General

ChargeAfter API uses bearer authentication. Bearer authentication gives access to the “bearer of the token” and must be sent in the Authorization header of HTTP call.

Security scheme type: Bearer
Header parameter name: Authorization
Token: private apiKey
Example: "Authorization: Bearer 503b453d34e90de75e0f83749e293ab1e524b6a5"

If you do not include your apiKey when making an API request, or use an incorrect or outdated one, ChargeAfter returns a 401 - Unauthorized HTTP response code.

API Keys

Every account has a total of four keys: A _public _and a _private _key for test mode, and a _public _and _private _key for live mode

Public API key can be publicly accessible in the client side code. It is used for authorizing SDK calls that come from a merchant's client side.

Private API key must be secret and stored securely in the server side of a merchant. It is used to perform any API request without restriction.

The API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

Additional Headers

Distributors (merchants requesting information on behalf of another merchant) will be given an additional x-ca-impersonate key during onboarding. This key is required when sending an API request on behalf of a merchant. When sending a call via Postman, you should enter x-ca-impersonate and its value under Headers.

If you are a merchant requesting information for yourself, you do not need the x-ca-impersonate key.