
Authentication

All Wava API requests require authentication via headers. The type of header depends on your integration role.

Merchant authentication

Every request must include your store’s merchant key:
curl -X GET "https://api.wava.co/v1/orders/paymentGateways" \
  -H "merchant-key: YOUR_MERCHANT_KEY" \
  -H "Content-Type: application/json"
Your merchant key identifies your store and determines which payment gateways are available, what currency is used, and where payouts are sent.

Partner authentication

Partners operating on behalf of onboarded stores include three headers:
curl -X POST "https://api.wava.co/v1/orders" \
  -H "merchant-key: STORE_MERCHANT_KEY" \
  -H "X-API-Key: YOUR_PARTNER_API_KEY" \
  -H "X-API-Secret: YOUR_PARTNER_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
  • The merchant-key identifies the target store
  • The X-API-Key and X-API-Secret authenticate the partner (two-factor authentication)
The operation is associated with both the store and the partner for tracking and reporting.

Obtaining your credentials

Create a development account

1. Sign up
   Go to https://app.dev.wava.co/ and use your email to create an account.

2. Create a test store
   Create a test store with test data. This will be your sandbox environment.

3. Complete the compliance form
   Fill in the compliance form with test data — there are no required fields in development.

4. Navigate to Integrations
   Upon activation, go to the Settings section, then open the Integrations tab.

5. Get your merchant key
   Under API, you’ll find your merchant key for this environment. You can also configure your webhook URL here.

| Environment | Dashboard URL | Integrations page |
| --- | --- | --- |
| Development | app.dev.wava.co | app.dev.wava.co/config#integrations |
| Production | app.wava.co | app.wava.co/config#integrations |

Your merchant key is available in the Wava Dashboard under Settings > Integrations > API. A separate key is provided for development and production environments.
Partner credentials (API Key and API Secret) are issued upon approval. Contact soporte@wava.co to apply for partner access. Both the API Key (X-API-Key) and API Secret (X-API-Secret) are required for authentication.

Security

Never expose your merchant key, partner API key, or partner API secret in client-side code (browser JavaScript, mobile apps). Always make API calls from your server.
Your keys should be stored as environment variables or in a secrets manager, never committed to source control. If you believe any credential has been compromised, contact soporte@wava.co immediately to rotate it.
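
The following server-side sketch is an added example, not code from Wava or from the original page. It reads the credentials from environment variables, builds the merchant or partner header set described above, rejects a half-configured partner credential pair, and masks credential values before they reach a log. The environment variable names, function names and sample values are assumptions made for this example.

```python
import os
import urllib.request

API_BASE = "https://api.wava.co/v1"  # base URL taken from the curl examples on this page

# Environment variable names are assumptions chosen for this example.
ENV_MERCHANT = "WAVA_MERCHANT_KEY"
ENV_PARTNER_KEY = "WAVA_PARTNER_API_KEY"
ENV_PARTNER_SECRET = "WAVA_PARTNER_API_SECRET"

SENSITIVE = {"merchant-key", "x-api-key", "x-api-secret"}


class CredentialError(RuntimeError):
    """Raised when the credential set in the environment is missing or incomplete."""


def auth_headers(env=os.environ):
    """Build merchant headers, plus partner headers when both partner values are set."""
    merchant = env.get(ENV_MERCHANT, "").strip()
    if not merchant:
        raise CredentialError(f"{ENV_MERCHANT} is not set")
    headers = {"merchant-key": merchant, "Content-Type": "application/json"}
    key = env.get(ENV_PARTNER_KEY, "").strip()
    secret = env.get(ENV_PARTNER_SECRET, "").strip()
    # A key without its secret (or the reverse) is a deployment mistake: fail early
    # instead of sending a request that carries only part of the credential.
    if bool(key) != bool(secret):
        raise CredentialError("partner access needs both the API key and the API secret")
    if key:
        headers["X-API-Key"] = key
        headers["X-API-Secret"] = secret
    return headers


def redact(headers):
    """Return a copy of headers that is safe to log: credential values are masked."""
    return {k: ("***" if k.lower() in SENSITIVE else v) for k, v in headers.items()}


def build_request(path, body=None, env=os.environ):
    """Return an unsent urllib Request for API_BASE + path with the auth headers set."""
    method = "POST" if body is not None else "GET"
    return urllib.request.Request(
        API_BASE + path, data=body, headers=auth_headers(env), method=method
    )
```

Pass the result of build_request to urllib.request.urlopen from server code only, and log redact(headers) rather than the headers themselves.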