OutpayDocs
API reference

API authentication

Authenticate public v1 requests with a merchant-scoped bearer key.

See authentication for key creation, rotation, and scope guidance. This page covers the request-level contract.

curl "$OUTPAY_API_BASE_URL/api/v1/payments" \
  -H "Authorization: Bearer $OUTPAY_API_KEY"

The server hashes the secret portion of the key for comparison, checks the API key's active status and the merchant's status, then updates the key's last_used_at timestamp. Comparison is timing-safe, and an invalid prefix or secret both return the same 401 INVALID_API_KEY response — no detail is leaked about which part of the credential was wrong.

No public-key or browser-based authentication flow exists in the current route handlers. Do not place a secret key in a React component, a browser bundle, or any client-side environment variable.

  • Authentication — key format, scopes, and rotation.
  • Errors — authentication and authorization error codes.

On this page