Merchants & API keys
Create a merchant, copy your API key, and manage its lifecycle from the dashboard.
A merchant is the top-level container for everything in payzum: invoices, payment links, subscriptions, POS terminals, and conversions all belong to a merchant. Each merchant has exactly one API key used by your server to authenticate requests.
Creating a merchant
Navigate to Dashboard → New merchant. Enter a display name and, optionally, a webhook URL where payzum will send IPN events. Click Create.
After creation, payzum redirects you to the credentials reveal page. This is the only time the plaintext API key is shown. Copy it to a secrets manager or environment variable immediately — the key cannot be recovered afterwards.
Leave the reveal page without copying and you will need to rotate the key to regain API access. There is no way to retrieve a plaintext key after this page is closed.
The API key preview
After the reveal page, the API key page (Merchants → [your merchant] → API key) shows only the last 4 characters of your key (the "preview"). This is enough to confirm which key is active without exposing the secret.
Rotating the key
Go to Merchants → [your merchant] → API key and click Rotate key. A new 64-character hex key is generated immediately. The old key is invalidated immediately — rotation takes effect on the next request. Allow a few seconds for the change to propagate fully.
Rotation is the only recovery path if a key is lost or compromised.
Rotation is non-destructive to your invoices, subscriptions, and other data — only the authentication credential changes.
Suspending a merchant
A suspended merchant returns 403 MERCHANT_SUSPENDED on every authenticated API request. No new invoices can be created, but existing open invoices continue to receive payments and trigger webhooks. Suspension is managed from the admin panel, not from the merchant dashboard.
For full details on the authentication header and error codes, see Authentication.