Skip to main content
POST
/
api
/
v2
/
sessions
Initiate EFT Session
curl --request POST \
  --url https://www.{baseurl}.com/api/v2/sessions \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "type": "EFT",
  "direction": "DEBIT",
  "options": {
    "guarantee": {
      "enable": false
    },
    "notificationPreferences": {
      "language": "EN"
    },
    "showConsentScreen": false
  },
  "payor": {
    "firstName": "Sara",
    "lastName": "Ahmad",
    "email": "sara.ahmad@example.com",
    "address": {
      "addressLine1": "123 Street",
      "city": "Toronto",
      "postalCode": "M5H2N2",
      "province": "ON",
      "country": "CA"
    }
  }
}
'
{
  "sessionId": "850750a4-3021-4061-ac03-a8d873aa4179",
  "referenceId": "USER12345"
}
Create a new EFT session and obtain a sessionId for launching the user payment flow. To successfully call this endpoint, you must first call the /Authorize endpoint to obtain a valid access token.

Initiate an EFT Session

This endpoint creates a session on the Regular EFT path and returns a sessionId that your application uses to launch the hosted Flinks Pay flow — either by redirecting the user to the app URL or loading it in an iframe. Set type to EFT and options.guarantee.enable to false. Funds settle to your client’s configured bank account, so payee is not supported for EFT.

Authentication Requirements

  • You must authenticate and obtain a valid access_token from the /Authorize endpoint.
  • Create the session while the token is still valid (599 seconds). If it expires, re-authenticate and call this endpoint again.
  • Your client must have the RegularEft feature enabled. If it is not, the request returns 403 Forbidden.

User Identity Matching

firstName and lastName are used for identity matching against the payor’s bank account. They must accurately reflect the person who owns the external account expected to make the payment. Critical: If the provided name differs significantly from the name on the linked bank account, the session will return an error (EFT0403) and the transaction will not be processed.

Reference ID Best Practices

While referenceId is not mandatory, it is strongly recommended:
  • It should uniquely identify the end user or transaction in your system.
  • It appears in responses and reconciliation files for easy matching.
  • For EFT it flows through as the cross-reference number, so it must be 1–36 alphanumeric characters or hyphens.

Amount Handling

  • When amount is provided — the value is pre-set and the user cannot modify it in the flow. It must fall within your client’s configured minimum/maximum EFT amount.
  • When amount is omitted — the user enters the amount during the hosted flow.

Payor Address

payor.address is optional for regular EFT. If you include it, address line 1, city, province, postal code, and country are required. (An address is only mandatory for Guaranteed EFT.)

Launching the Payment Flow

Once you have a sessionId, launch the user flow by directing users to: 
{{BaseUri}}/app/?sessionId={{sessionId}}

Request Example

curl --location '{{BaseUri}}/api/v2/sessions' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{access_token}}' \
--data-raw '{
  "referenceId": "USER12345",
  "type": "EFT",
  "direction": "DEBIT",
  "payor": {
    "firstName": "Sara",
    "lastName": "Ahmad",
    "email": "sara.ahmad@example.com"
  },
  "options": {
    "guarantee": { "enable": false }
  }
}'

Response

{
  "sessionId": "850750a4-3021-4061-ac03-a8d873aa4179",
  "referenceId": "USER12345"
}

Field Specifications

Character Limits

FieldLimitNotes
firstName, lastName100 charactersRequired for identity matching
email100 charactersRequired; used for notifications
referenceId1–36 charactersAlphanumeric and hyphens only
postalCode6 charactersNo spaces (e.g., M5H2N2)
province2 charactersProvincial code (e.g., ON, QC)
country2 charactersOnly CA supported

Supported Province Codes

AB, BC, MB, NB, NL, NT, NS, NU, ON, PE, QC, SK, YT

Authorizations

Authorization
string
header
required

Bearer token obtained from the /api/v1/authorize endpoint.

Headers

Authorization
string
required

Bearer token received from the /authorize endpoint.

Pattern: ^Bearer .+

Body

application/json
type
enum<string>
required

The payment rail. Must be EFT for this API.

Available options:
EFT
Example:

"EFT"

direction
enum<string>
required

Payment direction. Only DEBIT is supported for EFT.

Available options:
DEBIT
Example:

"DEBIT"

options
object
required
payor
object
required

The end user being debited. firstName, lastName, and email are required for regular EFT. address is optional for regular EFT (it is required only when a guarantee is enabled).

currency
enum<string>
default:CAD

Currency code. Only CAD is supported (defaults to CAD if omitted).

Available options:
CAD
Example:

"CAD"

amount
number<double> | null

Payment amount, up to 2 decimal places. Optional — if omitted, the user enters the amount in the hosted flow. When provided, it must fall within the client's configured minimum/maximum EFT amount.

Required range: x >= 0.01
Example:

100

referenceId
string | null

Your internal reference identifier (strongly recommended). 1–36 alphanumeric characters or hyphens. Flows through as the EFT cross-reference number and appears in reconciliation files.

Maximum string length: 36
Pattern: ^[a-zA-Z0-9\-]{1,36}$
Example:

"USER12345"

Response

Session created successfully

sessionId
string<uuid>

Unique session identifier. Use it to launch the hosted flow and monitor the session.

Example:

"850750a4-3021-4061-ac03-a8d873aa4179"

referenceId
string | null

The reference ID you supplied (if any).

Example:

"USER12345"