Authentication
How requests to the Merchant Dashboard's APIs are authenticated.
Page draft pending
Skeleton only. Send: the auth scheme(s), header format, whether tokens or just keys, scope/permission model, and any IP allowlisting story.
Authentication scheme
The dashboard's API uses API key authentication. Create a key from Connect → API keys, then send it on every request:
GET /v1/transactions HTTP/1.1
Host: https://api.pomelopay.com
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxx
Confirm header name + key prefix.
Errors
| Status | Meaning |
|---|---|
401 Unauthorized | Missing, malformed, or revoked key. |
403 Forbidden | Key is valid but doesn't have permission for the endpoint. |
429 Too Many Requests | Rate limit hit. Back off and retry. |
Confirm the error envelope (JSON shape) and rate limit headers.