
Authentication

To call the KidaPay API (e.g. CreateOrder) from your website or application, authentication is required.


πŸ” API Server-Side Authentication​

Keep your API key private!

All API calls must be made server-to-server from a secure and trusted environment (your backend).
Never expose API keys directly in frontend web or mobile apps.

Authentication Header

HTTP Header: 
'x-api-key': 'API_KEY_FROM_MERCHANT_PORTAL'

Get the API key from the Merchant Portal.


βš™οΈ API Key Lifecycle​

1. Creating an API Key

  • Log in to the Merchant Portal
  • Go to API Settings → API Keys
  • Click Generate Key
  • A unique API key will be created automatically

Each generated key is tied to either Sandbox or Live environments, depending on your selection during creation.

2. Editing API Keys

Once an API key has been generated, you can update its configuration:

  • Webhook URL: Define or update the webhook URL to receive payment event notifications (e.g. order status updates).

3. Activating & Deactivating API Keys

You can toggle the status of any API key between Active and Inactive:

  • Active → The key is valid and can be used for requests.
  • Inactive → The key is disabled, and all requests with this key will be rejected.

This is useful for temporarily pausing access (e.g. during maintenance or integration changes) without deleting the key.

4. Deleting API Keys

  • Permanently removes the API key
  • Once deleted, the key cannot be recovered
  • Any system using the deleted key will immediately lose access

⚠️ Be extra careful when deleting live keys that are actively used in production.

🌍 Environment-Based Keys

KidaPay provides separate keys for Test (Sandbox) and Live environments. This ensures you can safely test integrations before going live.

Sandbox (test transactions): test_O89dfT0rdQwkLqHYwC8btg86wMFue75T

Live (real transactions): prod_sNtLeAFDQnG6X8YpUY49bDv1Si6RSxsW

Never reuse sandbox keys in production. Each environment requires its own set of keys.

📌 Best Practices

  • ❌ Never expose API keys in frontend code or public repositories
  • ✅ Use environment-specific keys
  • ⏸️ Deactivate keys not in use
  • 🔄 Rotate keys periodically
  • 🗑️ Delete compromised or unused keys immediately
  • 🔔 Always configure webhook URLs for order/payment status tracking
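One way to enforce the environment-specific and no-frontend-exposure rules in a backend and in CI. This is an added example, not KidaPay's own code. It assumes the key shape seen in the two sample keys above (a `test_` or `prod_` prefix followed by 32 alphanumeric characters); the `KIDAPAY_API_KEY` variable name and all function names are hypothetical.

```python
import os
import re

# Assumption: key shape inferred from the two sample keys on this page
# (prefix "test_" or "prod_" followed by 32 alphanumeric characters).
KEY_RE = re.compile(r"\b(test|prod)_[A-Za-z0-9]{32}\b")
ENV_BY_PREFIX = {"test": "sandbox", "prod": "live"}
# Constructed sample: a frontend bundle whose second line embeds a fake live key.
SAMPLE_BUNDLE = 'fetch(url, {\n  headers: {"x-api-key": "prod_' + "a" * 32 + '"}\n})'

def key_environment(key):
    """Return 'sandbox' or 'live' for a well-formed key, else None."""
    m = KEY_RE.fullmatch(key)
    return ENV_BY_PREFIX[m.group(1)] if m else None

def redact(key):
    """Keep only the prefix and last 4 characters so logs never hold a usable key."""
    return f"{key[:5]}...{key[-4:]}"

def load_api_key(expected_env, environ=os.environ, var="KIDAPAY_API_KEY"):
    """Read the key from the process environment (hypothetical variable name)
    and refuse to start if it belongs to the wrong KidaPay environment."""
    key = environ.get(var, "").strip()
    actual = key_environment(key)
    if actual is None:
        raise RuntimeError(f"{var} is missing or not shaped like a KidaPay key")
    if actual != expected_env:
        raise RuntimeError(
            f"{var} is a {actual} key ({redact(key)}) but this deployment is {expected_env}"
        )
    return key

def find_leaked_keys(text):
    """Scan source or bundle text for key-shaped strings.
    Returns (line_number, environment, redacted_key) tuples."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            hits.append((lineno, ENV_BY_PREFIX[m.group(1)], redact(m.group(0))))
    return hits
```

Call `load_api_key("live")` at backend startup, and run `find_leaked_keys` over frontend build output or staged files in CI so a key-shaped string fails the build before it ships.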

Example using curl

curl -X POST \
https://api.kidapay.com/v1/orders \
-H 'Content-Type: application/json' \
-H 'x-api-key: API_KEY_FROM_MERCHANT_PORTAL' \
-d '{
"merchant_order_id": "503a854998-6230-4338-adb7",
"customer_email": "customer@email.com",
"title": "Monthly Program x 1",
"description": "Gaming for your family",
"amount": 1,
"currency": "USD",
"pay_currency": "USDT",
"callback_url": "https://ecards.com/api/success",
"webhook_url": "https://ecards.com/ecardstatus?status=webhook"
}'