Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/own-pay/OwnPay-Documentation/llms.txt

Use this file to discover all available pages before exploring further.

The Developer Hub consolidates every tool a developer needs to integrate OwnPay into external platforms — whether that is a WooCommerce store, a custom mobile app, or an internal backend service. From this single section you can generate authenticated API keys, configure outbound webhook endpoints for real-time payment notifications, review endpoint references, and manage API rate-limit thresholds. All communication with the OwnPay REST API is authenticated using Bearer tokens issued here.
API keys are shown only once at generation time. After you leave or refresh the page, the full key string is permanently hidden and cannot be recovered. Copy and store every new key in a secure location (such as your server’s .env file or a secrets manager) immediately after generation.

Accessing the Developer Hub

1

Log in to the Admin Panel

Sign in to the OwnPay admin dashboard with your administrator credentials.
2

Open Developer Hub

In the left sidebar under the DEVELOPERS section, click Developer Hub.

API Keys

Overview

The API Keys tab lists all active keys associated with your account, showing each key’s user-defined label, key prefix (e.g. op_8ae87c48...), creation date, and last-used timestamp.

Generating a New API Key

1

Open the API Keys Tab

Navigate to Developer Hub → API Keys.
2

Enter a Key Label

In the Generate New API Key form, type a descriptive Key Label that identifies where the key will be deployed (e.g. WooCommerce Plugin, Production Server, Staging Backend).
3

Generate the Key

Click the Generate Key button.
4

Copy the Key Immediately

The screen displays a New API Key Generated alert showing the full key string (e.g. op_8ae87c48.aae2b54e89c755d768a9db81b820643d3da4257474735ebd). Click Copy Key and paste it into your environment variable configuration right away.
After navigating away from the generation screen, only the key prefix (e.g. op_8ae87c48...) remains visible in the table — the full secret is never shown again. If a key is lost, revoke it and generate a replacement.

API Key Field Reference

FieldTypeRequiredExampleDescription
Key LabelTextYesWooCommerce PluginHuman-readable name for the deployment using this key.
Generate KeyButtonYesCreates and displays the Bearer token credentials.

Revoking an API Key

1

Locate the Key

Find the target key by its label in the API Keys list table.
2

Click Revoke

Click the Revoke button in the Actions column.
3

Confirm

Confirm the revocation dialog. The key is instantly deactivated. Any API request using that token returns a 401 Unauthorized error immediately.

Using API Keys for Authentication

All requests to the OwnPay REST API must include the key in the HTTP Authorization header:
Authorization: Bearer op_<your-full-key>
Example curl request to create a payment intent:
curl -X POST https://pay.yourdomain.com/api/v1/payment-intents \
  -H "Authorization: Bearer op_8ae87c48.aae2b54e89c755..." \
  -H "Content-Type: application/json" \
  -d '{"amount": 2500, "currency": "BDT", "description": "Order #1042"}'
Never hardcode API keys in client-side JavaScript, public source code, or Git repositories. Always load keys from your server’s .env configuration file or a secrets management service. Exposed keys grant full access to your OwnPay account’s payment operations.

Webhooks / IPN

The Webhooks / IPN tab manages outbound webhook endpoints. OwnPay sends HTTP POST requests to your configured URL when payment events occur, enabling your application to react in real time — for example, marking an order as paid in your e-commerce system when a payment.completed event fires.

Common Webhook Events

EventTrigger
payment.completedA transaction is verified as successfully paid.
payment.failedA gateway returns a failure or the customer aborts.
Always verify the HMAC signature on your server before processing any incoming webhook payload. Skipping this step exposes your system to webhook spoofing attacks where a malicious actor fabricates payment completion events.

Endpoint Reference

The Endpoint Reference tab lists the key REST API paths exposed by the platform:
EndpointMethodPurpose
/api/v1/payment-intentsPOSTCreate a new payment intent and receive a checkout token.
/api/v1/transactionsGETList transactions for the authenticated brand.
/api/v1/transactions/{id}GETRetrieve details for a single transaction.
For brands using custom domains, replace the base URL with https://{your_brand_domain}/api/v1.

Rate Limits

The Rate Limits tab defines threshold constraints on the number of API requests permitted per minute. Adjusting these values prevents API abuse and protects system stability under high-volume integration traffic.
Rate limiting is enforced by RateLimiterMiddleware. Requests that exceed the configured threshold receive a 429 Too Many Requests response. Build retry logic with exponential backoff into your integration to handle rate-limit responses gracefully.

Best Practices

One Key per Environment

Generate separate API keys for staging and production environments. This makes key rotation straightforward and ensures a compromised staging key cannot affect production traffic.

Copy Keys Before Leaving the Page

The full API key is displayed only at generation. Copy it to your environment configuration before navigating away — there is no recovery mechanism other than revoking and regenerating.

Verify Webhook Signatures

Every webhook handler in your integration must verify the HMAC signature. Processing unverified webhooks enables spoofing attacks that could incorrectly mark orders as paid.

Never Commit Keys to Version Control

Store API keys exclusively in server-side environment variables or a dedicated secrets manager. A key committed to a Git repository should be considered compromised and revoked immediately.

System Settings

Configure global server timezone and application settings.

Payment Gateways

Configure manual and API gateway credentials for checkout flows.

Audit Log

Monitor all security-relevant administrative access and API activity.

Public Checkout

Understand the customer-facing payment flow your API integrations initiate.

Build docs developers (and LLMs) love