Kollectar AR exposes a small server-to-server API for approved payment and collection partners. Use it to confirm a customer account, show the amount due, and post a successful payment back to Kollectar AR.
This page is the quickstart for going live.
What This API Does#
The payment flow is intentionally simple:
- Validate the customer account.
- Check the outstanding balance.
- Collect payment in your channel.
- Record the successful payment in Kollectar AR.
Kollectar AR then allocates the payment to open invoices, writes the audit trail, and queues downstream accounting sync where enabled.
Base URL#
https://kollectar-ar.com
All endpoints are under:
/api/public/v1/payments
Use HTTPS and send JSON:
Content-Type: application/json; charset=utf-8
Authentication#
Production requests require three headers issued by Kollectar AR:
| Header | Description |
|---|---|
x-api-key | Your partner API key. |
x-timestamp | Current Unix timestamp in milliseconds. Requests outside the allowed clock window are rejected. |
x-signature | Lowercase hex HMAC-SHA256(secret, "{x-timestamp}.{raw_request_body}"). |
Sign the exact raw JSON bytes you send. If your client signs one JSON string and sends another, the signature will fail.
Signing examples#
import { createHmac } from "node:crypto";
const body = {
account_number: "BIN-100045",
provider: "pegasus",
channel: "ussd",
request_reference: "PEG-REQ-20260605-0001",
};
const raw = JSON.stringify(body);
const timestamp = Date.now().toString();
const signature = createHmac("sha256", process.env.KOLLECTAR_API_SECRET)
.update(`${timestamp}.${raw}`)
.digest("hex");
await fetch("https://kollectar-ar.com/api/public/v1/payments/validate-account", {
method: "POST",
headers: {
"content-type": "application/json; charset=utf-8",
"x-api-key": process.env.KOLLECTAR_API_KEY,
"x-timestamp": timestamp,
"x-signature": signature,
},
body: raw,
});1. Validate Account#
Use this before showing a customer balance or payment prompt.
POST /api/public/v1/payments/validate-account
Request:
{
"account_number": "BIN-100045",
"provider": "pegasus",
"channel": "ussd",
"request_reference": "PEG-REQ-20260605-0001"
}
Success response:
{
"success": true,
"code": "OK",
"message": "Account is valid",
"account_number": "BIN-100045",
"customer_name": "Sample Customer Ltd",
"customer_status": "active"
}
Common failures:
| HTTP | Code | Meaning |
|---|---|---|
400 | INVALID_REQUEST | Missing or malformed request data. |
401 | UNAUTHORIZED | API key, signature, or timestamp failed. |
404 | NOT_FOUND | Account number was not found. |
2. Check Balance#
Use this to show the amount currently due.
POST /api/public/v1/payments/balance-inquiry
Request:
{
"account_number": "BIN-100045",
"provider": "pegasus",
"channel": "ussd",
"request_reference": "PEG-REQ-20260605-0002"
}
Success response:
{
"success": true,
"code": "OK",
"message": "Outstanding balance retrieved",
"account_number": "BIN-100045",
"customer_name": "Sample Customer Ltd",
"customer_status": "active",
"outstanding_amount": 125000,
"currency": "UGX",
"invoice_number": "INV-2026-00045",
"billing_period": "2026-06",
"allow_partial_payment": true,
"minimum_payment_amount": 1,
"payment_reference": "KAR-BIN-100045-1780500000000"
}
If the customer has no outstanding balance, the response is still successful but returns:
{
"success": true,
"code": "ZERO_BALANCE",
"outstanding_amount": 0
}
3. Record Payment#
Call this only after your channel has successfully collected the money.
POST /api/public/v1/payments/record
Request:
{
"transaction_id": "PEG-TXN-20260605-000123",
"account_number": "BIN-100045",
"invoice_number": "INV-2026-00045",
"amount_paid": 50000,
"currency": "UGX",
"payment_date": "2026-06-05T09:30:00Z",
"payment_method": "mobile_money",
"status": "successful",
"payer_phone": "+256700000000",
"provider": "pegasus",
"channel": "ussd",
"request_reference": "PEG-REQ-20260605-0003",
"provider_payload": {
"receipt_number": "PEG-000123"
}
}
Success response:
{
"success": true,
"code": "PROCESSED",
"message": "Payment processed",
"transaction_id": "PEG-TXN-20260605-000123",
"payment_id": "9b1c5b3e-1a2c-4d8e-b3e7-77e3b1c2e0a1",
"allocations_count": 1,
"credit_amount": 0
}
transaction_id is the idempotency key. If you retry the same successful transaction, Kollectar AR returns HTTP 200 with:
{
"success": true,
"code": "DUPLICATE_IGNORED",
"message": "Duplicate transaction ignored - original payment kept intact",
"transaction_id": "PEG-TXN-20260605-000123",
"payment_id": "9b1c5b3e-1a2c-4d8e-b3e7-77e3b1c2e0a1"
}
Treat DUPLICATE_IGNORED as success in your retry logic.
Field Summary#
| Field | Required | Notes |
|---|---|---|
account_number | Yes | Customer account number in Kollectar AR. |
provider | Recommended | Your provider identifier, for example pegasus. |
channel | Recommended | Your channel, for example ussd, agent, web, or api. |
request_reference | Recommended | Your request/correlation ID for tracing. |
transaction_id | Yes for payment record | Your unique payment transaction ID. Used for idempotency. |
amount_paid | Yes for payment record | Amount collected. Must be greater than zero. |
currency | Recommended | ISO currency code. Use UGX unless agreed otherwise. |
payment_date | Yes for payment record | When the customer paid you. ISO-8601 is preferred. |
provider_payload | Optional | Small JSON object for provider receipt details. Avoid sensitive data. |
Retries#
Retry safely when you receive a network timeout or a transient server error.
Do not create a new transaction_id for the same collected payment. Reuse the original transaction_id so Kollectar AR can deduplicate the callback.
Recommended retry behavior:
| Situation | What to do |
|---|---|
| Network timeout after payment collection | Retry record with the same transaction_id. |
HTTP 200 + PROCESSED | Mark the transaction complete. |
HTTP 200 + DUPLICATE_IGNORED | Mark the transaction complete. |
HTTP 400 | Fix the request; do not retry blindly. |
HTTP 401 | Fix credentials/signing; do not retry blindly. |
HTTP 404 on account lookup | Ask the customer to confirm the account number. |
Optional: Reverse Payment#
Payment reversal is available for approved partners, but it is not required for the first integration unless agreed during go-live.
POST /api/public/v1/payments/reverse
Use it for chargebacks, refunds, or mistaken payment postings.
Go-Live Checklist#
Before production traffic starts, confirm:
- API key and HMAC secret have been issued through a secure channel.
- Your server clock is synchronized.
- You can call
validate-account,balance-inquiry, andrecord. - You have tested retrying the same
transaction_id. - Your support team knows what account number the customer will enter.
- Your reconciliation report includes
transaction_id,account_number,amount_paid,currency,payment_date, and provider receipt number.
Support#
For credentials, test accounts, failed signatures, or production cutover, contact the Kollectar AR integration owner provided during onboarding.