URL.

Eko follows applicable RBI and data-protection guidelines for its regulated banking and KYC services. Aadhaar-based KYC is performed only with explicit customer consent.

Share the complete request and response so we can debug quickly: the full curl (including headers), the response body, the timestamp, and your initiator_id, user_code and client_ref_id. Issues raised with these details are resolved much faster.

Two frequent ones: client_ref_id must be at most 20 characters, and the JSESSIONID cookie that Postman adds automatically is harmless — it has no effect on the API and can be safely ignored.