Base URL
All API requests go to:POST /auth/login means POST https://api.dubupay.com/api/v1/auth/login.
Request format
Send all request bodies as JSON and include theContent-Type header:
Authentication
Protected endpoints require you to identify yourself on every request. Dubu Pay supports two methods — use whichever fits your integration. Bearer token (JWT) Include the access token you received fromPOST /auth/login or POST /auth/refresh in the Authorization header:
POST /auth/refresh to rotate them without requiring the user to log in again.
API key
For server-to-server integrations, pass your API key in the X-Api-Key header:
dubu_sk_live_ prefix; test keys use dubu_sk_test_.
If you have configured an IP whitelist for your merchant account, requests from non-whitelisted addresses are rejected with 403 IP_NOT_WHITELISTED regardless of which auth method you use.
Response envelope
Every response body is a JSON object with asuccess field that tells you immediately whether the call succeeded.
Success
errors array is present on validation errors (HTTP 400) and contains one object per invalid field. For non-validation errors the array may be omitted or empty.
Pagination
List endpoints accept two query parameters:
Paginated responses include a
meta object inside data:
Rate limiting
The API enforces a limit of 100 requests per minute per merchant. Authentication endpoints (/auth/register, /auth/login, /auth/verify-email, /auth/resend-otp, /auth/forgot-password, /auth/reset-password) use a stricter limit to protect against brute-force attacks.
When you exceed the limit the API returns 429 Too Many Requests. The response includes a Retry-After header indicating how many seconds to wait before retrying.
Environments
The base URL is the same for both environments — your API key prefix (
test vs live) determines which environment you operate in.
Versioning
The current API version isv1. The version is part of the URL path. When breaking changes are introduced, a new version will be published and the old version will continue to work with a deprecation notice.