API Keys & Authentication

Generate API keys, authenticate requests, configure webhooks, and understand Reevit's security model for your integration.

WrittenBeginner8 min2026-02-01

Overview

Every API request to Reevit must be authenticated with a secret key. This guide covers how to generate keys, authenticate requests, set up webhooks, and follow security best practices.

API key types

Reevit provides two key pairs — one for each mode:

KeyPrefixPurpose
Sandbox Secretsk_sandbox_Test API calls, no real money
Sandbox Publicpk_sandbox_Client-side checkout in test mode
Live Secretsk_live_Production API calls, real money
Live Publicpk_live_Client-side checkout in production

Secret keys are secret

Never expose secret keys in client-side code, public repositories, or logs. Use environment variables and server-side calls only.

Generate your API keys

Go to Developers → API Keys

From your dashboard, navigate to DevelopersAPI Keys tab. You'll see your sandbox keys immediately.

Copy your sandbox keys

Click the copy icon next to your sandbox secret key. This is what you'll use for all API calls during development.

Generate live keys (when ready)

Live keys require KYC approval. Once your organization is verified, click Generate Live Keys to create your production credentials.

You can build your entire integration with sandbox keys. The API surface is identical — only switch to live keys when you're ready to process real money.

Authenticate API requests

Include your secret key in the Authorization header:

code
curl -X GET https://sandbox-api.reevit.io/v1/payments \
  -H "Authorization: Bearer sk_sandbox_your_key_here" \
  -H "Content-Type: application/json"

All API endpoints follow the same pattern:

  • Sandbox: https://sandbox-api.reevit.io/v1/...
  • Live: https://api.reevit.io/v1/...

Idempotency

For POST requests that create resources (payments, refunds, subscriptions), include an idempotency key to prevent duplicate operations:

code
curl -X POST https://sandbox-api.reevit.io/v1/payments \
  -H "Authorization: Bearer sk_sandbox_your_key_here" \
  -H "X-Idempotency-Key: unique-request-id-abc123" \
  -H "Content-Type: application/json" \
  -d '{ "amount": 5000, "currency": "GHS" }'

If you retry the same request with the same idempotency key, Reevit returns the original response instead of creating a duplicate.

Configure webhooks

Go to Developers → Webhooks

Navigate to DevelopersWebhooks tab in your dashboard.

Add an endpoint

Click Add Endpoint and enter your webhook URL. Choose which events to subscribe to:

  • payment.succeeded
  • payment.failed
  • payment.refunded
  • subscription.created
  • subscription.canceled
  • payment_link.paid

Verify webhook signatures

Every webhook includes a signature in the X-Reevit-Signature header. Verify it to ensure the webhook came from Reevit:

code
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Rate limits

EndpointLimit
Payment creation100 req/min
Read operations500 req/min
Webhook deliveryUnlimited

Rate-limited responses return HTTP 429 with a Retry-After header.

Stop losing revenue to payment failures

Connect your existing PSP accounts in minutes. Get automatic failover, unified webhooks, and cross-provider analytics — without changing how you handle funds.

No credit card required
Connect in under 5 minutes
Your keys, your funds — always

Need a custom solution? Talk to our team