Your API requests to PayMongo API must be authenticated using your account's API keys. An authentication error will be returned if the API key is not provided or invalid.
Every PayMongo account is provided with API keys for testing to try out PayMongo API and for running live requests. Your API keys are available on the
Developers module of the dashboard.
To test our API, you can send API requests in test mode. This means all requests will not process actual payments. The test and live modes function almost the same with a few differences:
- In test mode, payments are not actually processed by our payment processing providers, and only our test sample data can be used.
- Some API resources such as sources have a more complicated flow in live mode. It requires more steps than those in test mode.
- You can only get your live API keys once your account is
activated. You can toggle from the left side of your dashboard's sidebar if you want to get your test/live API keys.
This API key is solely used to identify your account when calling PayMongo API from the client-side.
If the public key is used from the client-side, the secret key is meant to be kept confidential and only stored on your own servers. Secret API key can perform any API requests to PayMongo without restriction and with access to overall data. Public API key has restricted data for some endpoints.
Never share your secret keys
Treat your secret keys like your passwords. The best practice is to store the secret key in your server's environment variable and not hardcoded in your codebase. If, for any reason, you believe that your secret keys have been compromised, please contact us immediately at [email protected] so we can revoke the old keys and give you new ones.
We're working on making the regeneration of keys available on the dashboard.
Test or Live Mode?
Public or Secret?
To authenticate your API requests, use HTTP Basic Auth and provide your API key as the basic auth username, encoded in Base64. You can leave the password field empty. Don't worry, it'll be encrypted when sent.
Updated about a year ago