> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Issue an explicit refund against an RMA

> **Authorization:** requires `returns:write` + `payments:write` API-key scopes
AND the per-user `payments.refund_void` permission (SoD parity sweep
2026-05-16; refunds are highest-trust AICPA SoD action). System-actor
calls denied.

Phase A canonical: refundReturn() extracted from postReturnFinancialSettlement.
Routes by payment_method:
  - original/check/cash: calls processRefund (Stripe + GL via postRefundEntry)
  - store_credit: calls issueCreditMemo (DR sales_returns_allowances / CR customer_credits)

**Multi-source refund (allocations[]):** when the invoice was paid via 2+
payment sources, pass `allocations: [{ payment_id, amount, reason? }, ...]`
to split the refund across those sources (operator-picks, industry
standard per Stripe + NetSuite -- no auto-routing). Each `payment_id` must
be an `order_payments.id` on the RMA's original order and
`SUM(allocations[].amount)` must equal the total refund (within 1 cent).
Every allocation refunds inside ONE transaction under one GL `batch_id`;
a failure on any allocation rolls back the whole refund. Card-source
allocations do NOT refund the original processing fee (non-recoverable).

State guard: must be received, inspecting, restocked, written_off, sent_to_vendor, or closed.
Idempotency: same amount on same RMA returns cached result; different amount returns 409.
Rule 23 SSOT: returns.refund_amount written only by this endpoint.
Compound scope required: returns:write AND payments:write.




## OpenAPI

````yaml /openapi.yaml post /returns/{id}/refund
openapi: 3.1.0
info:
  title: Arcus ERP Public API
  version: 1.0.0
  description: >
    Arcus ERP public REST API. Designed for external integrations and data
    migration.


    **Authentication.** Bearer token (API key) via the `Authorization` header.

    Format: `Authorization: Bearer ark_live_ent_<code>_<random>` (or
    `ark_test_*` for sandbox).

    API keys are issued per-entity in **Settings > Developers > API Keys**.


    **Entity scoping.** The entity is encoded in the API key prefix; routes are
    flat

    (e.g. `/v1/accounts`, `/v1/orders`, `/v1/products`). A small set of platform
    endpoints

    (migration, reconciliation, events, webhook endpoints, API keys) use the

    `/v1/entities/{entity_id}/...` form -- those are noted in their tags.


    **Key capabilities.**
      - Related-resource hydration via `?expand[]=` (see `x-arcus-expand` on each resource).
      - Cursor-based pagination (`starting_after` / `ending_before` / `limit`).
      - Idempotency via the `Idempotency-Key` header.
      - Webhook events for asynchronous notification.
      - Conditional requests / ETag for cache validation.
servers:
  - url: https://api.arcuserp.com/v1
    description: Arcus ERP API (accepts both live `ark_live_*` and test `ark_test_*` keys)
  - url: https://dev-api.arcuserp.com/v1
    description: >-
      Dev sandbox API (test-only data, accepts `ark_test_*` keys against dev
      RDS)
security: []
paths:
  /returns/{id}/refund:
    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
          format: uuid
    post:
      tags:
        - Returns
      summary: Issue an explicit refund against an RMA
      description: >
        **Authorization:** requires `returns:write` + `payments:write` API-key
        scopes

        AND the per-user `payments.refund_void` permission (SoD parity sweep

        2026-05-16; refunds are highest-trust AICPA SoD action). System-actor

        calls denied.


        Phase A canonical: refundReturn() extracted from
        postReturnFinancialSettlement.

        Routes by payment_method:
          - original/check/cash: calls processRefund (Stripe + GL via postRefundEntry)
          - store_credit: calls issueCreditMemo (DR sales_returns_allowances / CR customer_credits)

        **Multi-source refund (allocations[]):** when the invoice was paid via
        2+

        payment sources, pass `allocations: [{ payment_id, amount, reason? },
        ...]`

        to split the refund across those sources (operator-picks, industry

        standard per Stripe + NetSuite -- no auto-routing). Each `payment_id`
        must

        be an `order_payments.id` on the RMA's original order and

        `SUM(allocations[].amount)` must equal the total refund (within 1 cent).

        Every allocation refunds inside ONE transaction under one GL `batch_id`;

        a failure on any allocation rolls back the whole refund. Card-source

        allocations do NOT refund the original processing fee (non-recoverable).


        State guard: must be received, inspecting, restocked, written_off,
        sent_to_vendor, or closed.

        Idempotency: same amount on same RMA returns cached result; different
        amount returns 409.

        Rule 23 SSOT: returns.refund_amount written only by this endpoint.

        Compound scope required: returns:write AND payments:write.
      operationId: refundReturn
      parameters:
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                amount:
                  type: number
                  format: float
                  description: >-
                    Refund amount. Defaults to sum of
                    return_items.refund_amount. When allocations[] is supplied,
                    must equal SUM(allocations[].amount).
                payment_method:
                  type: string
                  enum:
                    - original
                    - store_credit
                    - check
                    - cash
                  default: original
                  description: >-
                    Single-source path only. Ignored when allocations[] is
                    supplied.
                allocations:
                  type: array
                  description: |
                    Multi-source refund split. When present, the refund is
                    executed per-payment across these order_payments rows
                    (operator-picks). SUM(allocations[].amount) must equal the
                    total refund within 1 cent.
                  items:
                    type: object
                    required:
                      - payment_id
                      - amount
                    properties:
                      payment_id:
                        type: string
                        format: uuid
                        description: An order_payments.id on the RMA's original order.
                      amount:
                        type: number
                        format: float
                        description: >-
                          Dollars to refund against this payment source (must be
                          > 0 and <= the source's remaining refundable amount).
                      reason:
                        type: string
                reason:
                  type: string
      responses:
        '200':
          description: Refund issued
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    properties:
                      return_id:
                        type: string
                        format: uuid
                      return_number:
                        type: string
                      amount:
                        type: number
                      payment_method_type:
                        type: string
                        description: '''multi_source'' when allocations[] was supplied.'
                      order_refund_id:
                        type: string
                        format: uuid
                      credit_memo_id:
                        type: string
                        format: uuid
                      batch_id:
                        type: string
                        format: uuid
                        description: >-
                          Multi-source only: GL batch grouping all
                          per-allocation journal entries.
                      allocations:
                        type: array
                        description: 'Multi-source only: per-allocation result rows.'
                        items:
                          type: object
                          properties:
                            payment_id:
                              type: string
                              format: uuid
                            source_method:
                              type: string
                            amount:
                              type: number
                            order_refund_id:
                              type: string
                              format: uuid
                            refund_payment_id:
                              type: string
                              format: uuid
                      status:
                        type: string
                        enum:
                          - succeeded
                          - already_processed
                      idempotent:
                        type: boolean
        '400':
          $ref: '#/components/responses/Error'
        '401':
          $ref: '#/components/responses/Error'
        '403':
          $ref: '#/components/responses/Error'
        '404':
          $ref: '#/components/responses/Error'
        '409':
          $ref: '#/components/responses/Error'
        '422':
          $ref: '#/components/responses/Error'
      security:
        - ApiKeyAuth: []
components:
  parameters:
    IdempotencyKey:
      name: Idempotency-Key
      in: header
      required: false
      description: |
        Client-generated unique key for idempotent POST/PATCH/DELETE operations.
        Alias for the Idempotency parameter. Max 255 chars. On retry with the
        same key, the original response is returned without re-executing the
        operation. Keys expire after 24 hours.
      schema:
        type: string
        maxLength: 255
  responses:
    Error:
      description: Error response (400/401/403/404/409/422/429/500)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  schemas:
    ErrorEnvelope:
      type: object
      description: |
        Canonical error response envelope. All API errors use this shape.
      required:
        - error
        - code
      properties:
        error:
          type: string
          description: Machine-readable error key
          example: not_found
        code:
          type: string
          description: Machine-readable error code (often same as error)
          example: not_found
        type:
          type: string
          enum:
            - validation_error
            - permission_error
            - not_found
            - conflict
            - rate_limit
            - internal
            - expand_error
            - not_implemented
          example: not_found
        hint:
          type: string
          description: Human-readable one-sentence explanation (English)
          example: >-
            The requested order does not exist or does not belong to this
            entity.
        param:
          type: string
          description: The parameter that caused the error, if applicable
          example: expand[0]
        required:
          type: string
          description: The scope required (only on insufficient_scope errors)
          example: accounts:read
        request_id:
          type: string
          description: >-
            Unique request ID for support tracing (maps to CloudWatch log
            stream)
          example: req_abc123
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      description: |
        API key issued per entity via Settings > Developers > API Keys.
        Each key carries scopes (e.g. orders:read, products:write).
        Bearer token format: Authorization: Bearer ark_live_ent_<code>_<random>
        Test keys use ark_test_ent_<code>_<random>. Both are issued per entity
        via Settings > Developers > API Keys.

````