Authentication
Every request to the Strictly API must be authenticated using two required credentials:
| Header | Type | Description |
|---|---|---|
| Authorization | HTTP Basic | Your merchant email and password, Base64-encoded |
| key-hash | API key (header) | The API key hash issued to your integration |
Both headers are required on every request. A missing or invalid credential returns 401 Unauthorized.
Authorization header (HTTP Basic)
The Authorization header uses HTTP Basic authentication.
Encode the string email:password as Base64 and prefix the result with the word Basic followed by a single space.
Generate the token
Terminal
JavaScript
Python
Then set the header:
key-hash header
The key-hash is a static API key unique to your integration. It is passed as a plain header value:
Contact your account manager to obtain or rotate your key hash.
Complete example
cURL (shorthand -u flag)
JavaScript (fetch)
Python (requests)
Security considerations
:::warning Never expose credentials client-side
Your Authorization credentials and key-hash are server-side secrets. Never include them
in client-side JavaScript, mobile apps, or public repositories.
:::
- Always make API calls from your server, not the browser
- Rotate your key hash immediately if it is ever exposed
- Use environment variables to store credentials — never hardcode them
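The following Python sketch is an added example, not code from the Strictly documentation: it builds both required headers from environment variables, rejects plain-HTTP URLs (Base64 is an encoding, not encryption), and masks the secrets before logging. The environment variable names, the helper function names and the placeholder URL are assumptions; no request is sent.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed environment variable names; the page only says to use environment variables.
ENV_EMAIL, ENV_PASSWORD, ENV_KEY_HASH = "STRICTLY_EMAIL", "STRICTLY_PASSWORD", "STRICTLY_KEY_HASH"


def build_auth_headers(email: str, password: str, key_hash: str) -> dict:
    """Return the two headers the page requires on every request."""
    if not (email and password and key_hash):
        raise ValueError("email, password and key hash are all required")
    if ":" in email:
        # In Basic auth the first colon separates user-id from password,
        # so a colon in the email would shift part of it into the password.
        raise ValueError("email must not contain ':'")
    token = base64.b64encode(f"{email}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "key-hash": key_hash}


def headers_from_env(env=os.environ) -> dict:
    """Load credentials from the environment instead of hardcoding them."""
    missing = [n for n in (ENV_EMAIL, ENV_PASSWORD, ENV_KEY_HASH) if not env.get(n)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return build_auth_headers(env[ENV_EMAIL], env[ENV_PASSWORD], env[ENV_KEY_HASH])


def build_request(url: str, headers: dict) -> urllib.request.Request:
    """Prepare (not send) a request; Base64 is not encryption, so require TLS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("credentials may only be sent over https")
    return urllib.request.Request(url, headers=headers, method="GET")


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to log: both secrets masked."""
    secret = {"authorization", "key-hash"}
    return {k: "[REDACTED]" if k.lower() in secret else v for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed values for a dry run; the URL is a placeholder, not a Strictly endpoint.
    demo_env = {ENV_EMAIL: "merchant@example.com", ENV_PASSWORD: "s3cret", ENV_KEY_HASH: "EXAMPLEKEYHASH"}
    req = build_request("https://api.example.invalid/orders", headers_from_env(demo_env))
    print(req.full_url, redact(dict(req.header_items())))
```

Log the output of redact() rather than the raw header dictionary, so neither the Basic token nor the key hash ends up in application logs.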
Sandbox credentials
For testing, use these demo credentials (see Sandbox & Testing):
| Field | Value |
|---|---|
| Email | integration@strictlyzero.com |
| Password | demo123* |
| Key-hash | BL2H6LGNEUGSXTBARA59 |