Skip to main content
The Wayex API authenticates with an API key. Send it on every request in either header:

Key types

Treat your secret key like a password. If a key is exposed, rotate it immediately from the console (Developers → API keys). Wayex will never ask you for your secret key.

Tenant binding

Every API key belongs to one tenant account. Its requests can read and change only that account’s customers, wallet, configuration, webhooks, and reporting. Create and store credentials separately for every tenant account. Choose the credential before making a request; the key determines the account for every Treasury call. Never reuse an idempotency key across separate credential stores.

Roles

Each key is bound to a role that scopes what it can do. Reads are available to your role’s scope. Value-affecting writes — creating a customer, a payment route, a webhook subscription, or an API key, or submitting a Treasury wallet operation — require a secret key with write access.

Treasury scopes

Keys created without an explicit scope list retain their role-implied access for backwards compatibility. When you provide a scope list, include the Treasury scopes your integration needs.
Direct-route transfers are recorded automatically when a customer funds a payment route. Treasury is different: you create payouts, withdrawals and quoted wallet conversions against a prefunded wallet owned only by the authenticated tenant account. See the Treasury overview and API reference.
A request made with an out-of-scope key returns 403.

Example request

An unauthenticated or invalid request returns 401. See Errors for the full error shape.