Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.swiftpay.finance/llms.txt

Use this file to discover all available pages before exploring further.

Base URL

All endpoints are relative to the following production base URL: 
https://api.swiftpay.finance

Authentication

Both key types are found under Settings → API Keys in the SwiftPay dashboard.
KeyPrefixVisibilityWhere used
Secret keysk_live_*Shown once at creation/rotation — store it securelyServer-side only — invoice and transaction endpoints
Publishable keypk_live_*Always visible in the dashboardClient-side safe — checkout integration and hosted widget
Pass the secret key via the X-Swift-Key header on protected server-side requests: 
X-Swift-Key: sk_live_...
Public endpoints (GET /v1/utils/chains, GET /v1/utils/tokens) require no authentication.
Never expose your secret key (sk_live_*) in client-side code, public repositories, or logs. Store it in an environment variable or secrets manager and only use it server-side. If you believe your secret key has been compromised, rotate it immediately from Settings → API Keys.

Sandbox environment

🧪 Test before going live

SwiftPay provides a complete sandbox environment for safe testing. Get test keys, testnet faucets, webhook testing tools, and best practices in the Sandbox Environment Guide.

Key rotation

To rotate either key from the dashboard:
  1. Open Settings → API Keys
  2. Click Rotate next to the key you want to rotate
  3. Confirm the dialog — a new key is generated immediately
  4. Update your environment variables or secrets manager with the new value
Rotated keys are invalidated immediately. Copy and deploy the new key to your environment before your next request — any request still using the old key will be rejected.

Rate limiting

All endpoints are rate-limited using a sliding window algorithm.
Endpoint groupLimit
Authenticated endpoints120 requests / minute
Utility endpoints60 requests / minute

Headers

Every response from a rate-limited endpoint includes:
HeaderDescription
X-RateLimit-LimitMaximum requests allowed per minute (currently 120)
X-RateLimit-RemainingRequests remaining in the current window
When the limit is exceeded, the response also includes:
HeaderDescription
Retry-AfterSeconds to wait before retrying

Exceeded limit response

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 0
Retry-After: 4

{
  "success": false,
  "error": "too many requests",
  "traceId": "f47ac10b-58cc-4372-a567-0e02b2c3d479"
}
Always check X-RateLimit-Remaining in your responses and honour Retry-After when you receive a 429. If you need a higher limit, contact support@swiftpay.finance.

Checkout integration (publishable key)

The publishable key (pk_live_*) is the credential used when embedding the SwiftPay hosted checkout or iFrame widget. It is safe to include in client-side code because it can only create checkout sessions — it cannot access merchant data or transaction history.