
API keys

Every request to the Anton Payments API must include an API key in the Authorization header using the Bearer scheme:
Authorization: Bearer ak_test_your_key_here

Key formats

API keys are prefixed to indicate their environment:
| Prefix | Environment | Purpose |
|---|---|---|
| ak_test_ | Sandbox | Testing and development — no real money moves |
| ak_live_ | Production | Real payouts with real money |
Never expose live API keys. Store them in environment variables or a secrets manager. Never commit them to version control, embed them in client-side code, or log them.

Key management

You can create, list, and revoke API keys through the API or the merchant dashboard.

Create a key

curl https://api.antonpayments.com/v1/api-keys \
  -X POST \
  -H "Authorization: Bearer ak_test_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production server",
    "environment": "live"
  }'
The full API key is only returned once at creation time. We hash keys with SHA-256 before storage — we cannot retrieve the original key for you. Save it securely immediately.

Revoke a key

If a key is compromised, revoke it immediately:
curl https://api.antonpayments.com/v1/api-keys/key_abc123/revoke \
  -X POST \
  -H "Authorization: Bearer ak_test_your_key_here"
Revoked keys stop working immediately. There is no undo.

Security best practices

  • Rotate keys: create a new key, update your systems to use it, then revoke the old key. This limits exposure if a key is leaked.
  • Never use production keys in development. Create dedicated test keys for sandbox.
  • API keys should only be used from your backend servers. Never include them in mobile apps, browser JavaScript, or client-side code.
  • Review your API key list periodically. Revoke any keys that are no longer in use or that you don’t recognize.

Error responses

If authentication fails, you’ll receive a 401 Unauthorized response:
{
  "error": {
    "code": 401,
    "message": "Invalid or missing API key"
  }
}
Common causes:
  • Missing Authorization header
  • Malformed header (must be Bearer <key>, not just the key)
  • Revoked or expired key
  • Using a test key against production (or vice versa)
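
The Python helper below is an added example, not code from Anton Payments. It loads the key from an environment variable, refuses to build the Authorization header when the key prefix does not match the target environment, keeps the key out of error messages, and maps a header value to the causes above that can be checked locally. The variable name ANTON_API_KEY and the environment labels sandbox and production are assumptions of this example.

```python
import os

# Prefixes from the key-format table; the environment labels are this example's own.
PREFIXES = {"sandbox": "ak_test_", "production": "ak_live_"}


class KeyConfigError(ValueError):
    """Raised before any request is sent, so a bad key never leaves the host."""


def redact(key):
    """Return a log-safe form that keeps only the environment prefix."""
    for prefix in PREFIXES.values():
        if key.startswith(prefix):
            return prefix + "****"
    return "****"


def auth_headers(environment, env_var="ANTON_API_KEY", environ=None):
    """Build the Authorization header from an environment variable.

    env_var is an assumed variable name; environ can be injected for testing.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if not key:
        raise KeyConfigError(f"{env_var} is not set")
    if not key.startswith(PREFIXES[environment]):
        raise KeyConfigError(
            f"key {redact(key)} does not match the {environment} environment"
        )
    return {"Authorization": f"Bearer {key}"}


def diagnose_header(value, environment):
    """Return the locally detectable 401 cause for a header value, or None."""
    if not value:
        return "missing Authorization header"
    scheme, _, key = value.partition(" ")
    if scheme != "Bearer" or not key.strip():
        return "malformed header (must be Bearer <key>)"
    if not key.startswith(PREFIXES[environment]):
        return "key environment does not match the target environment"
    return None  # a revoked or expired key can only be detected by the server


if __name__ == "__main__":
    fake = {"ANTON_API_KEY": "ak_test_constructed_sample"}  # constructed, not a real key
    print(redact(auth_headers("sandbox", environ=fake)["Authorization"][7:]))
```
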