API Reference
Authentication
API key headers, secret handling, permissions, and rotation.
Credential model
MakePay API keys are created from the MakeCrypto developer area and scoped to one team. Each key has a public key ID and a secret. The secret is stored as a hash and is shown only once after creation.
| Header | Value | Notes |
|---|---|---|
| x-makecrypto-key-id | MakePay API key ID | Starts with mk_makepay_ for MakePay payment APIs. |
| x-makecrypto-key-secret | One-time API secret | Shown only when the key is created. Store it in your server-side secret manager. |
API key creation
Signed-in users with settings.manage permission can create keys through the portal or through the team integration route.
Use the signed-in company discovery route when a portal tool needs to show the teams available to the current user:
GET /api/partner/v1/companies
The returned company id is used for dashboard/key-management routes only. MakePay server-to-server payment routes resolve the company from the API key, so they do not require a company ID in the URL.
POST /api/partner/v1/companies/{companyId}/integrations
Content-Type: application/json
{
  "name": "Production backend",
  "appSlug": "makepay",
  "allowedOrigins": ["https://merchant.example"]
}
The response includes integration.key_id, integration.partner_id, and integration.keySecret. Save keySecret immediately.
Request authentication
Send the key ID and secret as headers to MakePay payment-link routes.
x-makecrypto-key-id: mk_makepay_...
x-makecrypto-key-secret: mksec_...
The API also accepts signed-in MakeCrypto browser sessions for portal UI calls. Server-to-server integrations should use the key headers so requests are independent from a user session.
Permissions
Read routes accept any signed-in team member or a valid MakePay API key. Mutating routes require settings.manage for browser sessions. API keys are treated as trusted server credentials for the owning team, so keep them limited to backend systems you control.
Rotation and revocation
Create a new key, deploy it to your backend, then disable or delete the old key in the MakeCrypto developer area. Existing secrets cannot be revealed again after creation.
Authentication errors
- 401 Unauthorized means the request has no valid session and no valid API key pair.
- 401 Invalid MakePay API credentials means the key ID, secret, product scope, or enabled state did not match.
- 403 Forbidden means the signed-in user cannot access the team or lacks the required permission.
- 404 API key not found is returned by key-management routes when the selected partnerId does not exist for the team.
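The header handling from Request authentication and the responses from Authentication errors, as an added Python example for a backend client (not MakePay's own code). The environment variable names, the function names, the returned labels, and the assumption that the caller passes in the response's status code and error text are illustrative.

```python
import os

KEY_ID_HEADER = "x-makecrypto-key-id"
SECRET_HEADER = "x-makecrypto-key-secret"
KEY_ID_PREFIX = "mk_makepay_"  # prefix stated in the header table


class CredentialError(ValueError):
    """Raised before any request is sent when the key pair is unusable."""


def load_credentials(env=None):
    # Assumption: the secret manager exposes the pair as these two variables.
    env = os.environ if env is None else env
    key_id = env.get("MAKEPAY_KEY_ID", "").strip()
    secret = env.get("MAKEPAY_KEY_SECRET", "").strip()
    if not key_id.startswith(KEY_ID_PREFIX):
        raise CredentialError("key ID is missing or is not a MakePay key")
    if not secret or secret.startswith(KEY_ID_PREFIX):
        raise CredentialError("secret is missing or the two values are swapped")
    return key_id, secret


def auth_headers(key_id, secret):
    return {KEY_ID_HEADER: key_id, SECRET_HEADER: secret}


def redact(headers):
    # Copy for logs: the key ID identifies the key, the secret never appears.
    return {k: "[redacted]" if k.lower() == SECRET_HEADER else v
            for k, v in headers.items()}


def classify_auth_error(status, message):
    # Assumption: the caller passes the status code and the error text
    # listed under "Authentication errors".
    text = message.lower()
    if status == 401 and "invalid makepay api credentials" in text:
        return "key_rejected"      # wrong secret, wrong product scope, or key disabled
    if status == 401:
        return "no_credentials"    # headers missing and no session
    if status == 403:
        return "forbidden"         # session user lacks team access or permission
    if status == 404 and "api key not found" in text:
        return "unknown_partner_id"
    return "not_auth_error"
```

A `key_rejected` result right after a rotation usually means the backend is still sending the old, now disabled key.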