> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nexapay.ng/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

# Authentication

All integration endpoints use API keys for server-to-server requests.

## API Key (Server-to-Server)

Use API keys for payment processing, virtual account creation, withdrawals, and bills.

**Header**

```
x-api-key: nexa-prod-... or nexa-test-...
```

## Environment Behavior

NexaPay determines merchant API mode from the API key you send:

* `nexa-prod-...` -> **production mode**
* `nexa-test-...` -> **test mode**

This behavior is tied to the merchant key itself, not to the server's deployment environment.

## Webhook Secret (Dashboard)

Your webhook secret is separate from your API keys.

* NexaPay uses your webhook secret to sign outbound webhook events sent to your `webhookUrl`
* Your backend uses the same secret to verify the signature before trusting the payload
* The secret is managed from the merchant dashboard and can also be revealed or rotated through authenticated dashboard actions

Webhook secret management requires a dashboard JWT, not an API key.

### Secret Management Endpoints

`GET /business/webhook-secret`

`POST /business/webhook-secret/regenerate`

### Webhook Signature Headers

NexaPay sends signed webhook deliveries with headers similar to:

* `x-nexapay-signature`
* `x-nexapay-timestamp`
* `x-nexapay-event`
* `x-nexapay-event-id`

### Production Key

Requests authenticated with a production key use the live merchant ledger and live provider flow.

### Test Key

Requests authenticated with a test key use a sandbox merchant ledger and simulated provider behavior.

In test mode:

* payments affect only test balances
* bill purchases are simulated and do not vend real services
* virtual accounts are simulated
* withdrawals are simulated and do not move real money
* transactions are tagged with `environment: "test"`
