General
The ChargeAfter API uses Bearer Authentication to secure requests. Every API request must be made over HTTPS. Requests made over plain HTTP, or without a valid API key, are rejected.
To authenticate a request, include your secret API key in the Authorization header of your HTTP call:
Authorization: Bearer <YOUR_PRIVATE_API_KEY>
If your request is missing an API key, or if the key used is incorrect or outdated, ChargeAfter returns an HTTP 401 Unauthorized response code.
API Keys
Each of your environments (UAT, Sandbox, and Production) is provisioned with two distinct keys, one per access layer: a Public Key and a Private Key.
API keys are environment-specific; keys generated for UAT or Sandbox will not authenticate requests sent to the Production base URL.
Key Types and Scopes
| Key Type | Scope | Usage & Security |
|---|---|---|
| Public API Key | Client-Side | Used to authorize frontend SDK calls originating from your client-side application. It is safe to include in publicly accessible frontend code. |
| Private API Key | Server-Side | Used to perform backend API requests without restriction. Must be kept secret and stored securely on your server. |
Security Best Practices
⚠️ Critical Security Warning: Your private API keys carry extensive account privileges.
- Never expose private API keys in client-side code, mobile applications, or frontend repositories.
- Never share secret keys in publicly accessible areas such as public GitHub repositories, community forums, or unencrypted messaging channels.
- Rotate keys immediately if you suspect a private key has been compromised.
Headers Example
POST /v1/checkout/prime HTTP/1.1
Host: api-sandbox.chargeafter.com
Authorization: Bearer 503b453d34e90de75e0f83749e293ab1e524b6a5
Content-Type: application/json
