Documentation

Copy page

Authentication

The Strictly platform uses two separate credential systems depending on where in your integration you are. Understanding which one to use where is the most important thing to get right before writing any code.

	API credentials	Tokenization key
Objective	Authenticate and validate API requests	Enable the tokenization form / library on your web page
Used by	Your server	Browser / ZeroGateway.js
Sent as	Authorization + key-hash headers	Query param in script URL
Safe to expose?	No — keep secret	Yes — client-side safe
Where to find	Settings → Security Keys → API Key	Settings → Security Keys → Tokenization Source

---

Server-side: API credentials

These two headers are required on every call your server makes to the Strictly API. A missing or invalid credential returns 401 Unauthorized.

Authorization header

Encode your merchant email:password as Base64 and prefix it with Basic :

Terminal
echo -n "[email protected]:yourpassword" | base64
# → eW91ckBlbWFpbC5jb206eW91cnBhc3N3b3Jk

JavaScript
const token = btoa("[email protected]:yourpassword");
// → "eW91ckBlbWFpbC5jb206eW91cnBhc3N3b3Jk"

Then set the header:

Code
Authorization: Basic eW91ckBlbWFpbC5jb206eW91cnBhc3N3b3Jk

key-hash header

A static API key issued to your integration, passed as a plain header value:

Code
key-hash: YOUR_KEY_HASH

Complete example

cURL
curl -X GET https://api.paywithzero.net/v1/public/customer/ \
  -H "Authorization: Basic $(echo -n '[email protected]:yourpassword' | base64)" \
  -H "key-hash: YOUR_KEY_HASH"

JavaScript (fetch)
const response = await fetch(
  "https://api.paywithzero.net/v1/public/customer/",
  {
    headers: {
      Authorization: `Basic ${btoa("[email protected]:yourpassword")}`,
      "key-hash": "YOUR_KEY_HASH",
    },
  }
);

---

Client-side: Tokenization key

The tokenization key is used exclusively with ZeroGateway.js in the browser to collect card data. It is safe to expose in client-side code because it can only be used to tokenize cards — it cannot make API calls or access your account.

Code
<script src="https://secure.safewebservices.com/token/Collect.js"
        data-tokenization-key="YOUR_TOKENIZATION_KEY">
</script>

To get your tokenization key: Settings → Security Keys → Tokenization Source.

See Tokenization for the full ZeroGateway.js setup guide.

---

Getting your credentials

Both credentials live in the Strictly dashboard:

1. Log in and go to Settings → Security Keys
2. Copy your API key → used as the key-hash header
3. Copy your Tokenization Source key → used with ZeroGateway.js in the browser
4. Your Authorization header uses your merchant account email and password

If you don't have an account yet, contact your account manager or reach out to us to request sandbox access.