# Keys and authentication

## Keys

The API and Secret keys will be provided by our team at the end of the onboarding process.

{% hint style="info" %}
If any keys are shared with unauthorised individuals or compromised, associated accounts, digital assets, services, or integrations may be at risk. Please contact our [support team](mailto:support@xgateway.tech) immediately if you have any concerns or suspect your keys may have been compromised.
{% endhint %}

Please maintain secure custody of credentials and promptly report any issues. The XGateway team is available to assist with any questions or concerns.

### API key

The API key is an automatically generated unique identifier used for authorising API requests.

{% hint style="warning" %}
It is crucial to keep the API key confidential and not share it with unauthorised individuals, as it can be used to access account funds and associated digital assets.
{% endhint %}

The `x-api-key` header should be included to authorize API requests.

<details>

<summary>Example of usage</summary>

```bash
curl -X 'POST' \
  'https://api.xgateway.tech/api/v1/invoice' \
  -H 'accept: application/json' \
  -H 'x-api-key: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
  "amount": "20",
  "baseCurrency": "EUR",
  "customerId": "test_customer_id",
  "orderId": "test_order_id"
}'
```

</details>

### Secret Key

The secret key is an automatically generated unique identifier used for creating a hash for callback data verification. This ensures the callback originates from the payment processing system.

{% hint style="warning" %}
It is crucial to keep the secret key confidential and not share it with unauthorized individuals. While it does not provide account access, it should still be protected.
{% endhint %}

{% hint style="warning" %}
If the secret key is compromised, it could allow fake callbacks and withdrawal requests to be sent to your system. Please keep the secret key secure and confidential.
{% endhint %}

<details>

<summary>Example of usage</summary>

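```typescript
import * as crypto from "node:crypto";

// Replace the upper-case placeholders with the callback values and your secret key.
const hash = crypto
      .createHash("sha512")
      .update(`TRANSACTION_ID.CUSTOMER_ID.AMOUNT.CURRENCY.YOUR_SECRET_KEY`)
      .digest("base64");
```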

</details>
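
The following is an added example, not XGateway's own code, of verifying a callback on the receiving side: it recomputes the hash in the format shown above and compares it with the received value in constant time. The callback field names and the sample values are assumptions; use the names from your actual callback payload.

```typescript
import * as crypto from "node:crypto";

// Hypothetical callback shape: these field names are assumptions, not XGateway's schema.
interface CallbackFields {
  transactionId: string;
  customerId: string;
  amount: string;
  currency: string;
}

// Recompute the hash using the dot-joined format shown on this page.
function computeCallbackHash(cb: CallbackFields, secretKey: string): string {
  return crypto
    .createHash("sha512")
    .update(`${cb.transactionId}.${cb.customerId}.${cb.amount}.${cb.currency}.${secretKey}`)
    .digest("base64");
}

// Returns true only when the received hash matches the recomputed one.
function verifyCallback(cb: CallbackFields, receivedHash: unknown, secretKey: string): boolean {
  // A missing hash or an empty key must fail closed.
  if (typeof receivedHash !== "string" || secretKey.length === 0) return false;
  const expected = Buffer.from(computeCallbackHash(cb, secretKey), "base64");
  const received = Buffer.from(receivedHash, "base64");
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// Constructed sample values. In production, load the key from a secret store or
// an environment variable instead of hard-coding it in source.
const sampleSecret = "constructed-secret-for-demo";
const sample: CallbackFields = {
  transactionId: "tx_1",
  customerId: "test_customer_id",
  amount: "20",
  currency: "EUR",
};
const goodHash = computeCallbackHash(sample, sampleSecret);

console.log(verifyCallback(sample, goodHash, sampleSecret));
console.log(verifyCallback({ ...sample, amount: "2000" }, goodHash, sampleSecret));
```

Reject the callback and do not act on it whenever `verifyCallback` returns `false`.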

## Password

To sign in to your back office, you will need the email and password configured during onboarding. You can change your password via the back office after the first sign-in or by contacting the [support team](mailto:support@xgateway.tech).

{% hint style="warning" %}
It is crucial to keep the password confidential and not share it with unauthorized individuals, as it can be used to access account funds and associated digital assets.
{% endhint %}

