
Authentication

All Astro API requests are authenticated via API keys passed in HTTP headers.

Key Types

| Key | Header | Who uses it | Prefix |
|---|---|---|---|
| Merchant API Key | Authorization: Bearer {key} | Your server backend | mk_live_ / mk_test_ |
| Bank Partner Key | X-OpenWave-Bank-Key: {key} | Bank systems | owbk_ |
| Admin Key | X-OpenWave-Admin-Key: {key} | Internal admin ops | owadmin_ |
| Session Token | X-Session-Token: {token} | Client-side (checkout) | ost_ |

Merchant API Key

The merchant key is used for all payment session and mandate operations. Never expose it in client-side code.

```typescript
// ✅ Server-side only
import { createClient } from '@neptune.fintech/astro-sdk'

const astro = createClient({
  baseUrl: 'https://astro.neptune.ly/api/v1',
  merchantKey: process.env.ASTRO_MERCHANT_KEY
})
```

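```dart
// ✅ Flutter: keep the key in a secure backend, not in the app.
// String.fromEnvironment is resolved at compile time (--dart-define), so the
// value is embedded in the compiled binary. Use this only in Dart code that
// runs on your server, never in a build shipped to users.
final astro = AstroClient(AstroConfig(
  baseUrl: Uri.parse('https://astro.neptune.ly/api/v1'),
  merchantKey: const String.fromEnvironment('ASTRO_KEY'),
));
```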

Test vs Live Keys

Keys prefixed mk_test_ hit the sandbox. Keys prefixed mk_live_ are production.

Keep keys secret

Never commit API keys to source control. Use environment variables or a secrets manager.
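
A pre-commit or CI check for the rule above, as an added example that is not part of the Astro SDK or the original page: it scans text for the key prefixes from the Key Types table and reports redacted findings. `findAstroKeys`, `shouldBlockCommit` and the key body format (16+ characters of `[A-Za-z0-9_-]`) are assumptions made for this example.

```typescript
// Added example, not SDK code. Assumption: the secret after the prefix is 16+ characters
// of [A-Za-z0-9_-]; the page does not document the real key format.
type Finding = { line: number; keyType: string; blocking: boolean; redacted: string }

// Prefixes from the Key Types table. Session tokens are short-lived (15-minute TTL),
// so this policy reports them without blocking the commit.
const KEY_PREFIXES = [
  { prefix: 'mk_live_', keyType: 'Merchant API Key (live)', blocking: true },
  { prefix: 'mk_test_', keyType: 'Merchant API Key (test)', blocking: true },
  { prefix: 'owbk_', keyType: 'Bank Partner Key', blocking: true },
  { prefix: 'owadmin_', keyType: 'Admin Key', blocking: true },
  { prefix: 'ost_', keyType: 'Session Token', blocking: false },
]

// The lookbehind stops 'ost_' from matching inside ordinary identifiers such as 'host_...'.
const KEY_RE = new RegExp(
  '(?<![A-Za-z0-9_])(' + KEY_PREFIXES.map(k => k.prefix).join('|') + ')([A-Za-z0-9_-]{16,})', 'g')

function findAstroKeys(text: string): Finding[] {
  const findings: Finding[] = []
  text.split('\n').forEach((content, i) => {
    KEY_RE.lastIndex = 0
    let m: RegExpExecArray | null
    while ((m = KEY_RE.exec(content)) !== null) {
      const hit = m
      const meta = KEY_PREFIXES.filter(k => k.prefix === hit[1])[0]
      findings.push({
        line: i + 1,
        keyType: meta.keyType,
        blocking: meta.blocking,
        // Keep the secret out of CI logs: report only the prefix and last 4 characters.
        redacted: hit[1] + '...' + hit[2].slice(-4),
      })
    }
  })
  return findings
}

const shouldBlockCommit = (text: string): boolean => findAstroKeys(text).some(f => f.blocking)

// Constructed sample input; none of these values are real keys.
const SAMPLE = [
  'merchantKey: process.env.ASTRO_MERCHANT_KEY,',
  "merchantKey: 'mk_live_EXAMPLEEXAMPLE0000abcd',",
  'const host_name_for_the_gateway_x = 1',
  'X-Session-Token: ost_EXAMPLEEXAMPLE0000wxyz',
].join('\n')
```

Run `shouldBlockCommit` over the staged diff in a pre-commit hook, and rotate any key it finds in history rather than only deleting the line.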

Session Tokens

Short-lived session tokens (ost_) are issued by Astro for individual payment sessions. They are scoped to a single session and have a 15-minute TTL. The checkout UI uses these automatically — you never need to handle them directly.

Built on the OpenWave open standard.