Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iterapay.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

API keys are how your application authenticates with the IteraPay API. Every request you make on behalf of your merchant account must include an active API key in the Authorization header. This page walks you through generating a key, checking its status, and revoking it when needed.
API keys are scoped to a single merchant. Each merchant account can have only one active API key at a time. If you generate a new key, the previous key is immediately invalidated.

Generating an API key

To start accepting payments, you need to generate an API key for your merchant account. You must authenticate this request with your Bearer token (JWT), which you receive when you log in.
1

Authenticate with your Bearer token

Make sure you have a valid JWT from your IteraPay login session. You’ll include this in the Authorization header as Bearer <your-jwt>.
2

Call the generate endpoint

Send a POST request to /key/generate/{merchantID}, replacing {merchantID} with your merchant ID.
generate-api-key.sh
curl --request POST \
  --url https://api.iterapay.com/key/generate/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN'
3

Store the returned key securely

The response contains your API key value. Copy it immediately and store it in a secure secrets manager or environment variable — IteraPay does not display the full key again after this point.
response
{
  "apiKey": "ipa_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Generating a new API key immediately revokes the previous key. Any running integrations using the old key will begin receiving authentication errors. Rotate keys during a maintenance window or update your application before generating a replacement.

Viewing key information

You can retrieve metadata about your current API key — such as when it was created and when it was last used — without exposing the key value itself. Use this to audit key activity or verify a key exists.
get-key-info.sh
curl --request GET \
  --url https://api.iterapay.com/key/info/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN'
The response includes fields like createdAt and lastUsedAt:
response
{
  "createdAt": "2026-03-15T10:22:00Z",
  "lastUsedAt": "2026-05-07T18:45:12Z"
}
If you notice a lastUsedAt timestamp from a time when you didn’t make any requests, your key may be compromised. Revoke it immediately and generate a new one.

Using your API key in requests

Once you have an API key, include it in the X-Api-Key header on every API request:
authenticated-request.sh
curl --request GET \
  --url https://api.iterapay.com/merchants/YOUR_MERCHANT_ID/invoices \
  --header 'X-Api-Key: ipa_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Store your API key in an environment variable (e.g., ITERAPAY_API_KEY) rather than hardcoding it in your application. This makes key rotation easier and avoids accidental exposure in version control.

Revoking an API key

Revoke your API key when you suspect it has been compromised, when offboarding a system that uses it, or as part of a planned key rotation. Once revoked, all requests using that key will fail until you generate a new one.
revoke-api-key.sh
curl --request DELETE \
  --url https://api.iterapay.com/key/revoke/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN'
A successful revocation returns 204 No Content with an empty response body. After revoking, you can immediately generate a new key using the generate endpoint described above.

Request and response reference

POST /key/generate/{merchantID}

merchantID
string
required
Your unique merchant identifier.
Authorization
string
required
Bearer JWT token from your login session. Format: Bearer <token>.
Response
apiKey
string
required
The newly generated API key. Store this value securely — it is not retrievable after this response.

GET /key/info/{merchantID}

merchantID
string
required
Your unique merchant identifier.
Authorization
string
required
Bearer JWT token. Format: Bearer <token>.
Response
createdAt
string
ISO 8601 timestamp of when the current key was generated.
lastUsedAt
string
ISO 8601 timestamp of the most recent authenticated request using this key.

DELETE /key/revoke/{merchantID}

merchantID
string
required
Your unique merchant identifier.
Authorization
string
required
Bearer JWT token. Format: Bearer <token>.
Returns 204 No Content on success.