Authentication is a critical part of the Hydrogen API, as it ensures that all requests made to the API are authorized and authenticated before they are processed. The Hydrogen API requires that all requests be authenticated using an API key, a unique identifier assigned to each user account.

Obtaining the API Keys

To integrate with the Hydrogen API, you need to obtain your API keys, which can be easily accessed through your Profile Settings on the merchant portal. You will find two types of keys:

Public Key: This key is designed for front-end use, particularly when integrating using Hydrogenpay Inline or any of our Mobile SDKs.
Secret Key: This key is intended for back-end use only and ensures that your requests are securely authorized. It should never be exposed in front-end code and should be regenerated immediately if compromised.

Both Public and Secret keys come in two versions:

Test Keys: For sandbox environments.
Live Keys: For production environments.

Using API Keys as Bearer Tokens

When making requests to the Hydrogen platform, you must include either the Public or Secret API key in the request headers as a bearer token. Depending on your use case:

Public Key: Use this key for front-end integrations such as Hydrogenpay Inline or Mobile SDKs. This key is safe to use in client-side applications.
Secret Key: Use this key exclusively in your server-side code to authenticate API requests. Keep this key confidential and do not expose it in any front-end code.

Required Headers for Every Request

Include the necessary headers in your HTTP requests to ensure proper communication with the Hydrogen API. The "Authorization" is mandatory and should include your API key as a bearer token. Here's how your headers should look:

Content-Type: application/json
Cache-Control: no-cache
Authorization: Bearer <your API key>

❗️
Integration with Instant Pay requires the Secret Key to be passed in the headers as x-api-key.

Best Practices for API Keys

Understanding how and where to use each type of API key is important for securing your integration:

Public Key: This key is safe for use in client-side code and is ideal for integrations that run in a browser or mobile application.
Secret Key: This key must be used only in server-side environments. It should never be exposed in client-side code or public repositories. If this key is compromised, you should regenerate it immediately using the button on the dashboard.

Note: Always use your Test keys in development or test environments and your Live keys in production to avoid unintended transactions or data exposure.