Xendit API Keys
Xendit authenticates your API requests using your account's API keys. If you do not include your key when making an API request, or use one that is incorrect or deleted, Xendit returns an error.
There are two types of API Key in Xendit:
- Secret API key: A secret key can perform any API request to Xendit on behalf of your account. Keep your secret keys confidential and store them only on your own servers.
- Public API key: Public keys are meant to identify your account with Xendit. In other words, they can safely be published in places like your Xendit.js JavaScript code or in an Android or iPhone app. Public keys only have the power to create tokens and authenticate for Cards.
How Can I Generate My API Key?
You can generate an API Key for your integration by following the steps below:
- Make sure that the email you use when logging in to the dashboard has "Developer" access;
  - Click here to find out more regarding team member permission;
- Make sure you are in the right environment ("Live Mode" or "Test") using the toggle in the top right corner;
  - Put the toggle in "Live Mode" if you wish to generate an API Key for Live / Production Mode, where you will integrate to transact with real money;
  - Put the toggle in "Test Mode" if you wish to generate an API Key for Test / Sandbox Mode, where you will integrate just to do transaction testing with fictional money;
- Visit the API Key page on the Settings tab of the Dashboard;
- Decide which API Key you are generating:
Public API Key
- Click "copy" on the blue button under "Public Key"
- Your public API Key would start with "xnd_public"
Secret API Key
- Click "Generate secret key" on the blue button under "Secret keys"
- Input the desired name of the API Key
  - The API Key Name can contain up to 15 alphanumeric characters;
  - The API Key Name cannot be the same as that of another generated API Key;
- Select the API key permission
  - Pay attention to the permission: each API Key has a permission for each product, which you can configure.
  - There are three types of API key permission:
    - None: No product access granted, meaning you forbid your API key to perform any action.
    - Read: Grants read-only access to fetch data using the API of a specific product. You'll grant Read access if you only need to, for example, get your account balance or get payment detail.
    - Write: Grants the ability to read and write data using the API. You'll grant Write access if you want to read or perform actions, e.g. create Invoice, create Disbursement, get VA, etc.
  - If you do not use the specified product, please set the permission to None as a security measure, to prevent any unrecognized transaction in case the API Key is leaked.
  - Instant-Activated merchants can only pick None for Money-out product permission in order to be able to generate an API Key.
    - If Instant-Activated merchants try to generate an API Key with Read or Write as the permission for Money-out products, you would encounter a "User is not authorized" error;
    - You would be able to generate an API Key with Read or Write for Money-out product permission once we are done verifying your account's legal documents and when you are LIVE;
- Enter your user password to authenticate yourself
- Your secret API Key would start with "xnd_production" for LIVE Secret API Key, and "xnd_development" for TEST Secret API Key;
- Save the API key securely and apply the new API key to your system
  - Please note that the created Secret API Key cannot be viewed again once it has been created;
  - If you forgot or misplaced your Secret API Key, please delete the created API Key and make a new one.
How Can I Integrate My API Key into My System?
- Copy the generated API key;
- Use Basic Access Authentication (`BASIC AUTH`) as the authentication method in your server;
  - Below is the format of `BASIC AUTH`: `{{username}}:{{password}}`
- Input your API key into `username`, and leave `password` blank;
- Make sure NOT to leave `:` at the back;
Optional:
- Encode the value using Base64 (https://www.base64encode.org/)
- Input the generated Base64-encoded value into the `Authorization` header
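The header construction from the steps above, as an added example in Python (not Xendit's own code). It encodes on your own server rather than in a website, takes the key as `username` with no trailing `:` so that the only colon comes from the `{{username}}:{{password}}` format, and prepends the `Basic ` scheme name defined in RFC 7617; the `XENDIT_SECRET_KEY` variable name, the function names and the sample key are assumptions made for the example.

```python
import base64
import os

# Key prefixes stated on this page, mapped to what each key is for.
PREFIXES = {
    "xnd_public": "public",
    "xnd_production": "live-secret",
    "xnd_development": "test-secret",
}

def classify_key(api_key):
    """Return the key type from its prefix, or raise if it is not recognised."""
    for prefix, kind in PREFIXES.items():
        if api_key.startswith(prefix):
            return kind
    raise ValueError("unrecognised API key prefix")

def basic_auth_header(api_key, expect="test-secret"):
    """Build the Authorization header value: key as username, blank password."""
    api_key = api_key.strip()  # drop whitespace or a newline picked up when copying
    if ":" in api_key:
        # The colon is the username/password separator, never part of the key.
        raise ValueError("API key must not contain ':'")
    kind = classify_key(api_key)
    if kind != expect:
        # Catches a live key in a test deployment, or a public key used server-side.
        raise ValueError(f"expected a {expect} key, got a {kind} key")
    username, password = api_key, ""
    credentials = f"{username}:{password}".encode("ascii")
    # "Basic " is the scheme name from RFC 7617 (not spelled out on this page).
    return "Basic " + base64.b64encode(credentials).decode("ascii")

def redact(api_key):
    """Reduce a key to its prefix so log lines never contain the secret part."""
    for prefix in PREFIXES:
        if api_key.startswith(prefix):
            return prefix + "_***"
    return "***"

if __name__ == "__main__":
    # XENDIT_SECRET_KEY is a hypothetical variable name; the fallback is a constructed key.
    key = os.environ.get("XENDIT_SECRET_KEY", "xnd_development_EXAMPLEONLY")
    print("using key", redact(key))
    print("Authorization:", basic_auth_header(key, expect=classify_key(key)))
```

Reading the key from the environment keeps it out of source control, and passing `expect="live-secret"` only in the production deployment makes a misplaced key fail at startup instead of at the first transaction.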
For more information about API Keys in Xendit, see our Knowledge Documentation below for a more complete reference: