Skip to content

Authentication

The Paygasus Pay API authenticates every request with a secret key sent as a bearer token. There are no other auth methods — no OAuth, no query-string keys.

Terminal window
curl https://api.paygasus.com/payments/card \
-H "Authorization: Bearer sk_test_…"

A request without a valid key is rejected before any processing happens.

Your key’s prefix selects the environment:

Prefix Mode Effect
sk_live_… Live Moves real money. Responses have "livemode": true.
sk_test_… Test No money moves. Responses have "livemode": false.

The two are otherwise identical: same endpoints, same object shapes. Build and test against sk_test_, then swap the key to go live. See Test mode for simulating specific outcomes.

Secret keys are created, rotated, and revoked in the Paygasus dashboard — there is no key-management endpoint in this API. Rotate immediately if a key is ever exposed; the old key stops working the moment you revoke it.