Authentication and Authorization
π¦ Authenticating with the API
The Mesta Platform uses API keys and secrets to authenticate requests to the platform. Each API key and secret can be scoped to specific permissions.
API keys can be generated in the "API" section of the Mesta Sandbox Portal and Mesta Merchant Portal. Access is given after merchant is approved by the Mesta team.
β οΈ Never share your API key or API secret publicly or in your source code repository.
β οΈ Never embed your API key or API secret in client-side code.
π Generating an API Key
To generate an API key, follow these steps:
- Go to the "API Keys" section of the Mesta Merchant Portal.
- Click on "Create API Key".
- Enter a key name (e.g.,
'scope-read'). - Select the needed permissions for the API key. Refer to the permissions list below for details.
π API Key Permissions
When generating an API key and secret, you can select the needed permissions. Below is a guide to the available permissions grouped by functionality:
π Full Access
Full platform access with all permissions enabled.
- Permission Key:
merchant:*:*
π₯ Customer Management
Manage customer data, including senders and beneficiaries.
View Permissions:
merchant:sender:readmerchant:beneficiary:read
Manage Permissions:
merchant:sender:writemerchant:beneficiary:write
πΈ Payment Operations
Handle payment-related operations, including orders and transactions.
View Permissions:
merchant:order:readmerchant:batch-order:readmerchant:quote:readmerchant:transaction:read
Manage Permissions:
merchant:order:writemerchant:batch-order:writemerchant:quote:write
π Wallet Management
Manage cryptocurrency wallet addresses.
View Permissions:
merchant:source_wallet_address:readmerchant:deposit_wallet_address:read
Manage Permissions:
merchant:source_wallet_address:write
βοΈ Account Settings
Configure account settings, webhooks, and basis points.
View Permissions:
merchant:webhook:readmerchant:account:readmerchant:basis-points-config:read
Manage Permissions:
merchant:webhook:writemerchant:account:write
π€ User & Role Management
Manage users, roles, and access control.
View Permissions:
merchant:user:readmerchant:role:readmerchant:api-key:readmerchant:merchant:read
Manage Permissions:
merchant:user:writemerchant:role:writemerchant:api-key:writemerchant:merchant:write
Best Practice: Follow the principle of least privilege - only grant permissions that are absolutely
π‘ Example Request Using API Credentials
Here is an example of how to make an authenticated request using your API key and secret:
curl -X GET "https://api.dev.mesta.xyz/v1/orders?pageSize=10" \
-H "x-api-key: <Your API key>" \
-H "x-api-secret: <Your API secret>" \
-H "Content-Type: application/json"In this example:
- Replace Your API key and Your API secret with your actual API key and secret.
- Authentication Details: The API key and secret are passed using custom headers x-api-key and x-api-secret.
- Authorization: The request will be scoped according to the permissions selected when the API key was generated.
- Request Parameters: The parameters include
_ordersandorder_limitare included as query parameters in the URL, which is appropriate for a GET request. - Content-Type Header: Although not strictly necessary for a GET request without a body, the Content-Type: application/json header is included for consistency.
Important Notes
- Ensure the permissions you select align with the actions you need to perform with the API.
- Keep your API key and secret secure. Do not share or expose them in public repositories or client-side code.
- This approach ensures secure and scoped access to the Mesta platform, tailored to your specific needs and permissions.
Updated 3 months ago