Skip to main content

Authentication

How authentication works

The Moyasar PG REST API uses Bearer authentication with acquirer API keys generated from the Acquirer Dashboard.

An acquirer API key has the following form:

acquirer_key_123

where 123 is a unique secure random string. The acquirer_key_ prefix is what identifies the token as an acquirer API key — send the full string, prefix included.

To authenticate an API call, add the following header to each request:

Authorization: Bearer <api_key>

Note: replace <api_key> with the actual key.

Every request authenticated with an acquirer API key is automatically scoped to your acquirer: the API only ever returns — and only ever modifies — merchants, orders, transactions, agreements, card authentications, payment controls, audit logs and EOD statements that belong to your acquirer. Resources of other acquirers behave as if they do not exist (HTTP 404).

If the key is missing, unknown or disabled, the API responds with HTTP 401:

{
"message": "Invalid authentication information"
}

Keys can additionally be restricted to a set of IP addresses — see IP Whitelisting.

Getting an API key

API keys are managed from the Acquirer Dashboard by any acquirer user holding the acquirer_api_keys_create permission:

  1. Log in to the Acquirer Dashboard.
  2. Navigate to API Keys and click Create.
  3. Give the key a description (e.g. "Reconciliation service").
  4. Select the permissions the key needs — grant only what the integration actually uses.
  5. Optionally restrict the key to your servers' IP addresses.
  6. Save, then copy the generated acquirer_key_... value into your integration's secret store.

Keys do not expire, but they can be disabled at any time from the same page (disabling is permanent — create a new key to rotate). The key's permissions and IP whitelist can be edited after creation by users holding acquirer_api_keys_update.

Keep it secret

The API key carries the full authority of the permissions granted to it. Store it in a secrets manager, never commit it to source control, and rotate it immediately if it leaks.

Permissions

Each API key carries an explicit set of permissions and is only allowed to call the services selected when the key was created. Calling an endpoint without the required permission returns HTTP 403:

{
"message": "Unauthorized"
}

A permission string is formed as <group>_<action>. The following permissions are available to acquirer API keys:

PermissionGrants
merchants_createCreate merchants
merchants_readList and retrieve merchants
merchants_updateUpdate, activate and deactivate merchants
merchants_deleteDelete merchants
merchant_users_createCreate merchant users (sends invitation emails)
merchant_users_readList and retrieve merchant users
merchant_users_updateUpdate merchant users and resend invitations
merchant_users_disableDisable merchant users
merchant_users_enableEnable merchant users
merchant_users_password_resetSend password reset emails to merchant users
orders_readList and retrieve orders, list transactions, and export transactions as CSV
3ds_readList and retrieve card authentications (3-D Secure)
agreements_readList and retrieve stored agreements
agreements_disableDisable stored agreements
payment_controls_createCreate payment controls
payment_controls_readList and retrieve payment controls
payment_controls_updateUpdate payment controls
payment_controls_deleteDelete payment controls
eod_list, eod_readList and download End-of-Day statements
audit_logs_readQuery the audit trail of your acquirer and its merchants

The current permission catalogue can also be fetched programmatically from GET /v1/acquirer/api_keys/permissions using any authenticated principal, including the API key itself.