Core Concepts
Authentication
YesPaisaPay authenticates every request with a secret API key. Server-to-server calls use HTTP Basic auth; browser-side calls use short-lived publishable keys.
Key types
| Prefix | Where it goes | Capabilities |
|---|---|---|
| `ypp_pk_*` | Browser / mobile | Tokenize cards, create sessions |
| `ypp_sk_*` | Server only | Full read & write |
| `ypp_rk_*` | Restricted server | Scoped to specific endpoints |
Authenticating a request
Send the secret key as the HTTP Basic auth username, with an empty password:
curl https://api.yespaisapay.com/v1/payments \
  -u ypp_sk_live_X9aB••••:
Rotating keys
Rotate a key from Settings → API keys. The old key continues to work for 24 hours so you can deploy without downtime. After that window it is revoked permanently.
Never embed secret keys in client-side code, mobile apps, or public repositories. Compromised keys can be rotated, but funds moved before rotation cannot be reversed.
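One way to check for the rule above before a client bundle ships, as an added example that is not YesPaisaPay's own code: it flags server-only keys both in plain text and inside a hard-coded Basic auth header, where the key is base64-encoded and a plain-text search misses it. The key body character set, the `_test_` keys and the sample bundle are constructed assumptions.

```python
import base64
import binascii
import re

# Prefixes from the key-type table; only ypp_pk_* may ship to a browser or app.
SERVER_ONLY = {"ypp_sk_": "secret", "ypp_rk_": "restricted"}
# Assumption: the key body is letters, digits and underscores.
RAW_KEY = re.compile(r"ypp_(?:sk|rk)_[A-Za-z0-9_]+")
# A hard-coded "Authorization: Basic <base64>" value hides the key from RAW_KEY.
BASIC_TOKEN = re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})")


def redact(key: str) -> str:
    """Keep only enough of the key to identify it in a report."""
    return key[:12] + "..."


def find_server_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, redacted_key) for each server-only key in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        candidates = RAW_KEY.findall(line)
        for token in BASIC_TOKEN.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            # Basic auth is "username:password"; the key is the username.
            candidates.append(decoded.partition(":")[0])
        for key in candidates:
            for prefix, kind in SERVER_ONLY.items():
                if key.startswith(prefix):
                    findings.append((line_no, kind, redact(key)))
    return findings


# Constructed sample bundle; none of these are real keys.
_FAKE_SK = "ypp_sk_test_" + "0" * 16
SAMPLE_BUNDLE = "\n".join([
    'const pk = "ypp_pk_test_1111111111111111";',
    f'const sk = "{_FAKE_SK}";',
    'headers.Authorization = "Basic '
    + base64.b64encode(f"{_FAKE_SK}:".encode()).decode() + '";',
])

if __name__ == "__main__":
    for finding in find_server_keys(SAMPLE_BUNDLE):
        print(finding)
```

Findings are redacted so the scan report itself does not become another copy of the key.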
