Partner API Suite v1 application/json

Free Fire Account API Reference

Machine-readable contracts for catalog sync, checkout orchestration, and webhook-driven fulfillment. Same design language as internal services: signed requests, idempotent writes, and explicit error envelopes.

Region: ap-south-1
Transport: TLS 1.2+
Encoding: UTF-8
Clock skew: ±120s

Base URL

Use your issued gateway host in production. Below is the current site origin for local or same-host testing (path reflects your install).

origin — v1
https://pipratopup.com/api/v1

Legacy example gateway: https://api.idzone.top/v1 (replace with credentials from onboarding).

Architecture

Ingress

  • 01 Edge validates TLS, API key namespace, and clock.
  • 02 Signature service recomputes HMAC over timestamp.body.
  • 03 Idempotency layer dedupes retried POST by key.

Core services

  • Catalog projection for partner storefronts
  • Order router + AI risk / intent checks
  • Fulfillment + webhook dispatcher with retries

Authentication

Header            Description
X-API-Key         Partner secret key (sk_live_… / sk_test_…).
X-Timestamp       UNIX seconds. Rejected if outside ±120s of server time.
X-Signature       Hex-encoded HMAC-SHA256 of {timestamp}.{raw_body} using partner signing secret.
Idempotency-Key   Required on POST /v1/orders; UUID v4 recommended.

Rate limit: 120 req/min per key — burst returns 429 with retry_after_seconds.

Signing (PHP reference)

sign.php
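<?php
// Partner signing secret, read from the environment.
$secret   = getenv('FFID_PARTNER_SECRET');
// UNIX seconds; the same value is sent as X-Timestamp.
$ts       = (string) time();
// Sign the exact bytes that go on the wire; re-encoding the JSON after signing changes the HMAC.
$rawBody  = file_get_contents('php://input'); // or json_encode($payload, JSON_UNESCAPED_SLASHES)
// Signing string is {timestamp}.{raw_body}.
$signing  = $ts . '.' . $rawBody;
// hash_hmac() returns lowercase hex by default, as X-Signature expects.
$sig      = hash_hmac('sha256', $signing, $secret);

$headers = [
    'X-API-Key: sk_live_xxxxxxxx',
    'X-Timestamp: ' . $ts,
    'X-Signature: ' . $sig,
    'Content-Type: application/json',
];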
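
The three ingress checks (clock, HMAC recompute, idempotency) seen from the receiving side, including the case where the body is re-serialized after signing. This is an added example, not the gateway's own code; verifyRequest(), the in-memory $seen store, the sample secret and every result string except signature_mismatch are assumptions made for illustration.

```php
<?php
// Added example, not the gateway's code. verifyRequest(), $seen and every result
// string except signature_mismatch are hypothetical names for illustration.
const MAX_SKEW = 120; // seconds, per the ±120s clock-skew rule

function verifyRequest(array $headers, string $rawBody, string $secret, int $now, array &$seen): string
{
    $ts  = $headers['X-Timestamp'] ?? '';
    $sig = $headers['X-Signature'] ?? '';
    // 1. Clock: the timestamp must be plain digits and inside the skew window.
    if (!ctype_digit($ts) || abs($now - (int) $ts) > MAX_SKEW) {
        return 'expired_timestamp';
    }

    // 2. Signature: recompute over the exact bytes received, never a re-encoded body.
    $expected = hash_hmac('sha256', $ts . '.' . $rawBody, $secret);
    if (!hash_equals($expected, strtolower($sig))) {
        return 'signature_mismatch';
    }

    // 3. Idempotency: a retried POST with a known key is not executed twice.
    $key = $headers['Idempotency-Key'] ?? '';
    if ($key === '') {
        return 'missing_idempotency_key';
    }
    if (isset($seen[$key])) {
        return 'duplicate';
    }
    $seen[$key] = true;
    return 'accepted';
}

// Constructed sample request (secret, idempotency key and body are made up).
$secret = 'constructed-signing-secret';
$body   = '{"partner_order_id":"WS-983442","product_code":"FF-MAX-70-LEGEND"}';
$now    = 1780497239;
$sign   = fn(string $ts, string $b) => hash_hmac('sha256', $ts . '.' . $b, $secret);
$req    = fn(int $ts, string $signedBody) => [
    'X-Timestamp'     => (string) $ts,
    'X-Signature'     => $sign((string) $ts, $signedBody),
    'Idempotency-Key' => '3f0c1e0a-6a0b-4c1e-9d2a-5b7e8f901234',
];

$seen = [];
echo verifyRequest($req($now, $body), $body, $secret, $now, $seen), "\n";       // first delivery
echo verifyRequest($req($now, $body), $body, $secret, $now, $seen), "\n";       // retry, same key
echo verifyRequest($req($now - 300, $body), $body, $secret, $now, $seen), "\n"; // stale timestamp
// Body re-serialized after signing (space added after each colon): bytes differ, so the HMAC differs.
echo verifyRequest($req($now, $body), str_replace(':', ': ', $body), $secret, $now, $seen), "\n";
```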

Endpoints

GET /v1/products

Paginated catalog slice for storefront rendering. Only available inventory is returned unless scoped by contract.

Query parameters

Name       Type      Required   Notes
category   string    no         e.g. ff-id
limit      integer   no         default 20, max 100
cursor     string    no         opaque pagination token

Example · curl

bash
curl -sS -X GET "https://pipratopup.com/api/v1/products?category=ff-id&limit=20" \
  -H "X-API-Key: sk_live_xxxxxxxx" \
  -H "X-Timestamp: 1780497239" \
  -H "X-Signature: <hmac_sha256_hex>" \
  -H "Accept: application/json"

200 · response body

{
  "object": "list",
  "api_version": "2026-03-08",
  "has_more": false,
  "data": [
    {
      "id": "prod_8f2a1c",
      "code": "FF-MAX-70-LEGEND",
      "title": "Level 70 — Mythic Skins",
      "price_bdt": 12500,
      "status": "available",
      "metadata": { "level": 70, "region": "BD" }
    }
  ]
}

POST /v1/orders

Creates an order from partner checkout. Include Idempotency-Key to safely retry on network failure.

Request body · JSON

{
  "partner_order_id": "WS-983442",
  "idempotency_key": "uuid-v4-or-unique-string",
  "flow_type": "buy_direct_id",
  "product_code": "FF-MAX-70-LEGEND",
  "buyer": {
    "name": "Rahim Uddin",
    "email": "rahim@example.com"
  },
  "delivery_channel": "gmail_transfer",
  "callback_url": "https://partner.example.com/webhooks/ffid-market"
}

GET /v1/orders/{order_id}

Returns the order status (queued, verifying, fulfilled, or rejected) and fulfillment metadata. {order_id} is the platform id or mapped partner reference per contract.

POST /v1/webhooks/ack

Partner acknowledges webhook receipt; stops exponential retry schedule for that delivery id.

Webhooks

Events are POSTed to your callback_url. Verify X-Webhook-Signature (HMAC of raw body with webhook secret) before mutating local order state.

  • order.created
  • order.verifying
  • order.fulfilled
  • order.rejected

Payload example

{
  "id": "evt_7a3d9012",
  "type": "order.fulfilled",
  "created": 1713920123,
  "livemode": true,
  "data": {
    "object": "order",
    "id": "ord_partner_WS-983442",
    "status": "fulfilled",
    "delivery": { "channel": "gmail_transfer", "state": "completed" }
  }
}
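
A partner-side receiver for a delivery shaped like the payload above: it authenticates the raw body before parsing, ignores retried deliveries, and only then updates local order state. This is an added example, not code from the platform; handleWebhook() and the in-memory stores are hypothetical, and hex HMAC-SHA256 for X-Webhook-Signature and the treatment of fulfilled/rejected as final are assumptions, since the page does not state them.

```php
<?php
// Added example, not the platform's code. Assumes X-Webhook-Signature is hex
// HMAC-SHA256 of the raw body (the page names neither algorithm nor encoding).

function handleWebhook(string $rawBody, string $sigHeader, string $secret, array &$orders, array &$seenEvents): int
{
    // Authenticate the raw bytes first; parse JSON only after the HMAC matches.
    $expected = hash_hmac('sha256', $rawBody, $secret);
    if (!hash_equals($expected, strtolower(trim($sigHeader)))) {
        return 401;
    }

    $evt     = json_decode($rawBody, true);
    $allowed = ['order.created', 'order.verifying', 'order.fulfilled', 'order.rejected'];
    if (!is_array($evt) || !in_array($evt['type'] ?? null, $allowed, true)
        || !is_string($evt['id'] ?? null) || !is_string($evt['data']['id'] ?? null)) {
        return 400;
    }

    // Deliveries are retried until acknowledged, so the same event id can arrive twice.
    if (isset($seenEvents[$evt['id']])) {
        return 200;
    }
    $seenEvents[$evt['id']] = true;

    // Assumption: fulfilled and rejected are final, so a late event must not reopen them.
    $current = $orders[$evt['data']['id']] ?? null;
    if (!in_array($current, ['fulfilled', 'rejected'], true)) {
        $orders[$evt['data']['id']] = substr($evt['type'], strlen('order.'));
    }
    return 200;
}

// Constructed sample delivery (secret is made up; body follows the payload example).
$secret = 'constructed-webhook-secret';
$body   = '{"id":"evt_7a3d9012","type":"order.fulfilled","data":{"object":"order","id":"ord_partner_WS-983442","status":"fulfilled"}}';
$good   = hash_hmac('sha256', $body, $secret);
$orders = [];
$seen   = [];

var_dump(handleWebhook($body, $good, $secret, $orders, $seen)); // genuine delivery
var_dump(handleWebhook($body, $good, $secret, $orders, $seen)); // retried delivery
var_dump(handleWebhook(str_replace('fulfilled', 'rejected', $body), $good, $secret, $orders, $seen)); // tampered body
var_dump($orders);
```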

Order lifecycle

  1. Partner submits signed order payload with idempotency key.
  2. Router classifies flow (direct buy, bag sell, hybrid) and reserves inventory slot.
  3. Fulfillment executes Gmail-linked gates; state transitions emit webhooks.
  4. Terminal state delivered; partner POST /v1/webhooks/ack closes retry loop.

Error model

Errors use a single envelope so clients can branch on error.code without parsing free-form messages.

{
  "error": {
    "type": "invalid_request",
    "code": "signature_mismatch",
    "message": "X-Signature does not match payload + timestamp.",
    "request_id": "req_9c4b21e8a0f3"
  }
}

400   Schema / validation failure on JSON body or query.
401   Unknown key, bad signature, or expired timestamp.
404   Unknown order_id or revoked product.
429   Rate limited — honor retry_after_seconds.

Changelog

2026-04-18 v1.0.0 — stable catalog + order + webhook ack surface (docs refreshed).
2026-03-08 v1.0.0-rc — partner API surface launched; idempotency keys required on POST /v1/orders.

Request API access

Partnership onboarding: scoped keys, webhook secrets, and SLA tier.