The Developer Hub compiles all tools and configuration parameters needed by developers to integrate OwnPay checkout workflows directly into their websites or custom applications.
Getting here
- Log in to the OwnPay admin dashboard
- Under the DEVELOPERS section in the left sidebar, click Developer Hub
Page sections
1. API Keys
Manage credentials used to authenticate requests to the OwnPay REST API:
- API Keys Table: Lists active keys, showing their user-defined label, key prefix, creation date, and last used timestamp
- Generate New API Key Form: Form to create a new key by entering a key label
- New Key Modal: Displays the newly generated key prefix only once
2. Endpoint Reference
Lists key endpoint pathways exposed by the platform (e.g., /api/v1/payment-intents, /api/v1/transactions).
3. Webhooks / IPN
Manage outbound webhooks (Instant Payment Notifications) sent to your server when payment events occur.
4. Rate Limits
Defines rate-limit settings to prevent API abuse.
Fields and options reference
Step-by-step: generating a new API key
- Navigate to the Developer Hub under the API Keys tab
- Type a descriptive Key Label (e.g.,
WooCommerce Plugin)
- Click the Generate Key button
- The screen will refresh and display the New API Key Generated alert showing your full key string
- Click Copy Key and save it securely inside your website’s environment variables
- Refreshing or leaving this page permanently conceals the key
Step-by-step: revoking an API key
- Find the target key label in the API Keys list table
- Click the Revoke button under the ACTIONS column
- Confirm the revocation dialog. The key is instantly deactivated
When executing requests to the OwnPay API, pass the key inside the HTTP headers:
Never hardcode or commit keys inside public code repositories. Always read them from your server’s .env configuration file.
Best practices
- Copy the full API key immediately upon generation, as it is only shown once
- Generate separate keys for different environments (e.g., one for
Staging Server and one for Production Server)
- Do not commit raw API keys to Git repositories or paste them in open support threads
- Do not share keys with non-developer staff
Webhooks/IPN signatures must be verified on your server. Always compare the incoming payload’s HMAC signature against your webhook secret key to prevent webhook spoofing attacks.
Related pages