Resources/The Agent API Atlas/Finance/Airwallex

Everything an AI agent can do with the Airwallex API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints25

API version2026-05-29

Last updated23 June 2026

Orientation

How the Airwallex API works.

The Airwallex API is how an app or AI agent works with an Airwallex account: accepting a payment, refunding it, paying out to a beneficiary, or reading the balance across currencies. Access is granted by exchanging a client ID and API key for a short-lived token, and that token inherits whatever the key is permitted to do on the account. Airwallex pins behaviour to a dated version sent on each request, and a state change emits an event that Airwallex can deliver to a registered endpoint.

25Endpoints

9Capability groups

10Read

15Write

15Permissions

Authentication

Airwallex does not send the API key on each call. A client ID and API key are first exchanged at the authentication endpoint for a Bearer access token valid for 30 minutes, which is then reused on every request. The token is meant to be cached and reused, because the authentication endpoint has its own lower limit of 100 requests per minute per key.

Permissions

Access is account-level: a token inherits whatever the API key is permitted to do, set when the key is created in the web app. There are no granular per-endpoint OAuth scopes the way some APIs define them, so the boundary is the key's permissions plus, for platforms, the account a request acts on behalf of.

Versioning

Airwallex versions behaviour by date, like 2026-05-29, sent in the x-api-version header on a request. A dated release can carry breaking changes, listed in the changelog, so an integration pins a version and upgrades deliberately. The version on a request also governs the shape of the data returned.

Data model

A payment is modeled as a PaymentIntent that is created, confirmed, and optionally captured later, and refunded against. Payouts combine Beneficiaries and Transfers, money sits in Balances across currencies fed by Global Accounts, and the issuing API mints physical and virtual cards. A state change emits an event delivered by webhook.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Airwallex determines what it can reach. There is a route for making calls, a route for receiving events, and a developer server that helps an agent write Airwallex integration code, and each is governed by the API key behind it and the permissions that key carries.

Ways to connect

REST API

The REST API takes JSON request bodies and returns JSON, at https://api.airwallex.com (production) and https://api-demo.airwallex.com (sandbox). A call authenticates with a Bearer access token obtained by exchanging a client ID and API key at the authentication endpoint; the token is valid for 30 minutes and reused across calls. Most write paths end in an action verb, like /api/v1/pa/payment_intents/{id}/confirm.

Best forConnecting an app or AI agent to Airwallex.

Governed byThe API key's account-level permissions, carried by the access token.

Docs ↗

Webhooks

Airwallex POSTs an event to an HTTPS endpoint registered in the web app. The event carries a name like payment_intent.succeeded and a payload describing what changed, and the receiver verifies a signature on the request to confirm it came from Airwallex before acting on it. This lets an integration react to activity without polling.

Best forReceiving Airwallex events at an app or AI agent.

Governed byThe signing secret on the registered endpoint.

Docs ↗

Developer MCP server

A first-party Model Context Protocol server helps AI coding agents build Airwallex integrations. It exposes documentation and developer tooling rather than running live business operations, at https://mcp.airwallex.com/mcp for production, https://mcp-demo.airwallex.com/developer for sandbox, and https://mcp-demo.airwallex.com/docs for documentation only. The developer and production endpoints authenticate with an OAuth flow; the docs endpoint needs no authentication.

Best forHelping an AI agent write and debug Airwallex integration code.

Governed byThe OAuth grant against the connected account, or no auth for docs-only.

Docs ↗

Authentication

API key (token exchange)

The primary method for first-party server calls. A client ID and API key, created in the web app, are sent to the authentication endpoint, which returns a Bearer access token valid for 30 minutes. The token is then sent on every request and reused until it expires. The key's account-level permissions, set at creation, govern what the token can do.

TokenBearer access token, from client ID + API key

Best forServer-side calls against an account the integration owns.

Docs ↗

Partner connections (OAuth)

A platform connects to accounts it does not own through an authorisation flow, after which it can act on behalf of a connected account. The connection defines which accounts the platform may reach, and a request names the account it acts for. This is how marketplaces and platforms operate across many Airwallex accounts.

TokenOAuth-based access tied to a connected account

Best forPlatforms connecting to accounts they don't own.

Docs ↗

Capability map

What an AI agent can do in Airwallex.

The Airwallex API is split into areas an agent can act on, like accepting payments, refunding them, paying out to beneficiaries, and reading balances and global accounts. Each area has its own methods, and writes in some areas move real money or issue spendable cards.

Payments (PaymentIntents)

7 endpoints

Methods for accepting payments, modeled as PaymentIntents.

A write here moves real money or changes a payment in progress.

View endpoints →

Refunds

2 endpoints

Methods for refunding payments back to shoppers.

A write here returns real money to a shopper.

View endpoints →

Payment Methods

1 endpoint

Methods for reading available payment method configuration.

These read configuration and do not move money.

View endpoints →

Customers

3 endpoints

Methods for storing shoppers to reuse on future payments.

A write here changes stored customer data.

View endpoints →

Beneficiaries

2 endpoints

Methods for saving payout recipients.

A write here adds or changes who money can be sent to.

View endpoints →

Transfers (Payouts)

2 endpoints

Methods for paying out to beneficiaries.

A write here sends real money out of the account.

View endpoints →

Balances

2 endpoints

Methods for reading the account balance across currencies.

These read funds and do not move money.

View endpoints →

Global Accounts

2 endpoints

Methods for opening and reading multi-currency receiving accounts.

A write here opens a real receiving account.

View endpoints →

Issuing (Cards)

4 endpoints

Methods for creating and managing spendable cards.

A write here mints or changes a card that can spend funds.

View endpoints →

Endpoint reference

Every Airwallex API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Payments (PaymentIntents) Methods for accepting payments, modeled as PaymentIntents.7
POST	`/api/v1/authentication/login`	Exchange a client ID and API key for a Bearer access token valid for 30 minutes.	write	—	Current
Sends x-client-id and x-api-key; the returned token is reused on every call. This endpoint has its own limit of 100 requests per minute per key. Acts onaccess_token Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limit100 / minute per API key SourceOfficial documentation ↗
POST	`/api/v1/pa/payment_intents/create`	Create a PaymentIntent to track and orchestrate a payment, with amount, currency, and a request_id idempotency key.	write	`PaymentIntents write`	Current
A core write; the request_id makes the create safe to repeat without double-charging. Acts onpayment_intent Permission (capability)`PaymentIntents write` VersionAvailable since the API’s base version Webhook event`payment_intent.created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/pa/payment_intents/{id}/confirm`	Confirm a PaymentIntent to attempt authorisation with the shopper's payment method.	write	`PaymentIntents write`	Current
Triggers authorisation; with automatic capture it also collects funds, otherwise the intent moves to requires_capture. Acts onpayment_intent Permission (capability)`PaymentIntents write` VersionAvailable since the API’s base version Webhook event`payment_intent.succeeded` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/pa/payment_intents/{id}/capture`	Capture the funds of an authorised manual-capture PaymentIntent.	write	`PaymentIntents write`	Current
Only for manual-capture intents; collects funds authorised earlier. Acts onpayment_intent Permission (capability)`PaymentIntents write` VersionAvailable since the API’s base version Webhook event`payment_intent.succeeded` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/pa/payment_intents/{id}/cancel`	Cancel a PaymentIntent that has not completed, optionally with a cancellation reason.	write	`PaymentIntents write`	Current
Cancels the full amount and releases any held funds. Acts onpayment_intent Permission (capability)`PaymentIntents write` VersionAvailable since the API’s base version Webhook event`payment_intent.cancelled` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/pa/payment_intents/{id}`	Retrieve the details and current status of a PaymentIntent.	read	`PaymentIntents read`	Current
Read-only. Acts onpayment_intent Permission (capability)`PaymentIntents read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/pa/payment_intents`	List PaymentIntents, with filters and paging.	read	`PaymentIntents read`	Current
Read-only. Acts onpayment_intent Permission (capability)`PaymentIntents read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Refunds Methods for refunding payments back to shoppers.2
POST	`/api/v1/pa/refunds/create`	Refund a payment, fully or partially, against a PaymentIntent, with a reason and optional amount.	write	`Refunds write`	Current
Returns money to the shopper; omitting the amount refunds the full payment. Acts onrefund Permission (capability)`Refunds write` VersionAvailable since the API’s base version Webhook event`refund.succeeded` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/pa/refunds/{id}`	Retrieve the details and status of a refund.	read	`Refunds read`	Current
Read-only. Acts onrefund Permission (capability)`Refunds read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Payment Methods Methods for reading available payment method configuration.1
GET	`/api/v1/pa/config/payment_method_types`	Retrieve the payment method types available for a given country, currency, and configuration.	read	`Payment Config read`	Current
Read-only configuration lookup; does not move money. Acts onpayment_method_type Permission (capability)`Payment Config read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Customers Methods for storing shoppers to reuse on future payments.3
POST	`/api/v1/pa/customers/create`	Create a customer to store a shopper's details and reuse them on future payments.	write	`Customers write`	Current
The returned customer id is passed into Create a PaymentIntent for returning shoppers. Acts oncustomer Permission (capability)`Customers write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/pa/customers/{id}`	Retrieve a stored customer.	read	`Customers read`	Current
Read-only. Acts oncustomer Permission (capability)`Customers read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/pa/customers/{id}/update`	Update a stored customer's details.	write	`Customers write`	Current
Changes stored shopper data. Acts oncustomer Permission (capability)`Customers write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Beneficiaries Methods for saving payout recipients.2
POST	`/api/v1/beneficiaries/create`	Save a payout recipient (bank account or digital wallet), returning a beneficiary id to reuse on transfers.	write	`Beneficiaries write`	Current
type is BANK_ACCOUNT or DIGITAL_WALLET; the id is reused in place of full details on a transfer. Acts onbeneficiary Permission (capability)`Beneficiaries write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/beneficiaries/update/{id}`	Update a saved beneficiary.	write	`Beneficiaries write`	Current
Changes who money can be sent to. Acts onbeneficiary Permission (capability)`Beneficiaries write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Transfers (Payouts) Methods for paying out to beneficiaries.2
POST	`/api/v1/transfers/create`	Create a transfer to pay out to a beneficiary, with currency, amount, date, and reference.	write	`Transfers write`	Current
Sends real money out; takes a saved beneficiary id or an inline beneficiary object. Acts ontransfer Permission (capability)`Transfers write` VersionAvailable since the API’s base version Webhook event`transfer.settled` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/transfers/{id}`	Retrieve a transfer and its current status.	read	`Transfers read`	Current
Read-only. Acts ontransfer Permission (capability)`Transfers read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Balances Methods for reading the account balance across currencies.2
GET	`/api/v1/balances/current`	Retrieve the current balance across currencies held in the account.	read	`Balances read`	Current
Read-only; reports available and pending funds per currency. Acts onbalance Permission (capability)`Balances read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/balances/history`	List balance history, the entries that make up the balance over time.	read	`Balances read`	Current
Read-only. Acts onbalance Permission (capability)`Balances read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Global Accounts Methods for opening and reading multi-currency receiving accounts.2
POST	`/api/v1/global_accounts/create`	Open a global account to receive funds, including multi-currency accounts.	write	`Global Accounts write`	Current
Opens a real receiving account; multi-currency accounts can receive several currencies. Acts onglobal_account Permission (capability)`Global Accounts write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/global_accounts/{id}`	Retrieve a global account and its receiving details.	read	`Global Accounts read`	Current
Read-only. Acts onglobal_account Permission (capability)`Global Accounts read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Issuing (Cards) Methods for creating and managing spendable cards.4
POST	`/api/v1/issuing/cards/create`	Create a physical or virtual card issued to a business or an individual cardholder.	write	`Issuing Cards write`	Current
Mints a spendable card; issue_to is ORGANISATION or INDIVIDUAL, and program.purpose selects consumer or commercial. Acts oncard Permission (capability)`Issuing Cards write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/issuing/cards/{id}`	Retrieve a card's details and status.	read	`Issuing Cards read`	Current
Read-only. Acts oncard Permission (capability)`Issuing Cards read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/issuing/cards/{id}/update`	Update a card's transaction limits, allowed currencies, or allowed merchant categories.	write	`Issuing Cards write`	Current
Changes how much and where a live card can spend. Acts oncard Permission (capability)`Issuing Cards write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/issuing/cards/{id}/activate`	Activate a physical card so it can be used; virtual cards are active by default.	write	`Issuing Cards write`	Current
Only physical cards need activation; virtual cards are auto-activated. Acts oncard Permission (capability)`Issuing Cards write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Airwallex can notify an app when something happens in an account, like a payment succeeding or a transfer settling. It sends an event describing what changed, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`payment_intent.created`	A PaymentIntent was created and is ready to be confirmed.	`/api/v1/pa/payment_intents/create`
`payment_intent.succeeded`	A PaymentIntent completed successfully and the funds are collected. An integration fulfils the order on this event.	`/api/v1/pa/payment_intents/{id}/confirm` `/api/v1/pa/payment_intents/{id}/capture`
`payment_intent.requires_capture`	A manual-capture PaymentIntent was authorised and is now awaiting capture, meaning the shopper has paid but the funds are not yet collected.	`/api/v1/pa/payment_intents/{id}/confirm`
`payment_intent.cancelled`	A PaymentIntent was cancelled before completion, releasing any held funds.	`/api/v1/pa/payment_intents/{id}/cancel`
`refund.succeeded`	A refund against a payment completed and the funds were returned to the shopper.	`/api/v1/pa/refunds/create`
`transfer.settled`	A payout transfer reached its destination and is settled.	`/api/v1/transfers/create`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Airwallex limits how fast an app can call, by a per-second request rate measured both across the account and per endpoint, plus a separate cap on how many requests run at once.

Request rate

Airwallex meters requests by a per-second rate, not by a per-method cost or point weighting. In production an account is allowed 100 requests per second across the account and 20 per second per endpoint; sandbox is lower, at 20 per second across the account and 10 per endpoint. A separate concurrency limit caps how many requests run at once, 50 in production and 10 in sandbox. The authentication endpoint is metered separately, at 100 requests per minute per API key, which is why tokens are meant to be reused. Going over returns HTTP 429 with the code too_many_requests and the message Rate Limit Exceeded.

Pagination

List endpoints page through results with a page number and page size, and many time-based lists also accept from and to filters to bound the range. A response reports whether more pages remain, so an integration walks pages until the set is exhausted. Exact page-size ceilings are stated per endpoint in the reference rather than as one global number.

Request size

An access token is valid for 30 minutes and is meant to be cached and reused across calls until it expires. A request_id (the idempotency key on payment creation) is supplied by the caller to make a create safe to repeat. Per-field and per-list size limits are stated on the individual endpoint in the reference.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`invalid_argument / validation_error`	The request was malformed or a field failed validation. The body carries a code naming the error, and for a field-level failure a params or errors object pinpointing what was wrong.	Read the code and field details, correct the request, and resend. The request is not retryable unchanged.
401	`unauthorized`	No valid access token was provided, or the token has expired (tokens last 30 minutes).	Re-exchange the client ID and API key at the authentication endpoint for a fresh token, then retry.
403	`forbidden`	The token is valid but the API key lacks permission for this action, or it targets an account it may not act on.	Grant the key the needed account permission, or act on an account the key is connected to.
404	`resource_not_found`	The requested object does not exist or is not visible to this account or environment.	Verify the object id and confirm it lives in the same environment (production vs sandbox) and account.
429	`too_many_requests`	Requests exceeded the per-second or per-endpoint rate, or the concurrency cap. The message is Rate Limit Exceeded.	Back off and retry with exponential backoff, and reuse the access token rather than re-authenticating per call.
500	`internal_error`	An error on Airwallex's side. It is rare.	Retry idempotently with backoff, and contact Airwallex support if it persists.

Versioning & freshness

Version history.

Airwallex pins API behaviour to a dated version, sent on each request, and ships dated releases that can carry breaking changes, so an integration moves up deliberately rather than being changed underneath it.

Version history

What changed, and when

Latest version2026-05-29

2026-05-29Current version

Current dated version

Airwallex pins behaviour to a dated version, sent in the x-api-version header on each request. A dated release can carry breaking changes, so an integration pins a version and upgrades deliberately. This cut revamped the Card and Cardholder experience in the issuing API.

What changed

Issuing: Card and Cardholder experience revamped, with new card attributes including brand, program, is_personalized, and additional_cardholder_ids.
Payments: certain payment method flows renamed and next_action payloads adjusted.

2026-02-27Feature update

February 2026 dated release

A dated release on the changelog timeline. Each dated version is selected per request via the x-api-version header.

What changed

Continued additive and breaking changes across resources, listed per version in the changelog.

2025-11-11Requires migration

November 2025 dated release

A dated release on the changelog timeline.

What changed

Major changes to the Transfers and Batch Transfers resources, including application fees for platform revenue control.
Credit Notes resource introduced for refunds against finalised invoices.

2025-09-30Feature update

September 2025 dated release

A dated release on the changelog timeline.

What changed

Billing APIs reworked with Billing Customers, Payment Sources, and Billing Transactions, plus a Billing Checkouts resource for an Airwallex-hosted checkout page.

2025-06-30Requires migration

June 2025 dated release

A dated release on the changelog timeline.

What changed

Unified Transfers resource replaced the deprecated Wallet Transfers, supporting both bank and Digital Wallet beneficiary types.
Global Accounts updated for multi-currency accounts that receive funds in several currencies.

Pin a dated version and move up on a schedule that suits the integration.

Airwallex API changelog ↗

Questions

Airwallex API, answered.

How does authentication work, and why a token instead of the key?+

A client ID and API key are sent once to the authentication endpoint, which returns a Bearer access token valid for 30 minutes. That token is then reused on every API call until it expires, rather than sending the key each time. The authentication endpoint has its own limit of 100 requests per minute per key, so calling it before every request will exhaust that limit; the documented pattern is to cache the token and refresh it only when it nears expiry.

Does Airwallex have granular per-endpoint permission scopes?+

No. Access is account-level: a token inherits whatever the API key is permitted to do, configured when the key is created in the web app. There is no OAuth-style scope attached to each individual endpoint. For platforms acting on connected accounts, the boundary is the key's permissions plus the on-behalf-of account a request targets, which is why governing what a given agent may call is best done in front of the key rather than inside it.

How do I make a payment safe to retry?+

Creating a PaymentIntent takes a request_id, a unique idempotency key supplied by the caller, used to prevent a duplicate transaction if the same create is sent twice. Reusing the same request_id returns the original result rather than charging again. This matters most on create calls that move money, where a network blip could otherwise cause a double charge.

How does API versioning work?+

Airwallex versions behaviour by date. A request sends an x-api-version header, like 2026-05-29, and the response shape and behaviour follow that version. Dated releases are listed in the changelog and can include breaking changes, so an integration pins a version and upgrades on its own schedule rather than tracking the latest automatically.

What is the difference between confirming and capturing a PaymentIntent?+

Confirming a PaymentIntent attempts to authorise the amount with the shopper's payment method. Capturing then collects the authorised funds. For automatic capture the two happen together; for manual capture, the intent moves to requires_capture after authorisation and the funds are taken later with a separate capture call, which is the pattern for charging only after an order ships.

Does Airwallex offer a hosted MCP server for AI agents?+

Airwallex publishes a first-party Developer MCP server aimed at helping AI coding agents build Airwallex integrations, exposing documentation and developer tooling rather than running live business operations like moving money. A docs-only endpoint needs no authentication, while the developer and production endpoints use an OAuth flow against a sandbox or production account. Calling the live REST API to actually take payments or pay out is still done with an API key.

What is Bollard AI?

Control what every AI agent can do in Airwallex.

Bollard AI sits between a team's AI agents and Airwallex. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Airwallex key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Airwallex access in Bollard Browse all APIs →

Airwallex

Finance Agent

View balances ResourceOffReadFull use

Pay out to beneficiaries ActionOffReadFull use

Refund payments ActionOffReadFull use

Customers ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Airwallex

How the Airwallex API works.

Connection & authentication methods.

REST API

Webhooks

Developer MCP server

API key (token exchange)

Partner connections (OAuth)

What an AI agent can do in Airwallex.

Payments (PaymentIntents)

Refunds

Payment Methods

Customers

Beneficiaries

Transfers (Payouts)

Balances

Global Accounts

Issuing (Cards)

Every Airwallex API method.

Payments (PaymentIntents)

Refunds

Payment Methods

Customers

Beneficiaries

Transfers (Payouts)

Balances

Global Accounts

Issuing (Cards)

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Airwallex API, answered.

More finance API guides for agents

Stripe

FreshBooks

Chargebee

Razorpay

Recurly

Square

Control what every AI agent can do in Airwallex.