Authentication

Every request to the Tranzzo API must be authenticated. Authentication takes place using HTTP headers and the following variables:

$ curl "https://cpay.tranzzo.com/api/v1/pos/${POS_ID}/orders/0" \
-H "X-API-AUTH: CPAY ${API_KEY}:${API_SECRET}" \
-H "X-API-KEY: ${ENDPOINTS_KEY}"

Use these headers in all API requests to the server, including both GET and POST requests.

Note that header values are case sensitive, but header names are not.
If these headers are missing from the request or their values are incorrect, the following response is returned:

{
"args": {
"code": "S-404"
},
"message": "Invalid pos_id field or credentials"
}
Caution

Credentials are confidential. Please adhere to these recommendations when handling them:

  • Do not share them with anyone who is not involved in the integration process.
  • Ensure that credentials are stored securely, using encrypted storage solutions such as a secrets management system.
  • Never hard-code credentials directly into your source code or commit them to version control systems. Educate team members about the importance of credential security and enforce strict policies to protect sensitive information.
  • Regularly rotate credentials and review access permissions to ensure only authorized personnel have access. You can find out which roles allow users to access your projects' credentials in the Team section of the Merchant Portal.
  • Monitor the usage of credentials to detect any unauthorized access or suspicious activity promptly. If credentials are compromised, follow the incident response plan to revoke and replace them immediately. Notify the Tranzzo support team immediately so that they can assist with key rotation.
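
The following is an added example, not part of Tranzzo's documentation. It is a shell wrapper that takes the four variables from the environment instead of hard-coding them, hands the headers to curl on stdin so they stay out of the process list, and recognizes the S-404 response shown above. The function names are hypothetical, and it assumes the variables are injected at runtime, for example by a secrets manager.

```shell
# Added example, not Tranzzo's code. API_KEY, API_SECRET, ENDPOINTS_KEY and
# POS_ID are expected in the environment (e.g. injected by a secrets manager).
# Function names are hypothetical.

# Print a curl config holding the two auth headers. Fails if a variable is
# empty or contains a character that could break out of the quoted value.
tranzzo_curl_config() {
  local name value
  for name in API_KEY API_SECRET ENDPOINTS_KEY; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing credential variable: $name" >&2
      return 1
    fi
    case "$value" in
      *\"*|*\\*|*[[:cntrl:]]*)
        echo "unsafe character in $name" >&2
        return 1 ;;
    esac
  done
  printf 'header = "X-API-AUTH: CPAY %s:%s"\n' "$API_KEY" "$API_SECRET"
  printf 'header = "X-API-KEY: %s"\n' "$ENDPOINTS_KEY"
}

# Succeed when a response body is the documented credential-failure payload.
is_auth_failure() {
  printf '%s' "$1" | tr -d '[:space:]' | grep -q '"code":"S-404"'
}

# GET a path under the POS. Headers reach curl on stdin (--config -), not in
# argv, so they are not visible in the process list.
tranzzo_get() {
  local cfg body
  [ -n "${POS_ID:-}" ] || { echo "POS_ID is not set" >&2; return 1; }
  cfg="$(tranzzo_curl_config)" || return 1
  body="$(printf '%s\n' "$cfg" | curl --silent --show-error --config - \
    "https://cpay.tranzzo.com/api/v1/pos/${POS_ID}/$1")" || return 1
  if is_auth_failure "$body"; then
    echo "request rejected with S-404: check POS_ID and credentials" >&2
    return 2
  fi
  printf '%s\n' "$body"
}
```

With the variables set, `tranzzo_get orders/0` issues the same request as the curl command above.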