
API Authentication

PaynPlus authenticates your API requests using standard HTTP authorization headers. You must include your API key in every request to interact with our endpoints.

API Key Types

When you create a PaynPlus account, you are provided with two types of API keys for each environment (Sandbox and Production).

Public Key

Identifiable by the pk_ prefix. This key is meant to be used in your frontend code (websites, mobile apps) to tokenize payment details securely before sending them to your server.

e.g., pk_live_HTL9z8y7...

Secret Key

Identifiable by the sk_ prefix. Used for backend API calls such as charging a card, processing refunds, or creating payouts.

e.g., sk_live_HTLm1n2o...

Security Warning

Your Secret Key can perform highly sensitive actions, including moving funds. Never expose your Secret Key in client-side code, public GitHub repositories, or mobile applications. Always keep it safely stored in your server's environment variables.

Making a Request

To authenticate, send your API key in the Authorization header using the Bearer scheme.

Example Request
curl -X POST https://api.paynplus.com/v1/payments \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer sk_live_your_secret_key" \
  -d '{
    "amount": 1500.00,
    "currency": "PHP",
    "payment_method": "gcash"
  }'

Authentication Errors

If an invalid or missing API key is provided, the API will return a 401 Unauthorized error.

{
  "error": {
    "code": "UNAUTHORIZED_ACCESS",
    "message": "Invalid API key provided."
  }
}
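
Added example (not PaynPlus code): a server-side helper that applies the Security Warning, Making a Request and Authentication Errors sections together. It reads the secret key from an environment variable, rejects a pk_ key, builds the Bearer request without sending it, and reads the 401 body. The variable name PAYNPLUS_SECRET_KEY, the function names and the UNPARSEABLE_401 label are assumptions of this example.

```python
import json
import os
import urllib.request

API_URL = "https://api.paynplus.com/v1/payments"  # endpoint from the curl example
ENV_VAR = "PAYNPLUS_SECRET_KEY"  # assumed variable name, not defined by PaynPlus


class KeyConfigError(RuntimeError):
    """Raised when the server-side key is missing or of the wrong type."""


def load_secret_key(env=os.environ):
    """Read the secret key from the environment and check its prefix."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise KeyConfigError(f"{ENV_VAR} is not set")
    if key.startswith("pk_"):
        raise KeyConfigError("public key (pk_) set where a secret key is required")
    if not key.startswith("sk_"):
        raise KeyConfigError("value does not start with the sk_ prefix")
    return key


def redact(key):
    """Log-safe form of a key: the type prefix only, no key material."""
    return key[:3] + "***"


def build_payment_request(key, payload):
    """Build (but do not send) the authenticated POST shown on the page."""
    return urllib.request.Request(
        API_URL,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {key}"},
    )


def auth_error_code(status, body):
    """Return the error code of a 401 response, or None for other statuses."""
    if status != 401:
        return None
    try:
        return json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        return "UNPARSEABLE_401"  # label local to this example, not an API code
```

Calling load_secret_key() once at process start makes a missing or mistyped key fail the deployment instead of the first payment.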