Get your API key
Every request to the QuataPay API is authenticated with a merchant API key. Create and manage keys from the merchant panel under Developer → API keys.
- Test keys start with
qpay_test_and only touch the sandbox. - Live keys start with
qpay_live_and move real money — protect them like a password.
Bearer token header
Send the key in the standard Authorization header on every request:
Authorization: Bearer qpay_test_xxxxxxxxxxxxxxxxxxxxxxxxRotation and revocation
Keys can be rotated at any time — the old key continues to work for 24 hours so deployments can roll forward without downtime. Revoke a leaked key immediately from the same panel; revoked keys stop working instantly.
Never embed keys in client code
API keys belong on your backend. For browser checkout, use the public payment-link slug or our hosted checkout — never expose a secret key to end users.