Authentication

All Payments Central API requests are authenticated using API keys passed as Bearer tokens.

API keys

Payments Central uses API keys to authenticate requests. Every API key belongs to a merchant account and carries a set of scopes that restrict what it can do.

Key prefix	Environment	Real money	Cost
`pc_test_`	Sandbox (UAT)	No	Free
`pc_live_`	Production	Yes	Transaction fees apply

Sending the API key

Include your API key in the Authorization header on every request:

Authorization: Bearer pc_test_YOUR_KEY

Example with curl:

curl https://api.uat.payments-central.com/api/v1/transactions \
  -H "Authorization: Bearer pc_test_YOUR_KEY"

Never send keys in URLs Don't include API keys in query parameters or URLs — they appear in server logs and browser history. Always use the Authorization header.

Creating a key

Log in to core.payments-central.com
Go to Settings → API Keys → Create key
Give it a descriptive name (e.g. Backend service — production)
Choose the environment (sandbox or production)
Select the required scopes (see below)
Copy the key immediately — it won't be shown again

Scopes

Scopes limit what an API key can do. Follow the principle of least privilege: grant only the scopes your integration needs.

Scope	Allows
`transactions:write`	Create charges and refunds
`transactions:read`	List and retrieve transaction details
`ledger:read`	Read accounts, journal entries, trial balance
`ledger:write`	Create accounts and manual journal entries
`fraud:evaluate`	Call the fraud evaluation endpoint
`webhooks:manage`	Configure webhook endpoints
`sandbox`	Sandbox access (automatically set for `pc_test_` keys)

Key rotation

Rotate keys regularly and whenever you suspect a key may be compromised. Payments Central supports zero-downtime rotation:

Create a new key from the dashboard
Deploy your application with the new key
Revoke the old key from the dashboard once traffic has shifted

Revoked keys return 401 Unauthorized immediately on all requests.

Storing keys securely

Best practices for API key storage:

Store in environment variables (PC_API_KEY), not in code
Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) in production
Add *.env and .env.local to .gitignore
Use separate keys per environment (dev, staging, production)
Use separate keys per service when using microservices

Server-side only API keys must only be used in server-side code. Never embed them in frontend JavaScript, mobile apps, or any code that runs on a client device.

Authentication errors

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "error": "unauthorized",
  "details": "Invalid or missing API key"
}

Common causes:

Missing Authorization header
Using a sandbox key (pc_test_) against the production URL
Key has been revoked or expired
Whitespace or extra characters in the key value