Authentication
PayzCore uses two authentication methods: Project API Key (x-api-key) for payment operations and Master Key (x-master-key) for admin project management.
PayzCore uses key-based authentication for all API requests. There are two authentication methods, each scoped to a different part of the system.
Authentication Methods
| Method | Header | Format | Purpose |
|---|---|---|---|
| Project API Key | x-api-key | pk_live_... | Payment operations (create, list, check payments) |
| Master Key | x-master-key | mk_... | Admin-only project management |
Project API Key (x-api-key)
This is the primary authentication method. Every project gets a unique API key when created. Use it to authenticate all payment-related API calls.
```bash
curl -X POST https://api.payzcore.com/api/v1/payments \
  -H "x-api-key: pk_live_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"amount": 50, "chain": "TRC20", "external_ref": "customer-1"}'
```
The API key identifies which project the request belongs to. All data is scoped to that project — you can only see and manage payments created under the same API key.
Endpoints authenticated with x-api-key:
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/payments | Create a payment monitoring request |
| GET | /api/v1/payments | List payments for this project |
| GET | /api/v1/payments/:id | Get payment status with real-time blockchain check |
| POST | /api/v1/payments/:id/confirm | Submit a transaction hash (pool+txid mode) |
| GET | /api/v1/config | Get available chains and tokens for this project |
Master Key (x-master-key)
The Master Key is used for administrative project management. It is not tied to any specific project — it grants access to create and list all projects.
```bash
curl -X POST https://api.payzcore.com/api/v1/projects \
  -H "x-master-key: mk_your_master_key" \
  -H "Content-Type: application/json" \
  -d '{"name": "New Store", "webhook_url": "https://example.com/webhook"}'
```
Endpoints authenticated with x-master-key:
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/projects | Create a new project |
| GET | /api/v1/projects | List all projects |
This key should only be used in server-to-server contexts. Never expose it in client-side code.
Getting Your Credentials
When you create a project (via the dashboard or Master Key API), three credentials are generated and displayed once:
| Credential | Format | Usage |
|---|---|---|
| API Key | pk_live_... | Send in x-api-key header for all payment API calls |
| API Secret | sk_live_... | For your records. Used in some SDK configurations for additional verification |
| Webhook Secret | whsec_... | Verify incoming webhook signatures (HMAC-SHA256) |
How to create a project
- Log in to the dashboard at app.payzcore.com
- Navigate to Projects in the sidebar
- Click Create Project
- Fill in the project name, webhook URL, and select your wallet
- On the success screen, copy all three credentials immediately
These credentials are shown only once. They are not stored in a recoverable format. If you navigate away without saving them, you will need to regenerate.
Credential Security
Store credentials in environment variables
Never hardcode credentials in your source code. Use environment variables:
```dotenv
# .env (server-side only)
PAYZCORE_API_KEY=pk_live_abc123def456
PAYZCORE_API_SECRET=sk_live_xyz789
PAYZCORE_WEBHOOK_SECRET=whsec_abc123
```
```javascript
// In your server code
const apiKey = process.env.PAYZCORE_API_KEY;
```
Never expose credentials client-side
API keys and secrets must only be used in server-side code. Never include them in:
- Frontend JavaScript bundles
- Mobile app source code
- Public repositories
- Browser-accessible configuration files
- Client-side API calls
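Reading the variables is only half of it; a server should refuse to start with a missing or swapped credential and should never log one whole. The following is an added example (not PayzCore's own code) that validates the three variables against the prefixes shown in the credentials table and redacts them for log output; the variable names are the ones used in the .env snippet above.

```javascript
// Added example, not PayzCore's own code.
// Expected prefix for each variable, taken from the credentials table.
const REQUIRED = {
  PAYZCORE_API_KEY: "pk_live_",
  PAYZCORE_API_SECRET: "sk_live_",
  PAYZCORE_WEBHOOK_SECRET: "whsec_",
};

// env is an object shaped like process.env. Returns the validated
// credentials, or throws so the process fails fast instead of running
// with a half-configured client.
function loadPayzCoreCredentials(env) {
  const out = {};
  for (const [name, prefix] of Object.entries(REQUIRED)) {
    const value = env[name];
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`${name} is not set; refusing to start`);
    }
    if (!value.startsWith(prefix)) {
      // Catches swapped variables, e.g. the API Secret pasted into the key slot.
      throw new Error(`${name} should start with ${prefix}`);
    }
    out[name] = value;
  }
  return out;
}

// Keep only the prefix and the last four characters for log lines,
// enough to tell which key is in use without exposing it.
function redactCredential(value) {
  const prefix = Object.values(REQUIRED).find((p) => value.startsWith(p)) || "";
  return `${prefix}...${value.slice(-4)}`;
}
```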
Rotate credentials if compromised
If you suspect a credential has been exposed:
- Go to Projects in the dashboard
- Open the affected project
- Click Regenerate Keys (admin only)
- All three credentials (API Key, API Secret, Webhook Secret) are regenerated together
- Update your server configuration with the new values immediately
The old credentials stop working as soon as regeneration is complete. There is no grace period.
Regenerating Keys
Key regeneration resets all three credentials at once. You cannot regenerate them individually.
Who can regenerate:
- Admin users can regenerate keys for any project
- Owner users cannot regenerate keys (contact your admin)
What happens:
- A new API Key (pk_live_...), API Secret (sk_live_...), and Webhook Secret (whsec_...) are generated
- The old credentials are invalidated immediately
- The new credentials are displayed in a dialog — save them before closing
- Any API calls using the old key will return 401 Invalid API key
- Any webhooks signed with the old secret will fail signature verification on your end
Rate Limiting
Every API key is subject to two layers of rate limiting:
Burst rate limit
Each API key is limited to 60 requests per minute. This protects against accidental loops or runaway scripts.
When exceeded, the API returns 429 Too Many Requests with these headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests per window (60) |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
Daily plan limit
API calls also count against your plan's daily limit (500/day for Free, 25,000/day for Pro). When the daily limit is exceeded, the response includes:
| Header | Description |
|---|---|
| X-RateLimit-Daily | true — indicates this is a daily limit, not a burst limit |
| X-RateLimit-Limit | Your daily API call limit |
| X-RateLimit-Reset | Unix timestamp for midnight UTC (daily reset) |
See Rate Limits & Plans for full details on plan limits and daily counters.
Error Responses
| Status | Error | Meaning |
|---|---|---|
| 401 | Missing x-api-key header | No authentication header provided |
| 401 | Invalid API key | The API key does not match any active project |
| 403 | Project is deactivated | The project has been disabled by an admin |
| 403 | Account suspended. Contact support. | The project owner's account is suspended |
| 429 | Rate limit exceeded. Try again later. | Burst rate limit (60/min) exceeded |
| 429 | Daily API call limit exceeded. | Plan daily limit reached |
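A server-side client should treat these responses differently: a 401 after a key regeneration means the credentials need reloading, a 403 will not clear by retrying, and a 429 needs a wait whose length comes from X-RateLimit-Reset and whose kind comes from X-RateLimit-Daily. The following is an added example (not PayzCore's own code) that turns a response into such an action; it assumes headers arrive as a plain object of string values and falls back to a 60 second wait when X-RateLimit-Reset is absent.

```javascript
// Added example, not PayzCore's own code.
// Case-insensitive header lookup on a plain object of string values.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Maps a response to the action the caller should take.
// nowUnix is injected (seconds since epoch) so the wait calculation is testable.
function classifyResponse(status, errorMessage, headers, nowUnix) {
  if (status === 401) {
    // "Missing x-api-key header" is a client bug; "Invalid API key" is most
    // often a regenerated key still in use (the old key stops immediately).
    const missing = /missing x-api-key/i.test(errorMessage || "");
    return { action: missing ? "fix-config" : "reload-credentials", retryAfterSeconds: null };
  }
  if (status === 403) {
    // Deactivated project or suspended account: retrying cannot help.
    return { action: "stop", retryAfterSeconds: null };
  }
  if (status === 429) {
    const reset = Number(getHeader(headers, "X-RateLimit-Reset"));
    // ASSUMPTION: fall back to one burst window (60 s) if the header is missing.
    const wait = Number.isFinite(reset) ? Math.max(0, reset - nowUnix) : 60;
    const isDaily = getHeader(headers, "X-RateLimit-Daily") === "true";
    return { action: isDaily ? "wait-daily" : "wait-burst", retryAfterSeconds: wait };
  }
  if (status >= 200 && status < 300) {
    // Surface the remaining budget so callers can slow down before hitting 429.
    const remaining = Number(getHeader(headers, "X-RateLimit-Remaining"));
    return {
      action: "ok",
      retryAfterSeconds: null,
      remaining: Number.isFinite(remaining) ? remaining : null,
    };
  }
  return { action: "unknown", retryAfterSeconds: null };
}
```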
Health Check
The health endpoint requires no authentication:
```bash
curl https://api.payzcore.com/api/health
```
It returns the system health status and uptime. Use it to verify that the API is operational.