Authentication

Every request to the Yusker Payments API is authenticated with an API key over HTTP Basic auth and TLS.

API keys

An API key is a username:secret pair scoped to one application and one environment (sandbox or live). Send it as HTTP Basic credentials on every request. Keys are shown once at creation — store the secret in a vault, never in client code or version control.

curl -u "USxxxxxxxx:secret" \
  https://api.yusker.com/v1/merchants

Environments

  • Sandbox: https://api.sandbox.yusker.com/v1. Test cards, no real money, no signed agreement required.
  • Live: https://api.yusker.com/v1. Real funds movement; requires an approved application.

Keys are environment-specific and never interchangeable. A sandbox key cannot move real money.

Keep secrets server-side

The Yusker Payments API must only be called from your backend. To collect card details in the browser, use yusker.js tokenization, which returns a single-use token you exchange for a Payment Instrument server-side — keeping you out of PCI cardholder-data scope.

Rotating keys

Create a new key, deploy it, then revoke the old one — keys can overlap so rotation is zero-downtime. Revoked keys stop working immediately.
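
An added example, not Yusker's own code: one way to confirm where a rotation stands by probing GET /merchants (the endpoint from the curl example above) with both keys before and after revoking. It assumes both keys may read that resource; the function names and the injectable `get_status` transport are hypothetical, and the caller supplies each (username, secret) pair from its vault.

```python
import base64
import urllib.error
import urllib.request

# Base URLs as listed under "Environments" on this page.
BASE_URLS = {
    "sandbox": "https://api.sandbox.yusker.com/v1",
    "live": "https://api.yusker.com/v1",
}

def basic_header(username, secret):
    """Build the HTTP Basic value that `curl -u username:secret` sends."""
    pair = f"{username}:{secret}".encode()
    return "Basic " + base64.b64encode(pair).decode()

def http_status(url, headers):
    """Default transport: GET the URL over TLS and return the status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and 403 arrive as HTTPError

def check_key(env, key, get_status=http_status):
    """Probe GET /merchants with one (username, secret) pair."""
    status = get_status(BASE_URLS[env] + "/merchants",
                        {"Authorization": basic_header(*key)})
    if status == 401:
        return "invalid"    # missing, wrong or revoked key
    if status == 403:
        return "forbidden"  # key lacks access to the resource
    return "ok" if 200 <= status < 300 else f"unexpected:{status}"

def rotation_state(env, new_key, old_key, get_status=http_status):
    """Report where a rotation stands from what the API answers."""
    new = check_key(env, new_key, get_status)
    old = check_key(env, old_key, get_status)
    if new != "ok":
        return "new-key-failing"  # keep the old key; do not revoke yet
    if old == "ok":
        return "overlap"          # both work: safe to revoke the old key
    if old == "invalid":
        return "complete"         # old key now returns 401
    return "old-key-" + old       # anything else needs a look
```

Revoke the old key only when the result is "overlap", then run the check again and expect "complete".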

Errors

A missing or invalid key returns 401 Unauthorized; a key without access to a resource returns 403 Forbidden.