The Developer Hub consolidates every tool a developer needs to integrate OwnPay into external platforms — whether that is a WooCommerce store, a custom mobile app, or an internal backend service. From this single section you can generate authenticated API keys, configure outbound webhook endpoints for real-time payment notifications, review endpoint references, and manage API rate-limit thresholds. All communication with the OwnPay REST API is authenticated using Bearer tokens issued here.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/own-pay/OwnPay-Documentation/llms.txt
Use this file to discover all available pages before exploring further.
Accessing the Developer Hub
Log in to the Admin Panel
Sign in to the OwnPay admin dashboard with your administrator credentials.
API Keys
Overview
The API Keys tab lists all active keys associated with your account, showing each key’s user-defined label, key prefix (e.g.op_8ae87c48...), creation date, and last-used timestamp.
Generating a New API Key
Enter a Key Label
In the Generate New API Key form, type a descriptive Key Label that identifies where the key will be deployed (e.g.
WooCommerce Plugin, Production Server, Staging Backend).After navigating away from the generation screen, only the key prefix (e.g.
op_8ae87c48...) remains visible in the table — the full secret is never shown again. If a key is lost, revoke it and generate a replacement.API Key Field Reference
| Field | Type | Required | Example | Description |
|---|---|---|---|---|
| Key Label | Text | Yes | WooCommerce Plugin | Human-readable name for the deployment using this key. |
| Generate Key | Button | Yes | — | Creates and displays the Bearer token credentials. |
Revoking an API Key
Using API Keys for Authentication
All requests to the OwnPay REST API must include the key in the HTTPAuthorization header:
curl request to create a payment intent:
Webhooks / IPN
The Webhooks / IPN tab manages outbound webhook endpoints. OwnPay sends HTTP POST requests to your configured URL when payment events occur, enabling your application to react in real time — for example, marking an order as paid in your e-commerce system when apayment.completed event fires.
Common Webhook Events
| Event | Trigger |
|---|---|
payment.completed | A transaction is verified as successfully paid. |
payment.failed | A gateway returns a failure or the customer aborts. |
Endpoint Reference
The Endpoint Reference tab lists the key REST API paths exposed by the platform:| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/payment-intents | POST | Create a new payment intent and receive a checkout token. |
/api/v1/transactions | GET | List transactions for the authenticated brand. |
/api/v1/transactions/{id} | GET | Retrieve details for a single transaction. |
https://{your_brand_domain}/api/v1.
Rate Limits
The Rate Limits tab defines threshold constraints on the number of API requests permitted per minute. Adjusting these values prevents API abuse and protects system stability under high-volume integration traffic.Rate limiting is enforced by
RateLimiterMiddleware. Requests that exceed the configured threshold receive a 429 Too Many Requests response. Build retry logic with exponential backoff into your integration to handle rate-limit responses gracefully.Best Practices
One Key per Environment
Generate separate API keys for staging and production environments. This makes key rotation straightforward and ensures a compromised staging key cannot affect production traffic.
Copy Keys Before Leaving the Page
The full API key is displayed only at generation. Copy it to your environment configuration before navigating away — there is no recovery mechanism other than revoking and regenerating.
Verify Webhook Signatures
Every webhook handler in your integration must verify the HMAC signature. Processing unverified webhooks enables spoofing attacks that could incorrectly mark orders as paid.
Never Commit Keys to Version Control
Store API keys exclusively in server-side environment variables or a dedicated secrets manager. A key committed to a Git repository should be considered compromised and revoked immediately.
Related Pages
System Settings
Configure global server timezone and application settings.
Payment Gateways
Configure manual and API gateway credentials for checkout flows.
Audit Log
Monitor all security-relevant administrative access and API activity.
Public Checkout
Understand the customer-facing payment flow your API integrations initiate.