Getting Started
Authentication
The ExpressPayments API uses two kinds of credentials: API keys for backend requests, and webhook signing secrets to verify events you receive.
API keys
API keys live in the dashboard under Developers → API keys. Each key is scoped to a single mode.
| Key | Where it goes | Mode |
|---|---|---|
pk_test_… | Browser, mobile clients | Test |
pk_live_… | Browser, mobile clients | Live |
sk_test_… | Server only | Test |
sk_live_… | Server only | Live |
Making authenticated requests
Pass your secret key as the username in HTTP basic auth. The password is empty.
terminal
curl https://api.expresspayments.ai/v1/customers \
u sk_live_4f8a... :Verifying webhook signatures
Every webhook event includes an EP-Signature header. Verify it using the signing secret from your endpoint configuration.
verify.ts
import { createHmac, timingSafeEqual } from "crypto";
export function verify(payload: string, header: string, secret: string) {
const [t, v] = header.split(",").map((p) => p.split("=")[1]);
const expected = createHmac("sha256", secret)
.update(`${t}.${payload}`)
.digest("hex");
return timingSafeEqual(Buffer.from(v), Buffer.from(expected));
}Connect access tokens
For platforms with multiple sellers, each connected account is identified by an ep_account ID. Pass it as the EP-Account header to act on behalf of that account.
terminal
curl https://api.expresspayments.ai/v1/charges \
u sk_live_4f8a... : \
-H "EP-Account: ep_acct_18cQX..." \
-d amount=2400 -d currency=usd -d source=tok_visa