Skip to main content

Authentication

Plug’s API services are protected through access keys. You can manage your access keys through your dashboard.

It is important to store your keys privately and safely since they have modification privileges in your account. Do not share your keys, do not leave them fixed in your code, and do not store them on your version control server. We recommend using secret environment variables to make the key available to your application.

::info Authentication for all API calls is done through HTTP headers, requiring you to enter your Plug client identifier and secret access key. :::

  curl --location --request GET 'https://api.plugpagamentos.com/v1/' \
--header 'X-Client-Id: <YOUR_CLIENT_ID>' \
--header 'X-Api-Key: <YOUR_SECRET_KEY>'

Client Token

You can create temporary public keys to access the API with limited scope and expiration time.

We recommend using this type of key when you need to expose the key in a client-side application.

tip

In this case, you should make a call to the /auth service from your secret key, requesting the creation of a public key with limited scope.

  curl --location --request POST 'https://api.plugpagamentos.com/v1/auth' \
--header 'X-Client-Id: <YOUR_CLIENT_ID>' \
--header 'X-Api-Key: <YOUR_SECRET_KEY>' \
--header 'Content-Type: application/json' \
--data-raw '{
"scope":["tokens"],
"expires": 31104000"
}'

< HTTP/2 201
< content-type: application/json; charset=utf-8
{
"clientId":"<YOUR_CLIENT_ID>",
"publicKey":"<YOUR_PUBLIC_KEY>",
"scope":["tokens"],
"expires": 31104000,
"createdAt": "20200110 00:00:00"
}
caution

The created public key can be used normally as if it were your account's secret key, but with the scope restriction and being invalidated upon expiration.

  curl --location --request GET 'https://api.plugpagamentos.com/v1/tokens' \
--header 'X-Client-Id: <YOUR_CLIENT_ID>' \
--header 'X-Api-Key: <YOUR_PUBLIC_KEY>'