Authentication
VaultsPay authenticates API requests using Bearer tokens. Each request must include an Authorization header carrying your secret API key.
Your API keys
Once your VaultsPay account is approved, you’ll receive two API keys:
| Key | Prefix | Use |
|---|---|---|
| Test secret | sk_test_... | Sandbox environment only |
| Live secret | sk_live_... | Production environment |
Treat your live secret key like a password. Never commit it to a public repository, embed it in client-side code, or share it in plain text. Rotate immediately if compromised.
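A small server-side helper that applies the rules above (added example, not VaultsPay's own code): it loads the secret key from an environment variable instead of source code, checks that the sk_test_/sk_live_ prefix matches the environment the process is deployed to, builds the `Authorization: Bearer` header, and produces a redacted form for logs. The environment names, the variable name and the assumed key format after the prefix are assumptions.

```python
import os
import re

# Prefixes come from the key table; the environment names are assumptions.
KEY_PREFIXES = {"sandbox": "sk_test_", "production": "sk_live_"}
# Assumed shape of the part after the prefix (alphanumeric); adjust if VaultsPay differs.
KEY_PATTERN = re.compile(r"^sk_(test|live)_([A-Za-z0-9]{8,})$")


class ApiKeyError(ValueError):
    """Raised when a key is malformed or used in the wrong environment."""


def validate_api_key(api_key: str, environment: str) -> str:
    """Return the key unchanged if its prefix matches the target environment."""
    expected = KEY_PREFIXES.get(environment)
    if expected is None:
        raise ApiKeyError(f"unknown environment: {environment!r}")
    if not KEY_PATTERN.match(api_key):
        raise ApiKeyError("malformed API key")
    if not api_key.startswith(expected):
        # A live key pointed at the sandbox (or a test key in production)
        # is almost always a deployment mistake; fail closed.
        raise ApiKeyError(f"key prefix does not match the {environment} environment")
    return api_key


def key_allowed(api_key: str, environment: str) -> bool:
    """Boolean form of validate_api_key, convenient for startup checks."""
    try:
        validate_api_key(api_key, environment)
        return True
    except ApiKeyError:
        return False


def auth_headers(api_key: str, environment: str) -> dict:
    """Build the single Authorization header the API expects."""
    return {"Authorization": f"Bearer {validate_api_key(api_key, environment)}"}


def redact_key(api_key: str) -> str:
    """Log-safe form: keep the prefix and the last four characters only."""
    match = KEY_PATTERN.match(api_key)
    if not match:
        return "<invalid key>"
    return f"sk_{match.group(1)}_...{match.group(2)[-4:]}"


def load_key_from_env(environment: str, var_name: str = "VAULTSPAY_SECRET_KEY") -> str:
    """Read the key from the process environment, never from the code base."""
    key = os.environ.get(var_name)
    if not key:
        raise ApiKeyError(f"{var_name} is not set")
    return validate_api_key(key, environment)
```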
Sending the Authorization header
All authenticated requests include a single Authorization header:
Authorization: Bearer sk_test_yourApiKeyHere

Example using curl:

curl https://api.vaultspay.ae/v1/accounts \
  -H "Authorization: Bearer sk_test_yourApiKeyHere"

Rotating keys
You can rotate your API keys from the VaultsPay Dashboard → Developers → API Keys. When you rotate:
- A new key is issued.
- The old key continues to work for 24 hours to give you time to deploy.
- After 24 hours, the old key is permanently revoked.
IP allow-listing (optional)
For additional security, you may restrict your live API key to specific IPv4/IPv6 ranges from the dashboard. Requests from other IPs will receive a 401 unauthorized_ip error.
Request signing (webhooks)
Inbound webhook requests from VaultsPay to you are signed with an HMAC signature for verification. See Signature verification.
FAQ
Q: Can I use my API key in a mobile app? No. API keys are server-side only. For mobile/web clients, request short-lived Session Tokens from your backend.
Q: How do I regenerate a leaked key? Open the dashboard, go to Developers → API Keys → Revoke. Issue a replacement immediately.
Q: Does VaultsPay support OAuth? OAuth 2.0 for third-party partners is on the roadmap. For current integrations, use API keys.