Skip to main content

Overview

All Daya API requests require authentication using API keys. Each key is tied to a specific merchant and environment (Sandbox or Production)
API keys grant full access to your account. Never share them publicly or commit them to version control.

API Keys

Generating Keys

  1. Sign up at dashboard.daya.xyz
  2. Navigate to API Keys
  3. Generate separate keys for Sandbox and Production

Key Types

EnvironmentPurposeBase URL
SandboxTesting with fake fundshttps://sandbox-api.daya.co
ProductionLive transactions with real moneyhttps://api.daya.co
Sandbox and Production environments are completely isolated. Data and keys do not cross environments.

Making Authenticated Requests

Include your API key in the Authorization header using Bearer authentication: 
curl --request GET \
  --url https://api.daya.co/v1/rates \
  --header 'Authorization: Bearer YOUR_API_KEY'

Environment Isolation

For: Integration testing, developmentCharacteristics:
  • Separate API keys from production
  • Simulated NGN deposits
  • Testnet USDC/USDT (no real value)
  • Same API surface as production
  • No KYB required
Use when: Building and testing your integration
Never use production keys in sandbox or vice versa. The API will reject cross-environment requests.

Security Best Practices

  • Use environment variables or secret management systems (AWS Secrets Manager, HashiCorp Vault)
  • Never hardcode keys in source code
  • Never commit keys to Git repositories
.env
DAYA_SANDBOX_KEY=sk_sandbox_abc123...
DAYA_PRODUCTION_KEY=sk_live_xyz789...
Rotate API keys every 90 days or immediately if compromised:
  1. Generate new key in dashboard
  2. Update your application configuration
  3. Verify new key works
  4. Delete old key
Implement client-side rate limiting to avoid hitting API limits:
  • 100 requests per minute per key
  • 1,000 onramp creations per day (see Limits)

Error Responses

401 Unauthorized

Missing or invalid API key: 
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key",
    "details": "Ensure the Authorization header is present and contains a valid Bearer token"
  }
}
Common causes:
  • Missing Authorization header
  • Malformed header (e.g., missing “Bearer” prefix)
  • Invalid or revoked API key
  • Using sandbox key with production URL (or vice versa)

403 Forbidden

Merchant account frozen or suspended: 
{
  "error": {
    "code": "merchant_frozen",
    "message": "Merchant account is frozen",
    "details": "Contact [email protected] for assistance"
  }
}
Why merchants are frozen:
  • Exceeded onramp creation limit (1,000/day)
  • Risk or compliance review triggered
  • Manual suspension by operations
If your merchant account is frozen, new onramps, FX conversions, and withdrawals are blocked. Contact support for resolution.

Webhook Authentication

Webhooks use HMAC-SHA256 signatures, not API keys. See Webhook Verification.

Testing Authentication

Verify your API key works: 
curl --request GET \
  --url https://sandbox-api.daya.co/v1/rates?from=NGN \
  --header 'Authorization: Bearer YOUR_SANDBOX_KEY'
Expected response (if successful): 
{
  "rate_id": "rate_abc123",
  "from": "NGN",
  "to": "USDC",
  "rate": 1545.50,
  ...
}

Next Steps

Core Concepts

Understand onramps, deposits, and rates

Quick Start

Create your first onramp