Authentication
Every request to the Yusker Payments API is authenticated with an API key over HTTP Basic auth and TLS.
API keys
An API key is a username:secret pair scoped to one application and one environment (sandbox or live). Send it as HTTP Basic credentials on every request. Keys are shown once at creation — store the secret in a vault, never in client code or version control.
curl -u "USxxxxxxxx:secret" \
  https://api.yusker.com/v1/merchants
Environments
- Sandbox — https://api.sandbox.yusker.com/v1. Test cards, no real money, no signed agreement required.
- Live — https://api.yusker.com/v1. Real funds movement; requires an approved application.
Keys are environment-specific and never interchangeable. A sandbox key cannot move real money.
Keep secrets server-side
The Yusker Payments API must only be called from your backend. To collect card details in the browser, use yusker.js tokenization, which returns a single-use token you exchange for a Payment Instrument server-side — keeping you out of PCI cardholder-data scope.
Rotating keys
Create a new key, deploy it, then revoke the old one — keys can overlap so rotation is zero-downtime. Revoked keys stop working immediately.
Errors
A missing or invalid key returns 401 Unauthorized; a key without access to a resource returns 403 Forbidden.
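An added example (not Yusker's own code) of a backend helper that loads the key from the process environment, builds the Basic-auth request against the key's own environment, and maps the 401 and 403 responses above to an operator action. The YUSKER_* variable names, the ApiKey class and the function names are assumptions made for this example.

```python
import base64
import os
from dataclasses import dataclass, field
from urllib.request import Request

# Base URLs as documented on this page.
BASE_URLS = {
    "sandbox": "https://api.sandbox.yusker.com/v1",
    "live": "https://api.yusker.com/v1",
}

@dataclass(frozen=True)
class ApiKey:
    environment: str                  # "sandbox" or "live"
    key_id: str                       # the username half of the pair
    secret: str = field(repr=False)   # excluded from repr() so it cannot leak into logs

def load_key(env=os.environ):
    """Read the key from the process environment, where a vault agent or
    deploy tool is assumed to inject it. The variable names are assumptions."""
    try:
        key = ApiKey(env["YUSKER_ENV"], env["YUSKER_KEY_ID"], env["YUSKER_KEY_SECRET"])
    except KeyError as missing:
        raise RuntimeError(f"missing configuration: {missing}") from None
    if key.environment not in BASE_URLS:
        raise RuntimeError(f"unknown environment: {key.environment!r}")
    return key

def build_request(key, path):
    """Build (but do not send) an authenticated request. The base URL comes
    from the key's own environment, so a sandbox key never goes to the live host."""
    url = BASE_URLS[key.environment] + "/" + path.lstrip("/")
    token = base64.b64encode(f"{key.key_id}:{key.secret}".encode()).decode()
    return Request(url, headers={"Authorization": "Basic " + token})

def classify_auth_error(status):
    """Map the two documented auth failures to an operator action."""
    if status == 401:
        # Assumption: a revoked key is reported the same way as an invalid one.
        return "key missing or invalid: check deployment and rotation state"
    if status == 403:
        return "key valid but lacks access to this resource"
    return None
```
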