Authentication
ResolutPay uses Bearer token authentication for API requests. You'll need to include your secret key in the Authorization header of all API requests.
API Keys
You have two types of API keys:
- Public Key: Used for client-side operations (like initializing payments)
- Secret Key: Used for server-side operations (like verifying payments, accessing sensitive data)
Never expose your secret key in client-side code, browser extensions, or public repositories. Always use environment variables to store your secret key.
Getting Your API Keys
- Log in to your ResolutPay Dashboard
- Navigate to Settings → API Keys
- Copy your Public Key and Secret Key
Using Your API Keys
Server-Side Requests
For server-side requests (recommended for most operations), use your Secret Key:
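const axios = require("axios");

// Server-side only: the secret key must never be shipped to the browser.
// `await` needs an async function in a CommonJS module.
async function initializeTransaction() {
  const response = await axios.post(
    "https://api.resolutpay.com/transaction/initialize",
    {
      amount: 5000,
      email: "customer@example.com",
      reference: "REF_" + Date.now(),
      callback_url: "https://yourwebsite.com/verify",
      currency: "GHS",
    },
    {
      headers: {
        // Placeholder: load the real key from an environment variable
        Authorization: "Bearer YOUR_SECRET_KEY",
        "Content-Type": "application/json",
      },
    }
  );
  return response.data;
}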
Client-Side Requests
For client-side requests (like initializing payments), use your Public Key:
// Client-side code
const response = await fetch(
  "https://api.resolutpay.com/transaction/initialize",
  {
    method: "POST",
    headers: {
      Authorization: "Bearer YOUR_PUBLIC_KEY",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      amount: 5000,
      email: "customer@example.com",
      reference: "REF_" + Date.now(),
      callback_url: "https://yourwebsite.com/verify",
      currency: "GHS",
    }),
  }
);
Environment Variables
Store your API keys securely using environment variables:
# .env file
RESOLUTPAY_PUBLIC_KEY=pk_test_xxxxxxxxxxxxxxxxxxxxxxxx
RESOLUTPAY_SECRET_KEY=sk_test_xxxxxxxxxxxxxxxxxxxxxxxx
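
// Using environment variables
const axios = require("axios");

// `data` is the request body (amount, email, reference, ...)
async function initializeTransaction(data) {
  const response = await axios.post(
    "https://api.resolutpay.com/transaction/initialize",
    data,
    {
      headers: {
        Authorization: `Bearer ${process.env.RESOLUTPAY_SECRET_KEY}`,
        "Content-Type": "application/json",
      },
    }
  );
  return response.data;
}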
Test vs Live Keys
ResolutPay provides separate keys for testing and production:
- Test Keys: Start with pk_test_ and sk_test_
- Live Keys: Start with pk_live_ and sk_live_
Use test keys during development and switch to live keys when going to production.
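A startup check can enforce the environment-variable and test/live guidance above before any request is sent. This is an added example, not ResolutPay's own code: the function names, the use of NODE_ENV to mean "production", and classifying keys by prefix alone are assumptions.

```javascript
// Added example. Prefixes come from the page; everything else is assumed.
const KEY_PREFIXES = {
  pk_test_: { kind: "public", mode: "test" },
  sk_test_: { kind: "secret", mode: "test" },
  pk_live_: { kind: "public", mode: "live" },
  sk_live_: { kind: "secret", mode: "live" },
};

// Returns { prefix, kind, mode } or null if the value is not a known key type.
function classifyKey(key) {
  if (typeof key !== "string") return null;
  const prefix = Object.keys(KEY_PREFIXES).find(
    (p) => key.startsWith(p) && key.length > p.length
  );
  return prefix ? { prefix, ...KEY_PREFIXES[prefix] } : null;
}

// Safe for logs and error messages: prefix only, never key material.
function redactKey(key) {
  const info = classifyKey(key);
  return info ? `${info.prefix}****` : "[unrecognized key]";
}

// Fails closed: throws unless the env holds a secret key of the right mode.
function loadSecretKey(env = process.env) {
  const key = (env.RESOLUTPAY_SECRET_KEY || "").trim();
  if (!key) throw new Error("RESOLUTPAY_SECRET_KEY is not set");
  const info = classifyKey(key);
  if (!info) throw new Error("RESOLUTPAY_SECRET_KEY has an unrecognized prefix");
  if (info.kind !== "secret") {
    throw new Error(`expected a secret key, got ${redactKey(key)}`);
  }
  const production = env.NODE_ENV === "production";
  if (production && info.mode !== "live") throw new Error("test key in production");
  if (!production && info.mode !== "test") throw new Error("live key outside production");
  return key;
}

// Headers for server-side requests, built only after the key passes the checks.
function authHeaders(env = process.env) {
  return {
    Authorization: `Bearer ${loadSecretKey(env)}`,
    "Content-Type": "application/json",
  };
}
```

Call `authHeaders()` once at server startup so a misconfigured key stops the deployment instead of surfacing later as a 401.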
Key Rotation
For security, rotate your API keys regularly:
- Generate new keys in the dashboard
- Update your application with the new keys
- Delete the old keys after confirming everything works
Error Responses
If authentication fails, you'll receive a 401 Unauthorized response:
{
  "status": false,
  "message": "Invalid authorization key",
  "data": null
}
Common authentication errors:
Error Code | Description |
---|---|
401 | Invalid or missing API key |
403 | API key doesn't have permission for this endpoint |
429 | Rate limit exceeded |
Security Best Practices
- Never commit API keys to version control
- Use environment variables to store keys
- Rotate keys regularly (every 90 days)
- Use HTTPS for all API requests
- Validate webhook signatures to prevent replay attacks
- Monitor API usage for suspicious activity
Next Steps
- Quickstart Guide - Get started with your first payment
- Payment Collection - Learn about different payment methods
- Webhooks - Set up real-time notifications