Skip to main content

Authentication

Orsunpay uses API keys to authenticate requests. Your API keys carry many privileges, so keep them secure and never share them in publicly accessible areas such as GitHub, client-side code, and so forth.

API Keys

All API requests must be authenticated using your secret API key in the Authorization header.

Key Format

API keys follow this format:
  • Sandbox: sk_test_...
  • Production: sk_live_...

Authentication Header

Include your API key in the Authorization header as a Bearer token:
Never expose your secret API key in client-side code. Use it only on your secure backend servers.

Required Headers

Authorization

Every API request must include the Authorization header:

Content-Type

For requests with a request body, specify the content type:

Idempotency Key

For critical operations (creating transactions, refunds), use the Idempotency-Key header to prevent duplicate processing:
Use a unique identifier like UUID v4 for each operation. If you retry the same request with the same idempotency key within 24 hours, you’ll receive the original response.

API Versioning

All API endpoints use versioning in the URL path:
Current version is v1. We maintain backward compatibility and will announce any breaking changes well in advance.

Example Authentication

Creating a Transaction with Authentication

Here’s a complete example of creating a transaction with proper authentication:

Environment-Specific Keys

Use different API keys for different environments:
EnvironmentAPI Key PrefixBase URL
Sandboxsk_test_...https://sandbox-api.orsunpay.com/v1
Productionsk_live_...https://api.orsunpay.com/v1
Sandbox transactions use test payment providers and don’t process real money. Always test your integration thoroughly in sandbox before going live.

Webhook Authentication

For incoming webhooks from Orsunpay, verify the signature using your merchant’s private key:

Signature Verification

Webhooks include an X-Orsunpay-Signature header with HMAC-SHA256 signature:
Always verify webhook signatures to ensure requests are coming from Orsunpay and haven’t been tampered with.

Error Responses

Authentication errors return specific HTTP status codes:

401 Unauthorized

Missing or invalid API key:

403 Forbidden

Valid API key but insufficient permissions:

Security Best Practices

Server-Side Only

Critical: Never use secret API keys in client-side code (JavaScript, mobile apps, etc.). They should only be used on your secure backend servers.

Key Management

  • Rotate keys regularly for enhanced security
  • Use environment variables to store keys, never hardcode them
  • Implement proper access controls for key storage
  • Monitor API key usage for unusual patterns

HTTPS Required

All API requests must use HTTPS. HTTP requests will be rejected:

Request Logging

For security and debugging, log API requests (but never log sensitive data):

Testing Your Authentication

Use this simple test to verify your authentication setup:

Next Steps

Now that you have authentication set up, you can:

Explore API Endpoints

Learn about our core API endpoints and start processing transactions.

Set Up Webhooks

Configure webhook endpoints to receive real-time payment notifications.