Authentication

Drinah Pay uses API keys for authentication to ensure secure and authorized access to your payment processing functions. This page explains how to authenticate using your public and secret API keys.

API Keys

After registering as a merchant with Drinah Pay, you will receive two API keys:

• Public Key: Used in frontend integration, typically in JavaScript code (e.g., for Drinah Pay's checkout popup).
• Secret Key: Used in backend integration to authenticate API requests (e.g., for charging customers, verifying payments).

Authentication Process

To authenticate API requests, include your **secret key** in the `Authorization` header. The format should be:

Authorization: Bearer YOUR_SECRET_KEY
    

This header ensures that only authenticated requests can interact with the API, protecting your data and transactions.

Backend Authentication Example

Here’s an example of how to authenticate when making a request to the `/v1/charge` endpoint using your secret API key:

$ curl -X POST https://api.drinah.com/v1/charge \
    -H "Authorization: Bearer YOUR_SECRET_KEY" \
    -H "Content-Type: application/json" \
    -d '{
          "amount": 1000,
          "phone": "2547XXXXXXXXX",
          "description": "Payment for goods"
        }'
    

Replace `YOUR_SECRET_KEY` with your actual secret key. The API will authenticate your request based on the secret key provided in the `Authorization` header.

Frontend Authentication Example

For frontend integration, you'll use the **public key** to authenticate transactions through the Drinah Pay checkout popup. Here’s an example of how you can include the public key in your frontend JavaScript:

This will trigger the Drinah Pay popup for the user to complete the payment.

Securing Your API Keys

It's important to securely store your API keys. Do not expose your **secret key** in public-facing code, as it could be misused.

• Store Secret Key: On the server side, in a secure environment (e.g., environment variables, server configurations).
• Keep Public Key Public: The public key can be safely exposed to the frontend.

Rotating API Keys

You can rotate your API keys at any time for added security. If you suspect that your keys have been compromised, it’s recommended to regenerate them.

You can regenerate your API keys by logging into your merchant dashboard, navigating to the **API Keys** section, and requesting a new pair of keys.

Error Handling

If you make a request with an invalid or expired key, you will receive an authentication error response, similar to the following:

{
    "error": "Unauthorized",
    "message": "Invalid or expired API key."
}
    

Always ensure that your API keys are correct, valid, and not expired.

Test vs Live Keys

Drinah Pay uses separate keys for testing and live environments:

• Test Keys: For development and testing purposes. Payments made with these keys will not be processed on M-Pesa.
• Live Keys: For production use. Payments made with these keys will be processed and charged on M-Pesa.

Make sure you’re using the correct keys depending on your environment (testing or production).