
Authentication

AccruPay uses two distinct credentials for two distinct contexts. Using the wrong credential in the wrong context is the most common integration mistake.

| Credential | Header / prop | Context | Secret? |
| --- | --- | --- | --- |
| apiSecret | accrupay-api-secret | Backend only | Yes — treat like a password |
| merchantPublicId | React SDK prop | Browser | No — safe to ship to clients |

API Secret

The API secret authenticates every request your backend makes to the AccruPay GraphQL API. It must be present on every call — AccruPay will reject requests without it.

Raw GraphQL

POST https://api.pay.accru.co/graphql
Content-Type: application/json
accrupay-api-secret: <your-api-secret>

curl -X POST https://api.pay.accru.co/graphql \
  -H "Content-Type: application/json" \
  -H "accrupay-api-secret: $ACCRUPAY_API_SECRET" \
  -d '{"query":"{ merchantApi { id name } }"}'

Node SDK

The SDK reads the secret once at construction and attaches the header automatically on every request:

import AccruPay from '@accrupay/node';

const accrupay = new AccruPay({
  apiSecret: process.env.ACCRUPAY_API_SECRET,
});

Store the secret in an environment variable. Never hard-code it.

Danger: Never use your API secret in frontend code or commit it to source control. Anyone who obtains it can create transactions, access your transaction history, and manage payment methods on behalf of your merchant account.


Merchant Public ID

The merchantPublicId is a stable, non-secret identifier for your merchant account. It is safe to include in browser-side code and client-facing bundles.

What it does

The React SDK uses merchantPublicId to scope its public API queries. Specifically, it enables clientPublicTransactionSession queries — read-only access to the state of a payment session that your backend already created.

import { AccruPay, CardNumber, CardExpiry, CardCVC, SubmitButton } from '@accrupay/react';

function CheckoutForm({ sessionId }: { sessionId: string }) {
  return (
    <AccruPay
      merchantPublicId={process.env.NEXT_PUBLIC_ACCRUPAY_MERCHANT_ID}
      transactionSessionId={sessionId}
    >
      <CardNumber />
      <CardExpiry />
      <CardCVC />
      <SubmitButton>Pay now</SubmitButton>
    </AccruPay>
  );
}

What an attacker can do with only the public ID

  • Read the status of a payment session they already have the session ID for

What an attacker cannot do with only the public ID

  • Create transactions
  • Charge cards
  • Access your transaction history
  • Manage or retrieve stored payment methods
  • Perform any write operation

The public ID grants no elevated access. All sensitive operations require the API secret on the backend.


Sandbox credentials

AccruPay provides separate credentials for the sandbox environment (https://api.qa.pay.accru.co/graphql). Sandbox secrets are not valid against the production endpoint, and vice versa.

const accrupay = new AccruPay({
  apiSecret: process.env.ACCRUPAY_API_SECRET, // sandbox secret in dev, production secret in prod
  environment: 'sandbox', // or omit for production
});

Where to find your credentials

Both credentials are available in the AccruPay dashboard:

  1. Go to Settings → API Keys
  2. Copy your API Secret — store it immediately in your secrets manager; it will not be shown again after creation
  3. Copy your Merchant Public ID — available any time, safe to store in version control as an environment variable

Checklist

  • API secret is stored in a secrets manager or environment variable, not in code
  • API secret is only read in server-side code (Node process, serverless function, backend service)
  • merchantPublicId is used in the React SDK — no API secret in the browser
  • Sandbox and production credentials are kept separate
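
One way to enforce the "no API secret in the browser" items of this checklist before a deploy, as an added example that is not AccruPay's own code. The function names and sample values are constructed for illustration; it assumes a Next.js-style build, where environment variables prefixed with NEXT_PUBLIC_ are inlined into client bundles, and that the caller has read the built client files into a name-to-text map.

```javascript
// Added example (not AccruPay code): pre-deploy check that the API secret
// cannot reach the browser. Function names and sample values are constructed.

// Next.js inlines env vars with this prefix into client bundles.
const PUBLIC_PREFIX = 'NEXT_PUBLIC_';

// Returns a list of findings for an env object; empty means no problem found.
function checkEnv(env) {
  const findings = [];
  const secret = env.ACCRUPAY_API_SECRET;
  if (!secret) findings.push('ACCRUPAY_API_SECRET is not set');
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue;
    if (secret && value === secret) {
      findings.push(`${name} holds the API secret and is exposed to browsers`);
    } else if (/SECRET/i.test(name)) {
      findings.push(`${name} is browser-exposed but named like a secret`);
    }
  }
  return findings;
}

// assets: { fileName: textContent } of the built client bundle, read by the caller.
// Returns the names of files that contain the literal secret value.
function scanAssets(assets, secret) {
  if (!secret) return [];
  return Object.entries(assets)
    .filter(([, text]) => text.includes(secret))
    .map(([name]) => name);
}

// Constructed sample input: a misconfigured environment and a leaked bundle.
const sampleEnv = {
  ACCRUPAY_API_SECRET: 'constructed-secret-value',
  NEXT_PUBLIC_ACCRUPAY_MERCHANT_ID: 'constructed-merchant-id',
  NEXT_PUBLIC_ACCRUPAY_API_SECRET: 'constructed-secret-value', // the mistake
};
const sampleAssets = {
  'static/chunks/checkout.js': 'fetch(u,{headers:{"accrupay-api-secret":"constructed-secret-value"}})',
  'static/chunks/vendor.js': 'merchantPublicId:"constructed-merchant-id"',
};

const problems = [
  ...checkEnv(sampleEnv),
  ...scanAssets(sampleAssets, sampleEnv.ACCRUPAY_API_SECRET).map((f) => `secret found in ${f}`),
];
problems.forEach((p) => console.error(`FAIL: ${p}`));
```

In CI, run the same two checks against the real process.env and the real client build output, and fail the job when the findings list is non-empty.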