Getting started

Authentication

Authenticate every request with your API key as a bearer token in the Authorization header. Create and manage keys in the developer console.

Authorization: Bearer cwk_live_sk_...
Content-Type: application/json

Key types

Mavunta has three key types. The prefix shows the environment and type.

Type	Prefix	Use
Secret	`cwk_live_sk_`	Server-side, full access. Never expose to a browser or app.
Restricted	`cwk_live_rk_`	Server/bot/partner, limited to the scopes you choose.
Publishable	`cwk_live_pk_`	Client-safe, read-only (for example reading public checkout status).

Sandbox keys carry the test tag, for example cwk_test_sk_. Store only the key you are shown at creation; secrets are hashed and never displayed again, so rotate to replace a lost key.

Scopes

Assign a subset of scopes to a restricted key:

payments:read        payments:write       checkout:write
payment_links:read   payment_links:write
refunds:read         refunds:write
webhooks:read        webhooks:write
balances:read        settlements:read     reports:read

IP restrictions

A live key can be locked to specific IP addresses. A request from any other address is rejected with ip_not_allowed. Configure the allowlist when you create the key.

Verify a key

GET /v1/auth/verify authenticates a key without moving anything — the safe way to test a live key.

curl https://api.mavunta.com/v1/auth/verify \
  -H "Authorization: Bearer cwk_live_sk_..."

{ "livemode": true, "environment": "live", "merchant_id": "...",
  "scopes": ["payments:read", "payments:write"], "ip_allowed": true, "status": "active" }

Next: Sandbox and go-live →