Skip to main content
Every Payfonte API request is authenticated using two headers:
  • client-id
  • client-secret
Never expose client-secret in frontend apps, mobile apps, browser storage, or public repositories.

Authentication Model

client-id

Public identifier for your account and environment.

client-secret

Secret key used to authorize requests. Store only on trusted backend systems.

Header-Based Auth

Pass both credentials in request headers on every API call.

Environment-Specific Keys

Sandbox and Production use different credentials. Do not mix them.

Where To Get Your Keys

1

Sign in to Dashboard

Use sandbox-app.payfonte.com for testing or app.payfonte.com for live operations.
2

Open API key settings

Navigate to Settings -> API Keys/Webhooks.
3

Copy credentials securely

Save your client-id and client-secret into server environment variables.

Request Example

curl --location 'https://sandbox-api.payfonte.com/payments/v1/checkouts' \
  --header 'client-id: <your-client-id>' \
  --header 'client-secret: <your-client-secret>' \
  --header 'Content-Type: application/json' \
  --data '{
    "reference": "test-001",
    "amount": 1000,
    "currency": "NGN",
    "country": "NG",
    "user": {
      "phoneNumber": "08012345678"
    }
  }'

Common Mistakes

Sandbox and production are separate environments. Use the matching base URL and matching credentials together.
Frontend code is public to end users. Keep all authenticated Payfonte API calls on your backend.
Requests without either client-id or client-secret will fail authentication.
Always load credentials from environment variables or a secure secret manager.

Security Checklist

  • Keep client-secret on backend only.
  • Use HTTPS for API and webhook endpoints.
  • Rotate credentials if exposure is suspected.
  • Restrict internal access to production secrets.

Environments

Sandbox and production URL/key setup.

Getting Started

Make your first successful API call.

API Reference

Full endpoint and schema details.