Skip to main content

API keys

Securing API key


Store your API keys private and secure and do not share with someone you don't trust. Anyone with your API key can access all MobilePay APIs that are in scope of that key on behalf of you.

Keep in mind on securing keys:

  • Do not leave API keys in publicly accessible areas such as GitHub, client-side code, etc.
  • Delete your API keys if you suspect that unauthorized people know them. Note that deleted API keys will not work. In that case, you will need to create new API keys and update authorization headers.
  • Delete old API keys you are no longer using to avoid any external exposure.
  • Regenerate your API keys periodically.
  • Restrict your API key only to APIs you are going to use.

Get an API key

You can view and manage your API keys in the MobilePay portal. Meanwhile, sandbox keys are generated in the sandbox version of MobilePay portal and will be applicable only on sandbox environment.

When creating an API key you need to select APIs which will be accessible using this key. You can also assign it a name. Once API key is generated, it is not possible to change the scope or the name. Modifications must be carried out by creating a new API key. Lastly, you are fully responsible for managing the lifecycle of the keys you have created.


To perform successfull authorization provide:

  • API_Key - generated as described before (OAuth access token or Api key)
-H "Authorization: Bearer {API_Key}"