API Keys
Merchant credentials are environment-specific, rotatable, and permission-scoped. Secrets are shown once and should be stored in a secret manager.
Lifecycle
- Create credentials per merchant app and per environment.
- Restrict keys by IP, currency, endpoint scope, and spending policy where required.
- Rotate or revoke credentials whenever an app secret, webhook secret, or integration owner changes.
Endpoints
| Endpoint | Method | Auth | Headers | Notes |
|---|---|---|---|---|
Issue merchant credentials/business/api/v1/merchant/{code}/credentials/Create a new merchant credential pair. |
POST | Merchant owner JWT Merchant owner or merchant admin |
Authorization: Bearer <user-jwt>Content-Type: application/json |
Idempotency: Optional but recommended Sandbox: Supported with sandbox keys and adapters. Production: Available subject to verification, country activation, and provider support. Rate limits: Standard authenticated rate limits |
Rotate merchant credentials/business/api/v1/merchant/{code}/credentials/{credential_id}/rotate/Replace an existing API secret. |
POST | Merchant owner JWT Merchant owner or merchant admin |
Authorization: Bearer <user-jwt>Content-Type: application/json |
Sandbox: Supported with sandbox keys and adapters. Production: Available subject to verification, country activation, and provider support. Rate limits: Standard authenticated rate limits |
Revoke merchant credentials/business/api/v1/merchant/{code}/credentials/{credential_id}/revoke/Deactivate a credential without deleting historic usage. |
POST | Merchant owner JWT Merchant owner or merchant admin |
Authorization: Bearer <user-jwt>Content-Type: application/json |
Sandbox: Supported with sandbox keys and adapters. Production: Available subject to verification, country activation, and provider support. Rate limits: Standard authenticated rate limits |