Authentication
The Muamla API uses API keys to authenticate requests over HTTPS Basic Auth. Your key is sent as the username, with an empty password.
Key types
| Key | Prefix | Use |
|---|---|---|
| Publishable | pk_test_… / pk_live_… | Client-side (checkout, mobile apps) |
| Secret | sk_test_… / sk_live_… | Server-side only — never expose |
Environments
The environment is determined by the key. Test keys operate in the sandbox and never touch banking networks; live keys process real payments.
Making an authenticated request
```bash
curl https://app.muamla.org/v1/invoices \
  -u sk_test_your_key:
```
The trailing colon sends an empty password. All requests must use HTTPS.
Never embed a secret key in client-side code or commit it to source control. Store it in an environment variable and rotate it if it is ever exposed.
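The following server-side sketch is an added example, not code from Muamla. It reads the secret key from an environment variable, checks its prefix against the key-types table, and builds the same `Authorization` header that `curl -u key:` sends. The variable name `MUAMLA_SECRET_KEY` and all function names are assumptions.

```python
import base64
import os
from urllib.parse import urlsplit

# Prefixes from the key-types table, mapped to (kind, environment).
KEY_PREFIXES = {
    "pk_test_": ("publishable", "test"),
    "pk_live_": ("publishable", "live"),
    "sk_test_": ("secret", "test"),
    "sk_live_": ("secret", "live"),
}


def classify_key(key):
    """Return (kind, environment) for a key, or raise ValueError."""
    for prefix, info in KEY_PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return info
    # The message deliberately omits the key so it cannot leak into logs.
    raise ValueError("missing or unrecognised API key prefix")


def basic_auth_header(key):
    """Key as username, empty password: 'Basic ' + base64('<key>:')."""
    token = base64.b64encode(f"{key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_request(url, expected_env, environ=os.environ):
    """Return (url, headers) for a server-side call, or raise ValueError.

    expected_env is "test" or "live": what this deployment is meant to use.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    key = environ.get("MUAMLA_SECRET_KEY", "")  # assumed variable name
    kind, env = classify_key(key)
    if kind != "secret":
        raise ValueError("server-side calls need a secret key, not a publishable one")
    if env != expected_env:
        raise ValueError(f"key is a {env} key but this deployment expects {expected_env}")
    return url, {"Authorization": basic_auth_header(key)}
```

Passing `expected_env` explicitly stops a live key from being picked up by a staging job, or a test key by production, since the key alone selects the environment.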