Supported credentials

The auth middleware accepts either:
  • Authorization: Bearer <token>
  • x-api-key: <api-key>
It also accepts apikey and the apiKey query parameter for compatibility, but header-based authentication is the recommended approach for production integrations: query strings are routinely captured in access logs, proxy logs and browser history, so a key sent that way is far more likely to be exposed.
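As an added illustration (not the PayGen middleware's own code), the following Python extractor recognises the credential forms listed above and records when a key arrives via the compatibility query parameters; the function names, the Credential type and the header-before-query precedence are assumptions.

```python
"""Illustrative credential extraction for a middleware that accepts
Authorization: Bearer <token>, x-api-key: <key>, or the apikey/apiKey
query parameters kept for compatibility. Added example; names and the
header-before-query precedence are assumptions, not the real middleware."""
import logging
from dataclasses import dataclass
from typing import Mapping, Optional

log = logging.getLogger("auth")


@dataclass(frozen=True)
class Credential:
    kind: str    # "bearer" or "api_key"
    value: str
    source: str  # "header" or "query"


def extract_credential(headers: Mapping[str, str],
                       query: Mapping[str, str]) -> Optional[Credential]:
    """Return the presented credential, preferring headers over query params.

    Header names are matched case-insensitively (HTTP header names are);
    query parameter names are matched exactly as documented: apikey, apiKey.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return Credential("bearer", token.strip(), "header")
    key = h.get("x-api-key", "").strip()
    if key:
        return Credential("api_key", key, "header")
    # Compatibility path: query strings end up in access logs, proxies and
    # referrers, so flag keys that arrive this way for later review.
    for name in ("apikey", "apiKey"):
        key = query.get(name, "").strip()
        if key:
            log.warning("API key supplied via query parameter %r; "
                        "prefer the x-api-key header", name)
            return Credential("api_key", key, "query")
    return None


def is_header_based(cred: Optional[Credential]) -> bool:
    """True when the credential follows the recommended header-based form."""
    return cred is not None and cred.source == "header"
```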

Bearer tokens

Use bearer tokens when your integration is operating with a server-managed session or delegated API access. Example:
curl -X GET "https://api-dev.paygen.online/cards" \
  -H "Authorization: Bearer <jwt>"

API keys

Use API keys for server-to-server access to public resources such as:
  • cards
  • card holders
  • accounts
  • events
Example:
curl -X GET "https://api-dev.paygen.online/cards" \
  -H "x-api-key: <client_api_key>"

Important behavior

  • Authentication support can vary by endpoint, so check the API reference before hard-coding a single credential type across your integration.
  • Header-based authentication is the recommended approach for production traffic.

Security recommendations

  • Store API keys in a secrets manager.
  • Set source IP restrictions on issued API keys when your environment supports it.
  • Prefer expiring keys for temporary integrations.
  • Rotate keys after incidents, staff changes, or environment migrations.