Overview

The ZAFA PAY API uses Bearer Token authentication. All API requests must include an access token in the Authorization header.

Obtaining Access Token

You can obtain an access token from the merchant dashboard.

1. Log in to Dashboard
   Log in to the merchant dashboard (https://app.zafapay.com).
2. Open Merchant Settings
   Select “Merchant Settings” from the side menu.
3. Get Access Token
   Use the access token displayed in the “API Settings” section.

API Endpoints

| Environment | Base URL | Purpose |
|---|---|---|
| Sandbox | https://api.sandbox.zafapay.com | Testing & Development |
| Production | https://api.zafapay.com | Production |

Different access tokens are required for Sandbox and Production environments.

Authentication Method

Set the Authorization header in all API requests.
cURL
curl https://api.sandbox.zafapay.com/v1/payments \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"
Node.js
const response = await fetch('https://api.sandbox.zafapay.com/v1/payments', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_ACCESS_TOKEN',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify(data)
});

Authentication Errors

| Error Code | HTTP Status | Cause |
|---|---|---|
| unauthorized | 401 | Invalid or expired token |
| forbidden | 403 | Account is deactivated |

Error Response Examples

401 Unauthorized
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid authorization header"
  }
}
403 Forbidden
{
  "error": {
    "code": "forbidden",
    "message": "Merchant account is inactive"
  }
}

Publishable Key (for S2S Payments)

For server-to-server payments, a separate publishable key is used to tokenize card details from the browser.

| Key Type | Prefix | Usage | Exposure |
|---|---|---|---|
| Access Token | | All API operations (server-side) | Never expose to client |
| Publishable Key | pk_test_* / pk_live_* | Token creation only (browser) | Safe to use in frontend code |

You can obtain your publishable key from the merchant dashboard under Merchant Settings > API Settings.
Browser
// Publishable key — safe for client-side use
const zafapay = Zafapay('pk_test_xxxxx');
const { token } = await zafapay.createToken({ ... });
Publishable keys can only create tokens. They cannot access payments, customers, or any other API resources.

Security Best Practices

🔒 Store Tokens Securely
Store access tokens in environment variables or secret management services. Never hardcode them in your code.
🛡️ Use HTTPS
Always make API requests over HTTPS.
🖥️ Server-Side Calls
Never expose access tokens in client-side (browser) code.
🔄 Regular Rotation
Regularly regenerate access tokens for security.
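
The following Node.js helper is an added example, not ZAFA PAY code: it loads the access token from an environment variable, selects the base URL for the environment, rejects a publishable key supplied as an access token, and maps the documented 401/403 responses to an action. The variable names ZAFAPAY_ENV and ZAFAPAY_ACCESS_TOKEN, the sandbox default, and the function names are assumptions.

```javascript
// Added example, not ZAFA PAY code. ZAFAPAY_ENV and ZAFAPAY_ACCESS_TOKEN are
// assumed variable names; base URLs and error codes are taken from this page.
const BASE_URLS = new Map([
  ['sandbox', 'https://api.sandbox.zafapay.com'],
  ['production', 'https://api.zafapay.com'],
]);

// Build request settings from the environment and fail closed on bad config.
function loadConfig(env = process.env) {
  const name = env.ZAFAPAY_ENV || 'sandbox'; // assumed default: sandbox
  const baseUrl = BASE_URLS.get(name);
  if (!baseUrl) throw new Error(`unknown ZAFAPAY_ENV: ${name}`);
  const token = (env.ZAFAPAY_ACCESS_TOKEN || '').trim();
  if (!token) throw new Error('ZAFAPAY_ACCESS_TOKEN is not set');
  // A publishable key can only create tokens, so it is never a valid access token.
  if (/^pk_(test|live)_/.test(token)) {
    throw new Error('publishable key supplied where an access token is required');
  }
  return {
    baseUrl,
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
  };
}

// Map the two documented authentication errors to an operator action.
function classifyAuthError(status, body) {
  const code = body && body.error ? body.error.code : undefined;
  if (status === 401 && code === 'unauthorized') {
    return { code, action: 'check or regenerate the access token for this environment' };
  }
  if (status === 403 && code === 'forbidden') {
    return { code, action: 'merchant account is inactive; stop retrying' };
  }
  return null; // not one of the documented authentication errors
}

// Send a request; on 401/403 raise an error that never contains the token.
async function callApi(path, options = {}, env = process.env) {
  const { baseUrl, headers } = loadConfig(env);
  const res = await fetch(baseUrl + path, { ...options, headers });
  const body = await res.json().catch(() => null);
  const problem = classifyAuthError(res.status, body);
  if (problem) throw new Error(`ZAFA PAY ${res.status} ${problem.code}: ${problem.action}`);
  return { status: res.status, body };
}
```

Because a Sandbox token is not valid against Production (and vice versa), a 401 right after switching ZAFAPAY_ENV usually means the token for the other environment is still loaded.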