Authentication
The Paygasus Pay API authenticates every request with a secret key sent as a bearer token. There are no other auth methods — no OAuth, no query-string keys.
curl https://api.paygasus.com/payments/card \ -H "Authorization: Bearer sk_test_…"A request without a valid key is rejected before any processing happens.
Live vs. test keys
Section titled “Live vs. test keys”Your key’s prefix selects the environment:
| Prefix | Mode | Effect |
|---|---|---|
sk_live_… |
Live | Moves real money. Responses have "livemode": true. |
sk_test_… |
Test | No money moves. Responses have "livemode": false. |
The two are otherwise identical: same endpoints, same object shapes. Build and
test against sk_test_, then swap the key to go live. See
Test mode for simulating specific outcomes.
Managing keys
Section titled “Managing keys”Secret keys are created, rotated, and revoked in the Paygasus dashboard — there is no key-management endpoint in this API. Rotate immediately if a key is ever exposed; the old key stops working the moment you revoke it.