Authentication
Test Mode vs Live Mode
There are two "modes" of operation for your Novac payment account:
- Live Mode: Real money, real transactions, real effects. Only switch to this after you've tested your integration thoroughly.
- Test Mode: No real money is involved. Only our test cards and bank accounts can be used. We'll still send webhooks and email notifications, and most of the API functions are the same.
You can easily switch between Live and Test modes with the toggle button at the bottom left portion of the navigation bar.

API keys
When you create a Novac payment account, you're given two kinds of API keys:
- Secret key: The most powerful type of key. It can authorize any action on your account, so it should never be exposed to the public.
- Public key: The key you'll use in "public" scenarios, such as in front-end JavaScript code.
Retrieving your API Keys
Your API keys are always available on your dashboard. To find your API keys:
- Log in to your dashboard.
- Navigate to Settings on the side menu.
- Go to the 'API Keys' tab on the Settings page. In the Novac API's section, you'll see both your Public and Secret keys.
Authorizing API calls
All API calls on Novac are authenticated. API requests made without authorization will fail with the status code 401: Unauthorized.
Your secret key can perform any actions on your Novac account without restriction. It should be kept confidential and only stored on your servers, preferably as an environment variable.
It should not be included in your Git repository or front-end JavaScript code.
To authorize API calls from your server, pass your secret key as a bearer token. This means passing an Authorization header with a value of "Bearer YOUR_SECRET_KEY".
For example, an API call could look like this in Next.js:
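```javascript
const axios = require('axios');

// Load the secret key from an environment variable
const secretKey = process.env.SECRET_KEY;
if (!secretKey) {
  throw new Error('SECRET_KEY environment variable not set.');
}

const data = JSON.stringify({
  "data": ""
});

const config = {
  method: 'post',
  maxBodyLength: Infinity,
  url: 'https://api.novacpayment.com/api/v1/paymentlink/initiate',
  headers: {
    'Authorization': `Bearer ${secretKey}`, // Use Authorization header with Bearer token
    'Content-Type': 'application/json'
  },
  data: data
};

axios.request(config)
  .then((response) => {
    console.log(JSON.stringify(response.data));
  })
  .catch((error) => {
    // Log only the status and message: the full error object carries the
    // request config, and with it the Authorization header.
    console.error(error.response ? error.response.status : 'no response', error.message);
  });
```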
```bash
# Ensure SECRET_KEY is set in your environment
curl -X POST \
  https://api.novacpayment.com/api/v1/paymentlink/initiate \
  -H "Authorization: Bearer $SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": ""}'
```
```python
import os
import http.client
import json

# Get the secret key from an environment variable
SECRET_KEY = os.getenv("SECRET_KEY")
if not SECRET_KEY:
    raise EnvironmentError("SECRET_KEY environment variable not set.")

conn = http.client.HTTPSConnection("api.novacpayment.com")
payload = json.dumps({
    "data": ""
})
headers = {
    'Authorization': f'Bearer {SECRET_KEY}',  # Use Authorization header with Bearer token
    'Content-Type': 'application/json'
}

# Make the POST request
conn.request("POST", "/payment/order/create", payload, headers)

# Get and print the response
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
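Keeping the secret key confidential also covers logs: a request config, or the error object axios rejects with, carries the Authorization header. The following is an added example, not Novac's code; the helper names `loadSecretKey`, `authHeaders`, `redact` and `summarizeError` are hypothetical, and it assumes the key is in the `SECRET_KEY` environment variable as in the samples above.

```javascript
// Added example (not Novac code). All helper names are hypothetical.
const SENSITIVE = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Read the secret key from the environment and fail fast if it is unusable.
function loadSecretKey(env = process.env) {
  const key = (env.SECRET_KEY || '').trim();
  if (!key) throw new Error('SECRET_KEY environment variable not set.');
  if (/\s/.test(key)) {
    // Catches values pasted as "Bearer <key>" as well as stray line breaks.
    throw new Error('SECRET_KEY must be the raw key, with no prefix or whitespace.');
  }
  return key;
}

// Build the headers for a server-side API call.
function authHeaders(secretKey) {
  return {
    Authorization: `Bearer ${secretKey}`,
    'Content-Type': 'application/json',
  };
}

// Return a deep copy of `value` with credential-bearing headers masked.
// Objects already visited are replaced with a marker to avoid cycles.
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE.has(k.toLowerCase()) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

// Reduce an axios-style error to fields that are safe to log.
function summarizeError(error) {
  const { config = {}, response } = error;
  return {
    message: error.message,
    status: response ? response.status : null,
    method: config.method || null,
    url: config.url || null,
    headers: redact(config.headers || {}),
  };
}
```

In a `.catch` handler, log `summarizeError(error)` rather than the error object itself.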
Updated 11 days ago