Authentication

Learn how to authenticate with the Payzava API

All Payzava API requests are authenticated using an API key passed in the x-api-key header.

API Key

Include your API key in every request header:

x-api-key: sk_sandbox_X7k-aB3cDeFgHiJkL-mN9

Production vs Sandbox keys

Key prefixEnvironmentBase URL
public-Productionhttps://prod.payzava.com/cp/api/v1
sk_sandbox_Sandboxhttps://sandbox.payzava.com/cp/api/v1

Sandbox keys only work with the sandbox base URL. Production keys only work with the production base URL. Mixing them returns a 401 error.

Getting your API key

  1. Log in to your Payzava Dashboard (or Sandbox Dashboard for testing)
  2. Navigate to Settings → Development Info
  3. Copy your API key

Rate limits

ScopeLimit
Per endpoint30 requests per minute
Global300 requests per 5 minutes

When you exceed the rate limit, the API returns a 429 Too Many Requests response. Wait before retrying.

Error responses

Missing API key

{
  "success": false,
  "message": "x-api-key header is required"
}

HTTP Status: 401 Unauthorized

Invalid API key

{
  "success": false,
  "message": "Invalid API key"
}

HTTP Status: 401 Unauthorized

Wrong environment key

{
  "success": false,
  "message": "Sandbox key cannot be used in production"
}

HTTP Status: 401 Unauthorized

Security best practices

  • Never expose your API key in frontend code. Always make API calls from your server.
  • Store keys in environment variables, not in source code.
  • Rotate keys if you suspect they have been compromised. You can regenerate keys from the dashboard.
  • Use sandbox keys during development and testing.