API Keys

Overview

We authenticate your API requests using the API key - a unique combination of symbols associated with your account. If a request doesn’t include a valid key, Payment Gateway returns an invalid request error. If a request includes a deleted or expired key, Payment Gateway returns an authentication error.

The API key is passed in the X-Api-Key header of an API request:

curl -X GET "https://dev.bpcbt.com/api2/sessions/test_aksdhauedqiuwehdiqwbdq" \
-H "X-Api-Key: 6HUXQFbeomV1zf5i8cgm5W8KfncENVEa5uh8RngB" \
-H "X-Version: 2023-10-31" \

You can generate as many API keys as necessary. For example, you company may require yearly key rotation. To change the API key safely, we recommend you to use the following approach:

1. When you are going to change your API key, first generate the new API key.
2. Support two APY keys: 1) the old one, 2) the new one that you have just generated.
3. Use the new API key in the API requests to make sure they are correctly authenticated.
4. Delete the old API key.

You can use Merchant Portal to generate or delete API keys. See the details in the Merchant Portal User Guide.