Authentication
How to authenticate with the VINR API and manage your API keys securely.
API Keys
VINR uses API keys to authenticate requests. You can manage your keys from the Merchant Dashboard.
Key Types
| Key Type | Prefix | Usage |
|---|---|---|
| Public Key | pk_live_ / pk_test_ | Client-side checkout initialization |
| Secret Key | sk_live_ / sk_test_ | Server-side API calls |
Never expose your secret key in client-side code, public repositories, or browser network requests.
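One way to enforce this rule in CI or a pre-commit hook is to scan the repository for strings carrying the secret-key prefixes from the table above. This is an added example, not VINR code; the key-body pattern (8 or more letters, digits, or underscores after the prefix) and the list of client-side file suffixes are assumptions.

```python
import re
import sys
from pathlib import Path

# Prefixes are from the Key Types table. The body pattern is an assumption:
# 8+ letters, digits, or underscores. Public keys (pk_*) are not flagged.
SECRET_KEY_RE = re.compile(r"\bsk_(live|test)_[A-Za-z0-9_]{8,}")
CLIENT_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".html", ".vue"}  # assumption

def redact(token: str) -> str:
    """Keep the prefix and last 4 characters so findings are safe to log."""
    return token[: token.index("_", 3) + 1] + "..." + token[-4:]

def scan_text(text: str, source: str = "<memory>") -> list:
    """Return one finding per secret-key match, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "mode": m.group(1),  # "live" or "test"
                "key": redact(m.group(0)),
                "client_side": Path(source).suffix in CLIENT_SUFFIXES,
            })
    return findings

def scan_tree(root: str) -> list:
    """Scan every file under root, skipping the .git directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample: client-side code that wrongly embeds a secret key.
SAMPLE = '''
const publicKey = "pk_test_EXAMPLEpublic0001";
const apiKey = "sk_test_EXAMPLEsecret0002";
'''

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "checkout.js")
    for hit in hits:
        print(hit)
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job or commit
```

A finding with `mode` set to `live` means the key should be revoked and replaced using the rotation steps on this page, since removing it from the file does not remove it from repository history.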
Authentication Header
Include your secret key in the Authorization header:
Key Rotation
Rotate keys regularly for security:
- Generate a new key in the dashboard
- Update your application to use the new key
- Verify the new key works in production
- Revoke the old key
IP Allowlisting
For additional security, restrict API access to specific IP addresses:
- Go to Settings → Security → IP Allowlist
- Add your server's IP addresses
- Enable the allowlist
Requests from non-allowlisted IPs will be rejected with a 403 Forbidden response.
Rate Limits
| Endpoint | Limit |
|---|---|
| Payment creation | 100 req/min |
| Payment status | 300 req/min |
| Refunds | 50 req/min |
| General | 1000 req/min |
Rate-limited responses return 429 Too Many Requests with a Retry-After header.