API Key Authentication
Every request to the RohoPay v1 API must include your API key in the Authorization header as a Bearer token.
Authorization: Bearer live_0000000000000000000000000000000000000000000000000000000000000000
Key Types
| Prefix | Environment | Behavior |
|---|---|---|
| test_ | Test (sandbox) | No real money; test phone numbers work; rate-limited |
| live_ | Live (production) | Real money; live phone numbers required |
Never expose your live API key in client-side JavaScript, mobile apps, or public repositories. Always call the RohoPay API from your server.
Obtaining API Keys
- Log in to your RohoPay dashboard (or sign up)
- Create or select a Project
- Navigate to Project → API Keys
- Click Generate Key and choose test or live
- Copy the key — it is shown only once
Key Rotation
If a key is compromised, rotate it from the dashboard. The new key is returned once; the old key is revoked immediately.
# Rotate a key via the dashboard API (session auth)
curl -X POST https://api.rohopay.com/dashboard/projects/{projectId}/api-keys/{keyId}/rotate \
-H "Cookie: session=YOUR_SESSION"
Key Prefix Reference
test_<64-char-hex> → test environment, rate limited
live_<64-char-hex> → production environment, unrestricted
Error Response (Unauthorized)
If authentication fails, you receive:
{
"success": false,
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or missing API key"
}
}
Keep your test and live keys in separate environment variables and never commit them to version control.
# .env (never commit this file)
ROHOPAY_API_KEY_TEST=test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ROHOPAY_API_KEY_LIVE=live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
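The following is an added example, not RohoPay's own code. It loads the key for the chosen environment from the variables above, rejects a key whose prefix does not match that environment, builds the Authorization header, and finds key-shaped strings in text (for a pre-commit check). The function names, the redaction format, and the acceptance of upper-case hex are assumptions.

```python
import os
import re

# Key shape from the Key Prefix Reference: <prefix>_<64 hex chars>.
# Accepting both upper- and lower-case hex is an assumption.
KEY_RE = re.compile(r"\b(test|live)_[0-9a-fA-F]{64}\b")
ENV_VARS = {"test": "ROHOPAY_API_KEY_TEST", "live": "ROHOPAY_API_KEY_LIVE"}


def load_key(mode, environ=os.environ):
    """Return the key for mode ('test' or 'live'); refuse malformed or mismatched keys."""
    if mode not in ENV_VARS:
        raise ValueError(f"unknown mode: {mode!r}")
    var = ENV_VARS[mode]
    key = environ.get(var, "").strip()
    m = KEY_RE.fullmatch(key)
    if m is None:
        raise ValueError(f"{var} is missing or not <prefix>_<64-hex>")
    if m.group(1) != mode:
        # e.g. a live key pasted into the test variable
        raise ValueError(f"{var} holds a {m.group(1)}_ key, expected {mode}_")
    return key


def auth_header(key):
    """Header dict for a server-side request."""
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Form that is safe to log: prefix plus the last 4 characters."""
    prefix, _, secret = key.partition("_")
    return f"{prefix}_...{secret[-4:]}"


def find_keys(text):
    """Return [(line_number, redacted_key)] for every key-shaped string in text."""
    return [(n, redact(m.group(0)))
            for n, line in enumerate(text.splitlines(), 1)
            for m in KEY_RE.finditer(line)]


if __name__ == "__main__":
    sample_key = "test_" + "ab12" * 16  # constructed sample, not a real key
    env = {"ROHOPAY_API_KEY_TEST": sample_key}
    print(redact(load_key("test", env)))
    print(find_keys("# config\nkey = '" + sample_key + "'\n"))
```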