Loyalty Exchange API

Brand-scoped, header-authenticated. Every request needs an x-api-key header (created per brand). Missing or invalid keys return 401.

Authentication

curl https://qiibee-loyalty-api.josboxoffice.com/api/admin/tokens \
  -H "x-api-key: qb_your_sandbox_key"

Endpoints

GET /api/admin/tokens
List the brand's loyalty tokens (type, onramp/offramp, issued/burned).
GET /api/admin/tokens/:id
Fetch one token's economics — onramp, offramp, total issued and burned.
POST /api/admin/codes
Mint an earning code (token_id, code, points); redeeming it issues points to a user.
GET /api/admin/transactions
List the brand's exchange transactions (status, amounts, rate, USD value).
POST /api/admin/transactions
{type:"exchange", user_auth_id, brandA_token_id, amount, brandB_token_id}202 accepted (async saga); 400 if not whitelisted / over USD limit / insufficient.
GET /api/admin/transactions/:id
Fetch one transaction's status (requested → completed/failed).
GET /api/admin/token-exchange-whitelist
One-way exchange partnerships: from→to token, derived rate, min/max USD.
POST /api/admin/reward-types
Publish a reward catalog entry (token_id, sku, title, cost_points, provider).
GET /api/admin/reward-types
The brand's reward catalog.
POST /api/admin/transactions {type:"points_to_rewards"}
Burn points → issue a reward voucher. 202 accepted; 400 on insufficient/unknown.
GET /api/admin/rewards
Issued rewards (voucher + issued/used status).
PUT /api/admin/rewards/:id
Mark a reward used (one-time; 409 if already used).
GET /api/admin/wallets
Custodial wallet addresses per user (keys never exposed).
GET /api/admin/chain/txns
On-chain transactions: kind (mint/burn/transfer/mint_nft), tx_hash, pending/confirmed status, block.
POST /api/admin/nft-types
Publish an NFT design (points_token_id, name, cost_points).
GET /api/admin/nft-types
The brand's NFT catalog.
POST /api/admin/transactions {type:"points_to_nft_exchange"}
Burn points → mint a real ERC-721 to the user's wallet. 202/400.
GET /api/admin/nfts
Minted NFTs (on-chain token id, owner, status, tx_hash).
POST /api/admin/transactions {type:"points_to_crypto"}
Burn points → buy crypto via the ramp (points_token_id, asset, amount). 202/400 (KYC/limit).
GET /api/admin/crypto/purchases
Crypto purchases: asset, points, usd, amount, rate, tx_ref, status.
POST /api/admin/webhooks
Register a webhook (url, events); returns a signing secret once. Deliveries are HMAC-signed (x-qb-signature).
GET /api/admin/webhooks
List the brand's webhook subscriptions.
GET /api/admin/users/:external_id
Fetch a brand-scoped user by their user_auth_id.

Health

GET /api/health
Liveness + DB status (no auth).