Authentication

Aurax Pay uses API keys to authenticate requests. Every call to the /v1/* endpoints must include your key in the x-api-key header.

⚠️Your API keys carry full access to your merchant account. Never expose them in client-side code, public repositories, or logs.

Sending your API key

Include the key on every request as an HTTP header:

cURL

curl https://api.auraxpay.net/v1/payments \
  -H "x-api-key: axp_live_YOUR_KEY_HERE"

Node.js

const response = await fetch("token-string">'https:"token-comment">//api.auraxpay.net/v1/payments', {
  method: "token-string">'POST',
  headers: {
    "token-string">'Content-Type': "token-string">'application/json',
    "token-string">'x-api-key': process.env.AURAX_API_KEY,
  },
  body: JSON.stringify({ amount: 5000, channel: "token-string">'MPESA', ... }),
})

Key types

Type	Prefix	Use for
Test	axp_test_	Development and integration testing. No real money moved.
Live	axp_live_	Production. Real transactions. Requires activated account.

Permissions

Each API key is scoped to a set of permissions. When generating a key from the dashboard, you select what it can do. A key without a required permission returns 403 Forbidden.

Permission	Allows
payments.create	Initiate collections and disbursements
payments.read	Retrieve and list transactions

Key security

Aurax Pay stores only a SHA-256 hash of your key — the plaintext is shown once at creation and never again. If you lose a key, revoke it and generate a new one.

Rotate keys regularly in production
Use separate keys per service or environment
Revoke immediately if you suspect compromise
Store in environment variables, never in source code

Authentication errors

Status	Code	Meaning
401	Missing x-api-key header	No key was provided
401	Invalid API key	Key not found or revoked
401	API key expired	Key has passed its expiry date
403	Merchant account not active	Account pending activation
403	Insufficient permissions	Key lacks required permission