DocsAuthentication

Authentication

Learn how to authenticate your requests to the PayHub API and manage your API keys securely.

API Keys

PayHub uses API keys to authenticate requests. You can view and manage your API keys in the Dashboard.

Sandbox Keys

Prefix: sk_test_

Use for development and testing. No real transactions.

Production Keys

Prefix: sk_live_

Use for live transactions. Handle with care!

Keep your API keys secure

Never commit API keys to version control
Use environment variables to store keys
Rotate keys periodically and if compromised
Use different keys for different environments

Bearer Token Authentication

Include your API key in the Authorization header as a Bearer token:

Terminal

curl https://api.payhub.io/v1/payments \
  -H "Authorization: Bearer sk_live_your-api-key-here"

All API requests must be made over HTTPS. Requests made over plain HTTP will fail.

SDK Authentication

When using the SDK, pass your API key when initializing the client:

app.ts

import { PayHubClient } from '@payhub/sdk';

const client = new PayHubClient({
  apiKey: process.env.PAYHUB_API_KEY,
  environment: 'production',
});

Environment Variables

Store your API keys in environment variables:

.env

# .env file
PAYHUB_API_KEY=sk_live_your-api-key-here
PAYHUB_WEBHOOK_SECRET=whsec_your-webhook-secret-here

Environments

Environment	Base URL	Description
Sandbox	https://sandbox.api.payhub.io	Testing environment with testnet tokens
Production	https://api.payhub.io	Live environment with real transactions

Webhook Secrets

Webhook secrets are used to verify that webhook payloads are genuinely from PayHub. Each webhook endpoint has its own secret that you can find in the Dashboard.

Learn more about webhook verification in the Webhooks documentation.

Authentication Errors

401Unauthorized

The API key is missing, invalid, or has been revoked.

403Forbidden

The API key doesn't have permission to perform the requested action.

Quickstart Payments