Authentication

All v2 API endpoints require an API Key passed in the token header.

How It Works

sequenceDiagram
    participant Y as Your Server
    participant S as SecPaid API

    Y->>S: POST /api/v2/createLink<br/>Header: token: YOUR_API_KEY
    S->>S: Validate API Key → resolve user
    S-->>Y: Response
  1. You send your API Key in the token header
  2. SecPaid validates the key and resolves your account
  3. Your request is authenticated and processed

Request Format

POST /api/v2/createLink HTTP/1.1
Host: app.secpaid.com
Content-Type: application/json
token: YOUR_API_KEY

{
  "amount": 49.99
}

Getting Your API Key

Production

Your production API Key is available in the platform dashboard:

  1. Log in to your SecPaid account at app.secpaid.com
  2. Navigate to Settings → API & Integrations
  3. Copy your API-Token from the field shown

Development (app.dev.secpaid.com)

Accounts for the development environment are provisioned by SecPaid — there is no public self-signup for app.dev.secpaid.com. Email support@secpaid.com to request a sandbox account; we will send your login and development API Key. Use that key only with https://app.dev.secpaid.com/api/v2/. See Environments & Rate Limits for details.

Your API Key is an alphanumeric string (e.g., S3ZOMroDliZZBWyL). Each environment (development / production) has a separate key.

Also on this page

The API & Integrations tab also shows your Payment Endpoint (webhook URL) and your Recipient Token (used when others reference you in split links).

Security Best Practices

Keep your token secret

Your API Key grants full access to your SecPaid account. Treat it like a password.

  • Store the token in environment variables, never in client-side code
  • Use HTTPS exclusively (enforced by SecPaid)
  • Rotate your token if you suspect it has been compromised — contact support
  • Do not share tokens between environments (dev vs. production)

Error Responses

If authentication fails, you'll receive:

{
  "ResponseCode": 0,
  "ResponseMsg": "Incorrect token or missing token",
  "Result": "False",
  "ServerTime": "CEST"
}

Common causes:

| Error | Cause |
|---|---|
| Missing token header | Header not included in request |
| Invalid API key | Token doesn't match any SecPaid user |
| Wrong environment | Using a dev token against production or vice versa |
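
The practices under Security Best Practices and the failure response under Error Responses, combined in one server-side helper. This is an added example, not SecPaid's own code: the environment variable names SECPAID_API_KEY_PROD and SECPAID_API_KEY_DEV and all function names are assumptions, and the production base URL is derived from the Host line in Request Format.

```python
import json
import os
import urllib.request

# Base URLs follow the page; the environment variable names are assumptions.
ENVIRONMENTS = {
    "production": ("https://app.secpaid.com/api/v2/", "SECPAID_API_KEY_PROD"),
    "development": ("https://app.dev.secpaid.com/api/v2/", "SECPAID_API_KEY_DEV"),
}
AUTH_FAILURE_MSG = "Incorrect token or missing token"  # documented ResponseMsg


class AuthError(Exception):
    """Raised when the API Key is missing locally or rejected by SecPaid."""


def build_request(environment, endpoint, payload, environ=os.environ):
    """Build a POST that carries only the key belonging to `environment`."""
    base_url, key_var = ENVIRONMENTS[environment]  # KeyError on unknown name
    api_key = environ.get(key_var, "").strip()
    if not api_key:  # fail locally instead of sending a request with no token
        raise AuthError(f"{key_var} is not set; cannot call {environment}")
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(base_url + endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    # urllib stores the name as "Token"; HTTP header names are case-insensitive.
    req.add_header("token", api_key)
    return req


def check_auth(response_body, environment):
    """Parse a response body; raise AuthError on the documented failure message."""
    data = json.loads(response_body)
    if data.get("ResponseMsg") == AUTH_FAILURE_MSG:
        raise AuthError(f"token rejected by {environment}: header missing, "
                        "key invalid, or key is for the other environment")
    return data


def redact(req):
    """Return the request headers with the token masked, safe for logging."""
    return {k: ("***" if k.lower() == "token" else v) for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed key, not a real credential.
    demo = build_request("development", "createLink", {"amount": 49.99},
                         environ={"SECPAID_API_KEY_DEV": "CONSTRUCTEDKEY123"})
    print(demo.full_url, redact(demo))
```

Pass the returned request to `urllib.request.urlopen` and feed the response body to `check_auth`; log `redact(req)` rather than the request headers themselves.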