Authentication
How to authenticate with the VINR API and manage your API keys securely.
API KeysAsk
VINR uses API keys to authenticate requests. You can manage your keys from the Merchant Dashboard.
Key Types
| Key Type | Prefix | Usage |
|---|---|---|
| Public Key | pk_live_ / pk_test_ | Client-side checkout initialization |
| Secret Key | sk_live_ / sk_test_ | Server-side API calls |
Never expose your secret key in client-side code, public repositories, or browser network requests.
Authentication HeaderAsk
Include your secret key in the Authorization header:
curl -X POST https://api.vinr.com/v1/payments \
-H "Authorization: Bearer sk_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{"amount": 1000, "currency": "EUR"}'Key RotationAsk
Rotate keys regularly for security:
- Generate a new key in the dashboard
- Update your application to use the new key
- Verify the new key works in production
- Revoke the old key
IP AllowlistingAsk
For additional security, restrict API access to specific IP addresses:
- Go to Settings → Security → IP Allowlist
- Add your server's IP addresses
- Enable the allowlist
Requests from non-allowlisted IPs will be rejected with a 403 Forbidden response.
Rate LimitsAsk
| Endpoint | Limit |
|---|---|
| Payment creation | 100 req/min |
| Payment status | 300 req/min |
| Refunds | 50 req/min |
| General | 1000 req/min |
Rate-limited responses return 429 Too Many Requests with a Retry-After header.
Was this page helpful?
Edit on GitHub
Last updated on
