Authentication
The CardPlusPay API uses a single API key sent in a header. There is no OAuth or session-based login for the API.
Method
Include your API key on every request using the X-API-Key header:
X-API-Key: YOUR_API_KEY
Also send:
Accept: application/json
Content-Type: application/json
(Use Content-Type: application/json for request bodies on POST endpoints.)
Obtaining your API key
- Log in to the CardPlusPay Dashboard.
- Go to API Keys in the Dashboard and create or copy a key.
- Treat it like a password: anyone with the key can perform actions and spend balance on your account.
Security
- Server-side only — Call the API from your backend. Never put the API key in frontend JavaScript, mobile app source, or public repositories.
- Store securely — Read the key at runtime from an environment variable (e.g. CARDPLUSPAY_API_KEY) or a secrets manager, not from hardcoded strings or config files committed to version control.
- HTTPS only — All requests must go to https://api.cardpluspay.com. Do not send the key over plain HTTP.
- Rotation — If a key may be compromised, generate a new key in API Keys in the Dashboard and update your app; once the new key is deployed, revoke or delete the old one so it can no longer be used.
Advanced: request signing (optional)
Some accounts have request signing enabled for extra security. If your account uses it, you must send two additional headers with each request:
- X-API-Challenge — A challenge string (you obtain this from the challenge endpoint or as provided for your account).
- X-API-Signature — Base64-encoded RSA-SHA256 signature of the challenge string, signed with your private key. The server verifies it using the public key registered for your account.
Each challenge is single-use and time-limited (e.g. 5 minutes), so obtain a fresh challenge for every request, including retries; re-sending a challenge that has already been accepted or has expired will be rejected. If your API calls return 401 with a message about signature verification or missing X-API-Challenge / X-API-Signature, your account likely has this enabled. Contact support or check your Dashboard Security settings for how to obtain challenges and register your public key.
Invalid or missing key
If the key is missing, invalid, or inactive, the API returns 401 Unauthorized. The response body still uses the usual envelope:
{
"success": false,
"message": "Unauthorized",
"data": { ... }
}
Check that the header name is exactly X-API-Key and the value is the full key with no extra spaces or quotes.