Skip to main content

Authentication

SwiftPay uses API keys to authenticate requests. You can view and manage your API keys in the Dashboard.

API Keys

Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

Key Format

All API keys follow this format: 
mp_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • mp_ - Prefix identifying SwiftPay keys
  • live_ - Environment indicator (all keys are live)
  • xxxxxxxx... - Unique key identifier

Authentication Header

Authentication to the API is performed via the Authorization header with the Bearer scheme: 
Authorization: Bearer mp_live_your_api_key

curl https://api.swiftpay.cx/api/balance \
  -H "Authorization: Bearer mp_live_your_api_key"

Security Best Practices

Store your API keys in environment variables or a secure secrets manager. Never hardcode them in your application. bash # .env file SWIFTPAY_API_KEY=mp_live_your_api_key
API keys should only be used in server-side code. Never expose them in client-side JavaScript, mobile apps, or browser extensions.
Rotate your API keys periodically and immediately if you suspect they’ve been compromised. You can create new keys in the dashboard.
If you have staging and production environments, use separate API keys for each to isolate any issues.

Authentication Errors

Error CodeDescription
401No API key provided or invalid key format
403Valid key but insufficient permissions
{
  "success": false,
  "error": {
    "type": "unauthenticated",
    "message": "Invalid API key provided",
    "requestId": "req_abc123"
  }
}

Session Authentication

In addition to API keys, SwiftPay also supports session-based authentication for dashboard access. This is used automatically when you’re logged into the dashboard.
API keys are the recommended authentication method for programmatic access. Session authentication is only used for the web dashboard.