1. Getting Started
Casharc
Merchant
  • Merchant
  • Getting Started
    • Introduction
    • Authentication
    • Quickstart
  • Core Concepts
    • Statuses
    • Reason Codes
  • Guides
    • Idempotency
    • Metadata
  • Payments
    • Create Payment
      POST
    • List Payments
      GET
    • Retrieve Payment
      GET
    • Confirm Payment
      POST
    • Cancel Payment
      POST
    • Refund Payment
      POST
  • Payouts
    • Create Payout
      POST
    • List Payouts
      GET
    • Retrieve Payout
      GET
    • Cancel Payout
      POST
  • Appeals
    • Create Appeal
      POST
    • List Appeals
      GET
    • Retrieve Appeal
      GET
    • Cancel Appeal
      POST
  • Balance
    • Retrieve Balance
      GET
  • Webhook
    • Verifying webhooks
    • On Status Change
  1. Getting Started

Authentication

Casharc authenticates API requests with a secret API key, passed as a bearer token.
Every request must include a valid key; requests without one are rejected.

API keys#

Create an API key in your project settings. On creation you receive your secret key, shown only once. Casharc stores only a hash of it and can never show it to you again — if you lose it, rotate the key and update your integration.
Keep your secret key server-side. Never expose it in client-side code, mobile apps, or public repositories. Anyone with your key can act as your project.

Authenticating a request#

Pass your secret key as a bearer token in the Authorization header:
Authorization: Bearer csh_your_secret_key
Example:

IP allow-listing (optional)#

For an additional layer of protection, you can restrict a key to one or more allow-listed IP addresses in your project settings. Once an allow-list is set, requests from any other address are rejected, even with a valid key. This is optional — a key is fully functional without an allow-list.
You can add individual IPv4 addresses or CIDR ranges (for example, 203.0.113.7 or 203.0.113.0/24). If you enable an allow-list, make sure your integration calls the API from a static, known IP address or range; for dynamic or serverless networking, route outbound traffic through a fixed egress IP (for example, a NAT gateway) and allow-list that.

Request signing#

Casharc does not require you to sign API requests. Your secret key, sent over HTTPS, is sufficient to authenticate every call. (Signing applies in the opposite direction: Casharc signs the webhooks it sends to you, so your endpoint can verify their authenticity.)

Permissions#

Each API key carries a set of permissions that control which endpoints it may call — for example, creating payments versus only reading them. There is no all-powerful key: grant a key the minimum permissions its integration needs, and use separate keys for separate integrations.
Previous
Introduction
Next
Quickstart
Built with