API Reference

Authentication

Authenticate merchant GraphQL and REST requests with an API key argument.

How it works

Pass your API key as the apiKey argument on each GraphQL operation:

GraphQL
query GetQueriesLeft($apiKey: String!) {
getQueriesLeft(apiKey: $apiKey) {
code
message
queriesLeft
}
}
JSON
{
"query": "query GetQueriesLeft($apiKey: String!) { getQueriesLeft(apiKey: $apiKey) { code message queriesLeft } }",
"variables": { "apiKey": "YOUR_API_KEY" }
}

REST

For POST /create-payment, send apiKey in the JSON body:

JSON
{
"apiKey": "YOUR_API_KEY",
"amount": 25.5
}

Checkout REST helpers (POST /pay, POST /cancel-payment, GET /orders/:txnid) authenticate by `txnid` ownership on the transaction, not an API key header.

Query quota

  • Invalid or missing key → typically 401
  • queriesLeft <= 0 on debiting operations → 402 (query limit exceeded)
  • Check balance with getQueriesLeft (does not debit)
  • Top up with rechargeApiKey

Security notes

  • Treat your API key like a password.
  • Never commit keys to source control or expose them in client-side browser code.
  • Prefer server-to-server calls from your backend.
  • Rotate compromised keys with revokeApiKey.