API Security

Authentication

The MockPay API uses Bearer token authentication. Every API request must include your Server Key in the Authorization header. Keys are scoped to your client account, and all data is strictly isolated per client.

Setup

Obtaining API Keys

API keys are available exclusively for registered clients. Follow these steps to obtain your credentials:

3. Navigate to Client Dashboard → API Keys

4. Click "Generate New Key" to create your Server Key

Header Format

Authorization Header

Include your Server Key in the Authorization header for every API request:

Authorization: Bearer sandbox_sk_test_xxxxxxxxxx

Implementation Examples

Code Examples

cURL

curl -X POST https://m.next-it.my.id/api/v1/payment/create \
  -H "Authorization: Bearer sandbox_sk_test_xxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"order_id": "ORDER-123", "amount": 100000}'

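PHP (Laravel HTTP Client)

use Illuminate\Support\Facades\Http;

// Placeholder value; load the real Server Key from configuration or an environment variable
$apiKey = 'sandbox_sk_test_xxxxxxxxxx';

// Send the Server Key as a Bearer token on a server-side request
$response = Http::withHeaders([
    'Authorization' => 'Bearer ' . $apiKey,
    'Content-Type' => 'application/json',
])->post('https://m.next-it.my.id/api/v1/payment/create', [
    'order_id' => 'ORDER-123',
    'amount' => 100000
]);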

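JavaScript (Fetch API)

// Run this on the server (for example Node.js 18+ in an ES module), never in browser code
// Placeholder value; load the real Server Key from an environment variable
const apiKey = 'sandbox_sk_test_xxxxxxxxxx';

const response = await fetch('https://m.next-it.my.id/api/v1/payment/create', {
    method: 'POST',
    headers: {
        'Authorization': `Bearer ${apiKey}`,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({
        order_id: 'ORDER-123',
        amount: 100000
    })
});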

Error Handling

Authentication Errors

401 Unauthorized

Missing or invalid API key

{
    "success": false,
    "error": {
        "code": "UNAUTHORIZED",
        "message": "Invalid or missing API key"
    }
}

403 Forbidden

API key lacks required permissions for the operation

{
    "success": false,
    "error": {
        "code": "FORBIDDEN",
        "message": "Insufficient permissions for this operation"
    }
}

Security

Best Practices

Use Environment Variables

Store API keys in environment variables; never hardcode them in source code

Rotate Keys Regularly

Use separate keys for development and testing; rotate keys and revoke unused ones

Server-Side Only

Never expose Server Keys in client-side code or browser applications

Use HTTPS

Always use secure HTTPS connections to protect API credentials in transit
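
The practices above and the documented 401 and 403 responses combined in one server-side helper, as an added example that is not MockPay's own code. The environment variable name MOCKPAY_SERVER_KEY and the function names are assumptions made for this illustration.

```javascript
// Added example, not MockPay's own code. MOCKPAY_SERVER_KEY is an assumed variable name.
const API_BASE = 'https://m.next-it.my.id/api/v1';

// Build the request for /payment/create. Fails closed when the key is missing
// or when the target URL would send the credential over anything but HTTPS.
function buildPaymentRequest(env, payload, base = API_BASE) {
    const key = env.MOCKPAY_SERVER_KEY;
    if (!key) throw new Error('MOCKPAY_SERVER_KEY is not set');
    const url = new URL(`${base}/payment/create`);
    if (url.protocol !== 'https:') {
        throw new Error(`refusing to send Server Key over ${url.protocol}`);
    }
    return {
        url: url.href,
        options: {
            method: 'POST',
            headers: {
                'Authorization': `Bearer ${key}`,
                'Content-Type': 'application/json'
            },
            body: JSON.stringify(payload)
        }
    };
}

// Map the documented authentication errors to an operator action.
function classifyResponse(status, body) {
    const code = body && body.error ? body.error.code : undefined;
    if (status === 401 && code === 'UNAUTHORIZED') return 'fix-key';
    if (status === 403 && code === 'FORBIDDEN') return 'fix-permissions';
    return status >= 400 ? 'other-error' : 'ok';
}

// Send the request from server-side code. fetchImpl is injectable for tests.
// Error messages carry the outcome only, never the key or the headers.
async function createPayment(env, payload, fetchImpl = fetch) {
    const { url, options } = buildPaymentRequest(env, payload);
    const res = await fetchImpl(url, options);
    const body = await res.json().catch(() => null);
    const outcome = classifyResponse(res.status, body);
    if (outcome !== 'ok') throw new Error(`MockPay request failed: ${outcome}`);
    return body;
}

// Usage in Node.js 18+:
//   createPayment(process.env, { order_id: 'ORDER-123', amount: 100000 });
```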

Need Assistance?

Review our code examples for complete implementations or contact support for technical assistance.