Authentication

How to authenticate your API requests and API Keys

Requests to IntaSend require authentication. IntaSend provides two types of keys:

  • Public/Publishable Key (Prefixed with ISPubKey_)
  • Private/Secret Key (Prefixed with ISSecretKey_)

The keys are unique to every account and also indicate the environment from which they were obtained. The environments are test and live.

Test keys (with the keyword test) are for use in the sandbox environment, while keys with the keyword live must be used only in the live environment.

❗️

You must secure the secret key at all costs

Secret keys must only be added at the backend and should not be exposed on the frontend. If your integration does not need the secret key, e.g. the checkout link API, which needs only the public key to generate, we recommend that you do not generate the secret key.

The secret key must never be shared and must be stored securely. We recommend using the 12 Factor App concept, where sensitive information like the Private/Secret key must be kept in an environment variable and not hard-coded in the configuration files.

How to generate the API Keys

The API keys are obtained on your dashboard. The public key is readily available, while the secret key must be generated, and only if needed. Please check the API you are working with to verify whether it needs the secret key to complete the authentication.

Public/Publishable Keys are safe to add at the frontend of your app/website. The publishable keys are only used to identify your business during the checkout links setup. The secret keys are able to do more, e.g. refunds, send money, create wallets etc.

How to authenticate your requests (REST API)

When sending requests that require authentication, the secret key is needed.

To authenticate your request, send the secret key in the Authorization header with the Bearer prefix:

POST https://payment.intasend.com/api/v1/[protected-resource]
Authorization: Bearer [ADD-YOUR-SECRET-KEY]
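
A backend-side loader for the guidance above, as an added example that is not IntaSend's own code: it reads the secret key from an environment variable, rejects a publishable key or a key for the wrong environment, and builds the Bearer header. The variable name INTASEND_SECRET_KEY, the helper names, and the assumption that the test/live keyword directly follows the key prefix are not from this page.

```python
import os

PUBLIC_PREFIX = "ISPubKey_"      # prefixes as given on this page
SECRET_PREFIX = "ISSecretKey_"
ENV_VAR = "INTASEND_SECRET_KEY"  # hypothetical variable name


class KeyConfigError(ValueError):
    """The configured key is missing, of the wrong type, or for the wrong environment."""


def key_environment(key):
    # Assumption: the test/live keyword directly follows the prefix.
    rest = key[len(SECRET_PREFIX):]
    for env in ("test", "live"):
        if rest.startswith(env + "_"):
            return env
    raise KeyConfigError("secret key carries no test/live keyword")


def load_secret_key(expected_env, environ=os.environ):
    """Read the secret key from the environment and check it before use."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise KeyConfigError(f"{ENV_VAR} is not set")
    if key.startswith(PUBLIC_PREFIX):
        raise KeyConfigError("publishable key supplied where a secret key is required")
    if not key.startswith(SECRET_PREFIX):
        raise KeyConfigError(f"{ENV_VAR} does not hold an IntaSend secret key")
    actual = key_environment(key)
    if actual != expected_env:
        raise KeyConfigError(f"{actual} key configured for the {expected_env} environment")
    return key


def auth_headers(key):
    # Header format from this page: Authorization: Bearer <secret key>
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Log-safe form: prefix and environment only, never the secret part."""
    return f"{SECRET_PREFIX}{key_environment(key)}_***"


if __name__ == "__main__":
    # Constructed sample value, not a real key.
    sample = {ENV_VAR: "ISSecretKey_test_constructed-0000"}
    key = load_secret_key("test", environ=sample)
    print(redact(key), list(auth_headers(key)))
```

The error messages never include the key value, so a failed startup check can be logged without leaking the secret.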

Nonce and Encryption Signature

In order to protect your account, the Send Money API adds an extra verification using encryption keys and signatures. Basically, when a request is initiated, IntaSend will send back a nonce for you to sign using a private key known only to you. On the other end, IntaSend will verify the signature using the public key that you will share with us. This process is only needed when working with the Send Money and Disbursements APIs.