Introduction

API keys are used as the main authentication mechanism for the HUB2 API, therefore it’s really important to understand what they are and how to use them. API Key management is accessible on the Hub2 Dashboard, in the “Developer” section, as illustrated below:
The following screenshot shows the list of existing keys:

Keys management

Creating a key

The API key is only visible when it is created and can no longer be consulted after this stage, for security reasons.
1

Create a key

Click on the “Create a key” button to access the following window:
2

Details

  • (Optional) Enter a name and a description for the new key.
  • The parameter environment (sandbox or live) is required. The new key will be restricted to this environment. Read more about environments.
3

IP Whitelist

In this section, it’s possible to restrict which originating IP addresses can use the newly created API key.
4

Permissions

Permissions of the new API key can be set here.Permissions set on an API key allows the segregation of responsibilities and advanced configuration. This section allows a merchant to use different API keys, whether its software has several components, each with a different role, or not.
5

Checking and validating

On the summary page, review the settings for the new API key, and then, click Validate.
The API key is only displayed once. Save it now in a secure vault. It will not be accessible later.

Editing a key

On each API key row, in the “Actions” column, an Edit button is available to change the settings of a key. This edition process is the same as the creation process, except that you will not be able to view the key. Every setting can be edited.
Changes to permissions and IP address restrictions are taken into account as soon as they are modified. Special attention is required before committing changes.

Deleting a key

In the “Actions” column, a Delete button is available to delete a key.
Deleting a key is irreversible. HTTP traffic using the deleted key will be stopped immediately after deletion.

Using the keys

In the API reference, the endpoints requiring authentication by merchant ID and API key are listed. For these endpoints, HTTP headers must be configured in the HTTP request to identify and authenticate the emitter.

API key configuration

Environment

  • sandbox: This is a closed environment for integration testing. No traffic or real world transactions will be created if the API key used is set to the sandbox environment. Provider behaviour is simulated by Hub2. Also, the transfer and collection accounts used for sandbox transactions will be the sandbox accounts.
  • live : NB: Requires GO LIVE and an integration review by Hub2 before traffic can be sent in a live (real world) environment. This is the real world environment, a key in this environment allows real traffic to be processed and providers will be contacted if the transaction endpoints are called.
More on transfer and collection accounts.

IP address restriction

IP address restriction is an optional feature available to merchants to further secure exchanges between the merchant platform and Hub2. When an IP address restriction has been set on an API key, Hub2 checks that the IP address originating the HTTP request is authorized to use the API key it contains.

Permissions

Configurable permissions per API key allows merchants to create multiple keys with different permissions, so that each key has a different responsibility. The full list of permissions and their description is as follows:
PermissionDescription
Api.transfer_createAllows the creation of transfers
Api.transfer_readAllows the reading of transfers
Api.payment_intent_createAllows the creation of payment intents
Api.payment_intent_readAllows the reading of payment intents
Api.payment_intent_auth_createAllows the authentication of a payment
Api.payment_fees_readAllows the reading of payment fees
Api.payment_createAllows the creation of a payment in a payment intent
Api.provisioning_readAllows the reading of provisioning requests
Api.provisioning_createAllows the creation of a provisioning request
Api.merchant_balance_readAllows the reading of transfer and collection accounts balance
Api.terminal_payment_createAllows the creation of payments to be made via payment terminal
Api.terminal_payment_readAllows the reading of payments made via payment terminal
Api.kyb_readAllows the reading of kyb / kyb-transaction
Api.kyb_updateAllows the update of kyb
Api.kyb_deleteAllows the deletion of kyb / kyb-transaction
Api.kyb_createAllows the creation of kyb / kyb-transaction

Good practices

Security

A good security practice is to renew API keys on a regular basis. If a key has been inadvertently disclosed to a third party, or stolen by a malicious third party, deleting the keys concerned and recreating new ones can limit the impact on a merchant’s business.
Disclaimer: The merchant is responsible for the manner in which the API Key has been securely stored on its platform. Hub2 cannot be held responsible for the processing of illegitimate traffic associated with a Merchant API Key that has been stolen or disclosed.