SafePays API

Authentication

Learn how to authenticate with the SafePays API

API Key Authentication

The SafePays API uses API keys to authenticate requests. You can generate and manage your API keys from the SafePays Dashboard.

Obtaining Your API Key

  1. Log in to your SafePays Dashboard
  2. Navigate to Settings → API Keys
  3. Click Generate New API Key
  4. Give your key a descriptive name (e.g., "Production Server", "Development")
  5. Copy the key immediately - it won't be shown again

Important Security Notice

  • Never expose your API key in client-side code
  • Never commit API keys to version control
  • Rotate keys regularly for security
  • Use environment variables to store keys

Using Your API Key

Include your API key in the request body for all API calls:

cURL

curl -X POST https://app.safepays.com/api/customer \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "your_api_key_here",
    "name": "John Doe",
    "email": "john.doe@example.com"
  }'

JavaScript

const response = await fetch('https://app.safepays.com/api/customer', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    api_key: process.env.SAFEPAYS_API_KEY, // Use environment variable
    name: 'John Doe',
    email: 'john.doe@example.com'
  })
});

Python

import os
import requests
import json

api_key = os.environ.get('SAFEPAYS_API_KEY')  # Use environment variable

response = requests.post(
    'https://app.safepays.com/api/customer',
    headers={'Content-Type': 'application/json'},
    data=json.dumps({
        'api_key': api_key,
        'name': 'John Doe',
        'email': 'john.doe@example.com'
    })
)

PHP

<?php
$api_key = $_ENV['SAFEPAYS_API_KEY'];  // Use environment variable

$data = [
    'api_key' => $api_key,
    'name' => 'John Doe',
    'email' => 'john.doe@example.com'
];

$ch = curl_init('https://app.safepays.com/api/customer');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));

$response = curl_exec($ch);
curl_close($ch);
?>
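
Because the key travels in the JSON body rather than in a header, any code that logs request bodies will record it. The following is an added example, not part of the SafePays documentation: a helper and a `logging` filter that mask the `api_key` field before a body is logged. The `body` log attribute and the names `redact_body` and `RedactBodyFilter` are assumptions of this example.

```python
import json
import logging

REDACTED = "[REDACTED]"
SENSITIVE_FIELDS = {"api_key"}  # body field name used on this page


def redact(value):
    """Return a copy of a JSON-like structure with sensitive fields masked."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_FIELDS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_body(raw):
    """Redact a raw request body (str or bytes) so it is safe to log.

    A body that does not parse as JSON is dropped entirely, because the
    key could sit anywhere inside it.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    try:
        return json.dumps(redact(json.loads(raw)))
    except ValueError:
        return "[unparseable body omitted]"


class RedactBodyFilter(logging.Filter):
    """Masks the key in a 'body' attribute passed via logger.info(..., extra={'body': ...})."""

    def filter(self, record):
        body = getattr(record, "body", None)
        if body is not None:
            record.body = redact_body(body)
        return True  # never drop the record, only sanitize it
```

Attach the filter to the handler that writes request logs, so every record passing through it is sanitized regardless of which module emitted it.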

Authentication Errors

When authentication fails, you'll receive a 401 Unauthorized response:

{
  "error": "Invalid API Key"
}

Common causes:

  • Missing API key in request
  • Incorrect API key
  • Expired or revoked API key
  • API key from wrong environment (test vs production)

Best Practices

1. Use Environment Variables

Never hardcode API keys in your source code:

JavaScript

# .env file
SAFEPAYS_API_KEY=your_api_key_here

// Your application
require('dotenv').config();
const apiKey = process.env.SAFEPAYS_API_KEY;

Python

# .env file
SAFEPAYS_API_KEY=your_api_key_here

# Your application
from dotenv import load_dotenv
import os

load_dotenv()
api_key = os.getenv('SAFEPAYS_API_KEY')

PHP

# .env file
SAFEPAYS_API_KEY=your_api_key_here

// Your application
<?php
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
$api_key = $_ENV['SAFEPAYS_API_KEY'];
?>
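
To enforce this before a commit lands, the following added example (not SafePays code) scans text for a literal value assigned to the `api_key` body field or the `SAFEPAYS_API_KEY` variable, while ignoring environment lookups and the `your_api_key_here` placeholder used on this page. The function names and the masking format are assumptions; the key format is not documented here, so any non-placeholder literal is flagged.

```python
import re
import sys

PLACEHOLDERS = {"", "your_api_key_here"}  # placeholder used in the docs above

# "api_key": "literal" | api_key: 'literal' | 'api_key' => 'literal' | api_key = "literal"
QUOTED = re.compile(r"""api_key['"]?\s*(?::|=>|=)\s*(['"])(?P<val>[^'"]*)\1""", re.I)
# SAFEPAYS_API_KEY=literal in a .env file or shell export
DOTENV = re.compile(r"""^\s*(?:export\s+)?SAFEPAYS_API_KEY\s*=\s*['"]?(?P<val>[^'"\s#]*)""")


def mask(value):
    """Keep a short prefix so the finding is identifiable without re-leaking the key."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def find_hardcoded_keys(text):
    """Return [(line_number, masked_value)] for every hardcoded key literal in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in (QUOTED, DOTENV):
            m = pattern.search(line)
            if m and m.group("val") not in PLACEHOLDERS:
                findings.append((lineno, mask(m.group("val"))))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    # Pre-commit usage: pass the staged file paths as arguments.
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in find_hardcoded_keys(fh.read()):
                print(f"{path}:{lineno}: hardcoded SafePays API key ({masked})")
                failed = True
    sys.exit(1 if failed else 0)
```

A `.env` file holding a real key is flagged too, which is the intended result when that file is about to be committed.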

2. Secure Storage

  • Store API keys in secure key management services (AWS Secrets Manager, Azure Key Vault, etc.)
  • Use encrypted environment variables in production
  • Limit API key access to necessary personnel only

3. Key Rotation

Regularly rotate your API keys:

  1. Generate a new API key
  2. Update your application to use the new key
  3. Verify the new key is working
  4. Revoke the old key

4. Separate Keys for Environments

Use different API keys for:

  • Development
  • Staging
  • Production
  • Testing

This helps:

  • Prevent accidental production data modification
  • Track usage per environment
  • Improve security isolation

API Key Permissions

Currently, all API keys have full access to all endpoints. Future updates may include:

  • Read-only keys
  • Endpoint-specific permissions
  • IP whitelisting
  • Rate limit customization

Monitoring API Key Usage

You can monitor your API key usage from the dashboard:

  1. Go to Settings → API Keys
  2. Click on a key to view:
    • Request count
    • Last used timestamp
    • Error rate
    • Geographic distribution

Pro Tip: Set up alerts for unusual API key activity to detect potential security issues early.

Troubleshooting

Invalid API Key Error

If you receive an "Invalid API Key" error:

  1. Verify the key - Check you're using the correct key
  2. Check environment - Ensure you're using the right key for your environment
  3. Verify format - Keys should be exactly as provided (no extra spaces)
  4. Check expiration - Keys may be revoked or expired

Rate Limiting

API keys are subject to rate limits:

  • 1000 requests per minute
  • 10,000 requests per hour

See Rate Limits for more information.
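
A client-side limiter that stays under both limits, as an added example rather than SafePays code: it records send times and enforces 1000 requests per 60 seconds and 10,000 per 3600 seconds. Whether SafePays counts fixed or sliding windows is not stated on this page; sliding windows are assumed here as the stricter reading, and the class name `DualWindowLimiter` is hypothetical.

```python
import time
from bisect import bisect_right


class DualWindowLimiter:
    # (window length in seconds, max requests), taken from the limits listed above
    LIMITS = ((60.0, 1000), (3600.0, 10_000))

    def __init__(self, clock=time.monotonic, limits=LIMITS):
        self._clock = clock      # injectable so the limiter can be tested without sleeping
        self._limits = limits
        self._sent = []          # ascending timestamps of requests already sent

    def wait_time(self):
        """Seconds until one more request fits every window (0.0 if it fits now)."""
        now = self._clock()
        horizon = max(window for window, _ in self._limits)
        # Forget requests that have left even the longest window.
        del self._sent[:bisect_right(self._sent, now - horizon)]
        delay = 0.0
        for window, cap in self._limits:
            first_inside = bisect_right(self._sent, now - window)
            if len(self._sent) - first_inside >= cap:
                # A slot opens when the cap-th newest request leaves this window.
                blocking = self._sent[len(self._sent) - cap]
                delay = max(delay, blocking + window - now)
        return delay

    def try_acquire(self):
        """Record a request and return True if it is allowed right now, else False."""
        if self.wait_time() > 0:
            return False
        self._sent.append(self._clock())
        return True
```

Call `try_acquire()` before each request and sleep for `wait_time()` when it returns `False`; one limiter instance should be shared by every worker that uses the same key.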

Security Checklist

  • API keys stored in environment variables
  • Never committed to version control
  • Different keys for each environment
  • Regular key rotation schedule
  • Monitoring enabled for key usage
  • Keys stored securely in production
  • Access logs reviewed regularly
  • Alerts configured for anomalies
