Request Authentication

Key Management

Unlike the previous version of the Khipu instant payment API, the new API 3.0 uses API keys to authenticate requests.

Keys are managed from the Merchant Account Options dashboard (you need an active session and a valid account). For example, to create a new key, follow these steps:

  1. Open the section "To integrate Khipu into your website"
  2. Find the "API Keys" section
  3. Click on the "New API Key" button
  4. Optionally, enter an alias, which is useful for associating each key with different functions

A box with the newly generated key value will appear, which must be copied and securely stored. This will be the only opportunity to do so.


In the same section, it is possible to expire a secret key (click on "Expire now" button).

Security Considerations

Please note that each key allows the use of all methods of the instant payment API, so we emphasize keeping them secure. Do not share the keys via email or in code repositories. If you suspect a key has been compromised, you can expire it and create a new one.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without the authentication header will also fail.