Authentication
Nivatio API uses three authentication mechanisms depending on the endpoint.
Authentication Methods
| Header | Used For | Format |
|---|---|---|
| `Authorization: Bearer <JWT>` | Merchant & Admin endpoints | JWT token from login |
| `x-api-key` | Order creation/retrieval | API key from your Project |
| `x-Nivatio-internal-key` | Sandbox simulate-pay, internal | Internal service key |
JWT Authentication
Obtaining a JWT Token
curl -X POST https://api.nivat.io/v1/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "merchant@yourcompany.com",
"password": "yourpassword"
}'
Response:
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"expiresIn": 3600
}
Token Expiry
JWT tokens expire after 60 minutes. You'll need to log in again or implement token refresh.
Using JWT Tokens
Include the token in the Authorization header:
curl https://api.nivat.io/v1/projects \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
API Key Authentication
For order-related endpoints, use your Project's API key:
curl https://api.nivat.io/v1/orders/{orderId} \
-H "x-api-key: YOUR_API_KEY"
API Key Location
Find your API keys in the Dashboard → Projects → Your Project → API Keys
API Key Permissions
| Permission | Description |
|---|---|
| `read` | View orders and project details |
| `write` | Create orders and update metadata |
| `admin` | Full access including webhook config |
Internal Key (Sandbox Only)
The internal key is used for:

- Simulating payments in sandbox
- Internal service-to-service calls

curl https://sandbox.nivat.io/v1/sandbox/simulate-pay \
-H "x-Nivatio-internal-key: YOUR_INTERNAL_KEY" \
-H "Content-Type: application/json" \
-d '{"orderId": "order_abc123"}'
Production Restriction
The internal key only works in sandbox. It is rejected in production.
Rate Limiting
Authentication endpoints are rate-limited:
| Endpoint | Limit |
|---|---|
| `POST /v1/auth/register` | 3 requests / 60 seconds |
| `POST /v1/auth/login` | 5 requests / 60 seconds |
| All other endpoints | 100 requests / minute |
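
The Token Expiry note and the login limit above interact: a client that logs in on every request, or retries login in a loop after a 401, runs into the 5 requests / 60 seconds cap. The following is an added example, not Nivatio's own code, of a token cache that re-authenticates shortly before `expiresIn` elapses and refuses to exceed the login budget. The class name, the `login` callable, the injectable `clock` and the 30-second `skew` are assumptions.

```python
import time
from collections import deque

LOGIN_LIMIT = 5       # POST /v1/auth/login: 5 requests ...
LOGIN_WINDOW = 60.0   # ... per 60 seconds (from the rate-limit table)


class TokenManager:
    """Caches the JWT from /v1/auth/login and renews it before expiry.

    `login` is a hypothetical callable that performs the POST and returns the
    parsed JSON body ({"accessToken": ..., "expiresIn": ...}). `clock` is
    injectable so the logic can be exercised without network or sleeping.
    """

    def __init__(self, login, clock=time.monotonic, skew=30.0):
        self._login = login
        self._clock = clock
        self._skew = skew          # renew this many seconds early (assumed value)
        self._token = None
        self._expires_at = 0.0
        self._attempts = deque()   # timestamps of recent login calls

    def _reserve_login_slot(self):
        """Sliding-window check so this client never sends a 6th login in 60 s."""
        now = self._clock()
        while self._attempts and now - self._attempts[0] >= LOGIN_WINDOW:
            self._attempts.popleft()
        if len(self._attempts) >= LOGIN_LIMIT:
            wait = LOGIN_WINDOW - (now - self._attempts[0])
            raise RuntimeError(f"login budget exhausted, retry in {wait:.0f}s")
        self._attempts.append(now)

    def auth_header(self):
        """Return the Authorization header, logging in only when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._reserve_login_slot()
            body = self._login()
            self._token = body["accessToken"]
            self._expires_at = self._clock() + float(body["expiresIn"])
        return {"Authorization": f"Bearer {self._token}"}

    def invalidate(self):
        """Call after a 401 so the next request logs in again."""
        self._token = None
```

Keep the token in memory only and read the email and password for `login` from the environment or a secret store rather than from source.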