API calls need to be authenticated and authorized. You can do this by providing your secret key in the Authorization header of every request you make. You should authenticate your API client with the following header Authorization: Bearer SECRET_KEY

We provide two types of key on our sandbox and production environment: Public and Secret keys. Public keys are meant to be only used from your frontend or mobile app when integrating Maplerad.

Public keys are meant to be public by design, they have no write access to your account except for initiating the Maplerad Checkout.

Your secret keys are meant to be stay secret/hidden/private at all times.

To get your keys

  • Log in to your Maplerad dashboard.
  • Navigate to Settings
  • Select the API Keys open in the Developers section of the menu to view and copy your keys.



if you think your keys may have been compromised (for instance, you accidentally committed them to Git), you should immediately generate new ones using the Generate new keys button on the Settings > API page on your dashboard.

This will invalidate all existing keys and give you a new set, and you can then update your app to use the new ones.



To authorize API calls from your server, pass your secret key as a bearer token. This means passing an Authorization header with a value of Bearer: YOUR_SECRET_KEY

Every single API request must be authenticated or will fail with the status code 401: Unauthorized

After integration, you're expected to submit your server's IP address to Maplerad for final authorization, failure to do this means you'll likely get a 403: Forbidden error.



All API requests must be made over HTTPS. Please do not manually disable certificate verification from your HTTP client


Full Access

Please note that your secret key can perform any actions on your Maplerad account without restriction. It needs to be securely and confidentially stored.

Please do not include this in your git repository, mobile app or Frontend code.

In the instance you believe your key has been compromised, please make sure to revoke the key from the dashboard