API Authentication
Access to the AfriSwitch institutional API requires two mandatory headers: x-api-key and api-secret. These keys are unique to each organisation and are used to authenticate requests.
Required Headers
x-api-key: AFS-PROD-PUB-XXXXXXXXXXXX
api-secret: AFS-PROD-SEC-XXXXXXXXXXXXXXXXXXXX
Content-Type: application/json
Important: These keys must never be exposed on the frontend or in any public code.
Postman Example
In the Headers tab:
{
"x-api-key": "AFS-PROD-PUB-XXXXXXXXXXXX",
"api-secret": "AFS-PROD-SEC-XXXXXXXXXXXXXXXXXXXX",
"Content-Type": "application/json"
}
cURL Example
curl -X POST "https://api.afriswitch.net/api/v1/transactions/payin/" \
-H "x-api-key: AFS-PROD-PUB-XXXXXXXXXXXX" \
-H "api-secret: AFS-PROD-SEC-XXXXXXXXXXXXXXXXXXXX" \
-H "Content-Type: application/json" \
-d '{
"amount": 1000,
"currency": "GNF",
"operator": "mtn",
"country": "GN",
"phone_number": "224XXXXXX448",
"opaque_id": "test_payin_001"
}'
Security Notes
- API keys must be stored in a secure vault (Vault, AWS Secrets Manager, Azure Key Vault).
- Never include them in public source code.
- Never send them via email or unsecured messaging.
- If compromised, contact AfriSwitch immediately for regeneration.
HMAC Signature
The HMAC signature is automatically applied by the AfriSwitch portal. The partner does not need to sign anything manually. Only x-api-key and api-secret must be provided.