
API Authentication

How to authenticate requests to the Anton Payments API using API keys, including key formats, Bearer token usage, and sandbox vs production keys.

Written by Ryan O
Updated today

Overview

Every request to the Anton Payments API must be authenticated using an API key. Keys are passed in the Authorization header using the Bearer scheme.

Using Your API Key

Include your API key in the Authorization header of every request:

curl https://api.antonpayments.dev/v1/payouts \
  -H "Authorization: Bearer ak_test_your_key_here"

The header format is Authorization: Bearer {your_api_key}. The word "Bearer" followed by a space and your key is required -- do not send the key alone.

API Key Formats

API keys are prefixed to indicate their environment:

Prefix      Environment   Purpose
ak_test_    Sandbox       Testing and development -- no real money moves
ak_live_    Production    Real payouts with real money

Sandbox keys only work against the sandbox API (api.antonpayments.dev). Production keys only work against the production API (api.antonpayments.com). Using a key against the wrong environment returns a 401 Unauthorized error.

Creating API Keys

API keys are created and managed in the merchant portal:

  1. Log in to the merchant portal at app.antonpayments.com

  2. Navigate to Settings > API Keys

  3. Select the environment (sandbox or production)

  4. Click Create Key and give it a descriptive name (e.g., "Production server", "Staging CI")

Important: The full API key is displayed only once, at creation time. Anton stores only a SHA-256 hash of each key, so the original cannot be recovered for you later. Copy it immediately and put it in your secrets manager; if it is lost, create a new key and revoke the lost one.

Revoking API Keys

If a key is compromised, revoke it immediately from the merchant portal:

  1. Navigate to Settings > API Keys

  2. Find the key and click Revoke

  3. Confirm the revocation

Revoked keys stop working immediately. There is no undo.
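To make concrete why a key can be shown only once and why a revoked key fails on its very next request, here is a toy server-side key store. It is added as an illustration and is not Anton's code: the page says only that keys are hashed with SHA-256 before storage, are displayed once, and stop working immediately on revocation. The key length, the record fields, the key id and the in-memory dict are assumptions for the demo.

```python
"""What 'hashed with SHA-256 before storage' means in practice.

Added illustration, not Anton's implementation. From the page: SHA-256 at
rest, key shown once, revocation is immediate, sandbox/production split.
Assumed for the demo: key length, record fields, key id, in-memory dict.
"""
import hashlib
import secrets
from typing import Dict, List, Optional

PREFIXES = {"sandbox": "ak_test_", "production": "ak_live_"}


def hash_key(api_key: str) -> str:
    """SHA-256 hex digest of the key: the only form that is ever stored."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class KeyStore:
    def __init__(self) -> None:
        # digest -> record. Plaintext keys never enter this structure, so a
        # leaked copy of it cannot be used to call the API.
        self._records: Dict[str, dict] = {}

    def create_key(self, environment: str, name: str) -> str:
        """Mint a key and return the plaintext exactly once; only its hash is kept."""
        prefix = PREFIXES[environment]
        # 24 random bytes -> 32 url-safe chars; the length is an assumption.
        api_key = prefix + secrets.token_urlsafe(24)
        record = {
            "id": secrets.token_hex(4),  # assumed portal-visible identifier
            "name": name,
            "environment": environment,
            "revoked": False,
        }
        self._records[hash_key(api_key)] = record
        return api_key

    def authenticate(self, authorization: Optional[str], environment: str) -> Optional[dict]:
        """Resolve a raw Authorization header to a key record; None means 401.

        Each failure path maps to one of the common causes of a 401: missing
        header, malformed header, unknown or revoked key, wrong environment.
        """
        if not authorization:
            return None
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        # Lookup is by digest, so the presented plaintext is hashed and dropped.
        # Even if lookup timing leaked digest bits, SHA-256 being one-way means
        # they would not reveal the key, so no constant-time compare is needed.
        record = self._records.get(hash_key(token))
        if record is None or record["revoked"]:
            return None
        if record["environment"] != environment:
            return None
        return record

    def revoke(self, key_id: str) -> bool:
        """Revoke by id; the next authenticate() call already fails. No undo."""
        for record in self._records.values():
            if record["id"] == key_id and not record["revoked"]:
                record["revoked"] = True
                return True
        return False

    def list_keys(self) -> List[dict]:
        """What a portal can show: metadata only, never the key itself."""
        return [dict(r) for r in self._records.values()]
```

Because only the digest is stored, "display once" is not a policy choice but a consequence of the data model: after create_key() returns, nothing in the store can reproduce the plaintext.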

Authentication Errors

If authentication fails, the API returns a 401 Unauthorized response:

{
  "error": {
    "code": 401,
    "message": "Invalid or missing API key"
  }
}

Common causes:

  • Missing Authorization header

  • Malformed header (must be Bearer {key}, not just the key)

  • Revoked or expired key

  • Using a test key against the production URL (or vice versa)
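A small client helper that puts the rules on this page into code. It is added here as an example and is not part of Anton's documentation or any official SDK. From the page: the Bearer header format, the ak_test_/ak_live_ prefixes, the two API hosts and the 401 body above. Assumed for the demo: the ANTON_API_KEY variable name and the request payload shape. It loads the key from the environment, refuses to send a key to the wrong environment's host before the request leaves the machine, builds the exact header, redacts the key for log lines, and turns the 401 body into an exception carrying the API's message.

```python
"""Client-side helper for Anton Payments API authentication.

Added example, not Anton's SDK. From the page: the Bearer header format, the
ak_test_/ak_live_ prefixes, the two API hosts and the 401 error body.
Assumed for the demo: the ANTON_API_KEY variable name and the payload shape.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Dict, Optional
from urllib.parse import urlparse

# Key prefix -> the only host that key is valid against (from the page).
ENVIRONMENTS = {
    "ak_test_": "api.antonpayments.dev",  # sandbox, no real money moves
    "ak_live_": "api.antonpayments.com",  # production, real payouts
}


def key_environment(api_key: str) -> Optional[str]:
    """Host the key belongs to, judged by its prefix; None for an unknown format."""
    for prefix, host in ENVIRONMENTS.items():
        if api_key.startswith(prefix):
            return host
    return None


def check_key_matches_url(api_key: str, url: str) -> bool:
    """True when the key's environment matches the host in url.

    The API answers a mismatch with 401 anyway; checking locally stops a
    production key from ever being sent to the sandbox host, or vice versa.
    """
    expected = key_environment(api_key)
    return expected is not None and urlparse(url).hostname == expected


def build_auth_header(api_key: str) -> Dict[str, str]:
    """Exactly 'Authorization: Bearer {key}', as the API requires."""
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key must be non-empty and contain no whitespace")
    return {"Authorization": f"Bearer {api_key}"}


def redact_key(api_key: str) -> str:
    """Log-safe form: environment prefix plus the last four characters only."""
    prefix = next((p for p in ENVIRONMENTS if api_key.startswith(p)), "")
    return f"{prefix}...{api_key[-4:]}"


def parse_auth_error(body: bytes) -> Optional[str]:
    """Pull the message out of the 401 JSON body the API returns, if it is one."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    err = data.get("error") if isinstance(data, dict) else None
    if isinstance(err, dict) and err.get("code") == 401:
        return err.get("message")
    return None


def load_key_from_env(var: str = "ANTON_API_KEY") -> str:
    """Read the key from the environment; never from source code."""
    key = os.environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    return key


def call_api(api_key: str, url: str, payload: Optional[dict] = None) -> dict:
    """Send an authenticated request; surface the API's message on 401."""
    if not check_key_matches_url(api_key, url):
        raise ValueError(f"key {redact_key(api_key)} is not valid for {url}")
    headers = build_auth_header(api_key)
    data = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            msg = parse_auth_error(exc.read()) or "Unauthorized"
            # The redacted key is enough to find the key in the portal's list.
            raise PermissionError(f"401 using key {redact_key(api_key)}: {msg}") from exc
        raise


if __name__ == "__main__":
    # Sandbox-only smoke test; needs network access and a real ak_test_ key.
    print(call_api(load_key_from_env(), "https://api.antonpayments.dev/v1/payouts"))
```

The local environment check is the useful part: a 401 from the API tells you only that something is wrong with the key, whereas the ValueError raised here names the mismatch before any key touches the wire.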

Security Best Practices

  • Store keys securely -- Use environment variables or a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault). Never hardcode keys in your source code.

  • Server-side only -- API keys must only be used from backend servers. Never expose them in browser JavaScript, mobile apps, or client-side code.

  • Use separate keys per environment -- Never use production keys in development or staging.

  • Rotate keys regularly -- Create a new key, update your systems, then revoke the old key.

  • Monitor key usage -- Review your API key list periodically and revoke any keys that are no longer in use.
