GlobalPay.bt

Authentication

Learn how to authenticate your API requests with GlobalPay.bt.

API Keys

GlobalPay.bt uses API keys to authenticate requests. You can view and manage your API keys in the dashboard under Settings > API Keys.

Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, etc.

Getting Your API Key

  1. Sign in to your dashboard at app.gopay.bt
  2. Navigate to Settings > API Keys
  3. Click Create API Key
  4. Give it a name (e.g., "Production API", "Development")
  5. Copy the key immediately (you won't be able to see it again)

Authentication Methods

Bearer Token

Include your API key in the Authorization header:

curl https://api.gopay.bt/api/invoices \\
  -H "Authorization: Bearer YOUR_API_KEY"

Header Format

All authenticated requests must include:

Authorization: Bearer sk_live_abcd1234efgh5678ijkl

Test vs Live Keys

GlobalPay.bt provides two types of API keys:

  • Test keys (prefix: sk_test_) - Use in test mode, won't process real payments
  • Live keys (prefix: sk_live_) - Use in production, processes real payments

Test keys work with test card numbers only. Live keys require real card details and will charge actual money.

Example Request

// Node.js example with fetch
const response = await fetch('https://api.gopay.bt/api/invoices', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer sk_live_abcd1234efgh5678ijkl',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    customerId: 'cust_123',
    amount: 10000,
    currency: 'BTN',
    description: 'Monthly subscription'
  })
});

const invoice = await response.json();

Error Responses

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "error": {
    "message": "Invalid API key provided",
    "type": "authentication_error",
    "code": "invalid_api_key"
  }
}

Common Errors

| Error Code | Description | Solution | |------------|-------------|----------| | missing_api_key | No API key provided | Include Authorization header | | invalid_api_key | API key is invalid | Check your key in dashboard | | expired_api_key | API key has expired | Generate a new key | | revoked_api_key | API key was revoked | Create a new key |

Security Best Practices

Never commit API keys to version control or expose them in client-side code.

  1. Store securely - Use environment variables or secret management tools
  2. Rotate regularly - Generate new keys periodically
  3. Use test keys - Always use test keys during development
  4. Limit scope - Create separate keys for different services
  5. Monitor usage - Check API key usage in your dashboard

Environment Variables

Store your API key as an environment variable:

# .env.local (never commit this file)
GLOBALPAY_API_KEY=sk_live_abcd1234efgh5678ijkl

Access it in your code:

const apiKey = process.env.GLOBALPAY_API_KEY;

IP Whitelisting (Coming Soon)

We're working on adding IP whitelisting for enhanced security. This will allow you to restrict API key usage to specific IP addresses.

Webhook Signatures

Webhooks are signed with a unique secret. Learn more in the Webhooks documentation.

Next Steps