# API Credentials

PaySimple assigns API credentials to each merchant or reseller account. Most PaySimple partners choose to be issued a single reseller key so only one shared secret needs to be securely stored. Your production API username and API key will be delivered initially via encrypted email. Please ensure the API key is stored encrypted in a secured location on your server, and never sent to a browser or via unencrypted email.

# Authorization Header

PaySimple requires an Authorization header to be included in each request. The format of the header value depends on whether you are using a merchant or reseller key.

## Reseller Authorization

If you are issued a reseller API key, input the string `reseller` as the authentication header scheme, followed by a space and the reseller API key. You can then access reseller level API endpoints.

The format for the value is the word "reseller", followed by a space, followed by your reseller API key. The key starts with a number and pipe character followed by a string. `reseller INSERT_YOUR_KEY`

Example Reseller Authentication Header:

### Merchant Id Header

When using a reseller key and the call is made in the security context of a merchant (most calls), add a header with key `PaySimple-Merchant-Id` and the PaySimple Merchant Id of the merchant for the value. The merchant id can be retrieved via the GET Merchants call in the `merchant_activated_for_payment_type` webhook.
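The following server-side sketch is an added example, not PaySimple's own code. It builds the reseller `Authorization` header and the `PaySimple-Merchant-Id` header described above, checks the key against the shape the page gives, rejects control characters that could inject extra headers, and masks the key before logging. The environment variable `PAYSIMPLE_RESELLER_KEY`, the function names, and the sample key and merchant id are assumptions made for illustration.

```python
import os
import re

# Shape taken from the page: a number, a pipe character, then a string.
_KEY_SHAPE = re.compile(r"\d+\|.+")
# Control characters (including CR/LF) must never reach a header value.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def load_reseller_key(env=os.environ, var="PAYSIMPLE_RESELLER_KEY"):
    """Read the key from the server environment (variable name is hypothetical)."""
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    return key


def reseller_headers(api_key, merchant_id=None):
    """Build the headers for a reseller call, optionally in a merchant's context."""
    if _CONTROL.search(api_key) or not _KEY_SHAPE.fullmatch(api_key):
        # The error deliberately does not echo the key.
        raise ValueError("reseller key does not match the expected shape")
    headers = {"Authorization": f"reseller {api_key}"}
    if merchant_id is not None:
        merchant_id = str(merchant_id).strip()
        if not merchant_id or _CONTROL.search(merchant_id):
            raise ValueError("invalid merchant id")
        headers["PaySimple-Merchant-Id"] = merchant_id
    return headers


def redact(headers):
    """Return a copy of the headers that is safe to log: the key is masked."""
    safe = dict(headers)
    if "Authorization" in safe:
        scheme = safe["Authorization"].split(" ", 1)[0]
        safe["Authorization"] = f"{scheme} [REDACTED]"
    return safe


if __name__ == "__main__":
    # Constructed sample key and merchant id, not real credentials.
    sample_env = {"PAYSIMPLE_RESELLER_KEY": "1|EXAMPLEKEYexamplekey"}
    hdrs = reseller_headers(load_reseller_key(sample_env), merchant_id="12345")
    print(redact(hdrs))
```

Pass the returned dictionary to your HTTP client on the server only, and log `redact(headers)` rather than the headers themselves.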

## Merchant Authorization

You will only be issued a merchant API key if you need to process for one merchant account. This is typically when you are billing your customer (house account).

Use your PaySimple API username as the user name and API key as the password. Please note that the header value is not Base64 encoded.

Example Merchant Authentication Header:

## Client Token Authorization (rarely used)

To use certain features of the PaySimple API you may need a client token. To get a client token you need to use your Reseller API key. This method should only be called server side, where the Reseller key is securely stored. It should never be called directly from a client-side application.

Example Implementation: