Authentication
NextAPI uses HTTP Basic Auth for all requests. Your credentials are your Client ID and Client Secret, combined and Base64-encoded in the Authorization header.
How it works
Basic Auth encodes your credentials directly into the request header. Every API request must include this header — there are no sessions, cookies, or tokens to manage.
```http
Authorization: Basic <Base64(CLIENT_ID:CLIENT_SECRET)>
```
The colon (:) separates the Client ID from the Client Secret before encoding.
Constructing the header
Step 1: Combine credentials
```text
YOUR_CLIENT_ID:YOUR_CLIENT_SECRET
```
Step 2: Base64-encode the combined string
```bash
echo -n "YOUR_CLIENT_ID:YOUR_CLIENT_SECRET" | base64
```
The -n flag stops echo from appending a newline, which would otherwise be encoded into the credential and rejected.
Example output:
```text
WU9VUl9DTElFTlRfSUQ6WU9VUl9DTElFTlRfU0VDUkVU
```
Step 3: Add the Authorization header
```http
Authorization: Basic WU9VUl9DTElFTlRfSUQ6WU9VUl9DTElFTlRfU0VDUkVU
```
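To make the three steps concrete, here is an added Python example (not code from the NextAPI docs) that builds the header from environment variables, as the best-practices section recommends, and also parses a header back, returning None for the malformed cases that produce the first 401 listed under Authentication errors; the NEXTAPI_CLIENT_ID and NEXTAPI_CLIENT_SECRET variable names are assumptions.

```python
"""Build and check an HTTP Basic Authorization header (added example)."""
import base64
import binascii
import os
from typing import Mapping, Optional, Tuple


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Return 'Basic ' + Base64(client_id:client_secret)."""
    if ":" in client_id:
        # ':' is the separator, so an ID containing one could not be parsed back.
        raise ValueError("Client ID must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def header_from_env(env: Mapping[str, str] = os.environ) -> str:
    """Build the header from environment variables rather than hardcoded strings."""
    # NEXTAPI_CLIENT_ID / NEXTAPI_CLIENT_SECRET are assumed names, not NextAPI's own.
    try:
        return build_basic_header(env["NEXTAPI_CLIENT_ID"], env["NEXTAPI_CLIENT_SECRET"])
    except KeyError as exc:
        raise RuntimeError(f"missing environment variable {exc}") from None


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode a header value back into (client_id, client_secret).

    None means a server would reject it as malformed (the first 401 case):
    wrong scheme, empty or invalid Base64, or no ':' in the decoded string.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, client_secret


def redact(header: str) -> str:
    """Log-safe form of the header: keep the scheme, never the credential."""
    scheme, _, _ = header.partition(" ")
    return f"{scheme} [REDACTED]"
```

Use redact() whenever a request header reaches a log line, so a leaked log file does not become a leaked Client Secret.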
Making authenticated requests
Most HTTP clients handle Basic Auth natively — you provide the credentials and the client constructs the header automatically.
cURL
```bash
curl https://api.partners.nextpay.world/v2/merchants \
  -u "YOUR_CLIENT_ID:YOUR_CLIENT_SECRET"
```
The -u flag handles Base64 encoding automatically.
Node.js
```javascript
const response = await fetch("https://api.partners.nextpay.world/v2/merchants", {
  headers: {
    Authorization:
      "Basic " +
      Buffer.from("YOUR_CLIENT_ID:YOUR_CLIENT_SECRET").toString("base64"),
  },
});
```
Python
```python
import requests

response = requests.get(
    "https://api.partners.nextpay.world/v2/merchants",
    auth=("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"),
)
```
The auth tuple handles Base64 encoding automatically.
Sandbox vs production credentials
NextAPI provides two separate sets of credentials:
| Environment | Base URL | Purpose |
|---|---|---|
| Sandbox | https://api.partners.nextpay.world/v2/ | Development and testing — no real money moves |
| Production | https://api.partners.nextpay.world/v2/ | Live transactions |
Both environments share the same base URL — the difference is in the credentials themselves. Sandbox credentials only authorize test operations; production credentials authorize real financial transactions.
Request sandbox credentials via the Sandbox page.
Security best practices
Never expose your Client Secret client-side. Any code that runs in a browser, mobile app, or other client environment can be inspected by end users. Your Client Secret must only live in server-side code or environment variables.
| Do | Don't |
|---|---|
| Store credentials in environment variables | Hardcode credentials in source code |
| Call NextAPI from your backend server | Call NextAPI directly from the browser |
| Rotate credentials if compromised | Ignore a suspected credential leak |
| Use separate sandbox/production credentials | Use production credentials for testing |
If you suspect your Client Secret has been exposed, contact NextPay support immediately to rotate your credentials.
Authentication errors
| HTTP Status | Meaning | Resolution |
|---|---|---|
| 401 Unauthorized | Missing or malformed Authorization header | Verify your header is `Basic <base64>` |
| 401 Unauthorized | Invalid credentials | Check your Client ID and Client Secret |
| 403 Forbidden | Valid credentials, insufficient permissions | Contact NextPay to verify your account access |
Related
- Security & Compliance — TLS, HMAC webhook signatures, OPS license
- Sandbox vs Production — test environments and go-live checklist
- Your First API Call — hands-on tutorial using Basic Auth