Merchant integrations may use API Keys or OAuth tokens to secure access to the Nuapay APIs.
Two authentication approaches are available to merchant integrators to ensure the security of your sensitive data. Both methods use Secure Sockets Layer (SSL) over the HTTPS protocol:
- API Keys
- OAuth Tokens
API Key Authentication
Access to the API is controlled by HTTP Basic authentication.
An API Key will be issued to you when you are onboarded, or you may generate your own via the Nuapay Console. As part of the onboarding process, you will also be required to provide the Onboarding team with a list of allowed IP addresses (or configure these yourself - see Allowed-IP Configuration). This is a whitelist of IP addresses for your business. Any API requests not originating from one of the whitelisted IP addresses will be rejected.
When generating an API request:
- In all your API requests, provide your API key as the Basic authentication username, encoded in Base64.
- A password is not required; however, the request must be made from an allowed IP address.
API authentication header format:
Authorization: Basic Base64(<API_Key>:)
Example
To generate a Base64-encoded HTTP header (“Authorization: Basic {Base64(API_KEY:)}”) for use in your requests:
- Given the following API Key:
APIKey = bb09c2b6a9478720765c757a8bcadf1aa1fb31554566a21118c9c75e26c29686
- Encode the key, followed by a colon, in Base64 (note that the colon (:) is required):
bb09c2b6a9478720765c757a8bcadf1aa1fb31554566a21118c9c75e26c29686:
- The HTTPS header will then be:
"Authorization: Basic YmIwOWMyYjZhOTQ3ODcyMDc2NWM3NTdhOGJjYWRmMWFhMWZiMzE1NTQ1NjZhMjExMThjOWM3NWUyNmMyOTY4Njo="
Note: All API requests must be made over HTTPS; calls made over HTTP will fail. Note too that all API requests must be authenticated.
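The steps above as an added Python example (not Nuapay's own code): it builds the header from the sample key on this page, checks a header value for the usual formatting mistakes such as a missing colon, and refuses to attach the key to a non-HTTPS URL. The function names are illustrative assumptions.

```python
import base64
import binascii
import urllib.request
from urllib.parse import urlsplit

# Sample key printed on this page (documentation value, not a live credential).
DOC_API_KEY = "bb09c2b6a9478720765c757a8bcadf1aa1fb31554566a21118c9c75e26c29686"


def basic_auth_header(api_key: str) -> str:
    """Return the header value in the documented form: Basic Base64(<API_Key>:)."""
    if not api_key or ":" in api_key or api_key != api_key.strip():
        raise ValueError("API key must be non-empty, with no ':' or surrounding whitespace")
    # The trailing colon separates the username (the key) from the empty password.
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def check_header(value: str) -> str:
    """Return 'ok', or the reason the value does not match the documented format."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return "not a Basic credential"
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return "token is not valid Base64"
    user, colon, password = decoded.partition(":")
    if not colon:
        return "missing ':' after the API key"
    if password:
        return "unexpected password after ':'"
    return "ok" if user else "empty API key"


def build_request(url: str, api_key: str) -> urllib.request.Request:
    """Build (without sending) an authenticated request; refuse plain HTTP."""
    # Base64 is an encoding, not encryption: over HTTP the key would travel in clear.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to attach the API key to a non-HTTPS URL")
    return urllib.request.Request(url, headers={"Authorization": basic_auth_header(api_key)})


if __name__ == "__main__":
    header = basic_auth_header(DOC_API_KEY)
    print("Authorization:", header)
    print("check:", check_header(header))
    # Common mistake: encoding the key without the trailing colon.
    print("check:", check_header("Basic " + base64.b64encode(DOC_API_KEY.encode()).decode()))
```

Because the Base64 token decodes straight back to the API key, treat the whole header value as a secret and keep it out of logs and error messages.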
Token Authentication
- It is also possible to use OAuth tokens to secure your requests, rather than your API Key.
- OAuth Tokens offer greater flexibility to manage access to specific resources as they can be protected by Scopes.
- See Token Authentication for more details.
Note that it is possible to carry out the following operations, as described in the Token Management section: