Authentication


To authenticate a given API request, you must use one of the API keys specific to your account. Find these keys on your dashboard. We use HTTP Basic Authentication. The key is your username, and the password may be left blank.

For each type of key, there is a live and a test version. Use test keys while building your integration. Test keys include the string _test_. Once you have activated your live account, requests authenticated with live keys create real transactions, so you should use live keys only in your production environment.

Different types of keys serve different purposes. See the sections below for details. Using the incorrect key may result in an HTTP authentication_failure error.

Our integrations provide convenience methods and forms for setting your API keys.
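
The following is an added example, not code from Omise or its integrations. It shows what HTTP Basic Authentication with a blank password puts in the Authorization header, and a pre-flight check that refuses a live key outside production. The key values are constructed placeholders, and the function names and the "production"/"development" environment labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: key values are constructed placeholders, not real keys.

# Classify a key using the "_test_" marker that test keys contain.
omise_key_mode() {
  case "$1" in
    *_test_*) echo test ;;
    *)        echo live ;;
  esac
}

# Header value equivalent to `curl -u "$KEY:"`: base64 of "<key>:"
# (key as username, empty password). Base64 is an encoding, not
# encryption, so this value must be protected exactly like the key.
omise_basic_header() {
  printf 'Basic %s' "$(printf '%s:' "$1" | base64 | tr -d '\n')"
}

# Pre-flight guard: allow live keys only when the environment label
# (hypothetical, supplied by the caller) is "production".
omise_guard_key() {
  guard_key=$1
  guard_env=${2:-development}
  if [ -z "$guard_key" ]; then
    echo "refused: empty key" >&2
    return 2
  fi
  if [ "$(omise_key_mode "$guard_key")" = live ] &&
     [ "$guard_env" != production ]; then
    echo "refused: live key used in $guard_env" >&2
    return 1
  fi
  return 0
}

# Demo with constructed keys; no network request is made and the
# header itself is never printed, only the decision.
for demo_key in skey_test_constructed0000 skey_constructed0000; do
  if omise_guard_key "$demo_key" development 2>/dev/null; then
    echo "$(omise_key_mode "$demo_key") key: accepted in development"
  else
    echo "$(omise_key_mode "$demo_key") key: refused in development"
  fi
done
```

Because the header decodes back to the key, keep it out of logs and request traces just as you would the key itself.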

Public key

When accepting sensitive cardholder data on your customer's browser, use the public key. This key can only create and view tokens and sources, so it is safe to store on a web page.

curl https://vault.omise.co/tokens \
  -X POST \
  -u $OMISE_PUBLIC_KEY: \
  -d "card[name]=Somchai Prasert" \
  -d "card[city]=Bangkok" \
  -d "card[postal_code]=10320" \
  -d "card[number]=4242424242424242" \
  -d "card[security_code]=123" \
  -d "card[expiration_month]=12" \
  -d "card[expiration_year]=2022"

Secret key

For requests initiated on your server relating to your account, use the secret key. The secret key must not be shared, and we highly recommend encrypting the key on your server for maximum protection.

If you believe your secret key has been compromised, log in to your Omise account, generate a new key using the Roll key button and make sure your integration is updated accordingly.

curl https://api.omise.co/charges \
  -X POST \
  -u $OMISE_SECRET_KEY: \
  -d "amount=10000" \
  -d "currency=THB" \
  -d "card=$TOKEN_ID"

Chain key

For requests initiated on your server relating to your sub-merchant, use the sub-merchant's chain key. See Account Chaining for more details. The chain key must be treated like a secret key: it must never be shared or stored insecurely.

curl https://api.omise.co/charges \
  -X POST \
  -u $OMISE_CHAIN_KEY: \
  -d "amount=10000" \
  -d "currency=THB" \
  -d "card=$TOKEN_ID_FOR_CHAIN"