
Authentication

The Merchants API uses a static API key plus an IP allowlist. Both must match for a request to be authenticated.

API key header

Every request must carry an API-KEY header:

API-KEY: <your-api-key>
Content-Type: application/json

Send the literal header name API-KEY. Behind the scenes the Django runtime exposes this as HTTP_API_KEY, but partners only ever send API-KEY on the wire.

Keys are SHA-256 hashed at rest on Noju's side. Treat the plaintext value as an opaque secret:

  • Never embed an API key in client-side code, mobile binaries, or public repositories.
  • Store the key in a server-side secret manager and inject it as an environment variable (the examples in this site read NOJU_API_KEY).
  • One key is issued per environment. Sandbox and production keys are not interchangeable.

IP allowlist

Every request must originate from an IP address registered on your merchant account. Calls from unlisted IPs are rejected with HTTP 403 and message: "UNAUTHORIZED", even if the API key is valid.

Use static egress IPs for outbound traffic to https://merchants.noju.io. To register additional IPs (for example, a new region or a new service host), contact your Noju account manager with the IPs and effective date.

Inactive merchants and revoked keys

If your merchant account is deactivated, or your API key is revoked, requests fail with HTTP 401 and message: "UNAUTHORIZED".
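The 401 and 403 rejections above carry the same message, so only the HTTP status separates a key or account problem from an allowlist problem. The following is an added example, not Noju's own code, showing a client-side helper that loads the key from NOJU_API_KEY, builds the required headers, keeps the key out of logs, and maps a rejection to its cause. The JSON body shape {"message": "UNAUTHORIZED"} and all function names are assumptions.

```python
import json
import os

# Causes as the page describes them. Both rejections carry the same message,
# so the HTTP status is the only thing that tells them apart.
CAUSES = {
    401: "merchant account deactivated or API key revoked",
    403: "source IP not registered on the merchant account",
}


def load_api_key(env=os.environ):
    """Read the key from the environment and fail closed if it is unusable."""
    key = env.get("NOJU_API_KEY", "")
    if not key or key != key.strip():
        raise RuntimeError("NOJU_API_KEY is unset or has stray whitespace")
    return key


def auth_headers(api_key):
    """The two headers every request carries, with the literal name API-KEY."""
    return {"API-KEY": api_key, "Content-Type": "application/json"}


def redact(headers):
    """Copy of the headers that is safe to log: the key value is replaced."""
    return {k: "<redacted>" if k.upper() == "API-KEY" else v for k, v in headers.items()}


def diagnose(status, body):
    """Map a rejected response to its cause. The body shape is an assumption."""
    try:
        message = json.loads(body).get("message")
    except (TypeError, ValueError, AttributeError):
        message = None
    if message != "UNAUTHORIZED" or status not in CAUSES:
        return "not an authentication rejection"
    return CAUSES[status]


if __name__ == "__main__":
    # Constructed sample key and response bodies, for illustration only.
    headers = auth_headers(load_api_key({"NOJU_API_KEY": "constructed-sample-key"}))
    print(redact(headers))
    print(diagnose(403, '{"message": "UNAUTHORIZED"}'))
    print(diagnose(401, '{"message": "UNAUTHORIZED"}'))
```

Neither rejection is fixed by retrying: a 401 needs a key or account change, and a 403 needs the calling IP registered.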

Rotation

Rotation is handled by request — there is no self-serve rotation today. To rotate, contact your Noju account manager and we will issue a new key and arrange a brief overlap window during which both keys are accepted, before retiring the old one.