Authentication
API Keys
This section describes what API keys are and how to retrieve them.
Monnify authenticates your API requests using your account’s API keys. If you do not include your key when making an API request or use one that is incorrect or outdated, Monnify will return an error.
All API requests exist in either test or live mode, and one mode cannot be manipulated by data in the other. To get your live and test API keys, sign up here.
We use two types of API keys on Monnify: API Keys and Secret Keys.
Credential | Description |
---|---|
API Key | This is required together with your secret key to generate your basic token |
Secret Key | This should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any API request to Monnify without restriction. The secret key is used to authorize all your API calls on Monnify. |
How to Obtain your API Keys
Your API keys are available on your Monnify Dashboard. You can find them by following the steps below:
Login to your Monnify dashboard.
Navigate to settings.
Select API Keys and Webhooks on the settings tab.
The image below shows you where your unique API Key and Secret Key are located.
You can get your credentials for both live mode and test mode by toggling the switch between the two modes. See sample below:
Generating New API Keys
In cases where your API keys have been compromised, you can easily generate new API keys. Simply click the 'Reset API Keys' text under the API Keys and Webhooks tab on the Settings page.
This action will deactivate your current API key and secret immediately and new ones will be generated. You'll need to update your integrations (i.e. backend server configurations, mobile apps, websites, etc) with the new values once this is done.
Authentication
Monnify uses OAuth 2.0 as the basic security protocol. To access Monnify endpoints, you need to get an access token that grants you access to other endpoints.
HTTP METHOD - POST: https://sandbox.monnify.com/api/v1/auth/login
With Monnify, you can authorize your API calls by generating a token. To get one, you simply need to call the login endpoint. You send HTTP requests with the Authorization header that contains the word Basic followed by a space and a base64-encoded string apiKey:clientSecret.
For example, to authorize with public keys:
Credentials | Value |
---|---|
API Key | MK_TEST_SAF7HR5F3F |
Secret Key | 4SY6TNL8CK3VPRSBTHTRG2N8XXEGC6NL |
Authorization sample header: Basic base64(ApiKey:SecretKey)
Authorization sample header: Basic TUtfVEVTVF9TQUY3SFI1RjNGOjRTWTZUTkw4Q0szVlBSU0JUSFRSRzJOOFhYRUdDNk5M
Once done, you then make a request to the login API using the OAuth2 protocol to generate an access token that will be used to make calls to other Monnify endpoints.
As soon as you call the login endpoint, you will get a response that comes with an access token for you to access other Monnify endpoints.
{
  "requestSuccessful": true,
  "responseMessage": "success",
  "responseCode": "0",
  "responseBody": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "expiresIn": 3599
  }
}
The access token needed to call any other Monnify endpoint is in responseBody.accessToken.
Our endpoints are either protected by Basic Authentication or OAuth (Bearer Tokens) so you will need to send an Authorization header in either of the formats specified below:
OAuth 2.0 Authorization Header
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Basic Authentication Authorization Header
Authorization: Basic ZGVtbzpwQDU1dzByZA==
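The login flow above as an added example (not Monnify's own code): it builds the Basic header from the API key and secret key, exchanges it for an access token, and logs in again shortly before `expiresIn` runs out so an expired token is never sent. `TokenCache`, the 60-second margin, the empty POST body and the injectable `post`/`clock` parameters are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.request

LOGIN_URL = "https://sandbox.monnify.com/api/v1/auth/login"  # sandbox URL from the page

def basic_header(api_key, secret_key):
    """Build 'Basic base64(apiKey:secretKey)' for the login call."""
    raw = f"{api_key}:{secret_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def http_post(url, headers):
    """Default transport; the empty request body is an assumption."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: caches the access token, logs in again before expiry."""

    def __init__(self, api_key, secret_key, post=http_post, clock=time.monotonic, margin=60):
        self._basic = basic_header(api_key, secret_key)
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Return 'Bearer <accessToken>', refreshing `margin` seconds early."""
        if self._token is None or self._clock() >= self._expires_at:
            body = self._post(LOGIN_URL, {"Authorization": self._basic})
            if not body.get("requestSuccessful"):
                raise RuntimeError(f"login failed: {body.get('responseMessage')}")
            data = body["responseBody"]
            self._token = data["accessToken"]
            self._expires_at = self._clock() + data["expiresIn"] - self._margin
        return "Bearer " + self._token

if __name__ == "__main__":
    # Offline demo: constructed login response and clock; omit post/clock for real use.
    now = [0.0]
    fake = lambda url, headers: {"requestSuccessful": True,
                                 "responseBody": {"accessToken": "constructed-token", "expiresIn": 3599}}
    cache = TokenCache("MK_TEST_SAF7HR5F3F", "4SY6TNL8CK3VPRSBTHTRG2N8XXEGC6NL",
                       post=fake, clock=lambda: now[0])
    print(cache.bearer_header())   # first call logs in
    now[0] = 3600.0                # past the one-hour lifetime
    print(cache.bearer_header())   # logs in again instead of sending an expired token
```

In a real integration, load the API key and secret key from server-side configuration or a secret store rather than from source code.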
Possible Response Messages And Meaning
Response Message | Meaning | Action |
---|---|---|
Access token expired | This implies that the generated access token has exceeded its 1 hour time limit | Kindly regenerate a new access token. |
Cannot convert access token to json | This occurs when the access token generated is malformed or is not in the usual access token format. | Kindly recheck if there are any missing characters or if it’s poorly formatted. You can easily generate a new access token. |