The SandPay API authenticates requests with an API key passed in the Authorization HTTP header using the Bearer format.
Every key follows the sp_sk_<env>_<random> prefix:
| Prefix | Environment | Transactions |
|---|---|---|
| sp_sk_test_... | Sandbox | Simulated, at no cost |

Authorization: Bearer sp_sk_test_a1b2c3d4e5f6...
Never commit a key to Git. Store it in an environment variable (SANDPAY_API_KEY) or a secret manager (Doppler, AWS Secrets Manager, Vercel Env Vars). Any key pushed publicly will be automatically revoked by our GitHub scanner.
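A check you can run on files before committing them, as an added example (not SandPay's own scanner or code): it finds strings shaped like sp_sk_<env>_<random> and reports them redacted. The character set and 16-character minimum for <random> are assumptions, since this page documents only the prefix shape; the sample key is constructed.

```python
import re
import sys

# Assumption: <env> is a lowercase word and <random> is 16+ alphanumeric
# characters. The page documents only the sp_sk_<env>_<random> shape.
KEY_RE = re.compile(r"\bsp_sk_([a-z]+)_([A-Za-z0-9]{16,})")

# Constructed sample input; the key below is made up.
SAMPLE = '''\
# config.py
API_KEY = os.environ["SANDPAY_API_KEY"]
headers = {"Authorization": "Bearer sp_sk_test_a1b2c3d4e5f6a7b8c9d0"}
doc = "keys look like sp_sk_test_..."
'''


def redact(key):
    """Keep the prefix and 4 characters so a finding never re-leaks the key."""
    m = KEY_RE.fullmatch(key)
    if not m:
        return "<not a SandPay key>"
    return "sp_sk_{}_{}****".format(m.group(1), m.group(2)[:4])


def scan(text, source="<sample>"):
    """Return (source, line_number, redacted_key) for each key-shaped string."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            findings.append((source, number, redact(m.group(0))))
    return findings


if __name__ == "__main__":
    # Usage: python scan_keys.py FILE...  (no arguments scans SAMPLE)
    found = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found += scan(fh.read(), path)
    if not sys.argv[1:]:
        found = scan(SAMPLE)
    for source, number, key in found:
        print(f"{source}:{number}: possible SandPay key {key}")
    sys.exit(1 if found else 0)
```

The non-zero exit status on a finding lets a pre-commit hook or CI step block the commit; reading the key from SANDPAY_API_KEY, as on line 2 of the sample, produces no finding.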
Creating a key
From the dashboard:
- Go to /settings/api-keys.
- Click New key.
- Give it a label (e.g. backend-server, ci-pipeline).
- Copy the full value. It is shown only once — only the prefix remains visible afterwards.
Rotation and revocation
Any key can be revoked individually from the same page. For a clean rotation:
- Create a new key.
- Deploy it across your environments.
- Once traffic has switched over, revoke the old key.
No grace period is applied: revocation is immediate. In-flight requests still using the old key will receive 401 unauthorized.
Sandbox mode
All transactions are simulated through the scenario engine — no money moves, and no network calls are made to real operator APIs.
Auth errors
A missing, malformed, revoked, or expired key returns 401 unauthorized. See the Errors page for the full error code reference.