Authentication

All requests to the Dotapay API must be authenticated. Authentication identifies which Dotapay integration a request belongs to and determines whether it’s authorized to perform the requested action.

The Dotapay API uses API keys to authenticate requests. Every request must include your secret key in the request header.

API keys

Every Dotapay integration provides two types of API keys for each environment:

| Type | Prefix | Description |
|------|--------|-------------|
| Public Key | PUB_ | Used on the frontend when integrating using Dotapay Inline and in our Mobile SDKs only. By design, public keys can only initiate transactions to your account. |
| Secret Key | PRV_ | Used on the backend when making API requests. The secret keys must be stored securely. |

You can find your API keys in the API Keys & Webhooks section of the Dotapay Dashboard.

It's good practice to rotate your API keys periodically to enhance security. You can rotate your keys by generating new ones in the API Keys & Webhooks section of the Dotapay Dashboard. If you suspect that your secret key has been compromised, you should rotate it immediately.

Authorization headers should be in the following format: DPPRIVATEKEY: SECRET_KEY

Sample Authorization Header

DPPRIVATEKEY: SECRET_KEY

API requests made without authentication fail with the status code 401: Unauthorized. All API requests must be made over HTTPS.

Test and live modes

Dotapay provides two separate environments for integration:

  • Test mode – For development and quality assurance. Transactions and API calls here don't involve real money.

  • Live mode – For production. Transactions and settlements are real and processed through your live Dotapay account.

Each environment has its own set of public and secret keys. Test keys are prefixed with PUB_DP_DEMO_ and PRV_DP_DEMO_, while live keys are prefixed with PUB_DP_ and PRV_DP_.

Test mode limitations

The test environment aims to closely mirror live behavior, but not all features are available. For example, settlements aren't processed in test mode, and some payment channels are unavailable.

Key management best practices

  • Never embed your secret key in frontend code, mobile apps, or public repositories.

  • Store keys securely using environment variables or a secrets manager.

  • Rotate keys periodically, and immediately if you suspect exposure.

  • Restrict who can view or manage API keys in your Dashboard.
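
The following Python example is added here and is not Dotapay's own code: it reads the secret key from an environment variable, checks its documented prefix against the mode the deployment expects, refuses public keys and non-HTTPS URLs, and builds the DPPRIVATEKEY header. The variable name DOTAPAY_SECRET_KEY, the function names, the sample key and the example.invalid URL are assumptions.

```python
import os
from urllib.parse import urlsplit

# Prefixes as documented on this page. DEMO prefixes come first because the
# live prefixes (PRV_DP_, PUB_DP_) are also the start of the test ones.
PREFIXES = [
    ("PRV_DP_DEMO_", "secret", "test"),
    ("PUB_DP_DEMO_", "public", "test"),
    ("PRV_DP_", "secret", "live"),
    ("PUB_DP_", "public", "live"),
]

def classify_key(key):
    """Return (kind, mode) for a key, or raise ValueError if no prefix matches."""
    for prefix, kind, mode in PREFIXES:
        if key.startswith(prefix) and len(key) > len(prefix):
            return kind, mode
    raise ValueError("value does not look like a Dotapay API key")

def redact(key):
    """Keep only the documented prefix so the value is safe to log."""
    for prefix, _, _ in PREFIXES:
        if key.startswith(prefix):
            return prefix + "***"
    return "***"

def auth_headers(url, expected_mode, env=os.environ):
    """Build the DPPRIVATEKEY header for a backend request.

    DOTAPAY_SECRET_KEY is an assumed environment variable name.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("API requests must be made over HTTPS")
    key = env.get("DOTAPAY_SECRET_KEY", "").strip()
    if not key:
        raise ValueError("DOTAPAY_SECRET_KEY is not set")
    kind, mode = classify_key(key)
    if kind != "secret":
        raise ValueError(f"{redact(key)} is a public key; backend calls need a PRV_ key")
    if mode != expected_mode:
        raise ValueError(f"{redact(key)} is a {mode} key but this deployment expects {expected_mode}")
    return {"DPPRIVATEKEY": key}

if __name__ == "__main__":
    demo_env = {"DOTAPAY_SECRET_KEY": "PRV_DP_DEMO_constructed123"}  # constructed sample key
    url = "https://api.example.invalid/ping"  # placeholder URL, not a real endpoint
    print(list(auth_headers(url, "test", env=demo_env)))
```

Error messages only ever contain the redacted prefix, so a misconfigured key does not end up in logs.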
