Overview

This release introduces HTTP Request Signing as a new authentication method and gives merchants full control over webhook signing key management from the StraitsX Dashboard.

Part 1: New Feature — HTTP Request Signing

We've introduced HTTP Request Signing, an enhanced authentication option that uses Ed25519 asymmetric cryptography (public/private key pairs) to sign API requests. This provides stronger request integrity and origin verification on top of your existing API key.

What's new:

• New authentication method using Ed25519 public/private key pairs.
• New request headers: X-PUBLIC-KEY-ID, X-TIMESTAMP, X-NONCE, X-SIGNATURE.
• Public Key management via the StraitsX Dashboard (upload, view, activate/deactivate, delete).
• Replay protection via nonce uniqueness and timestamp validation (±300 second window).

What you need to know:

• This is an opt-in feature — your existing API key authentication (X-XFERS-APP-API-KEY) remains fully supported with no changes required.
• You can test the signing flow in the Sandbox environment before enabling it in Production.

Updated documentation:

• Guides > Getting Started > Authentication Methods
  • Now covers both API Key (token-based authentication) and HTTP Request Signing methods.
• Guides > FAQ > Authentication FAQs > HTTP Request Signing
  • Detailed FAQ including canonical string construction, code samples (Python, Go, Node.js, Ruby), and error references.

Part 2: Enhancement — Webhook Signing Key Management

Merchants can now explicitly manage webhook signing secrets from the StraitsX Dashboard. Previously, signing secrets were automatically created alongside API keys and could not be managed independently.

What's new:

• Create new webhook signing secrets
• Activate or deactivate a signing secret
• Delete signing secrets you no longer need

This gives you full control over your webhook signing key lifecycle, including the ability to rotate secrets independently of your API keys.

Overview

This release enhances multi-currency consistency across core endpoints and introduces support for SWIFT and MEPS (MAS Electronic Payment System) rails for high-value SGD transactions.

Part 1: Multi-Currency Support Enhancements

We’ve expanded currency and wallet support across key endpoints to improve consistency in multi‑currency workflows:

• Added support for sgd and usd options in filter[currency] attribute:

  • GET /v1/payments
  • GET /v1/payouts
  
  

  Attribute	Description
  filter[currency]	Accepts xsgd, xusd, sgd or usd

• Added support for sgd and usd options in walletSource attribute:

  • POST /v1/withdrawal
  • POST /v1/payouts
  
  

  Attribute	Description
  walletSource	Fiat Only Business User: sgd, usd Default Business User: xsgd, xusd, sgd, usd

• Expanded Swap API Support
  • Added 9 new swap pairs to support seamless conversion between fiat (SGD, USD) and stablecoins (XSGD, XUSD, USDC, USDT).
  • Newly supported swap pairs: XSGDSGD, XSGDUSD, XUSDSGD, XUSDUSD, USDCSGD, USDCUSD, USDTSGD, USDTUSD, SGDUSD
  • These pairs will now be returned in the GET /v1/swap/pairs API response.

Part 2: SWIFT and MEPS Rail Access for API Users

Following the successful rollout of SGD SWIFT and MEPS rails to Dashboard users, API users can now initiate and manage high-value SGD transactions through supported endpoints.

📘

The MEPS rail is introduced for SGD transactions only. USD disbursement behavior remains unchanged and continues to use SWIFT.

1. Withdrawal - Disbursement Method Enhancement

• Added meps as a supported option for disbursementMethod attribute:

  • POST /v1/payout-recipients
  • POST /v1/customer_profile/{customer_profile_id}/payout-recipients
  • POST /v1/payouts
  • POST /v1/customer_profile/{customer_profile_id}/payouts
  
  

  Attribute	Description
  disbursementMethod	Accepts bankTransfer or paynow or swift or meps Note: For SGD, all listed methods are supported. For USD, only swift is supported.

• New disbursement_method attribute for Create a First Party Bank Transfer Payout API:

  • POST /v1/customer_profile/{customer_profile_id}/withdrawals
  
  

  New Parameter	Description
  disbursement_method	Payout method used to transfer funds. Accepts swift, meps, or bank_transfer. Note: bank_transfer: Supported only for SGD payouts via the FAST network. This is the default value for SGD. meps: Available for SGD only. swift: Available for both SGD and USD. This is the default value for USD. This field is Optional

  
  

2. Deposit - Virtual Bank Account Enhancement

• New network attribute for Create a Virtual Bank Account API:

  • POST /v1/payment_methods/virtual_bank_accounts
  
  

  New Parameter	Description
  network	Payment rail for the virtual bank account. Accepts fast, swift, or meps. Note: fast: Supported only for SGD virtual bank accounts. This is the default value for SGD. meps: Available for SGD virtual bank accounts only. swift: Available for both SGD and USD. This is the default value for USD. This field is Optional

  
  

Overview

We have updated our API documentation to introduce new functionality and improve clarity for existing integration flows:

1. New Enhancement: Added custom payment description support to improve processing flow with recipient banks.
2. Documentation Improvements: Updated FAQs, callback event references, and API specifications to reflect the latest system behaviors.

Part 1: New Enhancement

We’ve added support for the paymentReason field in both the Customer Profile Bank Account and Payout Recipient APIs.

📘

Payment reason is a field used to pass clear, specific instructions to the receiving bank. It is sent as the payment description to the bank and will override the Remittance Information (MT103 Field 70 / pacs.008 Remittance Information) in the payment message.

Endpoints:

• POST /v1/customer_profile/{customer_profile_id}/payout-recipients
• PATCH /v1/customer_profile/{customer_profile_id}/payout-recipients/{recipient_id}
• GET /v1/customer_profile/{customer_profile_id}/payout-recipients/{recipient_id}
• GET /v1/customer_profile/{customer_profile}/payout-recipients
• POST /v1/payout-recipients
• PATCH /v1/payout-recipients/{recipient_id}
• GET /v1/payout-recipients/{recipient_id}
• GET /v1/payout-recipients

Endpoints:

• POST /v1/customer_profile/{customer_profile_id}/bank_accounts
• PUT /v1/customer_profile/{customer_profile_id}/bank_accounts/{bank_account_id}
• GET /v1/customer_profile/{customer_profile_id}/bank_accounts

Part 2: Documentation Improvements

1. Guides > FAQs

• Bank Account FAQs: Updated Question 2 to include the new callback event cpbaVerificationStatusUpdated.
• Swap FAQs: Updated Question 1 to include XSGDUSDT swap pair.

2. Guides > Resources > Webhook / Callbacks > Callback Samples

• Deposit/Payment Callbacks: Added description on the payment transactions payload structure.
• Blockchain Deposit and Withdrawal Status Update Callbacks: Added callback sample for the Blockchain Deposit Status Update.
• Added new callback samples for Customer Profile Bank Account Callbacks.

3. API Reference

• Get Account Statement API: Updated the query parameter filter[currency] to allow sgd and usd currency filtering options.
• Webhook APIs: Updated the Get webhooks and Update webhooks API to include below events.
  • cpbaVerificationStatusUpdated
  • cpbaCreated
  • ubaCreated
  • ubaVerificationStatusUpdated
• Update Transaction Limit API: Updated the response schema to include customerProfileId attribute.
• Get Supported Swap Pairs API: Updated the response sample data to include XSGDUSDT swap pair.
• Create a First Party Bank Transfer Payout API: Updated the request schema attribute purpose_code description to include applicability for payments to UAE (in addition to SGD FAST payouts), and added validation for alphanumeric values up to 6 characters.

🚨 IMPORTANT: Action required by 30 Jan 2026

Starting 30 Jan 2026, we are enforcing stricter API validations to ensure SWIFT/ISO 20022 compliance. Please update your integration to the new field requirements before the deadline to avoid failures.

Overview

We are updating our API to align with downstream banking networks and introduce new withdrawal capabilities. These changes are divided into two parts:

1. Validation Updates: Stricter character and length limits for Customer Profiles.
2. New Features: Enhanced logic for Blockchain Withdrawals.

Part 1: Validation & Compliance Updates

• Goal: Reduce downstream rejections and meet ISO 20022 standards.
• Change: Stricter Regex patterns (SWIFT characters) and reduced field lengths.

1. Personal CP Configuration

Endpoints:

• POST /v1/kyc/customer_profiles

• PUT /v1/kyc/customer_profiles/:unique_id

• PATCH /v1/sandbox/kyc/customer_profiles/:unique_id Includes updates to general personal details and standard address fields.

  Parameter	Old Validation	New Validation
  customerName	Max 191 (Any chars) (Mandatory field)	SWIFT Chars (Max 50) /^(?=.{1,50}$)[a-zA-Z0-9 ]+$/ (Mandatory field)
  address.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.city	Max 100 (Specific chars) (Optional field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.state	Max 35 (SWIFT chars) (Optional field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Optional field)

  
  

2. Business CP Configuration

Endpoints:

• POST /v1/kyc/customer_profiles

• PUT /v1/kyc/customer_profiles/:unique_id

• PATCH /v1/sandbox/kyc/customer_profiles/:unique_id Includes updates to general business details and standard address fields.

  Parameter	Old Validation	New Validation
  customerName	Max 191 (Any chars) (Mandatory field)	SWIFT Chars (Max 50) /^(?=.{1,50}$)[a-zA-Z0-9 ]+$/ (Mandatory field)
  address.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.city	Max 100 (Specific chars) (Optional field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.state	Max 35 (SWIFT chars) (Optional field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Optional field)
  placeOfBiz	Max 255 (Any chars) (Mandatory field)	SWIFT Chars (Max 255) /^(?=.{1,255}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)

3. Personal CP+ Configuration

Endpoints:

• POST /v1/kyc/customer_profiles

• PUT /v1/kyc/customer_profiles/:unique_id

• PATCH /v1/sandbox/kyc/customer_profiles/:unique_id Includes updates to personal identity fields and standard address fields.

  Parameter	Old Validation	New Validation
  customerFirstName	Max 191 (Any chars) (Mandatory field)	SWIFT Chars (Max 50) /^(?=.{1,50}$)[a-zA-Z0-9 ]+$/ (Mandatory field)
  customerLastName	Max 191 (Any chars) (Mandatory field)	SWIFT Chars (Max 50) /^(?=.{1,50}$)[a-zA-Z0-9 ]+$/ (Mandatory field)
  address.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.city	Max 100 (Specific chars) (Optional field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.state	Max 35 (SWIFT chars) (Optional field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Optional field)

4. Business CP+ Configuration

Endpoints:

• POST /v1/kyc/customer_profiles

• PUT /v1/kyc/customer_profiles/:unique_id

• PATCH /v1/sandbox/kyc/customer_profiles/:unique_id Includes updates to operating addresses, beneficial owners, and trader details.

  Parameter	Old Validation	New Validation
  customerName	Max 191 (Any chars) (Mandatory field)	SWIFT Chars (Max 50) /^(?=.{1,50}$)[a-zA-Z0-9 ]+$/ (Mandatory field)
  address.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.city	Max 100 (Specific chars) (Mandatory field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  address.state	Max 35 (SWIFT chars) (Mandatory field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  operatingAddress.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  operatingAddress.city	Max 100 (Specific chars) (Optional field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  operatingAddress.state	Max 35 (SWIFT chars) (Mandatory field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  beneficialOwners[].address.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  beneficialOwners[].address.city	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  beneficialOwners[].address.state	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  trader.address.street	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 180) /^(?=.{1,180}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  trader.address.city	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 20) /^(?=.{1,20}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)
  trader.address.state	Max 180 (Any chars) (Mandatory field)	SWIFT Chars (Max 15) /^(?=.{1,15}$)[a-zA-Z0-9\-?:().,' +]+$/ (Mandatory field)

Part 2: New Features (Blockchain Withdrawals)

• Goal: Allow users to keep funds in fiat (SGD/USD) without auto-conversion.

1. Blockchain Withdrawal Improvements

Endpoint:

• POST /v1/blockchain_transfer/withdrawals/

  We've introduced a new field when creating a blockchain withdrawal request. Depositing SGD/USD into the Dashboard VAs will now go towards your SGD/USD balances instead of being auto-converted to XSGD/XUSD. You can now select which balances to deduct for each blockchain withdrawal.
  Note: Once you've made the necessary changes, please let our internal team know for us to roll out the new dashboard updates.

  New Parameter	Description	Accepted Values
  wallet_source	The source of funds the deduction will be made from. If no value is specified for this field, XSGD and XUSD withdrawals will, by default, be deducted from the XSGD and XUSD balances respectively. This field is Optional	XSGD XUSD USD SGD

We have published three new endpoints to support user withdrawals from their StraitsX account via API

• GET /v1/withdrawals/bank-accounts
• POST /v1/withdrawals
• GET /v1/withdrawals/:withdrawal_id

You will be able to make a withdrawal from your XSGD or XUSD wallet to a verified bank account on your StraitsX account easily with these two new endpoints.

We are now supporting both the SHA and OUR charge option for USD first party withdrawals (SWIFT) via POST /v1/customer_profile/{customer_profile_id}/withdrawals. The default charge option will be SHA if the attribute is not provided in the request.

We have now introduced the ability to create a customer profile bank account that's meant for SWIFT transactions. This means that the POST /v1/customer_profile/{customer_profile_id}/bank_accounts now supports the following optional fields:

• swift_bic
• intermediary_swift_bic
• routing_code

We released a new endpoint GET /v1/payout-recipients/requirements that allows you to query for the recipient's data requirements depending on the recipient's country, currency, the disbursement method, the proxy type (when disbursement method is paynow) and the entity type. The data requirements are returned in regex and you can apply the same validation on your platforms to support recipient creation.

Note that if you are using the regex in a programming language that requires double backslashes (like Ruby or Java), then the response is already the correct regex. However, if you are using it directly in a regex engine (like JavaScript or Python), you would need to replace the double backslashes \\ with single backslash \.

For added convenience, you can now also query and update webhooks for the various supported events directly via the following endpoints:

• GET /v1/webhooks
• PATCH /v1/webhooks

Updating webhooks via the StraitsX dashboard continues to be available to you.

When creating a payout recipient via POST /payout-recipients you now also have to pass in the following required fields:

• recipientInformation.entityType
• recipientInformation.currency

We now also support creating a SWIFT payout recipient (with additional required fields) to allow for payouts in USD.

For more information, check out the API reference here.