Getting started
The Sabika Partner API gives banks and licensed fintechs programmatic access to physical-backed 24K gold: firm quotes, instant execution, prefunded SAR accounts, and signed webhooks. Integration is sandbox-first — you can complete the entire flow below before any commercial go-live.
1. Onboarding
Integration is sales-led. Your organisation receives, over a secure channel:
| Credential | Purpose |
|---|---|
| client_id / client_secret | OAuth2 client-credentials grant |
| mTLS client certificate | You generate the key + CSR; Sabika returns a signed certificate |
| Webhook HMAC secret | Verifying event signatures |
You register with us: your JWS signing public key (ES256), your IP addresses, your settlement IBAN, and your webhook endpoint URL (https only).
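The key material this step asks you to produce, as an added example (not Sabika's own tooling). Only `partner.key` appears on this page; the EC P-256 choice for the mTLS key, the other file names, and the CSR subject are assumptions to replace with what your onboarding contact specifies.

```shell
# Generate the mTLS key + CSR and a separate ES256 signing keypair.
# Private keys stay on this host; only partner.csr and jws_signing.pub are shared.
gen_partner_keys() {
    outdir=$1
    subject=$2   # CSR subject, e.g. "/CN=partner.example/O=Example Partner" (placeholder)
    (
        umask 077    # key files and directory readable by the owner only
        mkdir -p "$outdir" && cd "$outdir" &&
        # mTLS client key (P-256 is an assumption) and its CSR
        openssl ecparam -name prime256v1 -genkey -noout -out partner.key &&
        openssl req -new -key partner.key -subj "$subject" -out partner.csr &&
        # ES256 means ECDSA on P-256 with SHA-256, so the JWS key must be P-256
        openssl ecparam -name prime256v1 -genkey -noout -out jws_signing.key &&
        openssl ec -in jws_signing.key -pubout -out jws_signing.pub 2>/dev/null
    )
}

# Check the two files before sending them: the CSR self-signature verifies,
# the JWS public key is on P-256, and no private key material is included.
check_partner_keys() {
    outdir=$1
    openssl req -in "$outdir/partner.csr" -noout -verify 2>&1 \
        | grep -q 'verify OK' || return 1
    openssl pkey -pubin -in "$outdir/jws_signing.pub" -noout -text 2>/dev/null \
        | grep -q 'prime256v1' || return 1
    ! grep -q 'PRIVATE KEY' "$outdir/partner.csr" "$outdir/jws_signing.pub"
}
```

Using distinct keys for mTLS and JWS signing lets either be rotated or revoked without touching the other.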
2. First call
# Health check over mTLS
curl --cert partner.crt --key partner.key \
  https://sandbox.sabikagold.com/health
# {"status":"ok"}
# Obtain an access token (OAuth2 client-credentials grant)
TOKEN=$(curl -s --cert partner.crt --key partner.key \
  -X POST https://sandbox.sabikagold.com/oauth/token \
  -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET" \
  | jq -r .access_token)
# Call an authenticated endpoint with the bearer token
curl -s --cert partner.crt --key partner.key \
  -H "Authorization: Bearer $TOKEN" \
  https://sandbox.sabikagold.com/v1/prices
3. The core flow
fund → quote → order → webhook
# 1. sandbox-only instant funding
POST /sandbox/fund {"amount_sar": 100000}
# 2. firm quote, valid 60 seconds
POST /v1/quotes {"side": "buy", "gold_grams": 10}
# 3. signed, idempotent execution (see Authentication for signing)
POST /v1/orders {"quote_id": "..."} + Idempotency-Key + JWS headers
# 4. order.executed webhook arrives at your endpoint
Production base URL: https://partners.sabikagold.com.
Sandbox credentials do not work in production and vice versa.