Skip to main content

API key

You can create and manage API keys in the Backoffice (Production, Sandbox). Each environment requires its own key. All API requests must include your API key in the Authorization header using the Bearer scheme. 
curl https://api.pawapass.com/v2/verifications/ \
  -H "Authorization: Bearer YOUR_API_KEY"
Legacy API keys that use the X-AUTH-KEY header continue to work. See Key rotation for migration steps.

Environments

All endpoints use the same paths, only the base URL differs.
EnvironmentBase URL
Productionhttps://api.pawapass.com/v2
Sandboxhttps://api-sandbox1.pawapass.com/v2
Keep your API key secret. Do not expose it in client-side code or public repositories. All API calls should be made from your server.

Key rotation

Multiple API keys may be active at the same time, so you can rotate keys without downtime:
  1. Create a new key in the Backoffice.
  2. Update your integration to use the new key.
  3. Verify everything works correctly.
  4. Deactivate or delete the old key.

Migrating from legacy keys

Legacy keys use the X-AUTH-KEY header instead of Authorization: Bearer. When migrating, you need to switch both the key and the header.
  1. Create a new key in the Backoffice.
  2. Update your integration to use the new key with the Authorization: Bearer header.
  3. Verify everything works correctly.
  4. Deactivate or delete the legacy key.
Your legacy key may be shared across multiple integrations, since previously only one key could be issued per environment. Make sure all integrations have switched before deactivating it.
Legacy integrations used a single shared secret for both API authentication and webhook signing. These are now independent. Migrating your API key does not affect your webhook signing secret, and vice versa.

Error response

If the API key is missing or invalid, the API returns 401 Unauthorized: 
{
  "statusCode": 401,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized"
}