Authentication#
The CasaPay API uses API keys to authenticate requests. You can view and manage your API keys in the CasaPay Dashboard.
Your API keys carry many privileges, so be sure to keep them secure. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
API Key Types#
| Key Type | Prefix | Usage |
|---|---|---|
| Secret key (test) | sk_test_ | Server-side, test mode |
| Secret key (live) | sk_live_ | Server-side, live mode |
| Publishable key (test) | pk_test_ | Client-side, test mode |
| Publishable key (live) | pk_live_ | Client-side, live mode |
Making Authenticated Requests#
Authentication to the API is performed via HTTP Bearer auth. Provide your API key as the bearer token value:
curl https://api.casapay.com/v1/customers \
-H "Authorization: Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc"const casapay = require('casapay')('sk_test_4eC39HqLyjWDarjtT1zdp7dc');
const customer = await casapay.customers.retrieve('cus_123456789');import casapay
casapay.api_key = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
customer = casapay.Customer.retrieve("cus_123456789")All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
Restricted API Keys#
For granular permissions, you can create restricted API keys that only have access to specific API resources. Configure restricted keys in your Dashboard under API Keys → Create restricted key.
Keep your keys safe
Your secret API key can be used to make any API call on behalf of your account. Treat your secret API key as you would any other password. Grant access only to those who need it.