Authentication
Secure your API requests with JWT-based authentication
Overview
Hedge Payments uses API keys and JWT tokens to authenticate requests. Your API keys carry many privileges, so be sure to keep them secure and never share them in publicly accessible areas.
โ ๏ธ Security Warning:
Do not commit API keys to version control or expose them in client-side code. Always use environment variables and keep keys on the server side.
API Keys
API keys are the primary method of authentication for Hedge Payments. You can find your API keys in the Dashboard under Settings โ API Keys.
Types of API Keys
๐งช Test Mode Keys
Start with test_
Use these keys during development. Test mode transactions don't process real payments and won't affect your balance.
๐ Live Mode Keys
Start with live_
Use these keys in production. Live mode transactions process real payments and affect your account balance.
Using API Keys
Include your API key in the Authorization header with every request:
curl -X POST https://api.hedgepayments.com/api/payments \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"amount": 100.00,
"currency": "USD",
"customerEmail": "user@example.com"
}'JWT Tokens
For added security in client-side applications, you can generate short-lived JWT tokens from your server using your API key. These tokens can be safely used in frontend code.
Generating a JWT Token
Node.js
const token = await hedge.auth.createToken({
expiresIn: '1h', // Token expires in 1 hour
scope: ['payments:read', 'payments:create']
})
// Send token to client
res.json({ token: token.jwt })Python
token = hedge.auth.create_token(
expires_in='1h', # Token expires in 1 hour
scope=['payments:read', 'payments:create']
)
# Send token to client
return {'token': token.jwt}Using JWT Tokens
Use JWT tokens the same way as API keys, in the Authorization header:
// Client-side code (safe to use)
const response = await fetch('https://api.hedgepayments.com/api/payments', {
method: 'POST',
headers: {
'Authorization': `Bearer ${jwtToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
amount: 100.00,
currency: 'USD',
customerEmail: 'user@example.com'
})
})Scopes and Permissions
Control access to your API resources using scopes. Each scope grants specific permissions:
| Scope | Description |
|---|---|
payments:read | View payment information |
payments:create | Create new payments |
payments:refund | Process payment refunds |
balance:read | View account balance |
payouts:create | Create payout requests |
Security Best Practices
- ๐ Use environment variables:
Store API keys in environment variables, never hard-code them in your application. - โฑ๏ธ Set appropriate expiration times:
JWT tokens should have short expiration times (1-24 hours) to minimize security risks. - ๐ฏ Use minimal scopes:
Only grant the permissions necessary for each token's intended use. - ๐ Rotate keys regularly:
Periodically regenerate your API keys, especially if you suspect they may have been compromised. - ๐ซ Never expose keys client-side:
API keys should only be used on your backend servers. Use JWT tokens for client-side operations.
Error Handling
When authentication fails, Hedge Payments returns a 401 Unauthorized status code:
{
"error": {
"code": "unauthorized",
"message": "Invalid or expired API key",
"type": "authentication_error"
}
}Common authentication errors:
invalid_api_key- The provided API key is invalidexpired_token- The JWT token has expiredinsufficient_permissions- The token doesn't have the required scopemissing_authorization- No Authorization header was provided