Skip to main content

API Keys

Niftipay uses API keys to authenticate server-to-server requests. You can create keys from the dashboard under Settings > API Keys. This page covers:
  • IP allowlisting (restrict which IPs can use your key)
  • Key rotation (swap keys with a zero-downtime grace period)
All endpoints below require authentication via x-api-key header or dashboard session.

IP Allowlisting

Restrict which server IPs are allowed to use your API key. When no IPs are configured, all IPs are allowed (opt-in model). Once you add at least one IP, only requests from allowlisted IPs will be accepted. Requests from other IPs will receive 403 Forbidden. Supported formats:
  • IPv4203.0.113.50
  • IPv62001:db8::1
  • CIDR203.0.113.0/24

List allowed IPs

GET /api/user/api-keys/allowed-ips Returns your current IP allowlist. Example request
Response (no IPs configured)
Response (IPs configured)

Add an IP to the allowlist

POST /api/user/api-keys/allowed-ips Body
FieldTypeRequiredDescription
ipstringYesIPv4, IPv6, or CIDR notation
labelstringNoFriendly label for your reference
Example request
Response 201 Created
Error responses
  • 400 — Invalid IP format
  • 409 — IP already in allowlist

Remove an IP from the allowlist

DELETE /api/user/api-keys/allowed-ips Remove by id or by ip address (query parameter). Example request (by id)
Example request (by ip)
Response
Error responses
  • 400 — Missing id or ip query parameter
  • 404 — IP not found in allowlist

IP allowlisting best practices

  • Always allowlist your production server IPs before going live
  • Use CIDR ranges if your servers share a subnet (e.g. 203.0.113.0/24)
  • Add before removing — when migrating servers, add the new IP first, verify it works, then remove the old one
  • If you lock yourself out (removed all valid IPs), you can manage allowlisted IPs from the dashboard session

API Key Rotation

Rotate your API key with zero downtime using a grace period. During the grace period, both the old and new keys are valid, giving you time to update your servers.

Rotate a key

POST /api/user/api-keys/rotate Body
FieldTypeRequiredDescription
oldKeyIdstringNoID of the key to retire. If omitted, a new key is created without expiring the old one.
gracePeriodHoursnumberNoHours the old key stays valid (default: 24, max: 168 / 7 days)
namestringNoFriendly name for the new key
Example request
Response
Response (without oldKeyId)
The new key value is shown once. Store it securely immediately.

Rotation best practices

  1. Create the new key with a grace period on the old key:
  1. Store the new key in your environment variables / secret manager
  2. Deploy your updated server(s) with the new key
  3. Verify requests succeed with the new key
  4. The old key expires automatically after the grace period — no manual cleanup needed

Tips

  • Use at least 24 hours of grace period to give yourself time to deploy across all environments
  • Rotate regularly (e.g. every 90 days) as a security best practice
  • If you need to revoke immediately (compromised key), set gracePeriodHours: 0 — the old key expires instantly
  • The new key has no expiration by default — it stays valid until you rotate again

Troubleshooting

Getting 403 Forbidden after adding IPs

  • Verify your server’s outbound IP matches what you allowlisted (use curl ifconfig.me on your server)
  • If behind a load balancer or proxy, allowlist the external/NAT IP, not the internal one
  • CIDR notation must be valid (e.g. 203.0.113.0/24, not 203.0.113.0/33)

Locked out of the API

  • Log into the Niftipay dashboard (session auth bypasses IP allowlisting)
  • Remove or update the IP allowlist from Settings > API Keys

Old key stopped working before expected

  • Check the expiresAt value returned during rotation
  • Grace period is calculated from the moment of rotation, not from your last request