Authentication
Orsunpay uses API keys to authenticate requests. Your API keys carry many privileges, so keep them secure and never share them in publicly accessible areas such as GitHub, client-side code, and so forth.API Keys
All API requests must be authenticated using your secret API key in the Authorization header.Key Format
API keys follow this format:- Sandbox:
sk_test_... - Production:
sk_live_...
Authentication Header
Include your API key in the Authorization header as a Bearer token:Required Headers
Authorization
Every API request must include the Authorization header:Content-Type
For requests with a request body, specify the content type:Idempotency Key
For critical operations (creating transactions, refunds), use theIdempotency-Key header to prevent duplicate processing:
API Versioning
All API endpoints use versioning in the URL path:v1. We maintain backward compatibility and will announce any breaking changes well in advance.
Example Authentication
Creating a Transaction with Authentication
Here’s a complete example of creating a transaction with proper authentication:Environment-Specific Keys
Use different API keys for different environments:| Environment | API Key Prefix | Base URL |
|---|---|---|
| Sandbox | sk_test_... | https://sandbox-api.orsunpay.com/v1 |
| Production | sk_live_... | https://api.orsunpay.com/v1 |
Sandbox transactions use test payment providers and don’t process real money. Always test your integration thoroughly in sandbox before going live.
Webhook Authentication
For incoming webhooks from Orsunpay, verify the signature using your merchant’s private key:Signature Verification
Webhooks include anX-Orsunpay-Signature header with HMAC-SHA256 signature:
Error Responses
Authentication errors return specific HTTP status codes:401 Unauthorized
Missing or invalid API key:403 Forbidden
Valid API key but insufficient permissions:Security Best Practices
Server-Side Only
Key Management
- Rotate keys regularly for enhanced security
- Use environment variables to store keys, never hardcode them
- Implement proper access controls for key storage
- Monitor API key usage for unusual patterns
HTTPS Required
All API requests must use HTTPS. HTTP requests will be rejected:Request Logging
For security and debugging, log API requests (but never log sensitive data):Testing Your Authentication
Use this simple test to verify your authentication setup:Next Steps
Now that you have authentication set up, you can:Explore API Endpoints
Learn about our core API endpoints and start processing transactions.
Set Up Webhooks
Configure webhook endpoints to receive real-time payment notifications.

