# Generate API keys

KwikPaisa API credentials are required to authenticate requests, generate secure signatures, verify webhooks, and access Sandbox or Production banking services.

This guide explains how to generate and manage your API credentials securely using the KwikPaisa Developer Console.

***

## Before You Begin

Before generating API credentials, ensure:

* Your merchant account is created
* Profile verification is completed
* Banking services are activated
* Payment Gateway and/or Payout activation requests are submitted

***

## Access Developer Console

Log in to the KwikPaisa Dashboard and navigate to:

```
Dashboard → Developer → Console
```

The Developer Console allows you to:

* Generate API credentials
* Manage API environments
* Configure webhooks
* Monitor API access
* Access integration settings

***

## Available Environments

KwikPaisa provides separate credentials for:

| Environment | Purpose                            |
| ----------- | ---------------------------------- |
| Sandbox     | Testing and development            |
| Production  | Live payment and payout processing |

***

## Sandbox Credentials

Sandbox credentials are used for:

* API integration testing
* Signature generation testing
* Webhook testing
* UAT validation
* Mock transaction flows

Sandbox transactions do not involve real money movement.

***

## Generate Sandbox Credentials

Inside the Developer Console:

1. Open the Sandbox environment
2. Click:

   ```
   Generate API Credentials
   ```

3. KwikPaisa will generate:

   * API Key
   * Secret Key

***

## Example Sandbox Credentials

```
X-API-KEY: pk_test_xxxxxxxxx
SECRET_KEY: sk_test_xxxxxxxxx
```

***

## Credential Components

### API Key

The API Key is used to identify your merchant account during API requests.

Example:

```
pk_test_xxxxxxxxx
```

The API Key is sent in request headers:

```
X-API-KEY: pk_test_xxxxxxxxx
```

***

### Secret Key

The Secret Key is used for:

* Signature generation
* Webhook verification
* Request authentication

Example:

```
sk_test_xxxxxxxxx
```

Secret Keys should always remain private and server-side only.

***

## Production Credentials

Production credentials become available after:

* Compliance approval
* Banking verification
* Risk assessment
* Production onboarding review

Production credentials allow real transaction processing.

***

## Example Production Credentials

```
X-API-KEY: pk_live_xxxxxxxxx
SECRET_KEY: sk_live_xxxxxxxxx
```

***

## Credential Security Guidelines

Never:

* Expose Secret Keys publicly
* Store credentials in frontend applications
* Commit credentials to Git repositories
* Share production keys insecurely

Recommended storage methods:

* Environment variables
* Secret management systems
* Encrypted backend storage
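
To enforce the "never commit credentials" rule mechanically, the following added example (not KwikPaisa code) scans text for Secret Keys by the `sk_test_` / `sk_live_` prefixes and skips documentation placeholders. The character set after the prefix is an assumption, and the sample content is constructed.

```python
import re
import sys

# sk_test_ / sk_live_ come from this page; the characters after the prefix
# (8+ alphanumerics) are an assumption about the key format.
SECRET_RE = re.compile(r"\bsk_(test|live)_([A-Za-z0-9]{8,})")

# Constructed sample file content; none of these are real keys.
SAMPLE = """\
API_KEY=pk_live_Ab12Cd34Ef
SECRET_KEY=sk_live_Zx98Yw76Vu
DOC_EXAMPLE=sk_test_xxxxxxxxx
"""


def find_secret_keys(text):
    """Return (line number, environment, redacted match) for each Secret Key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_RE.finditer(line):
            if set(match.group(2).lower()) == {"x"}:
                continue  # documentation placeholder such as sk_test_xxxxxxxxx
            env = "production" if match.group(1) == "live" else "sandbox"
            # Report only the prefix and two characters, never the full key.
            findings.append((lineno, env, match.group(0)[:10] + "..."))
    return findings


def main(paths):
    """Scan files (e.g. those staged for commit); return 1 if any key is found."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for lineno, env, redacted in find_secret_keys(handle.read()):
                print(f"{path}:{lineno}: {env} Secret Key {redacted}")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run from a pre-commit hook or CI step with the changed file paths as arguments; a non-zero exit status blocks the commit.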

***

## Environment Separation

Sandbox and Production credentials are completely separate.

| Environment | Credential Prefix       |
| ----------- | ----------------------- |
| Sandbox     | `pk_test_` / `sk_test_` |
| Production  | `pk_live_` / `sk_live_` |

Never mix Sandbox and Production credentials.
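
A backend can refuse to start when the configured keys do not match the intended environment. The following added example (not KwikPaisa code) loads the key pair from environment variables and checks it against the prefix table above; the variable names `KWIKPAISA_API_KEY` and `KWIKPAISA_SECRET_KEY` are assumptions.

```python
import os
from dataclasses import dataclass, field

# Prefixes from the Environment Separation table on this page.
PREFIXES = {
    "sandbox": ("pk_test_", "sk_test_"),
    "production": ("pk_live_", "sk_live_"),
}


class CredentialError(ValueError):
    """Raised when credentials are missing or do not match the environment."""


@dataclass(frozen=True)
class Credentials:
    environment: str
    api_key: str
    secret_key: str = field(repr=False)  # keep the secret out of logs and tracebacks


def load_credentials(environment, environ=os.environ):
    """Load and validate the key pair for one environment.

    KWIKPAISA_API_KEY / KWIKPAISA_SECRET_KEY are assumed variable names.
    """
    if environment not in PREFIXES:
        raise CredentialError(f"unknown environment: {environment!r}")
    pk_prefix, sk_prefix = PREFIXES[environment]
    api_key = environ.get("KWIKPAISA_API_KEY", "").strip()
    secret_key = environ.get("KWIKPAISA_SECRET_KEY", "").strip()
    if not api_key or not secret_key:
        raise CredentialError("API key or secret key is not set")
    # Check each key on its own so a Sandbox/Production mix is caught.
    if not api_key.startswith(pk_prefix) or len(api_key) == len(pk_prefix):
        raise CredentialError(f"API key is not a {environment} key ({pk_prefix}...)")
    if not secret_key.startswith(sk_prefix) or len(secret_key) == len(sk_prefix):
        # Never echo the secret itself in the error message.
        raise CredentialError(f"secret key is not a {environment} key ({sk_prefix}...)")
    return Credentials(environment, api_key, secret_key)
```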

***

## Using Credentials in API Requests

Example authenticated request headers:

➡️ Authentication → [Headers](/v3-guide/authentication/signature.md)

## Signature Generation

All API requests require:

* HMAC SHA256 signatures
* UNIX timestamps
* Secure authentication headers

Signature formula:

➡️ Authentication → [Signature](/v3-guide/authentication/signature.md)

## Recommended Workflow

1. Generate Sandbox credentials
2. Configure API authentication
3. Integrate Sandbox APIs
4. Configure webhook verification
5. Complete UAT testing
6. Request Production activation
7. Generate Production credentials
8. Move to live environment safely

***

## Regenerating Credentials

If credentials are compromised:

1. Revoke existing keys
2. Generate new credentials
3. Update backend systems immediately
4. Rotate webhook verification secrets
5. Review API access logs

***

## Important Notes

* Production credentials process real financial transactions
* Secret Keys should never leave backend systems
* API credentials are merchant-specific
* Webhook verification depends on your Secret Key

***

## Security Recommendations

KwikPaisa strongly recommends the following for all production integrations:

* HTTPS-only communication
* IP whitelisting
* Webhook verification
* Replay attack protection
* Secure credential storage
* Audit logging

***

## Best Practices

* Use separate environments for testing and production
* Rotate credentials periodically
* Restrict backend API access
* Store credentials securely
* Validate signatures server-side


