Authentication & Rate Limiting
Guide to Bearer token authentication and rate limiting for SePay API v2.
Authentication
All requests require a Bearer token in the Authorization header.
Authorization Header
Authorization: Bearer {api_key}
- API key is a 64-character alphanumeric string
- Obtain from Company Settings > API Keys on the SePay portal
Information
See the guide for creating an API Token at Create API Token.
Rate Limiting
- 3 requests per second per IP address
- Rate limiting is checked before authentication
- Exceeding the limit returns HTTP 429
Authentication Error Responses
| Scenario | HTTP Status | error_code |
|---|---|---|
| Missing Authorization header | 401 | unauthorized |
| Invalid token format | 401 | unauthorized |
| Invalid or disabled API key | 401 | unauthorized |
| Rate limit exceeded | 429 | rate_limited |
Response 401
JSON
{"status": "error","message": "Missing Authorization header","error_code": "unauthorized"}
Response 429
JSON
{"status": "error","message": "Too many requests","error_code": "rate_limited"}
Response 429 includes the following headers:
| Header | Description |
|---|---|
| Retry-After | Seconds to wait before retrying |
| X-RateLimit-Limit | Maximum requests per second (3) |
| X-RateLimit-Remaining | Remaining requests (0 when rate limited) |
| X-RateLimit-Reset | Seconds until token refill |
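The following client helper is an added example, not SePay's own code. It checks the key format before sending, retries only on 429 using the headers listed above, and stops immediately on 401, since every authentication failure returns the same `unauthorized` code and a retry with the same key cannot succeed. The `send` transport callback, the `ApiError` class and the `MAX_WAIT` cap are assumptions made for the example.

```python
import json
import re
import time

KEY_RE = re.compile(r"[A-Za-z0-9]{64}")  # page: 64-character alphanumeric key
MAX_WAIT = 30  # assumption: cap on how long a server-supplied delay is honoured


class ApiError(Exception):
    def __init__(self, status, body):
        err = json.loads(body)
        self.status, self.error_code = status, err.get("error_code")
        super().__init__(f"{status} {self.error_code}: {err.get('message')}")


def auth_header(api_key):
    """Build the Authorization header; reject malformed keys before sending."""
    if not KEY_RE.fullmatch(api_key):
        raise ValueError("API key must be 64 alphanumeric characters")  # key not echoed
    return {"Authorization": f"Bearer {api_key}"}


def retry_delay(headers):
    """Delay after a 429: Retry-After, else X-RateLimit-Reset, else 1 second."""
    lower = {k.lower(): str(v).strip() for k, v in headers.items()}
    for name in ("retry-after", "x-ratelimit-reset"):
        if lower.get(name, "").isdecimal():
            return min(int(lower[name]), MAX_WAIT)
    return 1


def call(send, api_key, max_retries=3, sleep=time.sleep):
    """send(headers) -> (status, headers, body). Retry 429 only; 401 fails at once."""
    headers = auth_header(api_key)
    for attempt in range(max_retries + 1):
        status, resp_headers, body = send(headers)
        if status == 429 and attempt < max_retries:
            sleep(retry_delay(resp_headers))
            continue
        if status in (401, 429):
            raise ApiError(status, body)
        return status, body


if __name__ == "__main__":
    # Constructed transport: one 429 (body as documented above), then a 200.
    queue = [(429, {"Retry-After": "1"}, '{"status": "error","message": "Too many requests","error_code": "rate_limited"}'),
             (200, {}, "{}")]
    print(call(lambda h: queue.pop(0), "A1b2" * 16))
```

Because the limit is applied per IP address and before authentication, all clients behind one egress address share the same 3 requests per second, whatever keys they use.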