Standalone page. Open devtools → Console for the verbose log; results also land below each form. CORS if you open this via file:// the browser will block requests to the API. Either serve this file from any local http server (e.g. python3 -m http.server) and open http://localhost:8000/bonly-api.html, or run a Chromium with --disable-web-security.
Defaults match the dev sandbox keys/IDs in api-docs.md.
Calls POST /balances with the user account id above. Open endpoint, no auth.
Response also exposes metadata (design/paypal_order_id), checked flag, and
created_at.
Calls POST /accounts/:id/check against the user account id above. Open endpoint, no
auth. Flips checked to true for the account. Idempotent; the flag is purely
informational and never gates transfers.
Signs "bonly-transfer-v1" ‖ pos_id ‖ user_id ‖ amount_i64_be with the POS privkey from config and
POSTs /transfers. Moves amount from the user account id above to the merchant.
Calls GET /merchants. Token-gated. Renders a table; raw JSON also goes to the console.
Signs "bonly-create-merchant-v1" ‖ name_utf8 with the system key and POSTs /merchants.
Names are unique — re-adding returns 409 merchant already exists.
Two-step: resolves the merchant ID from GET /merchants by name, then signs
"bonly-zero-merchant-v1" ‖ merchant_id with the system key and POSTs to
/merchants/:id/zero. Drains the merchant balance to the system sink.