PayGate

Authentication

Learn how to authenticate with the PayGate API.

The PayGate API uses API keys to authenticate requests. You can view and manage your API keys in the Dashboard.

API Keys

Your API keys carry many privileges, so be sure to keep them secure. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

Security Warning: Never expose your secret API key in client-side code or public repositories.

Key Types

| Key Type | Prefix | Description |
|---|---|---|
| Secret Key (Test) | sk_test_ | Use for server-side test mode requests |
| Secret Key (Live) | sk_live_ | Use for server-side production requests |
| Publishable Key (Test) | pk_test_ | Use for client-side test mode (checkout) |
| Publishable Key (Live) | pk_live_ | Use for client-side production (checkout) |

Making Authenticated Requests

Include your API key in the Authorization header using Bearer authentication:

cURL:

curl https://api.44.200.142.19.nip.io/v1/payments \
  -H "Authorization: Bearer sk_test_..." \
  -H "Content-Type: application/json"

Node.js:

import PayGate from '@paygate/node'

// The SDK handles authentication automatically
const paygate = new PayGate('sk_test_...')

const payments = await paygate.payments.list()

Python:

import paygate

# The SDK handles authentication automatically
client = paygate.Client('sk_test_...')

payments = client.payments.list()

PHP:

<?php
// The SDK handles authentication automatically
$paygate = new \PayGate\PayGate('sk_test_...');

$payments = $paygate->payments->list();

Go:

import (
	"log"

	paygate "github.com/paygate/paygate-go"
)

// The SDK handles authentication automatically
client := paygate.New("sk_test_...")

// Check the error instead of discarding it, so a rejected key is noticed
payments, err := client.Payments.List(nil)
if err != nil {
	log.Fatal(err)
}

Error Responses

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "error": {
    "type": "authentication_error",
    "code": "invalid_api_key",
    "message": "Invalid API key provided. Check that your API key is correct."
  }
}

Common Authentication Errors

| Error Code | Description | Solution |
|---|---|---|
| invalid_api_key | The API key is invalid | Check your API key is correct |
| expired_api_key | The API key has expired | Generate a new key in the Dashboard |
| revoked_api_key | The API key was revoked | Generate a new key in the Dashboard |
| test_key_on_live | Using test key for live endpoint | Use your live API key |

Best Practices

  1. Use environment variables - Store API keys in environment variables, never in code
  2. Rotate keys regularly - Generate new keys periodically for security
  3. Use separate keys - Use different keys for different environments/services
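  4. Monitor usage - Review API logs in the Dashboard for unusual activity

Environment Variables

# .env
PAYGATE_SECRET_KEY=sk_live_...

// app.ts
import PayGate from '@paygate/node'

// Fail fast at startup if the key is missing
const secretKey = process.env.PAYGATE_SECRET_KEY
if (!secretKey) throw new Error('PAYGATE_SECRET_KEY is not set')
const paygate = new PayGate(secretKey)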
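A pre-commit or CI check can catch secret keys that end up in source despite the first practice. The following is an added example, not part of the PayGate SDK or documentation: it flags the secret-key prefixes from the Key Types table and masks them in its output. The key body pattern, the function names and the sample keys are assumptions made for illustration.

```javascript
// Added example, not PayGate code. Prefixes come from the Key Types table;
// the key body format ([A-Za-z0-9], 16+ chars) is an assumption.
const KEY_RE = /\b(sk|pk)_(test|live)_([A-Za-z0-9]{16,})\b/g;

// Classify a key by its documented prefix; null if it has none.
function classifyKey(key) {
  const m = /^(sk|pk)_(test|live)_/.exec(key);
  return m ? { secret: m[1] === 'sk', mode: m[2] } : null;
}

// Mask the key body so a finding can be logged without re-leaking the secret.
function mask(key) {
  return key.slice(0, 8) + '****' + key.slice(-4); // all four prefixes are 8 chars
}

// Scan one file's text. Secret keys are always findings; publishable keys are
// intended for client-side checkout, so they are not reported.
function scanText(path, text) {
  const findings = [];
  text.split('\n').forEach((src, i) => {
    for (const m of src.matchAll(KEY_RE)) {
      const info = classifyKey(m[0]);
      if (!info.secret) continue;
      findings.push({
        path,
        line: i + 1,
        key: mask(m[0]),
        severity: info.mode === 'live' ? 'critical' : 'high',
      });
    }
  });
  return findings;
}

// Constructed sample input; the key values are made up.
const SAMPLE = [
  "const paygate = new PayGate(process.env.PAYGATE_SECRET_KEY)",
  "const publishableKey = 'pk_live_Zx81Kq02Lm93Np74Rs65'",
  "const legacy = new PayGate('sk_live_Ab12Cd34Ef56Gh78Ij90')",
  "// docs placeholder: sk_test_...",
].join('\n');

function demo() {
  return scanText('src/billing.js', SAMPLE);
}
console.log(demo());
```

Any key this check finds should be treated as exposed and replaced in the Dashboard, not just deleted from the file.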

Webhook Signature Verification

For webhooks, we use a different authentication mechanism. Each webhook includes a signature in the X-PayGate-Signature header that you should verify. See Handling Webhooks for details.