Authentication
The WasaaPay Partner API uses API keys to authenticate requests. You can manage your API keys from the dashboard.
API Key Authentication
All API requests must include your API key in the X-API-Key header:
```bash
curl https://api.wasaapay.com/api/v1/partner/users \
  -H "X-API-Key: sk_sandbox_abc123xyz"
```
API Key Types
| Type | Prefix | Environment | Use Case |
|---|---|---|---|
| Sandbox | sk_sandbox_ | Testing | Development and testing |
| Production | sk_live_ | Production | Real transactions |
Required Headers
Every API request must include these headers:
| Header | Required | Description |
|---|---|---|
| X-API-Key | Yes | Your API key |
| Content-Type | Yes (for POST/PUT) | Must be application/json |
| X-Idempotency-Key | Yes (for POST) | Unique identifier to prevent duplicate requests |
Idempotency
All POST requests require an X-Idempotency-Key header. This prevents duplicate operations if you retry a request due to network issues.
```javascript
import { randomUUID } from 'node:crypto';

// Generate one unique idempotency key per operation.
// Reuse the same key if you retry that operation.
const idempotencyKey = `transfer_${randomUUID()}`;

const response = await fetch('https://api.wasaapay.com/api/v1/partner/transfers', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': 'sk_sandbox_abc123xyz',
    'X-Idempotency-Key': idempotencyKey,
  },
  body: JSON.stringify({
    // ... request body
  }),
});
```
If you send the same idempotency key twice, you'll receive the same response without creating a duplicate transaction.
Rate Limiting
API requests are rate limited to protect the service. Current limits:
| Tier | Requests/Minute | Requests/Hour |
|---|---|---|
| Sandbox | 60 | 1,000 |
| Production (Default) | 120 | 5,000 |
| Production (Enterprise) | Custom | Custom |
Rate limit information is included in response headers:
```
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 118
X-RateLimit-Reset: 1705312800
```
IP Whitelisting
For production environments, you can restrict API access to specific IP addresses. Configure this in your dashboard under Partner Settings.
Error Responses
Authentication errors return appropriate HTTP status codes:
| Status Code | Error Code | Description |
|---|---|---|
| 401 | MISSING_API_KEY | X-API-Key header is missing |
| 401 | INVALID_API_KEY | API key is invalid or revoked |
| 403 | INSUFFICIENT_PERMISSIONS | API key doesn't have required permissions |
| 403 | IP_NOT_WHITELISTED | Request IP is not in whitelist |
| 429 | RATE_LIMIT_EXCEEDED | Too many requests |
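
The retry behaviour implied by the idempotency, rate limiting and error sections above, as an added example that is not part of the WasaaPay documentation: one idempotency key per operation reused across retries, waits driven by `X-RateLimit-Reset` on 429, and no retry on 401/403. The names `postWithRetry`, `retryDelayMs` and the `WASAAPAY_API_KEY` environment variable are hypothetical, and treating `X-RateLimit-Reset` as Unix epoch seconds is an assumption based on the sample value shown above.

```javascript
// Added example, not WasaaPay code. Assumptions: X-RateLimit-Reset is Unix epoch
// seconds; WASAAPAY_API_KEY is a hypothetical environment variable name.
const MAX_WAIT_MS = 60_000;
// Wait until the advertised reset when the header is usable, else back off 1s, 2s, 4s...
function retryDelayMs(headers, nowMs, attempt) {
  const resetMs = Number(headers && headers.get('X-RateLimit-Reset')) * 1000;
  if (Number.isFinite(resetMs) && resetMs > nowMs) {
    return Math.min(resetMs - nowMs, MAX_WAIT_MS);
  }
  return Math.min(1000 * 2 ** attempt, MAX_WAIT_MS);
}

async function postWithRetry(url, body, opts = {}) {
  const {
    apiKey = process.env.WASAAPAY_API_KEY,
    fetchImpl = fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    now = Date.now,
    newKey = () => globalThis.crypto.randomUUID(),
    maxAttempts = 4,
  } = opts;
  if (!apiKey) throw new Error('API key is not configured');
  // One key per logical operation, generated once and reused on every retry.
  const idempotencyKey = newKey();
  const init = {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': apiKey,
      'X-Idempotency-Key': idempotencyKey,
    },
    body: JSON.stringify(body),
  };

  for (let attempt = 0; ; attempt++) {
    const last = attempt >= maxAttempts - 1;
    let res = null;
    try {
      res = await fetchImpl(url, init);
    } catch (err) {
      if (last) throw err; // network failure: outcome unknown, retry with the same key
    }
    // 401/403 (key, permission, IP whitelist) are returned at once, never retried.
    if (res && (res.status !== 429 || last)) {
      return { status: res.status, attempts: attempt + 1, idempotencyKey, res };
    }
    await sleep(retryDelayMs(res && res.headers, now(), attempt));
  }
}
```

The default `newKey` relies on the global Web Crypto object (Node.js 19 or later); pass your own `newKey` on older runtimes.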
Best Practices
- Keep API keys secure: Never expose API keys in client-side code or public repositories
- Use environment variables: Store API keys in environment variables, not in code
- Rotate keys regularly: Create new keys and revoke old ones periodically
- Use separate keys: Use different keys for development and production
- Enable IP whitelisting: Restrict production access to known IP addresses