Authentication

Gateway API authentication using x-api-key. Optional one-time bearer token for API_KEY_AND_TOKEN partners.

The Gateway API (src/gateway in rdbs_core) uses GatewayApiKeyGuard on all protected routes. There is no SDK — integrate via HTTPS from your server.

API key (primary)

Send your partner API key using the preferred header:

x-api-key: YOUR_API_KEY

Also accepted:

Authorization: Bearer YOUR_API_KEY (treated as API key for API_KEY_ONLY partners)
Query ?api_key= or body field apiKey

cURL

curl https://api.rukapay.net/api/v1/gateway/process-transfer \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"transactionMode":"PARTNER_SEND_MNO","amount":50000,"currency":"UGX","phoneNumber":"256700000000","mnoProvider":"MTN","narration":"Test","partnerReference":"REF-001"}'

One-time bearer token

Partners configured with API_KEY_AND_TOKEN must also send a short-lived JWT:

POST /api/v1/gateway/partners/generate-token — returns token (5 min, single use)
Subsequent calls: both x-api-key and Authorization: Bearer <token>

Rate limits

GatewayRateLimitGuard enforces per-partner limits. Returns HTTP 429 when exceeded. See Rate Limits.

Manage keys via API Keys or the partner dashboard.