Settle a credit lock
/credits/settleSettles a reservation created by POST /credits/lock, after the externally-executed action has completed. Send success: true when the action succeeded — the reserved credits are consumed (balance debit plus lock drawdown) — or success: false when it failed — the lock is released without any debit.
The endpoint is publish-only: it verifies the lock exists, then publishes the corresponding internal credit-pipeline event and returns 202 Accepted. The actual debit/release happens asynchronously in the FIFO credit pipeline (per-Business-Unit ordering, dedup, DLQ). Retrying a settle for an already-settled lock republishes the event; the pipeline's dedup keys make it a no-op.
The lock is looked up by the caller-supplied operation_id and must belong to the given business_unit_id. A missing lock and a business-unit mismatch both return the same 404 lock_not_found — deliberately indistinguishable.
Authorization
creditsApiKey Static bearer key for the Credit API, shared per-service (the CREDITS_API_KEY SST secret — the calling service is provisioned with the same value). The header must be exactly Authorization: Bearer <CREDITS_API_KEY>. This is an application-level check (no API Gateway authorizer) and it fails closed: if the secret is unset, every request is rejected with 401.
In: header
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
application/json
application/json
application/json
application/json
curl -X POST "https://example.com/credits/settle" \ -H "Content-Type: application/json" \ -d '{ "name": "request_info", "business_unit_id": 42, "operation_id": "request-info-789", "success": true }'{ "settled": "consume", "operation_id": "request-info-789"}{ "message": "Invalid request body", "issues": [ { "path": "success", "message": "Invalid input: expected boolean, received undefined" } ]}{ "message": "Unauthorized"}{ "error": "lock_not_found"}{ "message": "Internal server error"}