Tokens#

Tokens represent API keys and access credentials for authenticating with the CasaPay API.

The Token object#

AttributeTypeDescription
idstringUnique identifier with tok_ prefix
objectstringAlways "token"
namestringHuman-readable name
typeenumsecret, publishable, restricted
key_prefixstringFirst 8 characters of the key
permissionsarrayAllowed operations (restricted keys only)
last_used_attimestampLast time the token was used
expires_attimestampExpiration time (null for non-expiring)
livemodebooleanLive or test mode
createdtimestampTime at which the object was created
{
  "id": "tok_abc123",
  "object": "token",
  "name": "Production API Key",
  "type": "secret",
  "key_prefix": "sk_live_",
  "permissions": [],
  "last_used_at": 1706140800,
  "expires_at": null,
  "livemode": true,
  "created": 1704067200
}

Create a Token#

POST /v1/tokens

ParameterTypeRequiredDescription
namestringYesHuman-readable name
typestringNorestricted (secret/publishable managed in Dashboard)
permissionsarrayConditionalRequired for restricted keys
expires_attimestampNoOptional expiration
curl https://api.casapay.com/v1/tokens \
  -H "Authorization: Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Webhook Server Key",
    "type": "restricted",
    "permissions": ["payment_intents:read", "events:read", "webhook_endpoints:write"]
  }'
{
  "id": "tok_restricted_xyz",
  "object": "token",
  "name": "Webhook Server Key",
  "type": "restricted",
  "key": "rk_test_abc123...",
  "permissions": ["payment_intents:read", "events:read", "webhook_endpoints:write"],
  "created": 1706140800
}

Store the key securely

The full API key is only returned once when creating the token. Store it securely — you won't be able to retrieve it again.

Retrieve, List, Revoke#

GET /v1/tokens/:id

GET /v1/tokens

POST /v1/tokens/:id/revoke

curl -X POST https://api.casapay.com/v1/tokens/tok_abc123/revoke \
  -H "Authorization: Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc"