Authentication

How to authenticate API requests with your route API key.

API Keys

Every route has a unique secret API key, issued when you create the route. The key identifies which app and route a payment belongs to, so treat it like a password: store it as a server-side secret and rotate it from the dashboard if it leaks.

Making Requests

Pass the key in the x-api-key header. Requests without a valid key are rejected with 401 Unauthorized.

POST /api/init-payment
Content-Type: application/json
x-api-key: YOUR_API_KEY

Rate limits

Payment initialization is rate limited per key. If you exceed the limit you receive 429 Too Many Requests with a Retry-After header — back off and retry.

Test vs Live

An app is either in test or live mode, toggled from the dashboard. Test mode uses platform sandbox credentials and simulates payments; live mode uses your own connected credentials and moves real money. The same API key works in both — the app's mode decides the behavior.