Skip to main content
The Developer Hub compiles all tools and configuration parameters needed by developers to integrate OwnPay checkout workflows directly into their websites or custom applications.

Getting here

  1. Log in to the OwnPay admin dashboard
  2. Under the DEVELOPERS section in the left sidebar, click Developer Hub

Page sections

1. API Keys

Manage credentials used to authenticate requests to the OwnPay REST API:
  • API Keys Table: Lists active keys, showing their user-defined label, key prefix, creation date, and last used timestamp
  • Generate New API Key Form: Form to create a new key by entering a key label
  • New Key Modal: Displays the newly generated key prefix only once

2. Endpoint Reference

Lists key endpoint pathways exposed by the platform (e.g., /api/v1/payment-intents, /api/v1/transactions).

3. Webhooks / IPN

Manage outbound webhooks (Instant Payment Notifications) sent to your server when payment events occur.

4. Rate Limits

Defines rate-limit settings to prevent API abuse.

Fields and options reference

Step-by-step: generating a new API key

  1. Navigate to the Developer Hub under the API Keys tab
  2. Type a descriptive Key Label (e.g., WooCommerce Plugin)
  3. Click the Generate Key button
  4. The screen will refresh and display the New API Key Generated alert showing your full key string
  5. Click Copy Key and save it securely inside your website’s environment variables
  6. Refreshing or leaving this page permanently conceals the key

Step-by-step: revoking an API key

  1. Find the target key label in the API Keys list table
  2. Click the Revoke button under the ACTIONS column
  3. Confirm the revocation dialog. The key is instantly deactivated

Bearer authentication headers

When executing requests to the OwnPay API, pass the key inside the HTTP headers:
Never hardcode or commit keys inside public code repositories. Always read them from your server’s .env configuration file.

Best practices

  • Copy the full API key immediately upon generation, as it is only shown once
  • Generate separate keys for different environments (e.g., one for Staging Server and one for Production Server)
  • Do not commit raw API keys to Git repositories or paste them in open support threads
  • Do not share keys with non-developer staff
Webhooks/IPN signatures must be verified on your server. Always compare the incoming payload’s HMAC signature against your webhook secret key to prevent webhook spoofing attacks.
Last modified on July 15, 2026