Authentication

How to authenticate with the VINR API and manage your API keys securely.

API Keys

VINR uses API keys to authenticate requests. You can manage your keys from the Merchant Dashboard.

Key Types

Key TypePrefixUsage
Public Keypk_live_ / pk_test_Client-side checkout initialization
Secret Keysk_live_ / sk_test_Server-side API calls

Never expose your secret key in client-side code, public repositories, or browser network requests.

Authentication Header

Include your secret key in the Authorization header:

curl -X POST https://api.vinr.com/v1/payments \
  -H "Authorization: Bearer sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"amount": 1000, "currency": "EUR"}'

Key Rotation

Rotate keys regularly for security:

  1. Generate a new key in the dashboard
  2. Update your application to use the new key
  3. Verify the new key works in production
  4. Revoke the old key

IP Allowlisting

For additional security, restrict API access to specific IP addresses:

  1. Go to Settings → Security → IP Allowlist
  2. Add your server's IP addresses
  3. Enable the allowlist

Requests from non-allowlisted IPs will be rejected with a 403 Forbidden response.

Rate Limits

EndpointLimit
Payment creation100 req/min
Payment status300 req/min
Refunds50 req/min
General1000 req/min

Rate-limited responses return 429 Too Many Requests with a Retry-After header.

Next

Getting Started

On this page

API KeysKey TypesAuthentication HeaderKey RotationIP AllowlistingRate Limits
Edit on GitHub