Foxpay

Public API docs for Foxpay custom REST integrations.

Public API | Custom REST integration | v0.1
Foundation

Authentication

Foxpay custom REST integrations authenticate with Bearer API keys. Payment initialization requests should send `Authorization: Bearer <apiKey>` and use merchant-specific credentials issued for the intended environment.

Bearer API key

Use `Authorization: Bearer <apiKey>` for `POST /payments/initialize` and related custom REST requests.

Merchant-scoped credentials

Use API keys issued for the merchant and environment you are integrating, and keep test and live credentials separate.

Webhook trust model

Webhook callbacks use signed requests and should be handled as a separate verification flow from client-initiated API calls.

Authentication model by use case

  • Custom integrations initialize payments with a Bearer API key.
  • API keys are validated before payment creation continues.
  • Environment behavior is tied to the authenticated credential configuration and surfaced through `testMode` in responses.
  • Expired, inactive, or mode-restricted credentials are rejected before checkout handoff is created.
  • Webhook requests should be verified with signature-based validation rather than treated as standard API-key requests.

Credential handling guidance

  • Store API keys only on your backend or in your secret-management system.
  • Never expose Bearer credentials in frontend code, browser storage, or client-side logs.
  • Rotate credentials when access scope changes or a credential may have been disclosed.
  • Use separate credentials for test and production traffic.
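
The guidance above can be enforced in backend code. The following is an added example, not part of the Foxpay documentation: it loads the key server-side, builds the `POST /payments/initialize` request with the Bearer header, masks the credential for logging, and fails closed when `testMode` in a response does not match the deployment. The environment variable names, the base URL, the payload, and `testMode` being a JSON boolean are assumptions.

```python
import json
import urllib.request


class CredentialError(Exception):
    """Raised when the key or environment configuration is unsafe to use."""


def load_config(env):
    """Read key and expected mode from a server-side mapping such as os.environ."""
    key = env.get("FOXPAY_API_KEY", "").strip()              # hypothetical variable name
    base = env.get("FOXPAY_BASE_URL", "").rstrip("/")        # hypothetical; the page gives no host
    expect = env.get("FOXPAY_EXPECT_TEST_MODE", "").lower()  # hypothetical: "true" or "false"
    if not key:
        raise CredentialError("FOXPAY_API_KEY is not set")
    if not base.startswith("https://"):
        raise CredentialError("base URL must use https so the key is never sent in clear text")
    if expect not in ("true", "false"):
        raise CredentialError("FOXPAY_EXPECT_TEST_MODE must be 'true' or 'false'")
    return key, base, expect == "true"


def build_initialize_request(key, base, payload):
    """Build (without sending) POST /payments/initialize with the Bearer header."""
    return urllib.request.Request(
        base + "/payments/initialize",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + key, "Content-Type": "application/json"},
    )


def loggable_headers(request):
    """Copy of the request headers that is safe to log: the credential is masked."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in request.header_items()}


def check_test_mode(body, expect_test):
    """Fail closed when the response's testMode disagrees with this deployment."""
    mode = body.get("testMode")  # assumed to be a JSON boolean
    if mode is not expect_test:
        raise CredentialError("testMode=%r but this deployment expects %r" % (mode, expect_test))
    return body


if __name__ == "__main__":
    env = {"FOXPAY_API_KEY": "constructed-example-key",      # constructed values
           "FOXPAY_BASE_URL": "https://api.example.invalid",
           "FOXPAY_EXPECT_TEST_MODE": "true"}
    key, base, expect_test = load_config(env)
    req = build_initialize_request(key, base, {"example": "constructed payload"})
    print(req.get_method(), req.full_url, loggable_headers(req))
    print(check_test_mode({"testMode": True}, expect_test))
```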