Authentication

All requests to the Notch Pay API must be authenticated. This guide explains the authentication methods available and how to implement them securely.

API Keys

Notch Pay uses API keys to authenticate requests. You can find your API keys in your Notch Pay Business suite under Settings > API Keys.

Test API Keys: Used for development and testing. These keys contain test_ prefix.All transactions made with test API keys don’t affect your live data and are only visible in test mode.

Authentication Methods

For most API requests, you need to include your API key in the Authorization header:

Authorization: YOUR_PUBLIC_KEY

Example Request

curl https://api.notchpay.co/payments \
  -H "Authorization: YOUR_PUBLIC_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 5000,
    "currency": "XAF",
    "customer": {
      "email": "customer@example.com"
    }
  }'

API Key Security

Keep API Keys Private

Whitelist Your IP Addresses

Use Environment Variables

Use environment variables or secure vaults to store API keys in your applications.

// Example in Node.js
const apiKey = process.env.NOTCHPAY_API_KEY;

Implement Access Controls

Implement proper access controls to limit who can access your API keys.Only give access to team members who absolutely need it.

Rotate Keys Regularly

Rotate your API keys periodically, especially if you suspect they may have been compromised.You can generate new API keys in your Notch Pay dashboard.

Use Test Keys for Development

Use test API keys for development and testing to avoid accidental charges.Switch to live keys only when you’re ready to process real transactions.

Error Responses

Authentication Error Responses

Missing API Key

Invalid API Key

Missing Grant Key

{
  "code": 403,
  "status": "Forbidden",
  "message": "This endpoint requires additional authentication"
}

This error occurs when you try to access an endpoint that requires the X-Grant header without providing it.

Invalid Grant Key

Invalid Sync Account

{
  "code": 404,
  "status": "Not Found",
  "message": "Sync account not found"
}

This error occurs when the sync account ID you provided in the X-Sync header doesn’t exist or you don’t have access to it.

Best Practices

Use HTTPS

Always use HTTPS to encrypt your API requests and prevent man-in-the-middle attacks.Never send API requests over unencrypted HTTP connections.

Proper Error Handling

Handle authentication errors gracefully in your application.Implement retry logic with exponential backoff for transient errors.

Limit API Key Exposure

Only share API keys with trusted systems and developers.Consider using different API keys for different services or environments.

Monitor API Usage

Regularly review your API logs to detect unauthorized access.Set up alerts for unusual API activity patterns.

Implement Rate Limiting

Protect your API endpoints from brute force attacks by implementing rate limiting.Consider using a service like Redis to track and limit request rates.

Next Steps

API Reference

Explore the complete API documentation

Errors

Learn about error handling in the Notch Pay API

Security Best Practices

Discover more ways to secure your integration

Introduction

Core Resources

Additional Resources

API Specification

Authentication

Authentication

API Keys

Authentication Methods

Example Request

API Key Security

Error Responses

Best Practices

Use HTTPS

Proper Error Handling

Limit API Key Exposure

Monitor API Usage

Implement Rate Limiting

Next Steps

API Reference

Errors

Security Best Practices

Introduction

Core Resources

Additional Resources

API Specification

​Authentication

API Keys

​Authentication Methods

​Example Request

​API Key Security

​Error Responses

​Best Practices

Use HTTPS

Proper Error Handling

Limit API Key Exposure

Monitor API Usage

Implement Rate Limiting

​Next Steps

API Reference

Errors

Security Best Practices

Authentication

Authentication Methods

Example Request

API Key Security

Error Responses

Best Practices

Next Steps