Unzer

Authentication

Authenticate requests to the Unzer API.

Overview

The Unzer API uses HTTP basic authentication (BA) over HTTPS. Any requests to the API must be authenticated using either your public or private key obtained after signing contract with Unzer.

Private key

Private key allows you to identify yourself while sending Unzer API requests on the server side. Your private key has multiple permissions, so be sure to keep it safe. You should never make your private key accessible on the web.

icon
If your private key is compromised, please contact our support team immediately to change it.

Public key

Public key allows you to identify yourself while sending Unzer API requests on the client side. This is utilized when integrating using Unzer UI components.

Authentication

HTTP basic authentication requires a username and password. In the Unzer API, the username is your API key, and the password is empty. To provide an empty password, add a colon (:) at the end of your key. Remember to encode your API key with a Base64 encoder.

curl https://api.unzer.com/v1/keypair \
--header "Authorization: Basic cy1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOg=="
// You do not need to hash the secret key because it is done for you by the SDK.
// You can just create the Unzer object and pass your private key as parameter one
$unzer = new Unzer('s-priv-xxxxxxxxxx', SupportedLocale::GERMAN_GERMAN);
// Use the public key when calling Unzer API on the client side.
var unzer = new Unzer('s-pub-xxxxxxxxxx');
// Use the public key when calling Unzer API on the client side.
var unzer = new Unzer('s-pub-xxxxxxxxxx');

Unzer API keys

If you request for a test account, you will receive two sandbox API keys:

  • Your sandbox public key (e.g. s-pub-xxxxxxxxxx)
  • Your sandbox private key (e.g. s-priv-xxxxxxxxxx)

Sandbox keys allow you to make test transactions.

After signing your Unzer contract, you get your production API keys:

  • Your production public key (e.g. p-pub-xxxxxxxxxx)
  • Your production private key (e.g. p-priv-xxxxxxxxxx)

Your API keys are configured with permissions valid for your specific account. They are tied to you as a merchant.

Key Infix Sandbox key example Production key example
Public key pub s-pub-xxxxxxxxxx p-pub-xxxxxxxxxx
Private key priv s-priv-xxxxxxxxxx p-priv-xxxxxxxxxx

Depending on the resource and method used, you either need your public key or your private key to authenticate your request. For details on which features require a public key or a private key, as shown in the following table.

Endpoint POST GET PUT DELETE
/payments/authorize Private key Private key Not allowed Not allowed
/payments/charges Private key Private key Not allowed Not allowed
/payments/authorize/cancels Private key Private key Not allowed Not allowed
/payments/charges/cancels Private key Private key Not allowed Not allowed
/payments/shipments Private key Private key Not allowed Not allowed
/customers Public key Private key Public key Private key
/types/{paymentType} Public key Private key Not allowed Not allowed

See also

Check your key configuration: