Authentication
All v2 API endpoints require an API Key passed in the token header.
How It Works
```mermaid
sequenceDiagram
    participant Y as Your Server
    participant S as SecPaid API
    Y->>S: POST /api/v2/createLink<br/>Header: token: YOUR_API_KEY
    S->>S: Validate API Key → resolve user
    S-->>Y: Response
```
- You send your API Key in the token header
- SecPaid validates the key and resolves your account
- Your request is authenticated and processed
Request Format
```http
POST /api/v2/createLink HTTP/1.1
Host: app.secpaid.com
Content-Type: application/json
token: YOUR_API_KEY

{
  "amount": 49.99
}
```
Getting Your API Key
Your API Key is available in the platform dashboard:
- Log in to your SecPaid account
- Navigate to Settings → API & Integrations
- Copy your API-Token from the field shown
Your API Key is an alphanumeric string (e.g., S3ZOMroDliZZBWyL). Each environment (development / production) has a separate key.
Also on this page
The API & Integrations tab also shows your Payment Endpoint (webhook URL) and your Recipient Token (used when others reference you in split links).
Security Best Practices
Keep your token secret
Your API Key grants full access to your SecPaid account. Treat it like a password.
- Store the token in environment variables, never in client-side code
- Use HTTPS exclusively (enforced by SecPaid)
- Rotate your token if you suspect it has been compromised — contact support
- Do not share tokens between environments (dev vs. production)
Error Responses
If authentication fails, you'll receive:
```json
{
  "ResponseCode": 0,
  "ResponseMsg": "Incorrect token or missing token",
  "Result": "False",
  "ServerTime": "CEST"
}
```
Common causes:
| Error | Cause |
|---|---|
| Missing token header | Header not included in request |
| Invalid API key | Token doesn't match any SecPaid user |
| Wrong environment | Using a dev token against production or vice versa |
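
The server-side handling described above, as an added Python example (not SecPaid's own code): the key is read from an environment variable, sent only over HTTPS in the token header, kept out of logs, and the documented error body is detected. The variable name `SECPAID_API_KEY` and all function names are assumptions; the success response shape is not shown on this page, so `send` returns the parsed JSON unchanged.

```python
import json
import os
import urllib.request

API_URL = "https://app.secpaid.com/api/v2/createLink"  # host and path from the request format above
ENV_VAR = "SECPAID_API_KEY"  # assumed variable name, not defined by SecPaid
AUTH_ERROR_MSG = "Incorrect token or missing token"  # message from the error response above


def load_api_key(environ=os.environ):
    """Read the key from the environment and fail closed if it is absent."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return key


def build_create_link_request(api_key, amount, url=API_URL):
    """Build the POST request; refuse any URL that is not HTTPS."""
    if not url.lower().startswith("https://"):
        raise ValueError("API key must only be sent over HTTPS")
    body = json.dumps({"amount": amount}).encode("utf-8")
    # urllib stores the header name as "Token"; HTTP header names are case-insensitive.
    headers = {"Content-Type": "application/json", "token": api_key}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def redact(api_key):
    """Form of the key that is safe to write to logs."""
    return api_key[:2] + "*" * (len(api_key) - 2) if len(api_key) > 4 else "****"


def is_auth_failure(response_body):
    """True when the body matches the documented authentication error."""
    data = json.loads(response_body)
    return data.get("Result") == "False" and data.get("ResponseMsg") == AUTH_ERROR_MSG


def send(request, timeout=10):
    """Send the request and raise on the documented authentication failure."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    if is_auth_failure(body):
        raise PermissionError("SecPaid rejected the API key (check header and environment)")
    return json.loads(body)
```

Because the table above lists a dev token used against production as a cause of the same error, set the environment variable per deployment rather than sharing one value.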