Authentication
Learn how to authenticate your API requests to ShadhinPay
Authentication
All API requests to ShadhinPay require authentication using your API credentials. This guide explains how to obtain and use your credentials securely.
API Credentials
You need three credentials to authenticate API requests:
| Credential | Description |
|---|---|
| Client-Id | Your unique client identifier |
| Business-Id | The ID of the business making the request |
| Secret-Key | Your secret API key (keep this private!) |
Getting Your Credentials
- Log in to your ShadhinPay Dashboard
- Navigate to Settings → API Keys
- Click Generate New Keys if you haven't already
- Copy all three credentials and store them securely
Security Warning: Never expose your Secret-Key in:
- Client-side JavaScript
- Mobile app source code
- Public GitHub repositories
- Browser network requests
Making Authenticated Requests
Include all three credentials in the request headers:
curl -X GET https://api.shadhinpay.com/api/v1/payments \
-H "Client-Id: cl_live_abc123" \
-H "Business-Id: bus_xyz789" \
-H "Secret-Key: sk_live_secret_key_here"const headers = {
'Client-Id': process.env.SHADHINPAY_CLIENT_ID,
'Business-Id': process.env.SHADHINPAY_BUSINESS_ID,
'Secret-Key': process.env.SHADHINPAY_SECRET_KEY,
'Content-Type': 'application/json',
};
const response = await fetch('https://api.shadhinpay.com/api/v1/payments', {
headers,
});import os
import requests
headers = {
'Client-Id': os.environ['SHADHINPAY_CLIENT_ID'],
'Business-Id': os.environ['SHADHINPAY_BUSINESS_ID'],
'Secret-Key': os.environ['SHADHINPAY_SECRET_KEY'],
'Content-Type': 'application/json',
}
response = requests.get(
'https://api.shadhinpay.com/api/v1/payments',
headers=headers
)Test vs Live Credentials
ShadhinPay provides separate credentials for testing and production:
| Environment | Prefix | Base URL |
|---|---|---|
| Sandbox | cl_test_, sk_test_ | https://sandbox.shadhinpay.com/api/v1 |
| Production | cl_live_, sk_live_ | https://api.shadhinpay.com/api/v1 |
Use sandbox credentials during development. Switch to live credentials only when you're ready for production.
Authentication Errors
If authentication fails, you'll receive one of these errors:
| Status Code | Error | Description |
|---|---|---|
401 | INVALID_CLIENT_ID | Client-Id header is missing or invalid |
401 | INVALID_BUSINESS_ID | Business-Id header is missing or invalid |
401 | INVALID_SECRET_KEY | Secret-Key is incorrect |
403 | BUSINESS_NOT_AUTHORIZED | Business doesn't have access to this resource |
{
"success": false,
"error": {
"code": "INVALID_SECRET_KEY",
"message": "The provided secret key is invalid"
}
}Best Practices
- Use environment variables - Never hardcode credentials
- Rotate keys regularly - Generate new keys periodically
- Use separate keys per environment - Different keys for dev/staging/prod
- Monitor API usage - Check your dashboard for unusual activity
- Restrict key permissions - Use business-specific keys when possible