Authenticate your requests to the Unzer API.

Public key vs private key

After you sign your Unzer contract, you get four API keys:

  • Your sandbox public key (e.g. s-pub-xxxxxxxxxx)
  • Your sandbox private key (e.g. s-priv-xxxxxxxxxx)
  • Your production public key (e.g. p-pub-xxxxxxxxxx)
  • Your production private key (e.g. p-priv-xxxxxxxxxx)

Your API keys are configured with permissions valid for your specific account. They are tied to you as a merchant.

Key Infix Sandbox key example Production key example
Public key pub s-pub-xxxxxxxxxx p-pub-xxxxxxxxxx
Private key priv s-priv-xxxxxxxxxx p-priv-xxxxxxxxxx

Depending on the resource and method used, you either need your public key or your private key to authenticate your request.

For details on which features require a public key or a private key, go to: Authentication reference.

Keep your private key safe

Your private key has multiple permissions. Make sure you keep it safe.

Never make your private key accessible on the web.

Compromised private key
If your private key has been compromised, contact us to change it.

HTTP basic authentication

The Unzer API uses HTTP basic authentication (BA) over HTTPS.

HTTP basic authentication requires a username and password. In the Unzer API, the username is your API key, and the password is empty:

  • Username: your API key
  • Password:

To provide an empty password, add a colon (:) at the end of your key, like this:

-u s-priv-xxxxxxxxxx:

Remember to encode your API key with a Base64 encoder:

curl \
  -u s-priv-xxxxxxxxxx:
var heidelpay = new Heidelpay('s-priv-xxxxxxxxxx');
Heidelpay heidelpay = new Heidelpay("s-priv-xxxxxxxxxx")
// In PHP you do not need to hash the secret key because it is done for you.
// You can just create the Heidelpay object and pass your private key as parameter one
$heidelpay = new Heidelpay('s-priv-xxxxxxxxxx', SupportedLocale::GERMAN_GERMAN);