Authentication

All API requests require authentication using your Client ID and Client Secret.

API-Key Header

Include your Client ID in the API-Key header for every API request:

API-Key: YOUR_CLIENT_ID

You can find your Client ID in your dashboard.
Requests without a valid or correct API-Key will return 401 Unauthorized.

Do not commit your API keys to git, or use them in client-side code. Never share your Client Secret. If you believe it has been compromised, rotate it immediately in your dashboard.

Client Secret

Your Client Secret is used for sensitive operations such as verifying webhook signatures and should never be shared or exposed in client-side code.

Keep your Client Secret safe. The Client Secret is for server-side use only (e.g., webhook signature verification). Never expose it in frontend code, public repositories, or logs.

Webhook Signature Verification

When receiving webhooks, use your Client Secret to verify the authenticity of the payload. Refer to the webhook documentation for implementation details.

Always ensure your server verifies the SSL connection to Paycrest. Do not set SSL verification (e.g., VERIFY_PEER) to FALSE in your HTTP client.

Overview

Sender

Provider

General

API-Key Header

Client Secret

Webhook Signature Verification

Overview

Sender

Provider

General

​API-Key Header

​Client Secret

​Webhook Signature Verification

API-Key Header

Client Secret

Webhook Signature Verification