Authentication

Notch Pay API endpoints are protected with API keys, which you can generate from the dashboard. Your API key must be included in all API requests to the server as a header field.

When interacting with the Notch Pay API, ensure that each of your requests includes an Authorization header containing your secret key. You can manage your API keys directly from the dashboard.

Typically, we provide both public and secret keys. Public keys are intended for use in your interface when integrating with Payments exclusively. By design, public keys cannot modify any part of your account except to initiate transactions to you. However, secret keys must be kept confidential. If you suspect that your secret key has been compromised or you wish to reset it for any reason, you can do so from the dashboard.

Account environments

Your Notch Pay account has two different modes of operation:

  • Live - This mode involves real transactions with actual money and effects. Prior to switching to this mode, we advise thoroughly testing your integration.
  • Sandbox - This mode does not involve real money and can only make use of our test credentials. Despite the absence of real money, we still send webhooks and email notifications, and most API functions are retained.

Switching between Live and Test modes is a simple task, facilitated by the toggle button located in the header. Upon toggling between modes, the displayed API keys will swap correspondingly.

Throughout the integration development phase, thorough testing is crucial. As outlined in our authentication guide, accessing the Notch Pay API sandbox mode can be achieved using the sandbox API keys.

Transactions in the sandbox environment are automatically purged after a period of 45 days.

API Keys

Upon creating a Notch Pay account, users receive three categories of API keys:

  1. Public Key: Employed for "public" scenarios, such as in front-end JavaScript code.
  2. Private Key: Exclusively used with high-risk endpoints, such as transfers. Therefore, extreme caution must be exercised to ensure it is never exposed to the public.
  3. Hash: Used for verifying incoming webhooks.

To get API keys, go to the developer section of your Notch Pay Dashboard.

When developing and testing your integration, it's crucial to utilize Sandbox API keys. For information on Sandbox mode, refer to our guide on Moneroo API testing. When you're prepared to handle actual payments, swap your test key with Live API keys.

Ensuring the security of all API keys is paramount. Never disclose them to others. However, in the event of a key leak, you always have the option to delete it. Remember to update your code with the new keys promptly. Failure to do so will result in your integration not functioning correctly.

Authorizing API calls

Every API call made on Notch Pay is authenticated. API requests made without proper authorization fail with the HTTP status code 401: Unauthorized.

Hey, heads up! Your secret key is super powerful and can basically do whatever it wants on your Notch Pay account. So make sure you keep it confidential and store it only on your servers, preferably as an environment variable. And here's a friendly reminder: don't include it in your Git repository or front-end JavaScript code.

To ensure authorization of API calls from our server, it is necessary to pass your public key as an Authorization value. This can be accomplished by passing an Authorization header with a value of "YOUR_PUBLIC_KEY".

Example

For example, an API call could look like this.

This endpoint allows you to retrieve your merchant information.

curl https://api.notchpay.co \
  -H "Authorization: YOUR_PUBLIC_KEY" \
  -X GET
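The same call with the key read from an environment variable and handed to curl on stdin, so it stays out of the command line and shell history. This is an added example, not Notch Pay's own code; the variable name NOTCHPAY_API_KEY and the function names are assumptions.

```shell
# Added example. NOTCHPAY_API_KEY and all function names are assumed, not Notch Pay's.
NOTCHPAY_BASE_URL="https://api.notchpay.co"   # base URL as shown on this page

# Print a curl config on stdout. The key comes from the environment and is
# written with the printf builtin, so it is never an argument of any process.
notchpay_curl_config() {
  local key="${NOTCHPAY_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "NOTCHPAY_API_KEY is not set" >&2
    return 1
  fi
  # Reject whitespace, quotes and backslashes: they could add extra config
  # lines or headers, or break out of the quoted header value.
  case "$key" in
    *[[:space:]\"\\]*)
      echo "API key contains unexpected characters" >&2
      return 1 ;;
  esac
  printf 'url = "%s"\n' "$NOTCHPAY_BASE_URL"
  printf 'request = "GET"\n'
  printf 'header = "Authorization: %s"\n' "$key"
}

# Map the HTTP status to an exit code; 401 means the key was missing or rejected.
notchpay_check_status() {
  case "$1" in
    2??) return 0 ;;
    401) echo "401 Unauthorized: check the key and the mode (Live or Sandbox)" >&2
         return 2 ;;
    *)   echo "unexpected HTTP status $1" >&2
         return 3 ;;
  esac
}

# Send the request; curl reads its options, including the header, from stdin.
notchpay_get() {
  local cfg status
  cfg="$(notchpay_curl_config)" || return 1
  status="$(printf '%s\n' "$cfg" | curl --silent --output /dev/null \
            --write-out '%{http_code}' --config -)" || return 1
  notchpay_check_status "$status"
}
```

Set NOTCHPAY_API_KEY from your secret store or deployment environment, then call notchpay_get; a non-zero exit code of 2 signals the 401 case described above.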

Copyright © 2024 Notch Pay