Authentication

Secure authentication is the foundation of the iNPAY Developer API. This guide covers everything you need to know about authenticating your requests.

🔑 Secret Key Authentication

All API requests must include your secret key in the Authorization header:

Authorization: Bearer sk_live_your_secret_key_here

Secret Key Format

iNPAY secret keys follow this format:

Live Keys: sk_live_...
Test Keys: sk_test_...

🏗️ Getting Your Secret Key

Step 1: Access Your Dashboard

Log in to your iNPAY Dashboard
Navigate to Settings → API Keys

Step 2: Generate a New Key

Click "Generate New Key"
Choose between Live or Test environment
Copy the generated secret key
Store it securely - you won't be able to see it again!

Step 3: Environment Setup

Never hardcode your secret keys in your application!

Node.js Example

// .env file
INPAY_SECRET_KEY=sk_live_your_secret_key_here
INPAY_BASE_URL=https://api.inpaycheckout.com

// In your code
const secretKey = process.env.INPAY_SECRET_KEY;
const baseUrl = process.env.INPAY_BASE_URL;

Python Example

# .env file
INPAY_SECRET_KEY=sk_live_your_secret_key_here
INPAY_BASE_URL=https://api.inpaycheckout.com

# In your code
import os
from dotenv import load_dotenv

load_dotenv()
secret_key = os.getenv('INPAY_SECRET_KEY')
base_url = os.getenv('INPAY_BASE_URL')

PHP Example

// .env file
INPAY_SECRET_KEY=sk_live_your_secret_key_here
INPAY_BASE_URL=https://api.inpaycheckout.com

// In your code
$secretKey = $_ENV['INPAY_SECRET_KEY'];
$baseUrl = $_ENV['INPAY_BASE_URL'];

🔒 Security Best Practices

✅ Do's

Use HTTPS: Always make requests over HTTPS
Store Securely: Use environment variables or secure key management
Rotate Regularly: Generate new keys periodically
Monitor Usage: Set up alerts for unusual API activity
Use Test Keys: Test thoroughly with sandbox keys before going live

❌ Don'ts

Never expose in client-side code: Secret keys should never be in browsers or mobile apps
Don't commit to version control: Add .env files to .gitignore
Don't share keys: Keep your secret keys private
Don't use live keys for testing: Always use test keys in development

🌍 Environment Separation

Development Environment

# Use sandbox environment
Base URL: https://sandbox-api.inpaycheckout.com
Secret Key: sk_test_your_test_key_here

Production Environment

# Use live environment
Base URL: https://api.inpaycheckout.com
Secret Key: sk_live_your_live_key_here

🚨 Error Handling

Invalid Secret Key

{
  "success": false,
  "message": "Invalid secret key format",
  "code": "INVALID_SECRET_KEY_FORMAT"
}

Authentication Failed

{
  "success": false,
  "message": "Invalid secret key",
  "code": "INVALID_SECRET_KEY"
}

Example Error Handling

JavaScript

try {
  const response = await fetch('https://api.inpaycheckout.com/api/v1/developer/health', {
    headers: {
      'Authorization': `Bearer ${process.env.INPAY_SECRET_KEY}`,
      'Content-Type': 'application/json'
    }
  });
  
  if (!response.ok) {
    const error = await response.json();
    throw new Error(`API Error: ${error.message}`);
  }
  
  const data = await response.json();
  console.log('API is healthy:', data);
} catch (error) {
  console.error('Authentication failed:', error.message);
}

Python

import requests
import os

try:
    response = requests.get(
        'https://api.inpaycheckout.com/api/v1/developer/health',
        headers={
            'Authorization': f'Bearer {os.getenv("INPAY_SECRET_KEY")}',
            'Content-Type': 'application/json'
        }
    )
    
    if not response.ok:
        error = response.json()
        raise Exception(f'API Error: {error["message"]}')
    
    data = response.json()
    print('API is healthy:', data)
    
except Exception as e:
    print('Authentication failed:', str(e))

🧪 Testing Your Authentication

Use the health check endpoint to verify your authentication:

curl -X GET https://api.inpaycheckout.com/api/v1/developer/health \
  -H "Authorization: Bearer sk_live_your_secret_key_here"

Expected Response:

{
  "success": true,
  "message": "Proxy server is healthy",
  "timestamp": "2025-09-14T10:30:00.000Z",
  "version": "1.0.0"
}

🔄 Key Rotation

When to Rotate Keys

Security Breach: If you suspect your key has been compromised
Regular Maintenance: Rotate keys every 90 days
Employee Changes: When team members with access leave
Environment Changes: When moving between development and production

How to Rotate Keys

Generate a new secret key in your dashboard
Update your application configuration
Test with the new key
Deactivate the old key
Monitor for any issues

📞 Need Help?

If you're having authentication issues:

Check your secret key format - ensure it starts with sk_live_ or sk_test_
Verify environment variables - make sure they're loaded correctly
Test with health endpoint - use the health check to verify authentication
Contact support - reach out to support@inpay.ng for assistance

Next Steps:

PayID Creation Guide - Create your first PayID
Virtual Accounts Guide - Set up virtual account payments
API Reference - Explore all available endpoints

🔑 Secret Key Authentication​

Secret Key Format​

🏗️ Getting Your Secret Key​

Step 1: Access Your Dashboard​

Step 2: Generate a New Key​

Step 3: Environment Setup​

Node.js Example​

Python Example​

PHP Example​

🔒 Security Best Practices​

✅ Do's​

❌ Don'ts​

🌍 Environment Separation​

Development Environment​

Production Environment​

🚨 Error Handling​

Invalid Secret Key​

Authentication Failed​

Example Error Handling​

JavaScript​

Python​

🧪 Testing Your Authentication​

🔄 Key Rotation​

When to Rotate Keys​

How to Rotate Keys​

📞 Need Help?​