Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.useaxra.com/llms.txt

Use this file to discover all available pages before exploring further.

Every request to the Axra Pay API must be authenticated. Axra supports two methods: passing your API key directly in a request header, or exchanging your key and secret for a short-lived JWT token. Both methods work for all endpoints — choose the one that fits your architecture.

Method 1: API key header

The simplest way to authenticate is to include your API key in the x-api-key header on every request. This approach works well for server-side integrations where your API key is stored securely in an environment variable. 
x-api-key: bk_live_abc123...
Example request: 
curl -X POST https://api.useaxra.com/api/v1/business/checkout/session \
  -H "x-api-key: bk_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 100.00,
    "currency": "USD",
    "customerEmail": "customer@example.com",
    "successUrl": "https://yoursite.com/success"
  }'
Never expose your API key in client-side code, public repositories, or frontend JavaScript. Always make Axra Pay API calls from your server.

Method 2: JWT token exchange

For integrations that prefer short-lived credentials, you can exchange your apiKey and apiSecret for a JWT bearer token. The token expires after one hour and must be refreshed before it does.
Your webhookSecret doubles as your apiSecret for token authentication. They are the same credential.

Step 1: Request a token

Send a POST request to /business/auth/token with your apiKey and apiSecret in the request body. 
curl -X POST https://api.useaxra.com/api/v1/business/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "bk_live_abc123...",
    "apiSecret": "bs_live_xyz789..."
  }'
Request body parameters:
apiKey
string
required
Your business API key. Starts with bk_live_ for production or bk_test_ for sandbox.
apiSecret
string
required
Your API secret. This is the same value as your webhookSecret.

Step 2: Read the response

A successful request returns the following fields: 
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "tokenType": "Bearer",
  "expiresIn": 3600,
  "businessId": "biz_01H...",
  "businessName": "Acme Corp"
}
accessToken
string
required
The JWT token to include in subsequent requests.
tokenType
string
required
Always "Bearer". Use this as the prefix in your Authorization header.
expiresIn
number
required
Token lifetime in seconds. Always 3600 (one hour).
businessId
string
The unique identifier for your business profile.
businessName
string
Your registered business name.

Step 3: Use the token

Include the accessToken in the Authorization header of every subsequent request: 
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Example authenticated request: 
curl -X GET https://api.useaxra.com/api/v1/business/payments \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
Refresh your token before it expires by calling POST /business/auth/token again with the same credentials. Build a refresh mechanism into your application rather than handling 401 errors reactively.

Token error responses

HTTP statusMeaning
401 UnauthorizedThe apiKey or apiSecret is invalid.
400 Bad RequestThe request body is missing apiKey or apiSecret.

Getting your credentials

1

Create an account

Register at the Axra dashboard to create a business profile and generate your API credentials.
2

Copy your credentials immediately

Your apiKey (format: bk_live_...) and webhookSecret are shown only once when your account is created. Copy both values to a secure password manager or secrets vault before leaving the page.
3

Store credentials securely

Never hard-code credentials in your source code. Store them as environment variables or in a secrets management service such as AWS Secrets Manager, HashiCorp Vault, or your hosting provider’s secret store.
4

Regenerate a lost API key

If you lose your API key, call POST /business/regenerate-api-key to issue a new one. Your previous key is immediately invalidated — update any running services before regenerating.
curl -X POST https://api.useaxra.com/api/v1/business/regenerate-api-key \
  -H "x-api-key: bk_live_your_current_key"
Axra stores API keys as SHA-256 hashes. Your raw key is never stored on Axra’s servers, which is why it cannot be retrieved after creation — only regenerated.

Choosing an authentication method

API key headerJWT token
Setup complexityMinimalRequires token exchange and refresh logic
Best forServer-side integrations, scripts, internal toolsArchitectures that require short-lived credentials
Token lifetimeLong-lived (until regenerated)1 hour
RevocationRegenerate key to invalidateTokens expire automatically
For most server-side integrations, the API key header is the simplest and most practical choice. Use JWT tokens if your security policy requires credentials that expire automatically.

Next steps

Payments

Start accepting payments with server-to-server card charging.

Checkout Sessions

Use a hosted payment page to accept payments without handling card data.