API Authentication & Authorization

GoodPay uses HMAC-SHA512 API keys to authenticate and authorize all API requests. There are no unauthenticated endpoints—every request must include a valid API key with the appropriate scope.

This ensures both secure server-to-server communication and fine-grained permission control.

API Key Environments

Coming soon

Allow-listed organisations will be able to self-onboard and get their API Keys.

Environment	How to Access
Demo	Open to all. Use this test key for the `fauxbank` issuer: `Lg2vWofw8_K5RSrCmU_2BlrkIGXxh0rH-p_iCT2Q6Tr-tUPJXAERlJHZCSiKlYu6hJqUEMbctrW0vmq0ebX-wQ`
Sandbox	Request keys by emailing support@getgoodpay.com from your work email.
Production	Same as Sandbox: email support@getgoodpay.com from your work email to request production credentials.

Authenticating Requests

Include the following header in all requests:

Header	Value
`X-API-KEY`	Your API key

Example:

GET /v1/issuer/uk-domestic-bank-details HTTP/1.1
Host: demo.goodpay.dev
Accept: application/json
X-API-KEY: Lg2vWofw8_K5RSrCmU_2BlrkIGXxh0rH-p_iCT2Q6Tr-tUPJXAERlJHZCSiKlYu6hJqUEMbctrW0vmq0ebX-wQ

warning

Never expose your API keys in client-side code. Store them securely in your server environment to prevent misuse and data breaches.

API Key Environments​

Authenticating Requests​

Example:​

API Key Environments

Authenticating Requests

Example: