Overview

Transaction API supports two authentication methods depending on the endpoint you’re using:
  • JWT Authentication - For user account operations
  • API Key Authentication - For payment and merchant operations

JWT Authentication

JWT tokens are used for user account operations like registration, login, and profile management.

Getting a JWT Token

  1. Register or Login
     Use the /auth/register or /auth/login endpoints to get a JWT token.
  2. Include in Headers
     Add the token to the Authorization header:
     Authorization: Bearer <jwt_token>

Example

# Login to get JWT token
curl -X POST https://api.transaction.gg/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "password123"
  }'

# Use JWT token for authenticated requests
curl -X GET https://api.transaction.gg/auth/me \
  -H "Authorization: Bearer jwt_token_here"

API Key Authentication

API keys are used for payment processing and merchant operations.

API Key Types

Public Key

Format: pk_*
Used for:
  • Creating payments
  • Public operations
Safe to use in client-side code

Secret Key

Format: sk_*
Used for:
  • Merchant operations
  • Wallet management
  • Webhook logs
Never expose in client-side code

Getting API Keys

  1. Log in to your dashboard
  2. Navigate to API Keys section
  3. Copy your public and secret keys

Example

# Create payment with public key
curl -X POST https://api.transaction.gg/payment/create \
  -H "Authorization: Bearer pk_your_public_key" \
  -H "Content-Type: application/json" \
  -d '{"amount": "29.99", "currency": "USD"}'

# Check wallet balance with secret key
curl -X GET https://api.transaction.gg/merchant/wallet/balances \
  -H "Authorization: Bearer sk_your_secret_key"

Token Expiration

JWT Tokens

  • Expire after 24 hours
  • Use /auth/login to get new token
  • No refresh token mechanism

API Keys

  • Do not expire
  • Can be regenerated from dashboard
  • Regeneration invalidates old keys

Security Best Practices

  1. Store Keys Securely
     Use environment variables or secure key management systems.
  2. Use HTTPS
     Always make requests over HTTPS to protect credentials.
  3. Rotate Keys Regularly
     Regenerate API keys periodically for enhanced security.
  4. Monitor Usage
     Check your dashboard for unusual API activity.

Error Handling

Common authentication errors:
| Error Code | Status | Description |
|---|---|---|
| UNAUTHORISED | 401 | Invalid or missing authentication |
| INVALID_CREDENTIALS | 401 | Invalid login credentials |
| RATE_LIMITED | 429 | Too many authentication attempts |

Rate Limits: Authentication endpoints are limited to 5 requests per minute to prevent brute force attacks.
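
With no refresh token and only 5 authentication requests per minute, a client that logs in again on every request or on every 401 can lock itself out. The Python below is an added example, not Transaction API's own code: it caches the JWT for just under 24 hours and refuses locally to exceed the login budget. `JwtSession`, `LoginBudgetExceeded`, the `margin` parameter and the `login` callable are hypothetical names; `login` is assumed to POST to /auth/login and return the token string, since the response format is not shown on this page.

```python
import time
from collections import deque

TOKEN_LIFETIME = 24 * 60 * 60  # from the page: JWTs expire after 24 hours
LOGIN_LIMIT = 5                # from the page: 5 auth requests per minute
LOGIN_WINDOW = 60.0            # seconds


class LoginBudgetExceeded(Exception):
    """Raised locally instead of sending a login that would draw a 429."""


class JwtSession:
    """Caches one JWT and throttles re-logins (hypothetical helper)."""

    def __init__(self, login, clock=time.monotonic, margin=300):
        self._login = login        # assumed: calls /auth/login, returns the JWT
        self._clock = clock
        self._margin = margin      # re-login this many seconds before expiry
        self._token = None
        self._obtained_at = 0.0
        self._attempts = deque()   # timestamps of recent login attempts

    def _spend_login_attempt(self):
        now = self._clock()
        # Drop attempts that have left the sliding one-minute window.
        while self._attempts and now - self._attempts[0] >= LOGIN_WINDOW:
            self._attempts.popleft()
        if len(self._attempts) >= LOGIN_LIMIT:
            wait = LOGIN_WINDOW - (now - self._attempts[0])
            raise LoginBudgetExceeded(f"retry in {wait:.0f}s")
        self._attempts.append(now)  # failed logins count against the budget too

    def token(self):
        age = self._clock() - self._obtained_at
        if self._token is None or age >= TOKEN_LIFETIME - self._margin:
            self._spend_login_attempt()
            self._token = self._login()
            self._obtained_at = self._clock()
        return self._token

    def invalidate(self):
        """Call after a 401 UNAUTHORISED so the next token() logs in again."""
        self._token = None

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}
```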