API key
Every request to the DPay Web EID API requires an API key sent as a Bearer token in the Authorization header.
Generating a key
You can obtain an API key in the administration panel at /admin/api-keys. Each key is assigned to a tenant and can be deactivated or revoked at any time.
Key format
| Environment | Prefix | Example |
|---|---|---|
| Production | deid_live_ | deid_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| Test / Sandbox | deid_test_ | deid_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
Both key types work identically at the API level. The difference is that sessions created with a test key are marked as test sessions and are not billed.
Using the key in a request
curl https://hub.dpay.pl/api/v1/verifications \
-H "Authorization: Bearer deid_live_your_api_key" \
-H "Content-Type: application/json"
Security
Never disclose your key
- Do not commit the key to a source code repository
- Do not include the key in frontend code or mobile applications
- Store the key only in server-side environment variables (
.env, secrets vault) - If the key is exposed, revoke it immediately in the panel and generate a new one
Authentication error codes
| HTTP code | Error code | Description |
|---|---|---|
| 401 | AUTHENTICATION_REQUIRED | Missing Authorization header |
| 401 | INVALID_API_KEY | The key is invalid, expired or revoked |
| 401 | TENANT_NOT_FOUND | No tenant found for this key |
| 403 | TENANT_SUSPENDED | The tenant account has been suspended |
Example error response
{
"error": {
"code": "INVALID_API_KEY",
"message": "The provided API key is invalid, expired, or has been revoked."
}
}