All API requests require authentication using your API Key and API Secret.

API-Key Header

Include your API Key in the API-Key header for every API request: 
API-Key: YOUR_API_KEY
  • You can find your API Key in your dashboard.
  • Requests without a valid or correct API-Key will return 401 Unauthorized.
Do not commit your API keys to git, or use them in client-side code. Never share your API Secret. If you believe it has been compromised, rotate it immediately in your dashboard.

API Secret

Your API Secret is used for sensitive operations such as verifying webhook signatures and should never be shared or exposed in client-side code.
Keep your API Secret safe. The API Secret is for server-side use only (e.g., webhook signature verification). Never expose it in frontend code, public repositories, or logs.

Webhook Signature Verification

When receiving webhooks, use your API Secret to verify the authenticity of the payload. Refer to the webhook documentation for implementation details.
Always ensure your server verifies the SSL connection to Paycrest. Do not set SSL verification (e.g., VERIFY_PEER) to FALSE in your HTTP client.