v1 · Public API

SuperPay Checkout APIOne call, the right card.

The SuperPay Checkout API recommends the credit card that earns the most rewards on a given purchase. It powers the <script>-tag widget that turns your checkout into an instant "use this card" prompt — and it can be called server-to-server too.

Pricing — Card-Recommendation Widget. 100% free for merchants — forever. No fees, no rev share, no contract minimums. SuperPay treats the widget as a value-add at checkout and a brand / shopper-acquisition channel, not a revenue line.
Ready to integrate? Apply for a live API key → — we review applications within 1 business day. Or email hello@superpayrewards.com for an instant sandbox key to start building now. Read the Merchant Partner Guide (PDF) for the full integration walkthrough and code samples.

Authentication

Every request needs a merchant API key issued by SuperPay. Send it in either of two headers:

Authorization: Bearer sp_live_xxxxxxxx_…
X-SuperPay-Key: sp_live_xxxxxxxx_…

Keys are sp_live_ + 8 hex characters + _ + 48 hex characters. Treat keys like passwords: never commit them to client-side source control. The drop-in widget script is the one exception — it's designed to ship the key in the page so a browser can call /v1/recommend directly.

Origin allowlist

When SuperPay issues your key we register the exact origins (e.g. https://shop.example.com) you'll mount the widget on. Browser requests from any other origin are rejected with HTTP 403 ORIGIN_NOT_ALLOWED. Server-to-server calls (no Origin header) are not subject to this check — the API key alone authorizes them.

POST /v1/recommend

Returns the best card from our ~320-card catalog for the requested category, plus 1–2 alternates, an estimated reward in cents, and a SuperPay signup_url the shopper can tap to claim it.

v0 is anonymous-only. Recommendations are computed against the public catalog; we do not accept a shopper identifier on this endpoint. A future release will support personalized lookups against a shopper's own SuperPay wallet, but only behind a real shopper-authorization flow — not a merchant API key.

Request body

FieldTypeRequiredNotes
amountnumberyesUSD, e.g. 87.45
mccstringpreferredISO 18245 4-digit code. Takes precedence over category when both are supplied.
categorystringfallbackUsed only when MCC is missing or unmapped. One of dining, groceries, gas, travel, entertainment, online_shopping, streaming, drugstores, home_improvement, transit, shopping, other
merchant_namestringrecommendedDisplay name, e.g. "Whole Foods Market"

Example — curl

curl -X POST https://superpayrewards.com/v1/recommend \
  -H "Authorization: Bearer sp_live_…" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 87.45,
    "mcc": "5411",
    "merchant_name": "Whole Foods Market"
  }'

Response

{
  "recommendation_id": "9f8…",
  "anonymous": true,
  "category": "groceries",
  "amount_cents": 8745,
  "top_card": {
    "source": "catalog",
    "id": "amex_blue_cash_preferred",
    "name": "Blue Cash Preferred® Card from American Express",
    "issuer": "American Express",
    "reward_rate": 6,
    "reward_type": "cashback",
    "estimated_reward_cents": 524,
    "estimated_reward_display": "$5.24",
    "reason": "6% on groceries",
    "apply_url": "https://…"
  },
  "alternates": [ { … }, { … } ],
  "signup_url": "https://superpayrewards.com/r/install/checkout_widget?utm_source=merchant&utm_medium=checkout_widget",
  "display": {
    "headline": "Earn ~$5.24 with SuperPay",
    "subline": "Top card: Blue Cash Preferred · 6% back"
  }
}

Drop-in widget

Paste this into your checkout page. Render the <div> wherever you want the recommendation pill to appear and load /v1/widget.js once, anywhere on the page:

<div data-superpay-recommend
     data-amount="87.45"
     data-mcc="5411"
     data-merchant="Whole Foods Market"
     data-theme="light"></div>
<script src="https://superpayrewards.com/v1/widget.js" data-key="sp_live_…" async></script>

The widget is ≤ 360px wide, themes light/dark via data-theme, never breaks the merchant's checkout (it silently no-ops on any error), and is CORS-allowed for browser calls. Pre-bundled SuperPay branding doubles as a sign-up CTA so anonymous shoppers can claim the recommended reward by joining SuperPay.

Errors & rate limits

StatusCodeMeaning
400INVALID_AMOUNTamount missing or out of range
401MISSING_API_KEY / INVALID_API_KEY / API_KEY_REVOKEDauth failed
404NO_RECOMMENDATIONno catalog card has a non-zero rate for this category
429RATE_LIMITEDover 60 requests per minute on this key
500INTERNAL_ERRORSuperPay-side failure — safe to retry

Rate limits are per API key. Headers X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After are set on every response.

Brand assets

Sandbox vs live keys

SuperPay issues two types of API keys:

Key typePrefixHow to getRate limitBehavior
Sandboxsp_test_Email hello@superpayrewards.com60 req/minReturns static mock recommendations; no analytics tracked. Use for development & testing.
Livesp_live_Apply on the Developers page60 req/minReturns real catalog recommendations; usage logged and visible in your merchant dashboard.

Sandbox keys are available immediately on request. Live keys require a brief application review (typically < 1 business day) to ensure origin allowlists and integration quality.

Get an API key

Ready to integrate? Apply for a live API key →

Submit your business name, contact email, store origins, and a brief description of your integration. We'll verify your email and review your application — you'll receive your sp_live_… key via email once approved, typically within 1 business day.

Just exploring? Email hello@superpayrewards.com for a sandbox key — no application needed. Sandbox keys work identically to live keys but return static mock data so you can build and test without going through the review process.

Need to rotate a lost key or update your allowed origins? Email hello@superpayrewards.com.

SuperPay · superpayrewards.com · For merchants · Brand · Privacy · Terms