Secret keys
The public API authenticates with a project secret key sent as a Bearer token:
Authorization: Bearer sk_live_xxx
Keys start with sk_. Treat them like passwords: keep them server-side, never commit
them, and rotate them from the dashboard if exposed.
Anyone with your secret key can move money on your behalf. Never expose it in a
browser, mobile app or public repository.
Environments
Each gateway account is isolated per environment (live / sandbox). The environment
is determined by the key you use; the base URL is the same:
Rate limiting
The public API is rate limited. When you exceed the limit you receive 429 Too Many Requests; back off and retry after the delay in the Retry-After header. The PHP SDK
retries these automatically with exponential backoff.
Idempotency
Send an X-Idempotency-Key header on write requests so a retried request is never
processed twice:
curl https://api.orqex.com/v1/payment/intents \
  -H "Authorization: Bearer sk_live_xxx" \
  -H "X-Idempotency-Key: order-1024" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
The key must be 8-128 characters. Replays return the original response with
X-Idempotent-Replayed: true. See Idempotency.
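For clients that do not use the PHP SDK, the rate-limit and idempotency rules above combine as in the following added example (not code from the SDK or this documentation). The ORQEX_SECRET_KEY variable name, the send() transport hook and the exponential fallback delay are assumptions made for illustration.

```python
import os
import time

API_URL = "https://api.orqex.com/v1/payment/intents"  # URL from the curl example


def build_headers(secret_key, idempotency_key):
    """Validate both keys and build the headers for a write request."""
    if not secret_key.startswith("sk_"):
        raise ValueError("secret key must start with sk_")
    if not 8 <= len(idempotency_key) <= 128:
        raise ValueError("idempotency key must be 8-128 characters")
    return {
        "Authorization": f"Bearer {secret_key}",
        "X-Idempotency-Key": idempotency_key,
        "Content-Type": "application/json",
    }


def retry_delay(headers, attempt, cap=60.0):
    """Prefer the server's Retry-After in seconds; else exponential backoff."""
    try:
        delay = float(headers.get("Retry-After", ""))
    except ValueError:
        # Header missing or not a number of seconds: assumed fallback delay.
        delay = 2.0 ** attempt
    return min(max(delay, 0.0), cap)


def post_idempotent(send, body, idempotency_key, secret_key=None,
                    max_attempts=5, sleep=time.sleep):
    """POST body, retrying 429s with the SAME idempotency key each time.

    send(url, headers, body) -> (status, response_headers, response_body) is a
    hypothetical transport hook so the logic can be exercised offline.
    Returns (status, response_body, replayed).
    """
    # Assumed variable name; the key is read server-side, never hard-coded.
    secret_key = secret_key or os.environ["ORQEX_SECRET_KEY"]
    headers = build_headers(secret_key, idempotency_key)
    for attempt in range(max_attempts):
        status, resp_headers, resp_body = send(API_URL, headers, body)
        if status != 429:
            replayed = resp_headers.get("X-Idempotent-Replayed") == "true"
            return status, resp_body, replayed
        if attempt + 1 < max_attempts:
            sleep(retry_delay(resp_headers, attempt))
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```

Derive the idempotency key from the business operation (such as the order id) rather than generating a new one per attempt, so a retry after a timeout cannot create a second payment.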