Keys & Access Tokens
V2 API Keys
All V2 endpoints authenticate using an API key passed in the request header:
| Header | Value |
|---|---|
| token | Your API key |
Example:
```http
POST /api/v2/createLink HTTP/1.1
Host: app.secpaid.com
token: YOUR_API_KEY_HERE
Content-Type: application/x-www-form-urlencoded
```
The API gateway validates the key and resolves the associated user before the request reaches the service. No Bearer token or OAuth flow is required for V2.
Obtaining an API Key
- Contact compute@spacepitch.org to request an API key.
- Specify whether you need a development or production key.
- For development, you can use the demo key below to get started immediately.
Development demo key: u06AuLfBhQdQDtYGVcbGQtUNgIO1wrFN
The demo key creates test payment links backed by the PSP's sandbox. You can cancel or authorize demo payments to test your webhook and callback integrations. It does not process real money.
Recipient Tokens
To use the Split Link feature, you need the recipient tokens of your split recipients. These are separate from your API key:
- Development: recipients can find their token in their SecPaid account settings.
- Production: contact compute@spacepitch.org after the recipient has registered and verified their SecPaid account.
Recipient tokens are placed in the recipients array of the request body — not in the header.
Best Practices
- Store API keys in environment variables — never hard-code them or expose them in client-side code.
- Rotate API keys periodically.
- Implement proper error handling for 401 and 403 responses.
- Always use HTTPS — all SecPaid endpoints enforce TLS.
- Monitor your API usage to detect unauthorized access.
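The first, third and fourth practices above can be combined in one small client, shown here as an added example that is not SecPaid's own code. The environment variable name `SECPAID_API_KEY`, the function names and the reading of 401/403 (general HTTP semantics) are assumptions; the request fields you pass to `build_request` are whatever the endpoint you call requires.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit

API_BASE = "https://app.secpaid.com"  # host from the page's example request
KEY_ENV_VAR = "SECPAID_API_KEY"  # assumed name, not from the SecPaid docs


class AuthError(Exception):
    """The gateway rejected the key (401) or the action (403)."""


def load_api_key(env=os.environ):
    """Read the key from the environment; never fall back to a literal."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(path, form_fields, api_key, base=API_BASE):
    """Build a V2 POST carrying the key in the `token` header."""
    url = base + path
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    body = urlencode(form_fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("token", api_key)  # V2: no Bearer token, no OAuth
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def send(req, opener=urllib.request.urlopen):
    """Send the request; map 401/403 to AuthError without echoing the key."""
    try:
        with opener(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # General HTTP semantics (assumed here): 401 = key not accepted,
        # 403 = key accepted but action not allowed. Retrying will not help.
        if err.code == 401:
            raise AuthError("401: API key missing, invalid or revoked") from None
        if err.code == 403:
            raise AuthError("403: API key not permitted for this request") from None
        raise
```

Because the error messages never include the key, they are safe to write to application logs; counting `AuthError` occurrences there also gives a simple signal for the usage-monitoring practice.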