Every wallet is in one of two operational states. The state machine is intentionally simple — the entire surface area is two states and one bi-directional transition.Documentation Index
Fetch the complete documentation index at: https://developers.bloobank.com/llms.txt
Use this file to discover all available pages before exploring further.
States
| State | Created via | Effect |
|---|---|---|
ACTIVE | POST /wallets (default), PUT /wallets/{wallet} with {"status":"ACTIVE"} | Wallet accepts all operations: balance queries, inbound and outbound payment orders, approvals, cancellations. |
DISABLED | PUT /wallets/{wallet} with {"status":"DISABLED"} | New payment orders are rejected. Existing in-flight orders complete normally. Balance queries still work. |
State diagram
There are no terminal states —DISABLED is reversible. There is no DELETED state; wallets persist for audit purposes even when no longer in use.
When to use DISABLED
- Suspected compromise of the credential that operates the wallet — disable while you investigate, re-enable after rotation.
- Operational pause — e.g., during reconciliation cutover, year-end balance freeze.
- Decommissioning a wallet that no longer corresponds to an active business line. The wallet stays available for historical queries; new operations are explicitly blocked.
Transitions in detail
ACTIVE → DISABLED
status: "DISABLED", walVersion incremented, new updatedAt).
Effect on in-flight orders:
| Order state at transition time | Continues normally? |
|---|---|
AWAITING_APPROVAL | ✅ — can still be approved or canceled. New orders cannot be created. |
PENDING / PROCESSING | ✅ — runs to completion. Webhooks still fire. |
| Any final state | N/A — already terminal. |
DISABLED → ACTIVE
status: "ACTIVE", walVersion incremented).
Resumes acceptance of new payment orders immediately. No backfill or replay of orders attempted during the disabled window.
What you cannot change
| Field | Why immutable |
|---|---|
name | Used as URL path segment; changing would break links and references. Attempts return LABEL_IMMUTABLE. |
id | Database key; never changes. |
kind | Derived from resource type. |
createdAt | Audit log. |
selfName | Derived from name. |
Operational considerations
Effect on webhooks
Disabling a wallet does not affect webhook delivery — events for in-flight orders continue to fire as their states transition. Your webhook consumer should not assume the wallet isACTIVE when an event arrives.
Concurrent disable + create
There is no race protection betweenPUT .../status=DISABLED and a concurrent POST .../paymentOrders. The concrete outcomes:
- If
POSTarrives beforePUTcommits: order is created. The disable transition does not roll back already-accepted orders. - If
POSTarrives afterPUTcommits: order is rejected (server-side state check).
Disable during outage recovery
If an outbound provider is unavailable, you may see a backlog ofPENDING orders. Disabling the wallet does not cancel them — they remain pending until the provider responds. To clear a backlog, cancel each outbound order in AWAITING_APPROVAL (those that have not yet been submitted to the provider) and wait for the rest to settle naturally.
What DISABLED does not protect against
| Concern | Wallet status helps? |
|---|---|
| Stolen credential creating new wallets in your tenant | ❌ — disable scope is per-wallet; revoke the credential instead |
| In-flight orders completing after disable | ❌ — those run to completion |
| Past orders being visible | ❌ — GET still returns them |
| Historical balance discrepancy | ❌ — GET balance still works |
Next
Wallet overview
Anatomy, identifiers, balances.
Update wallet
The endpoint that changes status.