Overview
Every API request to Reevit must be authenticated with a secret key. This guide covers how to generate keys, authenticate requests, set up webhooks, and follow security best practices.
API key types
Reevit provides two key pairs — one for each mode:
| Key | Prefix | Purpose |
|---|---|---|
| Sandbox Secret | sk_sandbox_ | Test API calls, no real money |
| Sandbox Public | pk_sandbox_ | Client-side checkout in test mode |
| Live Secret | sk_live_ | Production API calls, real money |
| Live Public | pk_live_ | Client-side checkout in production |
Secret keys are secret
Never expose secret keys in client-side code, public repositories, or logs. Use environment variables and server-side calls only.
Generate your API keys
Go to Developers → API Keys
From your dashboard, navigate to Developers → API Keys tab. You'll see your sandbox keys immediately.
Copy your sandbox keys
Click the copy icon next to your sandbox secret key. This is what you'll use for all API calls during development.
Generate live keys (when ready)
Live keys require KYC approval. Once your organization is verified, click Generate Live Keys to create your production credentials.
You can build your entire integration with sandbox keys. The API surface is identical — only switch to live keys when you're ready to process real money.
Authenticate API requests
Include your secret key in the Authorization header:
curl -X GET https://sandbox-api.reevit.io/v1/payments \
-H "Authorization: Bearer sk_sandbox_your_key_here" \
-H "Content-Type: application/json"
All API endpoints follow the same pattern:
- Sandbox:
https://sandbox-api.reevit.io/v1/... - Live:
https://api.reevit.io/v1/...
Idempotency
For POST requests that create resources (payments, refunds, subscriptions), include an idempotency key to prevent duplicate operations:
curl -X POST https://sandbox-api.reevit.io/v1/payments \
-H "Authorization: Bearer sk_sandbox_your_key_here" \
-H "X-Idempotency-Key: unique-request-id-abc123" \
-H "Content-Type: application/json" \
-d '{ "amount": 5000, "currency": "GHS" }'
If you retry the same request with the same idempotency key, Reevit returns the original response instead of creating a duplicate.
Configure webhooks
Go to Developers → Webhooks
Navigate to Developers → Webhooks tab in your dashboard.
Add an endpoint
Click Add Endpoint and enter your webhook URL. Choose which events to subscribe to:
payment.succeededpayment.failedpayment.refundedsubscription.createdsubscription.canceledpayment_link.paid
Verify webhook signatures
Every webhook includes a signature in the X-Reevit-Signature header. Verify it to ensure the webhook came from Reevit:
const crypto = require('crypto');
function verifyWebhook(payload, signature, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
Rate limits
| Endpoint | Limit |
|---|---|
| Payment creation | 100 req/min |
| Read operations | 500 req/min |
| Webhook delivery | Unlimited |
Rate-limited responses return HTTP 429 with a Retry-After header.