AEVION Bank — API Reference

Hand-curated developer surface. The live source of truth is the OpenAPI document linked below.

Full OpenAPI →▶ Run live smoke test ✦ Investor walk-through ♡ Diagnostics ✎ Audit log

Variables (substituted into the curl examples below)

$BASE$TOKEN

Webhook signing (recommended)

Webhook receivers (/api/qright/royalties/verify-webhook, /api/cyberchess/tournament-finalized, /api/planet/payouts/certify-webhook) accept Stripe-style HMAC signatures with a ±5min timestamp window. The legacy X-QRight-Secret / X-CyberChess-Secret / X-Planet-Secret bearer-style headers still work as a fallback — they will be removed once partners migrate (set WEBHOOK_REQUIRE_HMAC=1 on the backend to disable fallback).

# Sign with shared secret + sorted-key body. Headers:
#   X-Aevion-Timestamp: <unix-seconds>
#   X-Aevion-Signature: hex(HMAC-SHA256(`${ts}.${stableJson}`, secret))

ts=$(date +%s)
body='{"amount":12.34,"email":"creator@example.com","eventId":"evt_001","period":"2026-Q1","productKey":"album-x"}'
sig=$(printf "%s.%s" "$ts" "$body" | openssl dgst -sha256 -hmac "$QRIGHT_WEBHOOK_SECRET" | awk '{print $2}')

curl -X POST $BASE/api/qright/royalties/verify-webhook \
  -H "Content-Type: application/json" \
  -H "X-Aevion-Timestamp: $ts" \
  -H "X-Aevion-Signature: $sig" \
  -d "$body"

Stable serialization: partners must serialize the body with alphabetically-sorted keys before signing — same convention QSign uses. Replay protection: requests outside ±300s of server time return 401 timestamp skew.

Cursor pagination

Five list endpoints accept ?limit=&cursor= query parameters (default limit=50, max 200): /api/qtrade/operations, /api/qtrade/transfers, /api/qright/royalties, /api/cyberchess/results, /api/planet/payouts. The response shape is { items, total, nextCursor }. When nextCursor is non-null, request the next page with ?cursor=<value>; when null, the list is exhausted.

curl "$BASE/api/qright/royalties?limit=50" -H "Authorization: Bearer $TOKEN"
# → { "items": [...50], "total": 213, "nextCursor": "roy_abc..." }
curl "$BASE/api/qright/royalties?limit=50&cursor=roy_abc..." -H "Authorization: Bearer $TOKEN"

Authentication

POST/api/auth/register

Create a new account and return a JWT.

Request

curl -X POST https://aevion.app/api/auth/register \
  -H 'Content-Type: application/json' \
  -d '{"email":"lana@example.com","password":"hunter2","name":"Lana"}'

Sample response

{ "token": "eyJhbGciOi...", "user": { "id": "usr_...", "email": "lana@..." } }

POST/api/auth/login

Exchange email + password for a JWT.

Request

curl -X POST https://aevion.app/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"lana@example.com","password":"hunter2"}'

Sample response

{ "token": "eyJhbGciOi...", "user": { "id": "usr_...", "email": "lana@..." } }

GET/api/auth/meauth required

Decode the current bearer token and return the owning user.

Request

curl https://aevion.app/api/auth/me \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "id": "usr_...", "email": "lana@...", "name": "Lana", "role": "user" }

Wallet · transfers · ledger

GET/api/qtrade/accountsauth required

List wallet accounts owned by the authenticated user.

Request

curl https://aevion.app/api/qtrade/accounts \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "items": [{ "id": "acc_x9", "balance": 142.50, "currency": "AEC", "createdAt": "..." }] }

GET/api/qtrade/accounts/lookupauth required

Find an account id by owner email — used by P2P transfers.

Request

curl 'https://aevion.app/api/qtrade/accounts/lookup?email=bob@example.com' \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "id": "acc_y2", "owner": "bob@example.com" }

POST/api/qtrade/topupauth required

Credit AEC into one of the user's accounts (test net).

Send the Idempotency-Key header to make retries safe (24h TTL — replay returns the cached body).

Request

curl -X POST https://aevion.app/api/qtrade/topup \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'Idempotency-Key: topup-2026-04-30-001' \
  -d '{"accountId":"acc_x9","amount":100}'

Sample response

{ "id": "op_...", "balance": 242.50, "updatedAt": "..." }

POST/api/qtrade/transferauth required

Move AEC between two accounts. Both must exist; sender must own from-account.

Send the Idempotency-Key header to make retries safe (24h TTL — replay returns the cached body).

Request

curl -X POST https://aevion.app/api/qtrade/transfer \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'Idempotency-Key: trf-2026-04-30-001' \
  -d '{"from":"acc_x9","to":"acc_y2","amount":25}'

Sample response

{ "id": "trf_...", "from": "acc_x9", "to": "acc_y2", "amount": 25 }

GET/api/qtrade/operationsauth required

Recent ledger operations across the user's accounts.

Paginate with ?limit=N&cursor=...; nextCursor is returned until no more pages.

Request

curl 'https://aevion.app/api/qtrade/operations?limit=20' \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "items": [{ "id": "op_...", "kind": "transfer", "amount": 25, "from": "...", "to": "...", "createdAt": "..." }], "nextCursor": "op_..." }

Cryptographic signing

POST/api/qsign/signauth required

Sign an arbitrary JSON payload with the user's Ed25519 key.

Request

curl -X POST https://aevion.app/api/qsign/sign \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"payload":{"intent":"transfer","amount":25}}'

Sample response

{ "payload": {...}, "signature": "0xfeed...", "algo": "Ed25519", "createdAt": "..." }

POST/api/qsign/verify

Verify a payload + signature pair without authentication.

Request

curl -X POST https://aevion.app/api/qsign/verify \
  -H 'Content-Type: application/json' \
  -d '{"payload":{...},"signature":"0xfeed..."}'

Sample response

{ "valid": true, "expected": "0xfeed...", "provided": "0xfeed..." }

Royalties · prizes · certs

GET/api/ecosystem/earningsauth required

Aggregated earnings across QRight, CyberChess, Planet.

Request

curl https://aevion.app/api/ecosystem/earnings \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "totals": { "qright": 12.50, "cyberchess": 30.00, "planet": 3.00, "all": 45.50 }, "perSource": [ { "source": "qright", "amount": 12.50, "count": 2, "last": "..." }, { "source": "cyberchess", ... }, { "source": "planet", ... } ] }

GET/api/qright/royaltiesauth required

List royalty events recorded for the authenticated user.

Request

curl https://aevion.app/api/qright/royalties \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "items": [{ "id": "roy_...", "productKey": "album-x", "period": "2026-Q1", "amount": 12.34, "paidAt": "..." }] }

GET/api/cyberchess/resultsauth required

Tournament prize entries for the authenticated user.

Request

curl https://aevion.app/api/cyberchess/results \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "items": [{ "id": "prize_...", "tournamentId": "tour_...", "place": 1, "amount": 25, "finalizedAt": "..." }] }

GET/api/cyberchess/upcomingpublic

Public schedule of tournaments accepting entries.

Request

curl https://aevion.app/api/cyberchess/upcoming

Sample response

{ "items": [{ "id": "tour_...", "startsAt": "...", "format": "Swiss · 3+2 · 7 rounds", "prizePool": 250, "entries": 32, "capacity": 64 }] }

GET/api/planet/payoutsauth required

List Planet certification payouts for the authenticated user.

Request

curl https://aevion.app/api/planet/payouts \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "items": [{ "id": "pcert_...", "artifactVersionId": "art_v1", "amount": 3, "certifiedAt": "..." }] }

Stats · CSV exports

GET/api/planet/statsauth required

Aggregated artifact + verification stats from Planet.

Request

curl https://aevion.app/api/planet/stats \
  -H 'Authorization: Bearer YOUR_TOKEN'

Sample response

{ "totalArtifacts": 12, "verifiedCount": 8, "trustWeight": 0.62 }

GET/api/qtrade/operations.csvauth required

Export the user's full ledger as CSV (Excel-friendly).

Request

curl https://aevion.app/api/qtrade/operations.csv \
  -H 'Authorization: Bearer YOUR_TOKEN' -o operations.csv

Sample response

(text/csv) id,kind,amount,from,to,createdAt\nop_...,transfer,25,...,...,...\n

Partner webhooks

POST/api/qright/royalties/verify-webhookX-QRight-Secret

DSP / streaming partner reports a paid royalty.

Idempotent on eventId — replay returns 200 with replayed: true.

Request

curl -X POST https://aevion.app/api/qright/royalties/verify-webhook \
  -H 'Content-Type: application/json' \
  -H 'X-QRight-Secret: $QRIGHT_WEBHOOK_SECRET' \
  -d '{"eventId":"evt_001","email":"creator@example.com","productKey":"album-x","period":"2026-Q1","amount":12.34}'

Sample response

{ "replayed": false, "id": "roy_...", "eventId": "evt_001", "paidAt": "..." }

POST/api/cyberchess/tournament-finalizedX-CyberChess-Secret

Tournament service reports podium + prize amounts.

Idempotent on (tournamentId, place, email).

Request

curl -X POST https://aevion.app/api/cyberchess/tournament-finalized \
  -H 'Content-Type: application/json' \
  -H 'X-CyberChess-Secret: $CYBERCHESS_WEBHOOK_SECRET' \
  -d '{"tournamentId":"tour_001","podium":[{"email":"a@x.com","place":1,"amount":25},{"email":"b@x.com","place":2,"amount":15}]}'

Sample response

{ "tournamentId": "tour_001", "recorded": [...], "replayed": [], "finalizedAt": "..." }

POST/api/planet/payouts/certify-webhookX-Planet-Secret

Planet certifier reports a verified artifact payout.

Idempotent on eventId — replay returns 200 with replayed: true.

Request

curl -X POST https://aevion.app/api/planet/payouts/certify-webhook \
  -H 'Content-Type: application/json' \
  -H 'X-Planet-Secret: $PLANET_WEBHOOK_SECRET' \
  -d '{"eventId":"cert_001","email":"creator@example.com","artifactVersionId":"art_v1","amount":3}'

Sample response

{ "replayed": false, "id": "pcert_...", "eventId": "cert_001", "certifiedAt": "..." }

Pagination, rate limits, idempotency and webhook handlers are now live — see the OpenAPI spec for full schemas. Anything beyond the test net (cards, fiat, KYC, lending) requires partner contracts and a license.