Getting Started

Authentication

The ExpressPayments API uses two kinds of credentials: API keys for backend requests, and webhook signing secrets to verify events you receive.

API keys

API keys live in the dashboard under Developers → API keys. Each key is scoped to a single mode.

KeyWhere it goesMode
pk_test_…Browser, mobile clientsTest
pk_live_…Browser, mobile clientsLive
sk_test_…Server onlyTest
sk_live_…Server onlyLive

Making authenticated requests

Pass your secret key as the username in HTTP basic auth. The password is empty.

terminal
curl https://api.expresspayments.ai/v1/customers \
  u sk_live_4f8a... :

Verifying webhook signatures

Every webhook event includes an EP-Signature header. Verify it using the signing secret from your endpoint configuration.

verify.ts
import { createHmac, timingSafeEqual } from "crypto";

export function verify(payload: string, header: string, secret: string) {
  const [t, v] = header.split(",").map((p) => p.split("=")[1]);
  const expected = createHmac("sha256", secret)
    .update(`${t}.${payload}`)
    .digest("hex");
  return timingSafeEqual(Buffer.from(v), Buffer.from(expected));
}

Connect access tokens

For platforms with multiple sellers, each connected account is identified by an ep_account ID. Pass it as the EP-Account header to act on behalf of that account.

terminal
curl https://api.expresspayments.ai/v1/charges \
  u sk_live_4f8a... : \
  -H "EP-Account: ep_acct_18cQX..." \
  -d amount=2400 -d currency=usd -d source=tok_visa