SDK & API Usage Policy

1. Agreement to These Terms

By accessing, integrating, or using the Valta Developer SDK, REST API, webhooks, or any associated developer tooling (collectively, the “Valta API”), you (“Developer”, “you”, or “your”) agree to be legally bound by this SDK & API Usage Policy (“Policy”), Valta's general Terms of Service, and Privacy Policy.

If you are integrating on behalf of a company or organisation, you represent that you have the authority to bind that entity to this Policy.

If you do not agree to these terms, you must not access or use the Valta API.

2. Eligibility

To use the Valta API you must:

• —Be at least 18 years of age
• —Hold a verified Valta account in good standing
• —Not be located in, or acting on behalf of any entity in, a country subject to comprehensive sanctions by OFAC, the EU, the UN Security Council, or the Government of Nigeria
• —Not be a person or entity designated on any sanctions list
• —Comply with all applicable laws and regulations in your jurisdiction, including any financial services, data protection, and AI-related regulations

Valta reserves the right to decline or revoke API access to any developer or organisation at its sole discretion.

3. API Keys & Authentication

3.1 Security Requirements

Your API keys are credentials equivalent to a password. You must:

• —Store keys exclusively in server-side environments — backend services, environment variables, or secrets managers (e.g. AWS Secrets Manager, HashiCorp Vault)
• —Never expose keys in client-side code, public repositories, mobile app binaries, logs, or any browser-accessible environment
• —Use one API key per project and environment — do not share keys across applications
• —Rotate keys immediately if you have any reason to suspect compromise
• —Implement IP allowlisting where your infrastructure supports it

3.2 Your Responsibility

You are fully and solely responsible for all activity performed under your API keys. Valta will treat any request made with your key as authorised by you, regardless of whether it was made by you or a third party who gained access to your key.

3.3 Revocation

Valta may revoke any API key without prior notice if it poses a security risk, is used in violation of this Policy, is associated with fraudulent activity, or if the associated account is suspended or terminated.

4. Agent Permissions & Restrictions

The Valta API enables the creation and operation of AI agents that can initiate transactions, manage wallets, and interact with financial infrastructure. Because of the sensitivity of these capabilities, strict rules apply.

4.1 Spending Limits

• —Every agent must operate within a defined spending limit set by the wallet owner before any funds are accessible
• —Agents must not exceed their assigned per-transaction or per-period spending limits
• —Agents must not programmatically modify, circumvent, or override their own spending limits
• —Agents must not request, store, or use credentials that would allow them to elevate their own permissions

4.2 Approved Wallet Transfers

• —Agents may only transfer funds to wallets explicitly pre-approved by the authenticated user
• —Agents must not initiate transfers to arbitrary external addresses without explicit, per-transaction user authorisation
• —Agents must not self-authorise transactions above the pre-approved threshold
• —Agents must not split, batch, or structure transactions in any way designed to circumvent per-transaction limits or approval thresholds

4.3 Human-in-the-Loop Requirement

For any transaction that exceeds the user-configured approval threshold, agents must pause and obtain explicit human authorisation before proceeding. Automated override of approval gates — through any means — is strictly and absolutely prohibited.

4.4 Transparency & Attribution

• —Agents must accurately identify themselves in all transaction metadata
• —Misrepresenting an agent-initiated transaction as human-initiated is prohibited
• —You must disclose to your end users that an AI agent may initiate transactions on their behalf

4.5 No Self-Replication or Permission Escalation

Agents may not use the API to create additional agents, generate new API keys, grant permissions, or perform any action that was not explicitly authorised by the authenticated user at configuration time.

5. Permitted Use

You may use the Valta API to:

• —Build applications, dashboards, and tools that help authenticated users manage their Valta wallets and finances
• —Create AI agents that automate financial workflows strictly on behalf of a consenting, authenticated user
• —Integrate Valta payment and wallet functionality into your legitimate product or service
• —Access transaction history, wallet balances, and cryptographic receipts for the authenticated user
• —Build and publish agents to the Valta Marketplace, subject to the Marketplace's separate policies
• —Query analytics and reporting data for accounts you are authorised to access

6. Prohibited Use

The following uses are strictly prohibited. Violations may result in immediate API key revocation, account termination, civil liability, and criminal referral to relevant authorities.

6.1 Financial Crimes

• —Facilitating, processing, or concealing money laundering, terrorist financing, fraud, or any other financial crime
• —Processing transactions involving sanctioned individuals, entities, or jurisdictions
• —Circumventing AML, KYC, or any other compliance control
• —Processing transactions on behalf of third parties without their verified consent and identity

6.2 Unauthorised Access & Abuse

• —Accessing any wallet, account, or data you do not have explicit authorisation to access
• —Enumerating, scraping, or harvesting user data beyond the scope of a single authenticated session
• —Probing, testing, or attempting to exploit vulnerabilities in Valta's infrastructure without a written bug bounty agreement
• —Bypassing or attempting to bypass rate limits through multiple accounts, IP rotation, proxy abuse, or any other means

6.3 Market Manipulation

• —Wash trading, spoofing, pump-and-dump schemes, or any form of market manipulation
• —Artificially inflating or deflating transaction volumes or wallet activity

6.4 Deceptive Practices

• —Creating or operating agents that deceive users about the nature, amount, destination, or reversibility of transactions
• —Impersonating Valta, Valta employees, Valta support, or other platform users
• —Misrepresenting your integration's purpose or capabilities to users

6.5 Competing Infrastructure

• —Using Valta API data, responses, or infrastructure to train, fine-tune, or benchmark a competing financial OS, agent payment network, or AI financial model
• —Reverse-engineering, decompiling, or attempting to extract proprietary algorithms, models, or business logic from Valta's systems

6.6 System Abuse

• —Deliberately overloading Valta's infrastructure (DoS, DDoS, or similar attacks)
• —Sending requests that serve no legitimate purpose other than consuming server resources
• —Exploiting bugs or unintended behaviours to obtain data or capabilities beyond your authorised scope

7. Rate Limits & Quotas

All API usage is subject to rate limits enforced per API key. Exceeding limits returns a 429 Too Many Requests response. Persistent violations may result in temporary or permanent suspension.

If your use case requires higher limits, contact developers@valta.co to discuss an Enterprise plan.

8. Data Handling & Privacy

8.1 User Data Ownership

All data accessed through the Valta API belongs to the end user. You may only use it for the specific purpose the user explicitly consented to within your application. You may not use transaction data, wallet data, or financial behaviour data for purposes beyond your stated use case.

8.2 Storage & Encryption

• —You must not store or cache user financial data beyond what is operationally necessary
• —Where data is stored, it must be encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2 minimum)
• —Access to stored user data must be restricted on a need-to-know basis within your organisation

8.3 No Third-Party Sale or Sharing

You may not sell, license, rent, or share user financial data with any third party for advertising, profiling, credit scoring, or any purpose other than providing your core stated service directly to the user.

8.4 Deletion on Revocation

If a user revokes your application's access to their Valta account, or if your API access is terminated, you must delete all associated user financial data within 30 days of revocation.

8.5 Breach Notification

In the event of a data breach or suspected breach affecting Valta user data, you must notify Valta at security@valta.co within 72 hours of discovery, regardless of whether the full scope of the breach has been determined.

9. Webhook Security

If you use Valta webhooks, you must:

• —Validate the X-Valta-Signature header on every incoming webhook request before processing it — never trust an unverified webhook payload
• —Serve your webhook endpoints exclusively over HTTPS
• —Respond to webhook delivery within 5 seconds; acknowledge immediately and process asynchronously for longer operations
• —Never expose raw webhook payloads publicly or log them to insecure destinations
• —Implement replay protection — check event timestamps and deduplicate on event IDs

10. Compliance & Auditing

Valta may, at any time and without prior notice:

• —Monitor API usage patterns for anomalies, abuse, or policy violations
• —Request information about your integration, use case, and data handling practices for compliance purposes
• —Audit your application's use of the API where a breach of this Policy is suspected
• —Share usage data or user reports with law enforcement or regulatory authorities where legally required

You agree to cooperate fully with any such audit and provide all reasonably requested information within 10 business days.

11. Intellectual Property

Valta grants you a limited, non-exclusive, non-transferable, revocable licence to use the Valta API solely as permitted by this Policy. You do not acquire any ownership, title, or interest in the Valta API, its underlying technology, proprietary algorithms, models, or any data it returns.

Applications and integrations you build remain your intellectual property, provided they do not incorporate proprietary Valta code, models, or business logic beyond the published public API surface.

You may not use the Valta name, logo, or brand marks in a way that implies endorsement or official partnership without prior written consent from Valta.

12. Disclaimer of Warranties

Read carefully

THE VALTA API IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR UNINTERRUPTED AVAILABILITY.

Valta does not warrant that the API will be error-free, that any specific uptime SLA will be met outside of an Enterprise agreement, or that results obtained from the API will be accurate or reliable. Some jurisdictions do not allow the exclusion of certain warranties; in such jurisdictions the above exclusions apply to the maximum extent permitted by law.

13. Limitation of Liability

Read carefully

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VALTA AND ITS OFFICERS, DIRECTORS, EMPLOYEES, AND AGENTS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO:

• —Loss of profits, revenue, data, business, or goodwill
• —Losses caused by AI agents' actions, including transactions initiated due to misconfigured policies or compromised API keys
• —Losses arising from rate limiting, API downtime, or changes to API behaviour
• —Damages resulting from reliance on API responses that are incomplete, delayed, or inaccurate
• —Losses arising from your failure to comply with applicable laws or regulations

VALTA'S TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIS POLICY OR THE VALTA API SHALL NOT EXCEED THE GREATER OF: (A) FEES PAID BY YOU TO VALTA IN THE THREE (3) MONTHS PRECEDING THE CLAIM, OR (B) USD $100.

14. Indemnification

You agree to defend, indemnify, and hold harmless Valta and its officers, directors, employees, agents, and service providers from and against any claims, liabilities, damages, awards, losses, costs, and legal fees arising out of or relating to:

• —Your use of or access to the Valta API
• —Your violation of any provision of this Policy
• —Your violation of any third-party rights, including intellectual property or privacy rights
• —Your violation of any applicable law or regulation
• —Any financial transactions initiated by AI agents you deployed using the Valta API
• —Any claim by a third party harmed by your integration or your agents' actions
• —Your failure to configure, monitor, or shut down governance controls appropriately

15. Termination & Suspension

Valta may suspend or permanently revoke your API access at any time, with or without notice, if:

• —You breach any provision of this Policy or the general Terms of Service
• —Your account is flagged for suspicious, fraudulent, or illegal activity
• —Your integration poses a security risk to other users or the platform
• —You fail to cooperate with a compliance audit or information request
• —Valta determines, in its sole discretion, that continued access poses an unacceptable risk

Upon termination, all licences granted under this Policy immediately cease. Sections 8 (Data Handling), 11 (Intellectual Property), 12 (Disclaimers), 13 (Liability), 14 (Indemnification), and 16 (Governing Law) survive termination indefinitely.

16. Governing Law & Disputes

This Policy is governed by the laws of the Federal Republic of Nigeria, without regard to conflict of law principles.

Any dispute arising out of or in connection with this Policy shall first be attempted to be resolved through good-faith negotiation between the parties for a period of 30 days. If unresolved, disputes shall be submitted to binding arbitration in Lagos, Nigeria, conducted in English under the Arbitration and Conciliation Act (as amended).

Either party may seek injunctive or equitable relief from a court of competent jurisdiction to prevent actual or threatened infringement of intellectual property rights without first exhausting the dispute resolution process above.

17. Changes to This Policy

Valta may update this Policy at any time. For material changes we will:

• —Update the 'Last Updated' date at the top of this page
• —Send a notification email to your registered developer account
• —Display a notice in the Valta dashboard for at least 14 days before the change takes effect

Continued use of the Valta API after the effective date of any changes constitutes acceptance of the revised Policy. If you do not agree, you must stop using the API before the changes take effect.

18. Contact

For questions, compliance matters, or to report a violation: