JCPay· Authentication
Sign in

Authentication

All requests to /v1/* require a secret API key sent in the Authorization header. Never expose your sk_live_* keys publicly — only use them from trusted server code.

Authorization: Bearer sk_test_abc123...

Environments

Every merchant has two key pairs:

  • pk_test_ / sk_test_ — routes to the JCPay sandbox (MockProvider).
  • pk_live_ / sk_live_ — routes to real payment providers configured by the platform.

Test-mode operations are fully isolated from live. A sk_test_ key cannot read, modify, or refund live payments.

Scopes

Keys carry scopes: read (GET endpoints) and write (POST/PATCH/DELETE). Generate read-only keys for reporting tools.

IP allowlist

Optional per-key. If set, requests from IPs outside the list return 403 ip_not_allowed. Useful for locking live keys to your production servers.

Rate limits

100 requests per minute per API key by default. Exceeded requests return 429 with a Retry-After header.