# Authentication

The Easypay API uses API Key authentication to secure server-to-server requests.

## How It Works

All API requests must include two HTTP headers:


```
AccountId: <YOUR_ACCOUNT_ID>
ApiKey: <YOUR_API_KEY>
```

These credentials authenticate your application and authorize access to your Easypay account resources.

## Getting Your Credentials

To create credentials for your account:

1. Log in to your Easypay account
2. Follow [this guide](https://www.easypay.pt/blog/como-gerar-chaves-de-autenticacao/) to generate your API keys


## Test Credentials

For development and testing, you can use these credentials:


```
AccountId: 2b0f63e2-9fb5-4e52-aca0-b4bf0339bbe6
ApiKey: eae4aa59-8e5b-4ec2-887d-b02768481a92
```

**Important**:

- These credentials only work in the **test environment**
- They will **not work** in production
- Never use production credentials in your test environment


## Authentication Errors

When authentication headers are missing or incorrect, the API returns a `403 Forbidden` HTTP status code.

### Common Authentication Errors

**Missing Headers**


```json
{
  "status": "error",
  "message": "Authentication Error: Missing AccountId or ApiKey headers"
}
```

**Invalid Credentials**


```json
{
  "status": "error",
  "message": "Authentication Error: Invalid AccountId or ApiKey"
}
```

**Account Blocked**


```json
{
  "status": "error",
  "message": "Authentication Error: Your account has been blocked"
}
```

**Insufficient Permissions**


```json
{
  "status": "error",
  "message": "Authentication Error: Insufficient permissions for this action"
}
```

## Example Request

Here's an example of a properly authenticated request:


```bash
curl -L -X GET 'https://api.test.easypay.pt/2.0/single/5eca7446-14e9-47bb-aabb-5ee237159b8b' \
  -H 'AccountId: 2b0f63e2-9fb5-4e52-aca0-b4bf0339bbe6' \
  -H 'ApiKey: eae4aa59-8e5b-4ec2-887d-b02768481a92'
```

## Security Best Practices

1. **Keep Credentials Secret**: Never expose your API keys in client-side code, public repositories, or logs
2. **Use Environment Variables**: Store credentials in environment variables, not in your source code
3. **Rotate Keys Regularly**: Periodically regenerate your API keys
4. **Use Different Keys**: Use separate keys for test and production environments
5. **Monitor Usage**: Regularly review API usage logs for suspicious activity
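
The following is an added example, not Easypay's own code, that applies practices 1, 2 and 5: it reads the credentials from environment variables, masks the `ApiKey` before anything is logged, and maps the documented `403` bodies to stable labels that monitoring can count. The variable names `EASYPAY_ACCOUNT_ID` and `EASYPAY_API_KEY`, the function names and the labels are assumptions; the header names and error messages are the ones documented on this page.

```python
import json
import os

# Messages as documented under "Common Authentication Errors" on this page.
PREFIX = "Authentication Error: "
AUTH_ERRORS = {
    "Missing AccountId or ApiKey headers": "missing_headers",
    "Invalid AccountId or ApiKey": "invalid_credentials",
    "Your account has been blocked": "account_blocked",
    "Insufficient permissions for this action": "insufficient_permissions",
}


def auth_headers(env=os.environ):
    """Build the two auth headers from env vars (variable names are assumptions)."""
    try:
        account_id = env["EASYPAY_ACCOUNT_ID"].strip()
        api_key = env["EASYPAY_API_KEY"].strip()
    except KeyError as missing:
        # Fail closed at startup instead of sending an unauthenticated request.
        raise RuntimeError(f"{missing.args[0]} is not set") from None
    if not account_id or not api_key:
        raise RuntimeError("Easypay credentials are empty")
    return {"AccountId": account_id, "ApiKey": api_key}


def redact(headers):
    """Return a copy that is safe to log: ApiKey keeps only its last 4 characters."""
    safe = dict(headers)
    if "ApiKey" in safe:
        safe["ApiKey"] = "****" + safe["ApiKey"][-4:]
    return safe


def classify_auth_error(status, body):
    """Map a 403 response body to a label for alerting; None if status is not 403."""
    if status != 403:
        return None
    try:
        message = json.loads(body)["message"]
        if not message.startswith(PREFIX):
            return "unknown_auth_error"
    except (ValueError, TypeError, KeyError, AttributeError):
        # Non-JSON or unexpected shape: still an auth failure, but unrecognised.
        return "unknown_auth_error"
    return AUTH_ERRORS.get(message[len(PREFIX):], "unknown_auth_error")
```

A rising count of `invalid_credentials` after a key rotation usually means a service is still using the old key; the same label without a recent rotation is worth reviewing in the usage logs.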


## Next Steps

- [Environments](/docs/environments) - Learn about test and production environments
- [Error Handling](/docs/error-handling) - Handle authentication and other errors
- [Quick Start](/docs/quickstart) - Make your first authenticated API call