Authentication
Learn how to authenticate with the Notch Pay API and secure your integration
Proper authentication is essential for securing your Notch Pay integration. This guide explains the key concepts of authentication and how to get started with implementing it in your applications.
API Keys Overview
Notch Pay uses API keys to authenticate requests to our API. When you create a Notch Pay account, you’ll receive two sets of API keys:
Test API Keys
Used for development and testing. These keys contain the test_ prefix.
All transactions made with test API keys don’t affect your live data and are only visible in test mode.
Live API Keys
Used for production environments. Only use these keys when your application is ready for real transactions.
You can find your API keys in your Notch Pay Business suite under Settings > API Keys.
Types of API Keys
Notch Pay provides two types of API keys for different purposes:
Public keys (starting with pk_) are used for client-side operations that don’t require access to sensitive data. These keys can be safely included in your frontend code.
Example: pk_test_123456789abcdef
Use for: Creating payment sessions, initializing the Notch Pay SDK in client-side code
Public keys (starting with pk_) are used for client-side operations that don’t require access to sensitive data. These keys can be safely included in your frontend code.
Example: pk_test_123456789abcdef
Use for: Creating payment sessions, initializing the Notch Pay SDK in client-side code
Private keys (starting with sk_) are used for server-side operations that require access to sensitive data. These keys should never be exposed in your frontend code or public repositories.
Example: sk_test_123456789abcdef
Use for: Accessing account information, creating transfers, managing webhooks
Authentication Methods
Notch Pay supports several authentication methods depending on the type of operation:
Standard Authentication
For most API requests, include your API key in the Authorization header:
Advanced Authentication
Some sensitive operations require additional authentication using the X-Grant header with your private key:
Sync Account Authentication
When working with connected accounts, specify the account using the X-Sync header:
API Key Security
Keep Keys Secure
Never share your private keys in publicly accessible areas such as GitHub, client-side code, or social media.
Use Environment Variables
Store API keys in environment variables or secure vaults, not in your application code.
Implement Access Controls
Limit who can access your API keys within your organization.
Rotate Keys Regularly
Periodically rotate your API keys, especially if you suspect they may have been compromised.
Use Test Keys for Development
Always use test API keys for development and testing to avoid accidental charges.
Common Authentication Errors
The API returns specific error codes and messages when authentication fails:
| Error | Description | Solution |
|---|---|---|
| 401 - API key missing | No API key was provided | Include your API key in the Authorization header |
| 401 - Invalid API key | The API key is incorrect or revoked | Check that you’re using the correct API key |
| 403 - Missing grant key | Advanced authentication required | Include your private key in the X-Grant header |
| 403 - Invalid grant key | The private key is incorrect | Verify your private key is correct |
| 404 - Sync account not found | Invalid sync account ID | Check that the sync account exists and you have access to it |
Next Steps
- Authentication API Reference - Detailed API specifications and code examples
- Error Handling - Learn about error handling in the Notch Pay API
- Security Best Practices - Discover more ways to secure your integration