# Authentication
Every request must be authenticated. This takes seconds to set up.
Two separate authentication layers exist:
| Layer | Who | How |
|---|---|---|
| Console | You (the merchant) | Email + password at console.palpluss.com |
| Developer API | Your application | HTTP Basic Auth with an API key |
Your application never uses your console password. It uses an API key you generate inside the console.
## Step 1 — Create your account
Register at console.palpluss.com. After email verification and KYC approval your account is active.
KYC is required before initiating live STK Push or B2C transactions. You can generate API keys and test immediately after registration.
## Step 2 — Generate an API key
- Log in to console.palpluss.com
- Go to Settings → API Keys
- Click Create API Key, name it, and select the required scopes
- Copy the key — it is shown only once
```text
pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
Store your API key in environment variables or a secrets manager — never in source code or version control. Revoke and reissue immediately if compromised.
## Step 3 — Authenticate requests
Set your API key as the Basic Auth username. Leave the password empty.
```http
Authorization: Basic <base64(YOUR_API_KEY:)>
```
Note the trailing colon — it encodes an empty password. Most HTTP clients handle this automatically.
```bash
curl https://api.palpluss.com/v1/wallets/service/balance \
  -u "pk_live_xxxxxxxxxxxxxxxxxxxx:"
```
## How it works

```text
Your server                          PalPluss API
───────────                          ────────────
Request + Authorization header
────────────────────────────────────►
                                     Decode base64
                                     Lookup API key
                                     Verify account active
                                     Check key scopes
                                     200 OK / 401 Unauthorized
◄────────────────────────────────────
```

- Send `Authorization: Basic <base64(key:)>` on every request
- PalPluss decodes the header and looks up the key
- Valid key + active account → request proceeds
- Invalid, revoked, or suspended → `401`
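The header construction from Step 3 and the server-side checks in the diagram above, as an added example that is not PalPluss code. The client half builds the `Basic` value with the trailing colon and reads the key from an environment variable, as Step 2 recommends. The server half is a hypothetical model of the documented flow (decode, look up, check tenant, check scope) that returns the status and error codes listed under "Authentication errors"; the key store, the `PALPLUSS_API_KEY` variable name, and the `pk_live_DEMO…` key values are constructed for the example.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

# --- client side -----------------------------------------------------------

def build_auth_header(api_key: str) -> str:
    """Return the Authorization value: base64("<key>:") with an empty password.

    The trailing colon is what makes the password empty; a key containing ':'
    would be ambiguous, so it is rejected.
    """
    if not api_key or ":" in api_key:
        raise ValueError("API key must be non-empty and contain no ':'")
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def load_api_key(env_var: str = "PALPLUSS_API_KEY") -> str:
    """Read the key from the environment so it never lives in source code.
    The variable name is an assumption of this example."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return key

# --- server side (hypothetical model of the documented checks) -------------

# Constructed demo keys; not real credentials.
DEMO_KEY = "pk_live_DEMO0000000000000000000000"
SUSPENDED_KEY = "pk_live_DEMOSUSPENDED000000000000"


def _digest(key: str) -> str:
    # Store only a hash of each key so a leaked table yields no usable keys.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


KEY_STORE = {
    _digest(DEMO_KEY): {"tenant_active": True,
                        "scopes": {"wallets:read", "transactions:read"}},
    _digest(SUSPENDED_KEY): {"tenant_active": False,
                             "scopes": {"wallets:read"}},
}


def authenticate(authorization: Optional[str],
                 required_scope: str) -> Tuple[int, Optional[str]]:
    """Mirror the diagram: decode base64, look up key, verify account, check scope.

    Returns (http_status, error_code); error_code is None on success.
    """
    if not authorization or not authorization.startswith("Basic "):
        return 401, "INVALID_API_KEY"          # malformed header
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True)
        decoded = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return 401, "INVALID_API_KEY"          # not valid base64 / not text
    key, sep, password = decoded.partition(":")
    if not sep or password != "" or not key:
        return 401, "INVALID_API_KEY"          # expected "<key>:" exactly
    record = KEY_STORE.get(_digest(key))
    if record is None:
        return 401, "INVALID_API_KEY"          # unknown or revoked key
    if not record["tenant_active"]:
        return 401, "TENANT_INACTIVE"          # account suspended
    if required_scope not in record["scopes"]:
        return 403, "INSUFFICIENT_SCOPE"       # key lacks the needed scope
    return 200, None


if __name__ == "__main__":
    header = build_auth_header(DEMO_KEY)
    print(header)
    print(authenticate(header, "wallets:read"))      # (200, None)
    print(authenticate(header, "payments:write"))    # (403, 'INSUFFICIENT_SCOPE')
```

The server model hashes keys before lookup purely to illustrate good practice for a key store; the page does not state how PalPluss stores keys. In a real client, call `build_auth_header(load_api_key())` and send the result in the `Authorization` header of every request.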
## API key scopes

| Scope | What it allows |
|---|---|
| payments:write | Initiate STK Push payments |
| b2c:write | Send B2C payouts |
| transactions:read | List and retrieve transactions |
| wallets:read | Read wallet balances |
| wallets:write | Top up service wallet |
| channels:write | Create, update, and delete payment channels |
Use the minimum scopes your integration needs.
## Authentication errors

| HTTP | Code | Reason |
|---|---|---|
| 401 | INVALID_API_KEY | Key not found, revoked, or Authorization header is malformed |
| 401 | TENANT_INACTIVE | Account linked to this key is suspended |
| 403 | INSUFFICIENT_SCOPE | Key lacks the scope required for this endpoint |

```json
{
  "success": false,
  "error": {
    "message": "Invalid or revoked API key.",
    "code": "INVALID_API_KEY",
    "details": {}
  },
  "requestId": "c1b2a3d4-e5f6-7890-abcd-ef1234567890"
}
```
## Rate limiting

60 requests per minute per API key. Every response includes:

| Header | Description |
|---|---|
| x-ratelimit-limit | Maximum requests per minute (always 60) |
| x-ratelimit-remaining | Requests remaining in the current window |
| x-ratelimit-reset | Unix timestamp when the window resets |
| Retry-After | Seconds to wait — present only on 429 responses |
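Reading the rate-limit headers and honouring `Retry-After` on a 429, as an added example rather than PalPluss client code. The `send` callable and the fake responses are constructed stand-ins for a real HTTP call; the retry loop only re-sends on 429, which this example treats as a request the API did not process, and stops after a bounded number of attempts.

```python
import time
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

Response = Tuple[int, Mapping[str, str], str]   # (status, headers, body)


@dataclass
class RateLimitInfo:
    limit: int
    remaining: int
    reset_at: int                 # Unix timestamp when the window resets
    retry_after: Optional[int]    # seconds; present only on 429


def parse_rate_limit(headers: Mapping[str, str]) -> RateLimitInfo:
    """Read the documented headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    retry_after = h.get("retry-after")
    return RateLimitInfo(
        limit=int(h.get("x-ratelimit-limit", "60")),
        remaining=int(h.get("x-ratelimit-remaining", "0")),
        reset_at=int(h.get("x-ratelimit-reset", "0")),
        retry_after=int(retry_after) if retry_after is not None else None,
    )


def seconds_to_wait(info: RateLimitInfo, now: int) -> int:
    """Prefer Retry-After when present; otherwise wait until the window resets."""
    if info.retry_after is not None:
        return max(0, info.retry_after)
    return max(0, info.reset_at - now)


def send_with_backoff(send: Callable[[], Response],
                      max_attempts: int = 3,
                      sleep: Callable[[float], None] = time.sleep,
                      now: Callable[[], float] = time.time) -> Tuple[Response, int]:
    """Call send(); on 429 wait as instructed and retry, up to max_attempts.

    Returns (final_response, attempts_used). sleep/now are injectable so the
    behaviour can be tested without real waiting.
    """
    attempt = 0
    while True:
        attempt += 1
        response = send()
        status, headers, _ = response
        if status != 429 or attempt >= max_attempts:
            return response, attempt
        sleep(seconds_to_wait(parse_rate_limit(headers), int(now())))


class FakeApi:
    """Constructed stand-in: answers 429 with Retry-After for the first n calls."""

    def __init__(self, limited_calls: int, retry_after: int = 2):
        self.calls = 0
        self.limited_calls = limited_calls
        self.retry_after = retry_after

    def send(self) -> Response:
        self.calls += 1
        if self.calls <= self.limited_calls:
            return 429, {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
                         "X-RateLimit-Reset": "1700000060",
                         "Retry-After": str(self.retry_after)}, ""
        return 200, {"x-ratelimit-limit": "60", "x-ratelimit-remaining": "59",
                     "x-ratelimit-reset": "1700000120"}, '{"success": true}'


if __name__ == "__main__":
    api = FakeApi(limited_calls=1)
    waited = []
    (status, headers, body), attempts = send_with_backoff(
        api.send, sleep=waited.append, now=lambda: 1700000000)
    print(status, attempts, waited)   # 200 2 [2]
    print(parse_rate_limit(headers).remaining)   # 59
```

Watching `x-ratelimit-remaining` before it reaches zero lets a client throttle itself rather than rely on 429 handling; the loop above is the fallback for when the window is already exhausted.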
## Key rotation
- Create first, then revoke — update your application before revoking the old key. Revoking first causes downtime.
- One key per environment — separate keys for development, staging, and production.
- One key per service — revoke one without affecting others.
- Rotate regularly — every 90 days at minimum; immediately if a key is exposed.
- Audit periodically — revoke keys that are no longer in use.