> ## Documentation Index
> Fetch the complete documentation index at: https://docs.splashpay.co.tz/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Securely authenticate requests to SplashPay APIs.

# Authentication

All SplashPay API requests require authentication using API credentials.

***

## API Credentials

Generate API credentials from:

**Merchant Portal → Developers → API Keys**

<Tabs>
  <Tab title="Test Keys">
    Used in Sandbox environment.

    ```http theme={null}
    X-API-KEY: pk_test_xxxxxxxxxxxxx
    X-API-SECRET: sk_test_xxxxxxxxxxxxx
    ```
  </Tab>

  <Tab title="Live Keys">
    Used in Production environment.

    ```http theme={null}
    X-API-KEY: pk_live_xxxxxxxxxxxxx
    X-API-SECRET: sk_live_xxxxxxxxxxxxx
    ```
  </Tab>
</Tabs>

***

## Required Headers

```http theme={null}
X-API-KEY: pk_live_xxxxxxxxxxxxx
X-API-SECRET: sk_live_xxxxxxxxxxxxx
Idempotency-Key: Unique-Request-ID
Content-Type: application/json
Accept: application/json
```

***

## Example Request

<Tabs>
  <Tab title="cURL">
    ```bash theme={null}
    curl --request GET \
      --url https://api.splashpay.co.tz/api/v1/payments/mobile-money \
      --header "X-API-KEY: pk_live_xxxxxxxxx" \
      --header "X-API-SECRET: sk_live_xxxxxxxxx" \
      --header "Idempotency-Key: Unique-Request-ID"
    ```
  </Tab>

  <Tab title="Laravel">
    ```php theme={null}
    $response = Http::withHeaders([
        'X-API-KEY' => env('SPLASHPAY_KEY'),
        'X-API-SECRET' => env('SPLASHPAY_SECRET'),
        'Idempotency-Key' => 'Unique-Request-ID',
    ])->get(
        'https://api.splashpay.co.tz/api/v1/payments/mobile-money'
    );
    ```
  </Tab>

  <Tab title="Node.js">
    ```javascript theme={null}
    const response = await fetch(
      'https://api.splashpay.co.tz/api/v1/payments/mobile-money',
      {
        headers: {
          'X-API-KEY': process.env.SPLASHPAY_KEY,
          'X-API-SECRET': process.env.SPLASHPAY_SECRET,
          'Idempotency-Key': 'Unique-Request-ID',
        },
      }
    );
    ```
  </Tab>

  <Tab title="Python">
    ```python theme={null}
    import requests

    response = requests.get(
        'https://api.splashpay.co.tz/api/v1/payments/mobile-money',
        headers={
            'X-API-KEY': os.getenv('SPLASHPAY_KEY'),
            'X-API-SECRET': os.getenv('SPLASHPAY_SECRET'),
            'Idempotency-Key': 'Unique-Request-ID',
        }
    )
    ```
  </Tab>

  <Tab title="Dart">
    ```dart Dart theme={null}
    import 'dart:convert';
    import 'package:http/http.dart' as http;
    import 'package:uuid/uuid.dart';

    Future<void> initiateMobileMoneyPayment() async {
     final response = await http.post(
       Uri.parse(
         'https://api.splashpay.co.tz/api/v1/payments/mobile-money',
       ),
       headers: {
         'Content-Type': 'application/json',
         'X-API-KEY': const String.fromEnvironment('SPLASHPAY_KEY'),
         'X-API-SECRET': const String.fromEnvironment('SPLASHPAY_SECRET'),
         'Idempotency-Key': const Uuid().v4(),
       },
     );
    }
    ```
  </Tab>
</Tabs>

***

## Authentication Errors

| Status | Description             |
| ------ | ----------------------- |
| 401    | Invalid API credentials |
| 403    | Access denied           |
| 429    | Too many requests       |

***

<Warning>
  Never expose your API Secret in frontend applications, mobile apps, or public repositories.
</Warning>

***

## Best Practices

<Check>
  Store API credentials in environment variables.
</Check>

<Check>
  Rotate API secrets regularly.
</Check>

<Check>
  Use Sandbox credentials during development.
</Check>

<Check>
  Keep API secrets private.
</Check>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Initiate Collection" href="/collections/initiate">
    Create payment requests and collect payments.
  </Card>

  <Card title="Webhooks" href="/webhooks/overview">
    Receive transaction updates automatically.
  </Card>
</CardGroup>
