API keys

Every request to the Anton Payments API must include an API key in the Authorization header using the Bearer scheme:
Authorization: Bearer ak_test_your_key_here
API keys are created and managed in the merchant portal. Navigate to Settings > API Keys to generate, view, and revoke keys.

Key formats

API keys are prefixed to indicate their environment:
| Prefix | Environment | Purpose |
| --- | --- | --- |
| ak_test_ | Sandbox | Testing and development — no real money moves |
| ak_live_ | Production | Real payouts with real money |
Never expose live API keys. Store them in environment variables or a secrets manager. Never commit them to version control, embed them in client-side code, or log them.

Key management

You create, view, and revoke API keys through the merchant portal at Settings > API Keys. There is no API endpoint for key management — all key operations are performed in the portal.

Creating a key

  1. Log in to the merchant portal
  2. Navigate to Settings > API Keys
  3. Select the environment (sandbox or production)
  4. Click Create Key and give it a descriptive name (e.g., “Production server”, “Staging CI”)
The full API key is displayed once at creation time. We hash keys with SHA-256 before storage — we cannot retrieve the original key for you. Copy it immediately and store it in your secrets manager.

Revoking a key

If a key is compromised, revoke it immediately from the merchant portal:
  1. Navigate to Settings > API Keys
  2. Find the key and click Revoke
  3. Confirm the revocation
Revoked keys stop working immediately. There is no undo.

Security best practices

  • Create a new key, update your systems to use it, then revoke the old key. This limits exposure if a key is leaked.
  • Never use production keys in development. Create dedicated test keys for sandbox.
  • API keys should only be used from your backend servers. Never include them in mobile apps, browser JavaScript, or client-side code.
  • Review your API key list periodically in the merchant portal. Revoke any keys that are no longer in use or that you do not recognize.

Error responses

If authentication fails, you receive a 401 Unauthorized response:
{
  "error": {
    "code": 401,
    "message": "Invalid or missing API key"
  }
}
Common causes:
  • Missing Authorization header
  • Malformed header (must be Bearer <key>, not just the key)
  • Revoked key
  • Using a test key against the production URL (or vice versa)
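
An added example, not part of the Anton Payments documentation or any official SDK: a Python helper that reads the key from an environment variable, rejects a key whose prefix does not match the intended environment before any request is sent (the test/production mismatch listed above), and only ever reports a redacted form. The variable name ANTON_API_KEY and all function names are assumptions; the sample key is constructed.

```python
import os

# Prefixes documented on this page, mapped to their environment.
PREFIXES = {"sandbox": "ak_test_", "production": "ak_live_"}


class ApiKeyError(ValueError):
    """Raised when the configured key cannot be used safely."""


def redact(key: str) -> str:
    """Return a log-safe form: the environment prefix plus a fixed mask."""
    for prefix in PREFIXES.values():
        if key.startswith(prefix):
            return prefix + "****"
    return "****"


def load_key(environment: str, env=os.environ, var: str = "ANTON_API_KEY") -> str:
    """Read the key from `var` (an assumed name) and check its prefix."""
    if environment not in PREFIXES:
        raise ApiKeyError(f"unknown environment: {environment!r}")
    key = env.get(var, "").strip()  # drop a trailing newline from secret files
    if not key:
        raise ApiKeyError(f"{var} is not set")
    if any(c.isspace() for c in key):
        raise ApiKeyError("key contains whitespace; refusing to build a header")
    expected = PREFIXES[environment]
    if not key.startswith(expected) or len(key) == len(expected):
        # The message uses the redacted form so the secret never reaches logs.
        raise ApiKeyError(f"{redact(key)} is not a {environment} key (expected {expected})")
    return key


def auth_headers(key: str) -> dict:
    """Build the Authorization header in the Bearer scheme."""
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    sample = {"ANTON_API_KEY": "ak_test_constructed_sample_0001"}
    key = load_key("sandbox", env=sample)
    print("using key", redact(key))
    print("headers set:", sorted(auth_headers(key)))
```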