Skip to main content

Overview

All protected Daya Onramp API requests require authentication using API keys. Each key is tied to a specific merchant and environment (Sandbox or Production).
API keys grant full access to your account. Never share them publicly or commit them to version control.

API Keys

Generating Keys

  1. Sign up at dashboard.daya.co
  2. Navigate to API Keys
  3. Generate separate keys for Sandbox and Production

Key Format

EnvironmentPrefixExample
Sandboxsk_sandbox_sk_sandbox_abc123...
Productionsk_live_sk_live_xyz789...

Environments

EnvironmentPurposeBase URL
SandboxTesting with fake fundshttps://api.sandbox.daya.co
ProductionLive transactions with real moneyhttps://api.daya.co
Sandbox and Production environments are completely isolated. Data and keys do not cross environments.

Making Authenticated Requests

Include your API key in the X-Api-Key header on every protected request: 
curl --request GET \
  --url https://api.daya.co/v1/rates \
  --header 'X-Api-Key: YOUR_API_KEY'

Idempotent Write Requests

Endpoints that create resources, such as POST /v1/onramp and POST /v1/merchant/withdrawals, also require an X-Idempotency-Key header. Use a new value for each new write attempt, and reuse the same value only when retrying the exact same request.
cURL
curl --request POST \
  --url https://api.daya.co/v1/onramp \
  --header 'X-Api-Key: YOUR_API_KEY' \
  --header 'X-Idempotency-Key: onramp-20260320-0001' \
  --header 'Content-Type: application/json'

Environment Isolation

For: Integration testing, developmentCharacteristics:
  • Separate API keys from production
  • Simulated NGN deposits
  • Testnet USDC/USDT (no real value)
  • Same API surface as production
  • No KYB required
Use when: Building and testing your integration
Never use production keys in sandbox or vice versa. The API will reject cross-environment requests.

Security Best Practices

  • Use environment variables or secret management systems (AWS Secrets Manager, HashiCorp Vault)
  • Never hardcode keys in source code
  • Never commit keys to Git repositories
.env
DAYA_SANDBOX_KEY=sk_sandbox_abc123...
DAYA_PRODUCTION_KEY=sk_live_xyz789...
Rotate API keys every 90 days or immediately if compromised:
  1. Generate new key in dashboard
  2. Update your application configuration
  3. Verify new key works
  4. Delete old key
Implement client-side rate limiting to avoid hitting API limits:
  • 100 requests per minute per key
  • 1,000 onramp creations per day (see Limits)

Error Responses

401 Unauthorized

Missing or invalid API key: 
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key",
    "details": "Ensure the X-Api-Key header is present and contains a valid API key"
  }
}
Common causes:
  • Missing X-Api-Key header
  • Empty or malformed API key value
  • Invalid or revoked API key
  • Using sandbox key with production URL (or vice versa)

403 Forbidden

Merchant account frozen or suspended: 
{
  "error": {
    "code": "merchant_frozen",
    "message": "Merchant account is frozen",
    "details": "Contact support@daya.co for assistance"
  }
}
Why merchants are frozen:
  • Exceeded onramp creation limit (1,000/day)
  • Risk or compliance review triggered
  • Manual suspension by operations
If your merchant account is frozen, new onramps, FX conversions, and withdrawals are blocked. Contact support for resolution.

Webhook Authentication

Webhooks use HMAC-SHA256 signatures, not API keys. See Webhook Verification.

Testing Authentication

Verify your API key works: 
curl --request GET \
  --url https://api.sandbox.daya.co/v1/rates?from=NGN \
  --header 'X-Api-Key: YOUR_SANDBOX_KEY'
Expected response (if successful): 
{
  "rate_id": "rate_abc123",
  "from": "NGN",
  "to": "USDC",
  "rate": 1545.50,
  ...
}

Next Steps

Core Concepts

Understand onramps, deposits, and rates

Quick Start

Create your first onramp