Skip to main content
Fluz exposes a single GraphQL endpoint per environment. There are no versioned REST paths and no per-capability base URLs — you send a query or mutation to /graphql, and the token decides whose account you’re operating on.

Endpoints

Access tokens are minted from a separate OAuth service at https://oauth-service.fluzapp.com.

Anatomy of a request

  • query — the GraphQL document. Use named operations (query GetWallet) for better logs.
  • variables — typed inputs, keeping values out of the query string.
  • operationName — optional, useful when a document defines multiple operations.

Queries vs. mutations

  • Queries are read-only (viewer, wallet, transactions).
  • Mutations change state (createVirtualCard, purchaseGiftCard, depositCashBalance, createTransfer).
Money-moving mutations use request de-duplication — see Idempotency.

Response format

GraphQL always returns HTTP 200 with a data / errors envelope:
On failure, data may be null and errors will describe what went wrong — including a machine-readable code you can branch on. See Errors.

Introspection and schema

Introspection is enabled in staging so you can point tools like Apollo Studio or GraphiQL at the endpoint. In live, introspection is disabled; use the published schema from API reference instead.

Next steps

Authentication

How the token in that Authorization header gets minted — for your account or a customer’s.

Errors

What the errors array contains and how to branch on error codes.