To integrate QUID into your website or application, you must generate at least one API key and secret pair.
The API key serves two purposes:
- It authorizes your website to accept QUID payment requests, and,
- It associates your website with your merchant ID. Every key has a list of origin URLs that restrict where the keys can be used.
API keys are publicly visible and do not need to be secured.
The API secret is used for advanced authentication and receipt verification. This must be treated as sensitive information, and be secured appropriately.
Test and live keys
There are two types of API keys,
live. When you get started you can only use
test API keys. This protects your users from accidentally using real money on your website during the testing phase.
You can switch to a
live API key by submitting a Go Live application. Note that
live API keys must use secure
Creating your key and secret
- First, go to the merchant dashboard (click the Merchant button on the menu bar.)
- Scroll down to the API Keys section and click the + button to create a new API key. An API secret will also be generated for you.
- Add an origin for each website you want to use with this key. This must be a URL such as, https://myveganblog.com.
Securing your API secret
As mentioned above, your API secret should be considered sensitive data, and not be widely shared.
For payment verifications, you do need only the SHA256 hash of the key, and not the key itself. It is safer to pre-calculate the hash and distribute it to your applications than distributing the actual key.