Authentication
To authenticate a given API request, you must use one of the API keys specific to your account. Find these keys on your dashboard. We use HTTP Basic Authentication. The key is your username, and the password may be left blank.
Each type of key has a live and a test version.
Use test keys while building your integration.
Test keys include the string _test_.
Once you have activated your live account, requests authenticated with live keys create actual transactions, so you should use live keys only in your production environment.
Different types of keys serve different purposes. See the sections below for details. Using the incorrect key may result in an HTTP authentication_failure error.
Our integrations provide convenient methods and forms for setting your API keys.
Public key
Use the public key when accepting sensitive cardholder data on your customer's browser. This key can only create and view tokens and sources, so it is safe to store on a web page.
curl https://vault.omise.co/tokens \
-X POST \
-u $OMISE_PUBLIC_KEY: \
-d "card[name]=Somchai Prasert" \
-d "card[city]=Bangkok" \
-d "card[postal_code]=10320" \
-d "card[number]=4242424242424242" \
-d "card[security_code]=123" \
-d "card[expiration_month]=12" \
-d "card[expiration_year]=2022"
Secret key
Use the secret key for requests initiated on your server relating to your account. The secret key must not be shared, and we highly recommend encrypting the key on your server for maximum protection.
If you believe your secret key has been compromised, log in to your Omise account, generate a new key using the Roll key button, and make sure your integration is updated accordingly.
curl https://api.omise.co/charges \
-X POST \
-u $OMISE_SECRET_KEY: \
-d "amount=10000" \
-d "currency=THB" \
-d "card=$TOKEN_ID"
Chain key
Use the sub-merchant's chain key for requests initiated on your server relating to your sub-merchant. See Account Chaining for more details. The chain key must be treated like a secret key: it must never be shared or stored insecurely.
curl https://api.omise.co/charges \
-X POST \
-u $OMISE_CHAIN_KEY: \
-d "amount=10000" \
-d "currency=THB" \
-d "card=$TOKEN_ID_FOR_CHAIN"
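The following is an added example, not part of the Omise documentation: a startup check for the test/live key rule and the Basic Authentication scheme described on this page. It refuses a live key outside production, rejects values that cannot serve as a Basic username, and builds the header that curl -u KEY: sends. The function names, the APP_ENV variable, the environment labels and the sample key are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Function names, APP_ENV and environment labels are assumptions.

# Print "test" if the key contains _test_ (the marker this page documents), else "live".
omise_key_mode() {
  case "$1" in
    *_test_*) echo test ;;
    *)        echo live ;;
  esac
}

# $1 = API key, $2 = deployment environment label (assumed: "production" or anything else).
# Returns 0 only if the key is usable as a Basic username and allowed in $2.
omise_check_key() {
  case "$1" in
    ''|*[[:space:]]*|*:*)
      # Empty value, stray space/newline (common when a key is read from a file),
      # or ':' which would split the Basic credential at the wrong place.
      echo "refusing: key is empty or contains whitespace or ':'" >&2
      return 1 ;;
  esac
  # Live keys create actual transactions, so accept them in production only.
  if [ "$(omise_key_mode "$1")" = live ] && [ "$2" != production ]; then
    echo "refusing: live key in '$2' environment" >&2
    return 1
  fi
  return 0
}

# Build the header that `curl -u "$key:"` sends: base64 of "key:" (blank password).
omise_basic_header() {
  printf 'Authorization: Basic %s' "$(printf '%s:' "$1" | base64 | tr -d '\n')"
}

# Demo with a constructed key (not a real credential).
demo_key='skey_test_000constructed000'
if omise_check_key "$demo_key" "${APP_ENV:-development}"; then
  omise_basic_header "$demo_key"; echo
fi
```

The header value is only base64-encoded, not encrypted, so it needs the same handling as the key itself: keep it out of logs and shell history.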