API Authentication
Learn how to authenticate your API requests
Overview
Payzo uses API keys to authenticate requests. Your API key identifies your shop and authorizes you to create and manage payments.
Getting Your API Key
- Log in to your Dashboard
- Navigate to Shops
- Create a new shop or select an existing one
- Copy your API Key (starts with c2c_live_)
Authentication Methods
Payzo supports two authentication methods:
Method 1: Authorization Header (Recommended)
Include your API key in the Authorization header with the Bearer scheme:
Authorization: Bearer YOUR_API_KEY
Example Request
curl https://payzo.cc/api/v1/payments \
  -H "Authorization: Bearer c2c_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 1000,
    "success_url": "https://yoursite.com/success"
  }'
Node.js Example
const response = await fetch('https://payzo.cc/api/v1/payments', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.PAYZO_API_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    amount: 1000,
    success_url: 'https://yoursite.com/success'
  })
});
Python Example
import os
import requests

response = requests.post(
    'https://payzo.cc/api/v1/payments',
    headers={
        'Authorization': f'Bearer {os.getenv("PAYZO_API_KEY")}',
        'Content-Type': 'application/json'
    },
    json={
        'amount': 1000,
        'success_url': 'https://yoursite.com/success'
    }
)
Method 2: X-API-Key Header
Alternatively, use the X-API-Key header:
X-API-Key: YOUR_API_KEY
Example Request
curl https://payzo.cc/api/v1/payments \
  -H "X-API-Key: c2c_live_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 1000,
    "success_url": "https://yoursite.com/success"
  }'
Testing Authentication
Test your API key with a simple request:
curl https://payzo.cc/api/v1/payments \
  -H "Authorization: Bearer YOUR_API_KEY"
Success Response (200):
{
  "data": [],
  "has_more": false,
  "total": 0
}
Error Response (401):
{
  "error": "Invalid API key"
}
Security Best Practices
Never Expose Your API Key
Never include API keys in:
- Public repositories (GitHub, GitLab, etc.)
- Client-side code (JavaScript in browsers)
- Public forums or support tickets
- Mobile app source code
Use Environment Variables
Store API keys in environment variables:
# .env file
PAYZO_API_KEY=c2c_live_1234567890abcdef
PAYZO_WEBHOOK_SECRET=whsec_abcdef123456
// Load from environment
const apiKey = process.env.PAYZO_API_KEY;
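One way to catch a hardcoded key before it reaches a repository, log, or support ticket is to scan text for the credential prefixes used on this page. This is an added example, not Payzo's code; it assumes a credential is the `c2c_live_` or `whsec_` prefix followed by at least 8 alphanumeric characters (the page documents only the prefixes), and the names `scanText`, `redact`, and `checkout.js` are hypothetical.

```javascript
// Added example (not Payzo code): find Payzo credentials in text before it is
// committed, logged, or pasted into a ticket.
// Assumption: a credential is a documented prefix followed by 8+ alphanumeric
// characters; the page documents only the prefixes, not the full format.
const SECRET_PREFIXES = [
  { kind: 'api_key', prefix: 'c2c_live_' },
  { kind: 'webhook_secret', prefix: 'whsec_' },
];

// Keep the prefix and last 4 characters so a finding can be traced to a key
// without repeating the secret in scanner output.
function redact(secret, prefix) {
  const hidden = secret.length - prefix.length - 4;
  return prefix + '*'.repeat(hidden) + secret.slice(-4);
}

// Return one finding per credential literal: { source, line, kind, redacted }.
function scanText(text, source = '<input>') {
  const findings = [];
  text.split(/\r?\n/).forEach((content, index) => {
    for (const { kind, prefix } of SECRET_PREFIXES) {
      const pattern = new RegExp(`\\b${prefix}[A-Za-z0-9]{8,}`, 'g');
      for (const match of content.matchAll(pattern)) {
        findings.push({ source, line: index + 1, kind, redacted: redact(match[0], prefix) });
      }
    }
  });
  return findings;
}

// Constructed sample: the page's placeholder credentials in a hypothetical file.
const SAMPLE = [
  "const ok = process.env.PAYZO_API_KEY;            // no literal, not flagged",
  "const doc = 'Bearer c2c_live_...';               // elided, not flagged",
  "const bad = 'Bearer c2c_live_1234567890abcdef';  // hardcoded key",
  "PAYZO_WEBHOOK_SECRET=whsec_abcdef123456",
].join('\n');

for (const f of scanText(SAMPLE, 'checkout.js')) {
  console.log(`${f.source}:${f.line} ${f.kind} ${f.redacted}`);
}
```

Run `scanText` over staged file contents in a pre-commit hook or CI job and fail the build when it returns any findings.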
Rotate Keys if Compromised
If your API key is exposed:
- Delete the compromised shop in your dashboard
- Create a new shop with fresh credentials
- Update your application with the new API key
Server-Side Only
Always make API requests from your server, not from client-side JavaScript:
// Bad: client-side (browser)
// API key exposed in the browser!
fetch('https://payzo.cc/api/v1/payments', {
  headers: {
    'Authorization': 'Bearer c2c_live_...' // Exposed!
  }
});

// Good: server-side
// Your frontend calls YOUR backend
fetch('/your-api/create-payment', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ amount: 1000 })
});

// Your backend makes the Payzo API call
// (assumes an Express app with express.json() enabled so req.body is parsed)
app.post('/your-api/create-payment', async (req, res) => {
  const response = await fetch('https://payzo.cc/api/v1/payments', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.PAYZO_API_KEY}`, // Secure: key stays on the server
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(req.body)
  });
  // Relay Payzo's status code and JSON body to the frontend
  res.status(response.status).json(await response.json());
});
Error Responses
401 Unauthorized
Missing or invalid API key:
{
  "error": "Invalid API key"
}
Solution: Check that your API key is correct and properly formatted in the headers.
403 Forbidden
Account inactive or suspended:
{
  "error": "Seller account is inactive"
}
Solution: Ensure your seller account is approved and active. Contact support if needed.