Skip to main content

Overview

Your API credentials are the foundation of your 88Pay integration. This guide will walk you through obtaining, securing, and managing your API Key and Merchant ID.
Prerequisites: You must have an approved 88Pay account before you can access API credentials.

What Are API Credentials?

88Pay uses two pieces of information to authenticate your requests:

API Key

A unique secret key that identifies your applicationFormat: sk_test_... (sandbox) or sk_live_... (production)

Merchant ID

Your unique merchant identifier in the 88Pay systemFormat: MCH-{COUNTRY}-{ID}
Keep your API Key secure! Anyone with your API Key can make requests on your behalf. Never share it publicly or commit it to version control.

Step-by-Step: Get Your Credentials

Follow these steps to obtain your API credentials:
1

Login to the Dashboard

Navigate to dash.88pay.io and log in with your credentials.
88Pay Login Screen
Don’t have an account yet? Sign up here
2

Complete Account Verification

Before accessing API credentials, you must complete the verification process:
  1. Navigate to SettingsAccount Details
  2. Upload all required documents:
    • Government-issued ID
    • Proof of address
    • Business registration (if applicable)
    • Tax information
Document Upload Section
Document approval typically takes 24-48 hours. You’ll receive an email notification once approved.
3

Navigate to API Credentials

Once your documents are approved:
  1. Click on Settings in the left sidebar (bottom left corner)
  2. Select API Credentials from the settings menu
API Credentials Menu
4

View and Copy Credentials

In the API Credentials section, you’ll see:
  • API Key: Pre-generated secret key
  • Merchant ID: Your unique identifier
  • Environment: Sandbox or Production
API Credentials Page
Click the Copy button to safely copy your credentials to the clipboard.

Understanding Environments

88Pay provides two separate environments, each with their own credentials:

Sandbox Environment

Purpose: Development and testingCharacteristics:
  • No real money is transferred
  • Test payment methods available
  • Faster transaction processing
  • Separate credentials from production
Base URL: https://api-sandbox.88pay.ioCredential Format:
    API Key: sk_test_a1b2c3d4e5f6g7h8i9j0
    Merchant ID: MCH-COL-TEST-12345
When to Use:
  • Initial integration development
  • Testing new features
  • QA and staging environments
  • Training and demos
Sandbox credentials are available immediately after account creation.

Credential Management

Storing Credentials Securely

Store credentials in environment variables, never hardcode them:Bad Practice ❌
    const API_KEY = 'sk_test_a1b2c3d4e5f6g7h8';
Good Practice ✅
    // .env file
    EIGHTY_EIGHT_PAY_API_KEY=sk_test_a1b2c3d4e5f6g7h8
    EIGHTY_EIGHT_PAY_MERCHANT_ID=MCH-COL-TEST-12345
    
    // In your code
    const apiKey = process.env.EIGHTY_EIGHT_PAY_API_KEY;
    const merchantId = process.env.EIGHTY_EIGHT_PAY_MERCHANT_ID;
For production, use dedicated secret management:
  • AWS Secrets Manager
  • Google Cloud Secret Manager
  • Azure Key Vault
  • HashiCorp Vault
    // Example with AWS Secrets Manager
    const AWS = require('aws-sdk');
    const secretsManager = new AWS.SecretsManager();
    
    const secret = await secretsManager.getSecretValue({
      SecretId: '88pay-production-credentials'
    }).promise();
    
    const credentials = JSON.parse(secret.SecretString);
Prevent accidental commits of credentials:
    # .gitignore
    .env
    .env.local
    .env.production
    config/credentials.json
Maintain separate credentials for each environment:
    // config.js
    const config = {
      development: {
        apiKey: process.env.DEV_API_KEY,
        merchantId: process.env.DEV_MERCHANT_ID,
        baseUrl: 'https://api-sandbox.88pay.io'
      },
      production: {
        apiKey: process.env.PROD_API_KEY,
        merchantId: process.env.PROD_MERCHANT_ID,
        baseUrl: 'https://api.88pay.io'
      }
    };
    
    module.exports = config[process.env.NODE_ENV];

Rotating API Keys

For security, you should rotate your API keys periodically:
1

Generate New Key

In the dashboard, click Generate New API Key
2

Update Your Application

Deploy your application with the new credentials
3

Verify Operation

Test that everything works with the new key
4

Revoke Old Key

Once confident, revoke the old key in the dashboard
Plan your key rotation during low-traffic periods to minimize disruption.

Security Best Practices

Server-Side Only

Never expose credentials in client-side code, mobile apps, or public repositories

Use HTTPS

Always make API requests over HTTPS. HTTP requests will be rejected

Rotate Regularly

Rotate API keys every 90 days or immediately if compromised

Monitor Usage

Regularly review API usage logs in the dashboard for suspicious activity

IP Whitelisting

Enable IP whitelisting in production for an extra layer of security

Separate Keys

Use different API keys for different applications or services

Troubleshooting

Cause: Your account or documents are not yet approvedSolution:
  1. Check your email for approval status
  2. Verify all required documents are uploaded
  3. Contact support if waiting more than 48 hours
Cause: Using wrong environment credentialsSolution:
  • Verify you’re using sandbox credentials with sandbox API
  • Check for typos or extra spaces
  • Ensure key hasn’t been revoked
Cause: Incorrect Merchant ID formatSolution:
  • Format should be MCH-{COUNTRY}-{ID}
  • Copy directly from dashboard to avoid errors
  • Don’t add quotes or spaces

Testing Your Credentials

Verify your credentials are working correctly: 
curl -X POST "https://api-sandbox.88pay.io/api/auth/token" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "x-merchant-id: YOUR_MERCHANT_ID"
Expected Response: 
{
  "status": "Success",
  "code": 200,
  "message": "Token generated successfully",
  "data": {
    "access_token": "eyJhbGciOiJFUzI1NiIs...",
    "expires_in": 60,
    "session_id": "sess_..."
  }
}
If you receive a 200 Success response, your credentials are configured correctly!

Next Steps

Now that you have your credentials, learn how to use them:

Generate Token

Learn how to generate authentication tokens

Create Operation

Make your first API request

Authentication Guide

Deep dive into authentication

Security Best Practices

Keep your integration secure