Skip to main content
Pasteaza authenticates API requests with API keys. Include your secret key in the Authorization header for every server-side request.
Keep your secret key on your backend server. Never expose it in frontend code, mobile apps, Git repositories, or public logs.

API keys

Pasteaza issues separate keys for test mode and live mode. Use test keys while you build and live keys when you are ready to process real transactions.
Key typeTest modeLive modeUse
Public keypk_test_xxxxxxxxxxxxxxxxxpk_live_xxxxxxxxxxxxxxxxxClient-side integrations and checkout components
Secret keysk_test_xxxxxxxxxxxxxxxxxsk_live_xxxxxxxxxxxxxxxxxBackend API requests

Authenticate a request

Send your secret key as a bearer token in the Authorization header. 
Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxx
1

Choose the correct environment

Use a test secret key for sandbox requests. Use a live secret key only when you want to process real transactions.
2

Add the authorization header

Include the Authorization header with each backend API request.
POST /v1/collections HTTP/1.1
Host: api.oyapasteaza.com
Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxx
Content-Type: application/json
3

Send the request from your server

Make authenticated requests from your backend so your secret key stays private.

Example request

curl https://api.oyapasteaza.com/v1/collections \
  -X POST \
  -H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 5000,
    "currency": "NGN",
    "reference": "COL-10001"
  }'

Test mode

Use your sk_test_ key to create and test payments without moving real funds. Requests made with test keys run in the sandbox environment.
Start with test mode when you build your integration. Switch to live mode only after you have tested collections, disbursements, webhooks, and idempotency.

Live mode

Use your sk_live_ key to process real transactions. Store your live secret key securely and restrict access to trusted backend services only.

Webhook verification

Verify the X-Pasteaza-Signature header before trusting webhook payloads.

Idempotency

Use the Idempotency-Key header to prevent duplicate requests.

Security best practices

  • Keep secret keys out of frontend and mobile applications.
  • Store API credentials in a secure secrets manager or encrypted environment variables.
  • Rotate API keys periodically and after any suspected exposure.
  • Verify every webhook signature before updating transaction state.
  • Use HTTPS for every request to the Pasteaza API.