Authentication

Secret API keys over HTTPS

Every call to https://api.senjaropay.com must include a valid Public Key and API secret in headers. In the dashboard, the Public Key maps directly to x-api-key.

The merchant API uses POST for every endpoint, including reads. Send a JSON body (use {} when there are no parameters).

Request headers

x-api-key: <public_key>
x-api-secret: <secret>

Use HTTPS only. API keys are for server-side use—never from browsers, mobile apps, or other untrusted environments.


Issuing and rotating keys

  1. Sign in to the SenjaroPay dashboard.
  2. Go to Settings → API keys.
  3. Copy the Public Key (use as x-api-key) and Secret Key (use as x-api-secret).
  4. Store both in server-side secrets. Do not expose them in client apps.

If a secret is lost, leaked, or no longer needed: revoke it in the dashboard and issue a new key. Prefer rotation over reusing compromised material.


Example

curl -sS -X POST https://api.senjaropay.com/senjaropay/merchant/payments/status \
  -H "Content-Type: application/json" \
  -H "x-api-key: ${SENJARO_API_KEY}" \
  -H "x-api-secret: ${SENJARO_API_SECRET}" \
  -d '{"referenceId":"mock-ref-7b2a4f3e"}'

Supply the secret from your deployment configuration (environment variable, vault, or managed secrets). Use POST, Content-Type: application/json, and a JSON body on every call.

Raw request shape:

POST /senjaropay/merchant/payments/status HTTP/1.1
Host: api.senjaropay.com
Content-Type: application/json
x-api-key: <public_key>
x-api-secret: <secret>

{"referenceId":"mock-ref-7b2a4f3e"}

Scopes

Request only the credentials that belong to the environment you are integrating (sandbox vs production), and keep them server-side.


Errors

Status  error_code    Meaning
401     unauthorized  Key missing, malformed, revoked, or used in the wrong environment
403     forbidden     Credentials valid but operation not allowed for account

401 — response body (example)

{
  "status": "error",
  "code": 401,
  "error_code": "unauthorized",
  "message": "invalid or missing API key"
}

403 — response body (example)

{
  "status": "error",
  "code": 403,
  "error_code": "forbidden",
  "message": "operation not allowed for merchant account"
}

For 403, verify the account permissions and environment keys being used.


Security

  • Store secrets outside source control; never commit keys or paste them into tickets or chat.
  • Use distinct keys per environment where the product supports it (for example sandbox vs production).
  • Rotate on a schedule and revoke immediately if exposure is suspected.
  • Avoid logging request headers or full key values; redact when debugging.
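
The rules above combined in one server-side Python sketch, added here as an example and not SenjaroPay's own code: credentials come from configuration, every call is an HTTPS POST with a JSON body, headers are masked before logging, and the documented 401/403 bodies map to an operator hint. The function names are hypothetical, the environment variable names are taken from the curl example, and the key values are constructed placeholders.

```python
import json
import urllib.request

BASE_URL = "https://api.senjaropay.com"
SENSITIVE = {"x-api-key", "x-api-secret"}


def build_request(path, params, env, base_url=BASE_URL):
    """POST request with credentials taken from server-side config (env)."""
    key, secret = env.get("SENJARO_API_KEY"), env.get("SENJARO_API_SECRET")
    if not key or not secret:
        raise RuntimeError("SENJARO_API_KEY / SENJARO_API_SECRET not set")
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    body = json.dumps(params or {}).encode()  # {} when there are no parameters
    return urllib.request.Request(
        base_url + path, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "x-api-key": key, "x-api-secret": secret})


def redact_headers(headers):
    """Copy of the headers that is safe to log: credential values masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE else v)
            for k, v in headers.items()}


def explain_auth_error(status, body_text):
    """Map the documented 401/403 bodies to an operator hint, else None."""
    try:
        error_code = json.loads(body_text).get("error_code")
    except (ValueError, TypeError, AttributeError):
        error_code = None
    if status == 401 and error_code == "unauthorized":
        return "key missing, malformed, revoked, or from the wrong environment"
    if status == 403 and error_code == "forbidden":
        return "credentials valid; check account permissions and environment keys"
    return None


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    env = {"SENJARO_API_KEY": "pk_example", "SENJARO_API_SECRET": "sk_example"}
    req = build_request("/senjaropay/merchant/payments/status",
                        {"referenceId": "mock-ref-7b2a4f3e"}, env)
    print(req.get_method(), req.full_url)
    print(redact_headers(dict(req.header_items())))
```

In production, pass `os.environ` (or values fetched from a vault) as `env` and send the request with `urllib.request.urlopen`; log only the output of `redact_headers`.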