Security
Authentication
Every DGS-Pay API request requires two headers: your API key and your account number. Both are available in your merchant portal under Settings → API Settings. Test and live environments each have their own separate set of credentials.
Required Headers
Include these on every request:
HTTP Headers
X-DGS-API-Key: YOUR_DGS_API_KEY
X-DGS-ACCOUNT-NUMBER: YOUR_DGS_ACCOUNT_NUMBER
Content-Type: application/json
cURL Example with Auth
cURL
curl -X GET \
  https://pay.digitalservicescenter.rw/generation/v2/balance \
  -H "X-DGS-API-Key: sk_live_xxxxxxxxxxxxxxxxxxxx" \
  -H "X-DGS-ACCOUNT-NUMBER: ACC-0001234" \
  -H "Content-Type: application/json"
IP Whitelisting (Production only)
In production you can restrict API access to a specific set of server IP addresses. Any request arriving from an IP not on your whitelist will be rejected with a 91 Auth Error. Configure your allowed IPs in Settings → API Settings in the merchant portal. This feature is not enforced in sandbox.
Security Rules — Never Skip These
- Never embed your API key in client-side JavaScript or mobile app source code — keys must only exist on your server.
- Store keys as environment variables (e.g. .env files) and keep them out of version control.
- Enable IP whitelisting before switching to production.
- Rotate your API keys periodically and immediately if you suspect exposure.
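The rules above applied to the balance request, as an added example that is not part of the DGS-Pay documentation: a POSIX shell wrapper that reads both credentials from the environment, refuses to run if either is missing or malformed, and hands the headers to curl through a config on stdin so the key never appears in the process list or shell history. The variable names DGS_API_KEY and DGS_ACCOUNT_NUMBER, the function names, and the allowed character set (inferred from the sample values on this page) are assumptions.

```sh
#!/bin/sh
# Added example, not DGS-Pay's own code. Assumed names: DGS_API_KEY,
# DGS_ACCOUNT_NUMBER (environment variables) and the dgs_* functions.

DGS_BALANCE_URL="https://pay.digitalservicescenter.rw/generation/v2/balance"

# Reject empty values and anything outside [A-Za-z0-9_-]. The allowlist is an
# assumption based on the sample key/account shapes; widen it if your real
# credentials differ. It blocks quotes and newlines that could inject extra
# headers or curl config directives.
dgs_valid_value() {   # $1 = variable name, $2 = value
  case "$2" in
    '') echo "error: $1 is not set" >&2; return 1 ;;
    *[!A-Za-z0-9_-]*) echo "error: $1 has unexpected characters" >&2; return 1 ;;
  esac
}

dgs_check_credentials() {
  dgs_valid_value DGS_API_KEY "${DGS_API_KEY-}" &&
  dgs_valid_value DGS_ACCOUNT_NUMBER "${DGS_ACCOUNT_NUMBER-}"
}

# Write a curl config to stdout. printf is a shell builtin, so the key is
# never placed in the argv of an external process (visible to `ps`).
dgs_curl_config() {   # $1 = request URL
  dgs_check_credentials || return 1
  printf 'url = "%s"\n' "$1"
  printf 'header = "X-DGS-API-Key: %s"\n' "$DGS_API_KEY"
  printf 'header = "X-DGS-ACCOUNT-NUMBER: %s"\n' "$DGS_ACCOUNT_NUMBER"
  printf 'header = "Content-Type: application/json"\n'
}

# GET the balance; --fail makes HTTP errors return a non-zero exit status.
dgs_get_balance() {
  cfg=$(dgs_curl_config "$DGS_BALANCE_URL") || return 1
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
  rc=$?
  unset cfg
  return "$rc"
}
```

Source the file on the server after the environment is populated and call dgs_get_balance; keeping separate variable sets for test and live matches the separate credentials described under Authentication.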