Authentication
Learn how to authenticate with the Payzava API
All Payzava API requests are authenticated using an API key passed in the
x-api-key header.
API Key
Include your API key in every request header:
x-api-key: sk_sandbox_X7k-aB3cDeFgHiJkL-mN9
Production vs Sandbox keys
| Key prefix | Environment | Base URL |
|---|---|---|
public- | Production | https://prod.payzava.com/cp/api/v1 |
sk_sandbox_ | Sandbox | https://sandbox.payzava.com/cp/api/v1 |
Sandbox keys only work with the sandbox base URL. Production keys only
work with the production base URL. Mixing them returns a 401 error.
Getting your API key
- Log in to your Payzava Dashboard (or Sandbox Dashboard for testing)
- Navigate to Settings → Development Info
- Copy your API key
Rate limits
| Scope | Limit |
|---|---|
| Per endpoint | 30 requests per minute |
| Global | 300 requests per 5 minutes |
When you exceed the rate limit, the API returns a 429 Too Many Requests
response. Wait before retrying.
Error responses
Missing API key
{
"success": false,
"message": "x-api-key header is required"
}
HTTP Status: 401 Unauthorized
Invalid API key
{
"success": false,
"message": "Invalid API key"
}
HTTP Status: 401 Unauthorized
Wrong environment key
{
"success": false,
"message": "Sandbox key cannot be used in production"
}
HTTP Status: 401 Unauthorized
Security best practices
- Never expose your API key in frontend code. Always make API calls from your server.
- Store keys in environment variables, not in source code.
- Rotate keys if you suspect they have been compromised. You can regenerate keys from the dashboard.
- Use sandbox keys during development and testing.