The Workflow API uses the same authentication model as the rest of PayMongo: an HTTP Basic header carrying your secret key, plus the Organization-Id header that identifies the organization the request acts on.

Secret keys

Every Workflow API request authenticates with a PayMongo secret key. The key prefix decides whether the request runs in test mode (sk_test_...) or live mode (sk_live_...). Workflows, triggers, instances, and wait states are isolated between modes. A workflow created with a test key is invisible to a live key, and vice versa.

The Authorization header is built from your secret key followed by a colon, base64-encoded:

# Construct the token
echo -n "${YOUR_SECRET_KEY}:" | base64
# → e.g. c2tfdGVzdF9hYmMxMjM6

The trailing colon is mandatory. Most HTTP clients build it automatically when you set the username to your secret key and leave the password empty.

Required headers

Every authenticated request must carry both headers below.

Livemode isolation

The key prefix determines livemode:

• sk_live_...: live mode. Real money movement, real bank rails.
• sk_test_...: test mode. Sandbox; transfers do not move real funds.

Cross-livemode reads return 404 Not Found. A test-mode key cannot retrieve, list, or modify a live-mode workflow even when it knows the ID. The existence of the resource is not leaked across the boundary.

Authentication errors

The full error envelope shape is described in Validation and Errors.

Example

curl --request GET 'https://workflow-api.paymongo.com/v1/workflows' \
  --header 'Authorization: Basic ${YOUR_BASIC_TOKEN}' \
  --header 'Organization-Id: ${YOUR_ORG_ID}' \
  --header 'Content-Type: application/json'

A successful response is a JSON envelope of workflows. Any of the codes above will appear in the standard error envelope on failure.