
Overview

The ZAFA PAY API uses Bearer token authentication: every API request must carry an access token in the Authorization header.

Obtaining Access Token

You can obtain an access token from the merchant dashboard.
1. Log in to Dashboard: log in to the merchant dashboard (https://app.zafapay.com).
2. Open Merchant Settings: select “Merchant Settings” from the side menu.
3. Get Access Token: use the access token displayed in the “API Access” section.

API Endpoints

Environment   Base URL                          Purpose
Sandbox       https://api.sandbox.zafapay.com   Testing & Development
Production    https://api.zafapay.com           Production

Sandbox and Production use different access tokens. A token issued for one environment is not valid against the other base URL, so sending a Sandbox token to https://api.zafapay.com is rejected as an invalid token (401). Keep the token and the base URL configured together, per environment.

Authentication Method

Set the Authorization header in all API requests.
cURL
curl https://api.sandbox.zafapay.com/v1/payments \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"
Node.js
// Runs inside an async function or an ES module (top-level await).
// data is the JSON request body for the endpoint being called.
const data = { amount: 1000 };
const response = await fetch('https://api.sandbox.zafapay.com/v1/payments', {
  method: 'POST',
  headers: {
    // Replace YOUR_ACCESS_TOKEN with a value read from configuration, not a literal in source
    'Authorization': 'Bearer YOUR_ACCESS_TOKEN',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify(data)
});

Authentication Errors

Error Code     HTTP Status   Cause
unauthorized   401           Missing, invalid or expired token
forbidden      403           Merchant account is deactivated

Neither error is fixed by retrying the same request: a 401 means the token itself must be corrected (check that the header is present, that the token matches the environment of the base URL, and that it has not been regenerated), and a 403 means the merchant account must be reactivated before any call will succeed.

Error Response Examples

401 Unauthorized
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid authorization header"
  }
}
403 Forbidden
{
  "error": {
    "code": "forbidden",
    "message": "Merchant account is inactive"
  }
}

Security Best Practices

🔒 Store Tokens Securely
Store access tokens in environment variables or a secret management service. Never hardcode them in source code, and keep them out of version control and application logs.
🛡️ Use HTTPS
Always make API requests over HTTPS. A Bearer token sent over plain HTTP can be read by anyone on the network path and replayed as your merchant account.
🖥️ Server-Side Calls
Only call the API from your server. A token embedded in client-side (browser or mobile) code is visible to any user who inspects the page or traffic and can be used to act as your merchant.
🔄 Regular Rotation
Regularly regenerate access tokens from the “API Access” section of the merchant dashboard and update the value in your secret store at the same time, so that a token that has leaked without your knowledge stops working. Regenerate immediately if a token is exposed, for example by being committed to a repository.
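The following is an added example written for this page, not ZAFA PAY's own SDK or code. It puts the Authentication Method, Authentication Errors and Security Best Practices sections together in a small server-side Node.js client: the base URL is chosen per environment, the token is read from an environment variable rather than hardcoded, the request is refused if no token is configured or the base URL is not HTTPS, and the documented 401/403 error bodies are mapped to a typed, non-retryable error. The environment variable name ZAFAPAY_ACCESS_TOKEN, the client and error class names, the payment request body, and the fake fetch responses are assumptions made for this illustration; the fake fetch exists only so the example runs offline.

```javascript
'use strict';
// Added example, not ZAFA PAY's own SDK. ZAFAPAY_ACCESS_TOKEN, the class and
// function names, the payment body and fakeFetch's answers are assumptions.

const BASE_URLS = {
  sandbox: 'https://api.sandbox.zafapay.com',
  production: 'https://api.zafapay.com',
};

// Authentication failure documented for this API: 401 means the token is
// missing, invalid or expired; 403 means the merchant account is inactive.
class ZafaPayAuthError extends Error {
  constructor(status, code, message) {
    super(`HTTP ${status} ${code}: ${message}`);
    this.name = 'ZafaPayAuthError';
    this.status = status;
    this.code = code;
    // Resending the same token cannot fix either case, so callers must not loop.
    this.retryable = false;
  }
}

// Pure helper: map an HTTP status plus the parsed {"error": {...}} body to
// a ZafaPayAuthError, or null when the response is not an auth failure.
function classifyAuthFailure(status, payload) {
  if (status !== 401 && status !== 403) return null;
  const err = (payload && payload.error) || {};
  return new ZafaPayAuthError(status, err.code || 'unknown', err.message || 'no message');
}

function buildHeaders(token) {
  return { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
}

function createClient({ environment, token = process.env.ZAFAPAY_ACCESS_TOKEN, fetchImpl = globalThis.fetch } = {}) {
  const baseUrl = BASE_URLS[environment];
  if (!baseUrl) throw new Error(`unknown environment "${environment}"; use "sandbox" or "production"`);
  // Sandbox and Production tokens differ, so fail at startup instead of
  // sending a request that is guaranteed to come back as a 401.
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no access token: set ZAFAPAY_ACCESS_TOKEN (do not hardcode it)');
  }
  if (!baseUrl.startsWith('https://')) throw new Error('refusing to send a Bearer token over plain HTTP');

  async function request(method, path, body) {
    const res = await fetchImpl(baseUrl + path, {
      method,
      headers: buildHeaders(token),
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    const payload = await res.json().catch(() => null);
    const authError = classifyAuthFailure(res.status, payload);
    if (authError) throw authError;
    if (!res.ok) throw new Error(`ZAFA PAY request failed with HTTP ${res.status}`);
    return payload;
  }

  return {
    baseUrl,
    listPayments: () => request('GET', '/v1/payments'),
    createPayment: (data) => request('POST', '/v1/payments', data),
  };
}

// Constructed stand-in for fetch so the example runs offline. It answers with
// the 401/403 bodies documented above depending on the token it is sent.
function fakeFetch(url, init) {
  const auth = init.headers.Authorization;
  const reply = (status, body) => Promise.resolve({
    status, ok: status >= 200 && status < 300, json: () => Promise.resolve(body),
  });
  if (auth === 'Bearer sandbox-token-ok') return reply(200, { data: [], url });
  if (auth === 'Bearer inactive-merchant') {
    return reply(403, { error: { code: 'forbidden', message: 'Merchant account is inactive' } });
  }
  return reply(401, { error: { code: 'unauthorized', message: 'Missing or invalid authorization header' } });
}

async function demo() {
  const ok = createClient({ environment: 'sandbox', token: 'sandbox-token-ok', fetchImpl: fakeFetch });
  console.log('200 ->', await ok.listPayments());
  for (const token of ['expired-token', 'inactive-merchant']) {
    const client = createClient({ environment: 'sandbox', token, fetchImpl: fakeFetch });
    try {
      await client.createPayment({ amount: 1000 });
    } catch (e) {
      console.log(`${e.status} ${e.code} retryable=${e.retryable}: ${e.message}`);
    }
  }
}

demo().catch((e) => { console.error(e); process.exitCode = 1; });
```

In production, drop the fakeFetch argument so the client uses Node's built-in fetch, and set ZAFAPAY_ACCESS_TOKEN from your secret store at deploy time. Because ZafaPayAuthError carries retryable = false, a generic retry wrapper can distinguish it from transient transport errors and surface it to an operator instead of hammering the API with a dead token.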