Authentication

Rebel Pay uses two authentication methods: API keys for charge operations and JWT tokens for account management.

API Key Authentication

API keys are used for creating and managing charges. Include your key in the x-api-key header.

Key Types

  • Production: rp_live_... - Use for real transactions
  • Sandbox: rp_test_... - Reserved for a future test mode (not yet active)

Using API Keys

curl https://your-server.com/api/charges \
  -H "x-api-key: rp_live_your_api_key_here"

Security

  • Never expose API keys in client-side code (browser JavaScript, mobile apps, anything shipped to users); requests carrying x-api-key must originate from your own server
  • Store keys in environment variables or a secrets store, never in source control
  • Regenerate a key immediately if it is compromised (committed to a repository, written to a log, or shared) and treat the old key as burned
  • Use sandbox keys for development once test mode is available; do not develop or test against a live key
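The following is an added Python example, not Rebel Pay's own code, showing the client-side handling these rules imply: the key is read from the environment rather than from source, checked against the two documented prefixes, redacted before it can reach a log line, and a live key is refused when the process is not running as production. The variable names REBEL_PAY_API_KEY and REBEL_PAY_ENV and the base URL are this example's assumptions; the x-api-key header and the rp_live_/rp_test_ prefixes are from the page.

```python
"""Added example (not Rebel Pay's own code): load an API key from the
environment, sanity-check it, and attach it as the x-api-key header.

Assumptions of this example: the variable names REBEL_PAY_API_KEY and
REBEL_PAY_ENV, and that anything other than REBEL_PAY_ENV=production is a
development/test process that must never touch a live key.
"""
import os
from typing import Mapping
from urllib import request

LIVE_PREFIX = "rp_live_"   # documented: real transactions
TEST_PREFIX = "rp_test_"   # documented: reserved for test mode


class ApiKeyError(ValueError):
    """Raised when a key is missing, malformed, or used in the wrong place."""


def key_mode(key: str) -> str:
    """Return 'live' or 'test' from the documented key prefixes."""
    if key.startswith(LIVE_PREFIX):
        return "live"
    if key.startswith(TEST_PREFIX):
        return "test"
    raise ApiKeyError("key does not start with rp_live_ or rp_test_")


def redact(key: str) -> str:
    """Log-safe form: prefix plus last four characters, nothing else."""
    return f"rp_{key_mode(key)}_...{key[-4:]}"


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment and refuse a live key outside production."""
    key = env.get("REBEL_PAY_API_KEY", "").strip()
    if not key:
        raise ApiKeyError("REBEL_PAY_API_KEY is not set")
    mode = key_mode(key)
    app_env = env.get("REBEL_PAY_ENV", "production")   # assumed switch
    if app_env != "production" and mode == "live":
        raise ApiKeyError(f"refusing to use live key {redact(key)} in {app_env}")
    return key


def list_charges(base_url: str, key: str, opener=request.urlopen) -> bytes:
    """GET /api/charges with the key in x-api-key; opener is injectable for tests."""
    req = request.Request(f"{base_url}/api/charges", headers={"x-api-key": key})
    with opener(req) as resp:
        return resp.read()


if __name__ == "__main__":
    api_key = load_api_key()
    print("using key", redact(api_key))          # never print the key itself
    print(list_charges("https://your-server.com", api_key))
```

The guard in load_api_key is the practical form of "use sandbox keys for development": a misconfigured developer machine fails loudly at startup instead of creating live charges.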

JWT Authentication

JWT tokens are used for account management operations like updating settings, managing webhooks, and changing passwords.

Obtaining a Token

Log in to receive a JWT:

curl -X POST https://your-server.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your_password"}'

Response:

{
  "merchant": {
    "id": 1,
    "email": "you@example.com",
    "businessName": "Your Business"
  },
  "token": "eyJhbGciOiJIUzI1NiIs..."
}

Using JWT Tokens

Include the token in the Authorization header:

curl https://your-server.com/api/auth/me \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Token Expiration

JWT tokens expire 7 days after they are issued. Requests made with an expired token are rejected; log in again (completing the 2FA step if it is enabled) to obtain a new token.
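An added Python example, not Rebel Pay's own code, for handling that expiry on the client: it reads the expiry out of the token so a long-running integration can re-authenticate before the 7-day limit instead of discovering it through a failed request. It assumes the token carries a standard RFC 7519 exp claim (seconds since the epoch); the page states the 7-day lifetime but does not name the claim. The client does not verify the signature, since only the server holds the HS256 secret; reading exp here is scheduling, not trust, and the token built by make_test_token is constructed for offline testing only.

```python
"""Added example (not Rebel Pay's own code): read the exp claim from a JWT so
a client can re-authenticate before the documented 7-day expiry.

Assumption: the token carries a standard RFC 7519 `exp` claim. The signature
is not verified here; that is the server's job and the client never holds the
server's HS256 secret.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SEVEN_DAYS = 7 * 24 * 3600


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_remaining(token: str, now: Optional[float] = None) -> float:
    """Seconds until exp; negative once the token has expired."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    now = time.time() if now is None else now
    return claims["exp"] - now


def needs_refresh(token: str, now: Optional[float] = None, margin: int = 3600) -> bool:
    """True if the token is expired or within `margin` seconds of expiring."""
    return seconds_remaining(token, now) <= margin


def make_test_token(claims: Dict[str, Any], secret: bytes) -> str:
    """Constructed HS256 token for offline testing only. Real tokens come from
    POST /api/auth/login; clients never know the server's signing secret."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    issued = int(time.time())
    tok = make_test_token({"id": 1, "iat": issued, "exp": issued + SEVEN_DAYS}, b"demo-secret")
    print(tok[:20], "...")                     # same eyJhbGciOiJIUzI1NiIs prefix as the page
    print("hours left:", seconds_remaining(tok) / 3600)
    print("refresh now?", needs_refresh(tok))
```

A reasonable integration calls needs_refresh before each batch of account-management requests and logs in again when it returns true; the one-hour margin is this example's choice.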

Two-Factor Authentication

Enable 2FA for additional account security. When enabled, login requires a 6-digit time-based (TOTP) code from your authenticator app in addition to the password. Setup returns the TOTP secret and a set of backup codes: store the backup codes offline and treat both like passwords, since anyone holding the secret can generate valid codes.

Setup 2FA

# Step 1: Initialize setup
curl -X POST https://your-server.com/api/auth/2fa/setup \
  -H "Authorization: Bearer YOUR_TOKEN"

# Response includes the TOTP secret, a QR code for the authenticator app, and backup codes
{
  "secret": "ABCD1234...",
  "qrCode": "data:image/png;base64,...",
  "backupCodes": ["ABC123", "DEF456", ...]
}

# Step 2: Verify with code from authenticator
curl -X POST https://your-server.com/api/auth/2fa/verify \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"code": "123456"}'

Login with 2FA

When 2FA is enabled, a login request without a totp_code returns no token, only:

{"requires_2fa": true}

Repeat the request with the current code from your authenticator added as totp_code:

curl -X POST https://your-server.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "password": "your_password",
    "totp_code": "123456"
  }'
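The following is an added Python example, not Rebel Pay's own code, covering both the setup and the login steps above: it generates the 6-digit code an authenticator app would show for the secret returned by /api/auth/2fa/setup (useful for scripting the verify step and for confirming a setup worked), and it drives the two-step login, retrying with totp_code when the server answers requires_2fa. It assumes the secret is base32 and the codes are 30-second SHA-1 TOTP per RFC 6238, which is what authenticator apps expect but which the page does not state. demo_server is a constructed stand-in for the real endpoint so the flow runs offline; the RFC 6238 test key in the usage block is likewise not a real account secret.

```python
"""Added example (not Rebel Pay's own code): compute the TOTP code for the
`secret` returned by /api/auth/2fa/setup and run the two-step login.

Assumptions: base32 secret, 30-second SHA-1 TOTP, 6 digits (RFC 6238
defaults). demo_server is a constructed stand-in for POST /api/auth/login.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Dict, Optional

STEP = 30
DIGITS = 6


def totp_raw(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP over the time counter floor(at / step)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """Code for a base32 secret such as the one the setup endpoint returns."""
    s = secret_b32.strip().upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))            # restore padding
    return totp_raw(key, int(time.time()) if at is None else at)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Server-style check: accept the current step plus/minus `window` steps
    of clock skew, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + i * STEP), code)
        for i in range(-window, window + 1)
    )


Post = Callable[[str, Dict], Dict]


def login(post: Post, email: str, password: str,
          code_source: Optional[Callable[[], str]] = None) -> str:
    """POST credentials; on {"requires_2fa": true} POST again with totp_code.
    Returns the JWT from the final response."""
    body = {"email": email, "password": password}
    resp = post("/api/auth/login", body)
    if resp.get("requires_2fa"):
        if code_source is None:
            raise PermissionError("account has 2FA enabled but no code source was given")
        resp = post("/api/auth/login", {**body, "totp_code": code_source()})
    if "token" not in resp:
        raise PermissionError(f"login rejected: {resp}")
    return resp["token"]


def demo_server(secret_b32: str, password: str, now: int) -> Post:
    """Constructed stand-in for POST /api/auth/login mirroring the documented
    responses. Not the real server; it exists so the example runs offline."""
    def post(path: str, body: Dict) -> Dict:
        if path != "/api/auth/login" or body.get("password") != password:
            return {"error": "invalid credentials"}
        if "totp_code" not in body:
            return {"requires_2fa": True}
        if not verify_totp(secret_b32, str(body["totp_code"]), now):
            return {"error": "invalid 2FA code"}
        return {"merchant": {"id": 1, "email": body["email"]}, "token": "demo.jwt.token"}
    return post


if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"    # base32 of the RFC 6238 test key
    post = demo_server(secret, "your_password", now=59)
    print("code:", totp(secret, 59))                # 287082, the RFC 6238 vector
    print("token:", login(post, "you@example.com", "your_password",
                          lambda: totp(secret, 59)))
```

Against the real endpoint, replace demo_server with a function that POSTs JSON to https://your-server.com/api/auth/login and returns the decoded body; login itself does not change. The skew window in verify_totp is the usual reason a code typed a few seconds late is still accepted.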

API Endpoints by Auth Type

Endpoint                   Auth Type
POST /api/charges          API Key
GET  /api/charges          API Key
GET  /api/charges/:id      API Key
POST /api/webhooks         JWT
GET  /api/webhooks         JWT
PUT  /api/account/payout   JWT
GET  /api/price/xmr        None