Authentication

Secure communication is a core requirement when integrating with the WagaPay API. To ensure that only authorized parties can initiate or receive payment-related operations, WagaPay supports two primary authentication mechanisms:

1. API Key Authentication for all API endpoints
2. HMAC Signature Verification for incoming webhooks

API Key Authentication

All requests to the WagaPay API must be authenticated using an API key. API keys are unique to each merchant and can be managed from the WagaPay Merchant Dashboard.

You will use the apiKey header in your HTTP request to authenticate your API calls.

API Key Types

There are two types of API keys:

⚠️ Always ensure you are using the correct API key for the appropriate environment to avoid unexpected results.

Sending the API Key

Include your API key in the apiKey header for every request:

POST /api/v1/register
Host: api.wagapay.net
apiKey: your_api_key_here
Content-Type: application/json

Example Header

-H "apiKey: sk_test_abc123xyz"

If the API key is missing or invalid, the server will return a 401 Unauthorized response.

Webhook Authentication with HMAC

WagaPay uses HMAC (Hash-based Message Authentication Code) signatures to verify the integrity and authenticity of webhook events sent to your server.

Each webhook request contains an X-WAGA-HMAC-Signature header. This signature is computed using a shared secret key and the payload body. You must use this key to verify that the webhook request originated from WagaPay and was not altered in transit. See Webhooks to learn more.

X-WAGA-HMAC-Signature: <signature>

Summary