> ## Documentation Index
> Fetch the complete documentation index at: https://docs.minisend.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate Minisend API requests with your API key, and learn which endpoints are public and require no authentication at all.

Two auth models:

* **API key** — for creating checkout sessions and all [off-ramp endpoints](/offramp/overview)
* **None** — for session status, payment link info, and payment link session creation

## API key

All keys use the `ms_live_` prefix.

<Warning>
  Never put your API key in frontend JS, mobile apps, or public repos. Backend only.
</Warning>

### Header

```text theme={null}
Authorization: Bearer ms_live_your_key_here
```

### Example

```bash theme={null}
curl -X POST https://merchant.minisend.xyz/api/merchant/checkout \
  -H "Authorization: Bearer ms_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"amount": 25.00, "description": "Order #4821"}'
```

### Generate a key

1. Open [merchant.minisend.xyz/dashboard](https://merchant.minisend.xyz/dashboard).
2. Go to **API Keys** → **New Key**.
3. Copy the full value immediately; it's shown once. Minisend stores only a hash.

<Note>
  `401` = invalid/missing key. `403` = key valid but merchant account inactive.
</Note>

### Key scopes

Keys carry scopes that gate which endpoint families they can call:

| Scope      | Grants                         | How to get it                                                                   |
| ---------- | ------------------------------ | ------------------------------------------------------------------------------- |
| `checkout` | Checkout session creation      | On every key by default                                                         |
| `offramp`  | All `/api/offramp/*` endpoints | [Contact Minisend](https://t.me/minisendapp) to enable off-ramp on your account |

Calling an off-ramp endpoint without the `offramp` scope returns `403`.

## Rate limits

**60 requests / minute / IP.** Response includes `X-RateLimit-Remaining`. Exceeding it returns `429`. Contact support for higher limits.

## Public endpoints

No `Authorization` header needed:

| Endpoint                                  | Use                               |
| ----------------------------------------- | --------------------------------- |
| `GET /api/merchant/checkout/{session_id}` | Session status                    |
| `GET /api/merchant/pay/info?slug={slug}`  | Merchant display info + live rate |
| `POST /api/merchant/pay`                  | Create session from payment link  |

Safe to call from a browser or mobile app.
