Authentication methods
JWT bearer token
When you callPOST /auth/login, the API returns an access_token and a refresh_token. Include the access token in the Authorization header for subsequent requests:
When to use JWT tokens: Use bearer tokens for dashboard-style applications where a user actively signs in, or for any short-lived session where you want automatic expiry. Because access tokens expire in 15 minutes, they limit the blast radius if a token is intercepted.
API key
API keys are long-lived credentials tied to your merchant account. Pass one in theX-Api-Key header:
When to use API keys: Use API keys for server-side integrations — background jobs, webhooks, backend services — where there is no interactive login flow. The key must never be exposed in client-side JavaScript or mobile app bundles.
Refreshing an access token
When your access token expires, use the refresh token to obtain a new pair without requiring the user to log in again. Each refresh call issues a new access token and rotates the refresh token. Request bodyThe refresh token returned by
/auth/login or a previous /auth/refresh call.Authentication priority
When a request includes both anX-Api-Key header and an Authorization: Bearer header, Dubu Pay evaluates the API key first. If the API key is valid and active, the bearer token is ignored.
Error responses
Example 401 response
If you receive a
403 IP_NOT_WHITELISTED error, add your server’s outbound IP address to the IP whitelist in your account settings.Logging out
To invalidate a session and revoke the active refresh token, callPOST /auth/logout with a valid bearer token.
Next steps
API keys
Create and manage long-lived API keys for server-side integrations.
Quickstart
Follow the end-to-end guide to issue your first virtual bank account.