The PagSeguro Payout API uses Basic Authentication over HTTPS to ensure secure communication between your application and the API. This method requires an Authorization header with your credentials encoded in a specific format.
How Authentication Works
Each API request must include the Authorization header using the Basic scheme. This header contains your API credentials (API key and Secret key) base64-encoded in the format:
Authorization: Basic base64(api-key:secret-key)
HTTPS Required
Because Basic Auth uses base64 encoding (which can be easily decoded), the API only accepts requests over HTTPS.
Example
If your API key is my-api-key and your secret key is my-secret-key, then the string:
my-api-key:my-secret-key
is base64-encoded into:
bXktYXBpLWtleTpteS1zZWNyZXQta2V5
Your final header becomes:
Authorization: Basic bXktYXBpLWtleTpteS1zZWNyZXQta2V5
PHP Example
Here's how to generate the Authorization header in PHP:
// Sample values for illustration only.
$apiKey = "3588f0e6653448a5b1c2be1e77bef2d7";
$secretKey = "041dfc2528904178a3d9a19dff5cb8a0";
// Join the pair with a colon, then base64-encode the result.
$encodedString = base64_encode("$apiKey:$secretKey");
$authorizationHeader = "Authorization: Basic $encodedString";
echo $authorizationHeader;
// Output: Authorization: Basic MzU4OGYwZTY2NTM0NDhhNWIxYzJiZTFlNzdiZWYyZDc6MDQxZGZjMjUyODkwNDE3OGEzZDlhMTlkZmY1Y2I4YTA=
You can apply the same logic in any programming language that supports base64 encoding.
Receiving Your Credentials
Once your onboarding is complete, you will receive your credential pair:
api-key
secret-key
These credentials are tied to your business model and are required for all authenticated requests to the Payout API.
Keep Your Credentials Safe
Anyone with your API key and secret key can initiate payout requests on your behalf.
Recommendations:
- Store credentials in secure server environments.
- Use environment variables or secrets managers (e.g., AWS Secrets Manager, HashiCorp Vault).
Avoid:
- Exposing credentials in frontend code or mobile apps.
- Committing them to Git or sharing them in public repositories.
- Logging them in plain text.
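The recommendations above, combined with the header format and the HTTPS requirement, as an added Python example (not PagSeguro's own code). The environment variable names and the example.invalid URL are assumptions made for illustration.

```python
import base64
import os
from urllib.parse import urlsplit

# Assumed environment variable names (not defined by the page).
API_KEY_ENV = "PAYOUT_API_KEY"
SECRET_KEY_ENV = "PAYOUT_SECRET_KEY"


def basic_auth_header(api_key: str, secret_key: str) -> str:
    """Return the header value: Basic base64(api-key:secret-key)."""
    if not api_key or not secret_key:
        raise ValueError("both api-key and secret-key are required")
    if ":" in api_key:
        # Basic auth splits on the first colon, so the key part cannot hold one.
        raise ValueError("api-key must not contain ':'")
    token = base64.b64encode(f"{api_key}:{secret_key}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def headers_from_env(url: str, env=os.environ) -> dict:
    """Build request headers from the environment, refusing non-HTTPS URLs."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    try:
        api_key, secret_key = env[API_KEY_ENV], env[SECRET_KEY_ENV]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None
    return {"Authorization": basic_auth_header(api_key, secret_key)}


def redact(headers: dict) -> dict:
    """Copy of headers that is safe to log: base64 is reversible, so mask it."""
    return {
        name: "Basic [REDACTED]" if name.lower() == "authorization" else value
        for name, value in headers.items()
    }


if __name__ == "__main__":
    # Constructed values: the sample keys from the page's worked example.
    fake_env = {API_KEY_ENV: "my-api-key", SECRET_KEY_ENV: "my-secret-key"}
    hdrs = headers_from_env("https://payout.example.invalid/", env=fake_env)
    print(redact(hdrs))
```

Pass the output of redact() to your logger instead of the raw headers, so the reversible base64 token never reaches log files.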